Uniform Guidance - Lessons Learned And To Be Learned
May 23, 2017, 3:35-4:50 PM
#GFOA2017
MODERATOR AND SPEAKERS
Jerry E. Durham, Assistant Director for Research and Compliance, Tennessee Comptroller of the Treasury
Ann Fritz, Finance Director, City of Saint Petersburg, FL
Nancy Wishmeyer, Controller, City of Aurora, Colorado
Jeff Markert, Partner, KPMG LLP
Agenda
—Lessons Learned
  • Internal control
  • Policies and procedures
  • Risk assessment
  • Role of grants management systems
  • Subrecipient risk assessment and monitoring
  • Reporting
—Common findings under UG
—Recent federal activity
Internal Control
Internal Control Requirements
—Non-Federal entities must establish and maintain effective internal control that provides reasonable assurance that entity is managing Federal award in compliance with Federal statutes, regulations, and terms and conditions of Federal award.
—Internal controls should be in compliance with:
  • COSO (Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission), and
  • Green Book (Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States)
Green Book has similar structure to COSO.
What is Internal Control?
AICPA (AU-C 315.04), Green Book (OV1.01) and COSO
Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved.
Entity Level and Process Level Controls
Control Environment
Risk Assessment
Information and Communication
Monitoring
Control Activities
Entity Level Controls
Process Level Controls
Higher Level Controls
Controls that do not specifically relate to an assertion
Controls that specifically relate to an assertion
Internal Control – Lessons Learned
—Focus on control activities at the compliance requirement level
  • Avoid natural tendency to focus solely on financial reporting controls
—Documentation is time consuming and a continuous work in process
—Different methods/tools may be appropriate
  • Questionnaires
  • Narratives
  • Flow charts
Many organizations had very little internal control documentation prior to UG.
Internal Control – Lessons Learned
—Staff often do not understand their internal control responsibilities
—Evaluation of internal control design and operating effectiveness needs to be performed by someone
—Need to take reasonable measures to safeguard PII
—Ensure you understand the difference between a process vs. a control
Knowledgeable, committed staff are key to integrity of internal controls.
Distinguishing a Process from a Control
Business Process
The activity performed by the process owner.
Includes a series of steps to initiate, recognize and disclose business transactions in a particular period.
A process activity is where an error can occur.
Internal Control
Activities that mitigate processing risk (either directly or indirectly) in an entity’s business process to an acceptable level.
An activity that is performed to prevent or detect an error.
Policies and Procedures
Written policies required by UG
“Written Policy” references in UG (25 times)
Financial management – section 200.302
Payment – section 200.305
Procurement – sections 200.318, 200.319, and 200.320
Compensation – sections 200.430 and 200.431
Relocation costs – section 200.464
Travel costs – section 200.474
Policies and Procedures – Lessons Learned
—Decentralized environment presents challenges for establishing consistent and appropriate policies and procedures
—Consider use of grants management steering committee
—Essential to incorporate policies and procedures into training
—Utilize grants administration manual
Updates ordinarily must be approved by multiple stakeholders.
Risk Assessment
Risk Assessment – Lessons Learned
—Understand the difference between entity-wide level and compliance requirement level
—Risk assessment should also be performed at the federal program/compliance requirement level
Consider involving internal audit.
Role of Grants Management System
Grants Management System – Lessons Learned
—Important to have grants management module that identifies federal programs and related costs on front end
—Separately identify pre and post UG awards
Take advantage of electronic system capabilities!!!
Subrecipient Risk Assessment and Monitoring
Pass-Through Entity Requirements
—Each subaward must clearly be identified as subaward and include standard data elements, including:
  • Requirements imposed by pass-through entity
  • Provision for indirect costs
    • Either negotiated or a de minimis rate of 10%
—Clarifies Federal expectations for pass-through entities
  • Consolidates and clarifies subrecipient monitoring
  • Must evaluate each subrecipient’s risk of noncompliance for purposes of determining appropriate monitoring. Evaluation may include:
    • Prior experience with similar subawards
    • Results of previous audits
    • Whether subrecipient has new personnel or systems
    • Extent and results of Federal awarding agency monitoring
Pass-Through Entity Requirements
—Monitoring activities must include:
  • Reviewing financial and programmatic reports required by pass-through entity
  • Following up on corrective action
  • Issuing management decisions
  • Verifying every subrecipient is audited as required by Subpart F
  • Consider taking enforcement action against noncompliant subrecipients
—Based on risk assessment, following monitoring tools may be used:
  • Providing training to subrecipients
  • Performing on-site reviews
  • Arranging for agreed-upon procedures engagements
Subrecipient Risk Assessment and Monitoring – Lessons Learned
—Fundamental change in mindset from a post-award to pre-award focus
  • Historically looked at as a back end process
  • Getting information upfront is difficult
—Subrecipient monitoring is more than just checking a box
—Difficult to link risk assessment for subrecipient to monitoring activities performed
—Consider centralizing monitoring activities for fiscal and administrative
Treat subrecipients like an extension of your organization.
Subrecipient Risk Assessment and Monitoring – Questions to ask?
— How does the PTE ensure all information required to be communicated to a subrecipient has been communicated?
— Does the PTE’s evaluation of risk include consideration of appropriate factors?
— What are the responsibilities of the subrecipient in relation to the program? (e.g., determine eligibility, provide services, case management)
— What compliance requirements are applicable at the subrecipient level?
  • Almost always: Allowability, Cash Management, Reporting, Period of Performance, Procurement, Suspension, and Debarment.
  • Often: Eligibility, Matching, Level of Effort, Earmarking, etc.
— How does the PTE ensure that costs incurred by a subrecipient are for allowable items and other applicable requirements are met?
Consider using subrecipient matrix of direct and material compliance requirements to document monitoring activities by compliance requirement.
Reporting
Schedule of Expenditures of Federal Awards (SEFA)
• Face of SEFA must include all Federal awards expended including:
  • Noncash assistance
  • Loan programs (beginning balance of outstanding loans plus loans disbursed during period plus interest subsidy, cash, or administrative cost allowance)
  • Loan guarantee programs
  • Amounts passed through to subrecipients for each program
• Footnotes to SEFA must include:
  • Year-end loan balances
  • Whether or not entity used 10% de minimis cost rate
  • Significant accounting policies
Reporting – Lessons Learned
—High error rate in submissions to FAC
  • Common errors include:
    • Not including all required elements on SEFA
    • Stating whether or not organization is using the 10% indirect cost rate
    • Stating whether the financial statements were prepared in accordance with GAAP
    • Disclosing in findings whether sample was statistically valid
    • Disclosing in findings whether the finding was reported in the prior year
Gather relevant grant information in one place.
Reporting – Lessons Learned
—Reports are significantly more visible now that they are publicly available
—Need to include separate corrective action plan
  • “Views of Responsible Officials” is not sufficient
CAP and SSPAF must include both GAGAS and UG findings.
Common Findings under UG
Common Findings under UG
—NFE not able to identify pre and post UG expenditures
—PTE did not make subrecipient aware of award information required by 200.331(a)
—PTE did not adequately perform risk assessment of subrecipients to determine appropriate monitoring and/or did not document
—PTE did not adequately document risk assessment
—PTE did not update monitoring procedures and tools based on UG
Whether the lack of written policies under UG, by itself, results in a reportable finding appears to be a facts and circumstances evaluation based on nature of noncompliance and control deficiencies identified.
Common Findings under UG
—PTE did not adequately perform or had missing monitoring activities
—NFE did not have effective internal control over direct and material compliance requirements
—NFE did not comply with procurement requirements of UG
—SEFA not including all required elements under UG
Recent Federal Activity
OMB Activity
— Potential delay of COFAR Frequently Asked Questions (FAQ)
— Procurement
  • Status of micro purchase threshold increase
  • Potential extension of “procurement delay” for third year
— SEFA pilot project (Federal Auditing Clearinghouse)
  • Goal is to eliminate separate preparation and presentation of SEFA
  • 20 participants in recent project
  • Expected to be incorporated into FAC in 2019
— Future CFDA number format changes
  • From XX.XXX to XXX.XXXX
    • First three digits to align with federal agency number used by Treasury
    • Last four digits to provide greater flexibility to agencies in assigning program numbers
— 2017 Compliance Supplement
2017 Compliance Supplement
— No major changes, but one clarification to two year look back rule
When OMB adds a new CFDA number to a cluster listed in Part 5, the cluster does not meet the two-year look back unless the client’s current year expenditures for the new CFDA number were less than or equal to twenty-five percent (0.25) of the Type A threshold. For example:
— Type A threshold $750,000.
— Cluster ABC (93.123, 93.125 and 93.127) was audited in 2015 with no audit findings.
— The 2017 Compliance Supplement added CFDA 93.129 to the cluster.
— The organization's expenditures for 2017 were:
  • 93.123: $300,000
  • 93.125: $400,000
  • 93.127: $500,000
  • 93.129: $300,000
— 2017 major program determination: Cluster ABC was audited in 2015. However, because the organization's current year expenditures for CFDA 93.129 exceed $187,500 (0.25 of the Type A threshold), cluster ABC fails the two-year look back criteria.
Student Financial Aid
—SFA as a major program issue
  • Same process as 2016 (send email)
—Gramm Leach Bliley (Cybersecurity) update
  • To be tested starting in 2018