Best Practices

Internal Control for Grants

With regard to internal control for grants, governments should adhere to the following framework: control environment, risk assessment, control activities, information and communication, and monitoring.

Federal, state, local and private entity grant funds often represent a significant source of funding for governments. In some governmental functions they represent the primary source of funding (e.g., housing, social services, etc.). As a result, it is crucial that governments have the proper framework for internal control to ensure that:

  1. These resources are being utilized effectively and efficiently;
  2. Assets purchased or developed with them are being safeguarded properly;
  3. Financial reporting required by these grants is accurate and timely; and
  4. Grant resources are being utilized in compliance with appropriate laws and regulations.

The most widely recognized source of guidance on internal control is the Committee of Sponsoring Organizations (COSO), which updated its classic Internal Control-Integrated Framework in 2013. The GFOA has organized the following best practice steps for grant internal control into COSO's five essential components of a comprehensive framework of internal control: 1) Control Environment; 2) Risk Assessment; 3) Control Activities; 4) Information and Communication; and 5) Monitoring, as follows:

  1. Control Environment
    1. Alert agencies that policy decisions concerning grants are made entity-wide to ensure consistency and adherence to strategic planning goals;
    2. Ensure that each area of the grant process (programmatic, budgeting, accounting, etc.) is managed by competent staff who are knowledgeable in their areas of responsibility;
    3. Give staff authority and responsibility for their tasks associated with the grant;
    4. Hold staff accountable for their tasks; and
    5. In larger organizations, create cross-functional teams to support entity-wide grants management.
  2. Risk Assessment
    1. Perform and document a risk assessment of the entity's grants management processes;
    2. Utilize a comprehensive internal control questionnaire to facilitate the risk analysis;
    3. Consider the level of program risk (e.g., high, medium, low) when establishing control activities;
    4. Perform a cost/benefit analysis prior to installing a new control activity;
    5. Consider the possibility and likelihood of fraud in the entity's grants management process; and
    6. Identify and assess changes in the regulatory, technology, personnel and operating environment under which the grants are managed.
  3. Control Activities
    1. Document both government-wide and individual grant policies;
    2. Document both government-wide and individual grant procedures;
    3. Develop a timeline and process for updating policies and procedures as changes occur;
    4. Become knowledgeable of and adhere to federal, state, and local laws and regulations;
    5. Establish control activities to ensure the reliability of information obtained from third parties (e.g., vendors);
    6. Develop comprehensive information technology policies and procedures;
    7. Keep information technology policies and procedures current;
    8. Become knowledgeable of and implement, as necessary, federal and state standards for financial management systems;
    9. Utilize financial management systems to support compliance with grant-related legal and regulatory requirements;
    10. Become knowledgeable of and implement, as necessary, federal and state standards for procurement; and
    11. Utilize federal and state official debarment lists to update the government's list of vendors.
  4. Information and Communication
    1. Document in a format accessible to stakeholders the purpose and the government's responsibilities for each of its grants;
    2. Distinguish grants by source (federal, state, local, and private entity);
    3. Identify the time periods required by the grants;
    4. Identify grant reporting requirements;
    5. Identify grants that require specialized administration;
    6. Ensure that grant requirements are documented in vendor communication;
    7. Ensure that grant information is available to internal stakeholders;
    8. Develop ongoing communication and knowledge of grantors and pass-through organizations;
    9. Develop an ongoing dialogue with financial statement, single audit, and program auditors concerning grant reporting and compliance; and
    10. Develop processes to ensure that quality, supportable information is utilized in grant decision making.
  5. Monitoring
    1. Develop a process of ongoing (daily/weekly) and periodic (annual) programmatic control activities that ensures compliance with laws and regulations;
    2. Provide an annual periodic review of the risk assessment process;
    3. Ensure that program deficiencies are communicated to all responsible parties, including management and elected officials; and
    4. Ensure that corrective action plans are taking place, addressing the control deficiencies and responding to the deficiencies in a timely manner.


  1. The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.           
  2. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.          
  3. Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.      
  4. Information and communication are the continual iterative process of providing, sharing, and obtaining necessary information.
  5. Monitoring represents the process of ongoing and periodic evaluations to ascertain whether the components of internal control are present and functioning. To the extent control deficiencies are found, they are communicated, in a timely manner, to responsible parties, including senior management and elected officials, for corrective action.

This best practice was previously titled Framework for Entity-wide Grants Internal Control.

  • Board approval date: Wednesday, September 30, 2015