Federal, state, local and private entity grant funds often represent a significant source of funding for governments. In some governmental functions they represent the primary source of funding (e.g. housing, social services, etc.). As a result, it is crucial that governments have the proper framework for internal control to ensure that:
- These resources are being utilized effectively and efficiently;
- Assets purchased or developed with grant funds are being safeguarded properly;
- Financial and other reporting required by these grants is accurate and timely; and
- Grant resources are being utilized in compliance with appropriate laws and regulations.
The most widely recognized source of guidance on internal control is the Committee of Sponsoring Organizations (COSO), which updated its classic Internal Control-Integrated Framework in 2013 and published Enterprise Risk Management — Integrating with Strategy and Performance in 2017.
GFOA recommends that governments adhere to a comprehensive framework of internal control for grants that includes the components of: control environment, risk assessment, control activities, information and communication, and monitoring.
Control Environment - The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
- Alert agencies that policy decisions concerning grants are made entity-wide to ensure consistency and adherence to strategic planning goals;
- Ensure that each area of the grant process (programmatic, budgeting, accounting, etc.) is managed by competent staff who are trained and knowledgeable in their areas of responsibility;
- Give staff authority and responsibility for their tasks associated with the grant;
- Hold staff accountable for their tasks; and
- In larger organizations, create cross-functional teams to support entity-wide grants management.
Risk Assessment - Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.
- Perform and document a risk assessment of the entity's grants management processes;
- Utilize a comprehensive, internal control questionnaire to facilitate the risk analysis;
- Consider the level of program risk (e.g., high, medium, low) when establishing control activities;
- Perform a cost/benefit analysis prior to installing a new control activity;
- Consider the possibility and likelihood of fraud in the entity's grants management process; and
- Identify and assess changes in the regulatory, technology, personnel and operating environment under which the grants are managed.
Control Activities - Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
- Document both government-wide and individual grant policies;
- Document both government-wide and individual grant procedures;
- Develop a timeline and process for updating policies and procedures as changes occur;
- Ensure that staff are knowledgeable of and adhere to federal, state, and local laws and regulations and the specific requirements of the grant and Uniform Guidance;
- Establish control activities to ensure the reliability of information obtained from third parties (e.g., contractors, subrecipients and beneficiaries);
- Develop comprehensive, information technology policies and procedures;
- Ensure that information technology policies and procedures are reviewed at least annually;
- Become knowledgeable of and implement, as necessary, federal and state standards for financial management systems;
- Utilize financial management systems to support compliance with grant-related legal and regulatory requirements;
- Become knowledgeable of and implement, as necessary, federal and state standards for procurement; and
- Utilize federal, state and local government’s official debarment lists to update the government's list of contractors.
Information and Communication - Information and communication are the continual iterative process of providing, sharing, and obtaining necessary information.
- Document in a format accessible to stakeholders the purpose and the government's responsibilities for each of its grants;
- Distinguish grants by source (federal, state, local, and private entity);
- Identify the time periods required by the grants;
- Identify grant reporting requirements;
- Identify grants that require specialized administration;
- Ensure that grant requirements are documented in contractor communication;
- Ensure that grant information is available to internal stakeholders;
- Develop ongoing communication and knowledge of grantors, pass-through organizations and subrecipients, including confirmation of the nature of the relationship (contractor or subrecipient)
- Develop an ongoing dialogue with financial statement, Single Audit, and program auditors concerning grant reporting and compliance; and
- Develop processes to ensure that quality, supportable information is utilized in grant decision making.
Monitoring - Monitoring represents the process of ongoing and periodic evaluations to ascertain whether the components of internal control are present and functioning. To the extent control deficiencies are found they are communicated, in a timely manner, to responsible parties, including senior management and elected officials, for corrective action.
- Develop a processes of ongoing (daily/weekly) and periodic (quarterly, annual) programmatic control activities that ensures compliance with laws and regulations;
- Provide an annual periodic review of the risk assessment process;
- Ensure that program deficiencies are communicated to all responsible parties, including management and elected and appointed officials; and
- Ensure that corrective action plans addressing the control deficiencies are written, identify responsible parties and timelines, and are implemented in a timely manner.
This best practice was previously titled Framework for Entity-wide Grants Internal Control.
- Board approval date: Thursday, September 1, 2022