Internal Controls over Federal Awards

Uniform Guidance (guidelines for organizations receiving federal awards) states that you must establish and maintain internal controls over federal awards that provide reasonable assurance that you are managing them in compliance with general federal requirements and the specific rules for the funding you receive. Internal controls should be in compliance with the Green Book and/or with COSO.

  1. COSO, which stands for The Committee of Sponsoring Organizations (composed of accounting leadership organizations), or
  2. The Green Book – Standards for Internal Control in the Federal Government

Both of these have been recently updated to take into account how changes in technology have affected all businesses.

Here are links for more information about each of these:

COSO Internal Control Structure – Executive Summary

The Green Book

You don’t need to master both of these; in fact, they are very similar. They both identify the same elements that are necessary for proper internal controls. They are:

  • The Control Environment – your board’s and senior management’s competence and commitment to proper controls,
  • Risk Assessment – a careful look at your organization’s operations and consideration of what could “go wrong” (what might prevent you from accomplishing your objectives, expose you to risk with funders or regulators, or cause financial loss or be an embarrassment),
  • Control Activities – policies and procedures that are put in place such as segregation of responsibilities, reviews, and reconciliations,
  • Information and Communication – clear communication from management to staff about the policies, procedures, and controls that are in place, and
  • Monitoring Activities – periodic follow-up to reassess potential risks, to make sure that controls are still appropriate based on current operations and that they are still being followed. In big organizations, this can be done with an internal audit function. In smaller organizations it will more likely be done by an audit or finance committee.

Possible Monitoring Activities

Your written policies set standards for performance. Monitoring should include a review of your policies to be sure they are current and appropriate. It should also determine whether staff are familiar with your policies. Is training of new and current staff appropriate? Be sure to review personnel, conflict-of-interest and whistleblower protection policies.

Determine what security measures are in place over confidential information such as employee, donor and credit card information.

Your risk assessment and monitoring should also consider the safety of your staff, clients and others who have a relationship with your organization.

Review your organization’s hiring procedures; determine whether references are verified and background checks are used.

Check whether images of checks are provided with your checking account bank statement and verify whether an independent person reviews checks, electronic payments and transfers to be sure they are proper.

Check how up-to-date bank reconciliations are.

Look at documentation for vouchers/drawdowns to be sure that it is properly detailed and supports the voucher.

Look at some invoices for purchases to determine whether they are properly marked to document approval, nonpayment of sales tax, and to note payment.

Check whether unused checks and undeposited checks and cash received are kept in a locked/secure area.

Review charge card statements to see whether there is an independent review and documentation for all purchases.

Review expense reimbursements, especially for senior personnel, to verify that there is proper documentation and an independent review.

The great majority of frauds are uncovered by employees. Interview employees to be sure that they know they are encouraged to communicate any wrongdoing, and that they are familiar with the process for doing so.

Look at how time worked is documented and whether there was an independent review of time worked.

So, as you establish controls over your federal awards, keep these principles in mind and remember that controls are a system, and an ongoing process, not an event.

In our next issue we will provide a list of potential controls and the risks they are designed to minimize.