Finding Text
Finding 2023-004 – Internal Controls for Subrecipient Monitoring
Repeat Finding: No
Federal Program Title – U.S. Department of Defense
Cybersecurity Core Curriculum 12.905
Condition
The College did not have sufficient documentation that internal controls were in place and operating effectively over risk assessment procedures required by the subrecipient monitoring compliance requirement. Although the College was able to provide a timeline noting a risk assessment took place and ongoing monitoring was occurring, there was no formal documentation of the risk assessment.
Criteria
Uniform Grant Guidance (2 CFR 200.303) requires nonfederal entities receiving Federal awards to establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that reviews over subrecipient monitoring are formally documented.
Questioned Costs
There were no questioned costs related to reporting.
Cause
The National Security Agency pre-selected the subrecipient college for this grant. As a result, the College did not fully utilize its subrecipient monitoring tool to document its rigorous subrecipient risk assessment and monitoring process.
Prevalence
Frequent. One out of one subawards selected for testing.
Effect
Lack of properly documented evidence of subrecipient monitoring policies and procedures could result in the loss of future funding.
Recommendation
We recommend the College review current processes, policies and procedures to ensure that subrecipient monitoring policies and procedures are properly documented for each subaward.
Views of responsible officials
We agree with this finding. See corrective action plan.