Are there red flags that a risk assessment of a nonprofit serving as a subrecipient to a city should uncover, that if addressed might prevent fraud or at a minimum trigger greater scrutiny to prevent fraud or misappropriation of COVID relief funds?

Performing a risk assessment of a potential nonprofit subrecipient (“subrecipient”) for a municipality may provide an opportunity to identify red flags that could lead to fraud or misappropriation of grant funds, if left unaddressed.

When a municipality awards funds to a subrecipient, it is required to evaluate the subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining appropriate subrecipient monitoring.[1] Municipalities should consider performing a SAM.gov debarment check as a part of this risk assessment to ensure that a nonprofit being considered for an award is eligible to receive federal funds.[2]

If the risk assessment identifies red flags or performance concerns and a municipality still awards grant funds to the subrecipient, the municipality should put a monitoring plan in place imposing specific subaward conditions to ensure the subrecipient addresses any concerns.[3]

Below are common red flags that might surface during a risk assessment, including some specific to nonprofits, that could lead to fraud and/or misappropriation of COVID relief funds, if left unaddressed:

1. The nonprofit lacks prior experience with receiving subawards.
2. The nonprofit lacks an understanding of the federal rules surrounding the subaward.
3. The nonprofit lacks experienced staff or does not have enough staff to ensure compliance and oversight of federal awards and mitigate the risk of fraud, waste and abuse.
4. Previous state, local, and/or federal audits noted significant deficiencies.
5. The nonprofit uses new personnel or new or updated systems for the municipality’s program.
6. A separate federal awarding agency has identified concerns with the nonprofit (e.g., if the nonprofit also receives federal awards from a federal awarding agency, who put monitoring in place because of identified vulnerabilities).
7. The nonprofit has a history of past civil, criminal, and/or administrative investigations.
8. The nonprofit has failed to timely file its Form 990 tax documentation.[4]
9. The nonprofit has previous revocation or suspension of nonprofit status.
10.  The nonprofit has a lack of internal controls to monitor distribution of funds and/or services.
11. No documented policy for conducting due diligence on contractors, suppliers, and vendors exists for the nonprofit.
12. There is no central repository for documenting the subaward activities, such as invoicing, procurement, and inventory control.
13. The nonprofit lacks an employee code of conduct or conflict of interest policy.

Identification of the above red flags may indicate vulnerabilities that could lead to fraud and misappropriation of grant funds.  A risk assessment is critical to identify red flags so that they can be addressed prior to the distribution of funds and/or services.

The municipality should apply the following monitoring tools to ensure proper accountability and compliance with program requirements and achievement of performance goals:[5]

1. Providing subrecipients with training and technical assistance on program-related matters
2. Performing on-site reviews of the subrecipient's program operations.
3. Requiring the subrecipient to submit work-in-progress reports at regular intervals.
4. Establishing a point of contact with the subrecipient for questions or concerns.

Monitoring SAM.gov’s exclusion record throughout the course of the subaward to ensure that the subrecipient is eligible for federal funds.

Last Updated: February 2, 2023

Are all grants to businesses coming from SLFRF grants considered gross income and therefore taxable? (This presumably would require cities to send 1099-Gs to businesses that received grants.)

Businesses should anticipate that the Internal Revenue Service (IRS) may treat Coronavirus State and Local Fiscal Recovery Funds (SLFRF) grants as taxable gross income. The IRS released guidance on the taxability of SLFRF, indicating that “[s]ome SLFRF recipients may have to report certain payments as income and may owe tax depending on the purpose of the payment.”[1] Specifically, payments that are not taxable are those made to:

• reimburse or pay reasonable and necessary personal, family, living, or funeral expenses incurred as a result of a qualified disaster, or
• promote the general welfare in connection with a qualified disaster. See Internal Revenue Code (the “Code”) section 139(b)(1) and (4).

While there is an exemption for grants made to promote the general welfare in response to a qualified disaster, like the COVID-19 pandemic, this is typically only applicable to individuals and families (i.e., not businesses). Additionally, this exemption does not apply to grants that are made to compensate individuals or businesses for services rendered.[2]

The IRS notes that:

“Payments are not treated as qualified disaster relief payments if the payments are in the nature of compensation for services performed by the individual. Additionally, payments made to or for the benefit of an individual are not treated as qualified disaster relief payments to the extent the expense of the individual compensated by such payment is otherwise compensated for by insurance or otherwise. See section 139(b)”[3]

In general, individuals must include in gross income any payment or accession to wealth from any source unless an exclusion applies.[4]

While the question of whether grants to businesses is considered gross taxable income is not explicitly answered for SLFRF grants, the IRS did state that Coronavirus Aid, Relief, and Economic Security Act (CARES Act) grants issued in cases of a government starting a grant program to support business generally are not excluded from the business’s taxable gross income:

“Yes, receipt of a government grant by a business generally is not excluded from the business's gross income under the Code and therefore is taxable. However, a grant made by the government of a federally recognized Indian tribe to a member to expand an Indian-owned business on or near reservations is excluded from the member's gross income under the general welfare exclusion.”[5]

As such, municipalities should consider issuing 1099s to businesses that receive SLFRF and CARES Act grants that are taxable pursuant to IRS guidance issued to date. Municipalities should seek the advice of their tax professionals to address the specific facts and circumstances regarding their tax obligations.

Last Updated: January 23, 2023

What resources or strategies exist to help municipalities develop robust program outcome measures to incorporate into their grant applications?

Municipalities should ensure program outcomes are specific, measurable, attainable, results-oriented, and time-bound. To facilitate meaningful program outcomes, municipalities should first examine a grant’s Notice of Funding Opportunity (“NOFO”). Municipalities should consider contacting the funding agency for project guidance and direction regarding acceptable and anticipated outcomes and potential strategies to obtain those goals. When applying for funding, municipalities should aim to understand the grantor’s priorities and comply with points emphasized by the relevant NOFOs to put their grant applications in a more advantageous position.

Grant applications often include a scoring rubric or scoring considerations to help applicants develop program outcome measures. For example, the U.S. Department of Transportation’s Rebuilding American Infrastructure with Sustainability and Equity (“RAISE”) Grant Program NOFO scoring category for “Innovation” includes in the description of a “High” ranking project, the following:

“Innovation is an explicit project purpose AND the project has clear, direct, data-driven, and significant benefits beyond common practice for planning, designing, or building infrastructure for [d]eploying technologies and other practices that drive safety, equity, climate and resilience, or economic outcomes for underserved, overburdened, or disadvantaged communities or augment workers.”[1]

A scoring rubric is a useful tool in determining how likely a proposed project or program is to be funded. Self-scoring also allows applicants to reflect and adjust programs, outcomes, or other project-related components. Municipalities may also use the resulting score as guidance for future grant cycles.

Further, municipalities may refer to the funders’ websites to access specific award requirements and archives of past awards, applications, and project abstracts. Municipalities can also connect with past award recipients to improve the municipality’s understanding of program outcome measures and lessons learned. Municipalities may also consider requesting copies of successful application packets and any supporting materials from past award recipients to use as a reference.

Municipalities should also carefully review the funders’ compliance and reporting requirements to ensure the necessary criteria are measured. In addition, municipalities may benefit from conducting research on comparable grant-funded programs and reviewing the applicable outcomes and other data measurement tools related to those programs. 

Partner and stakeholder alliances can also help develop funded projects and foster ongoing coordination and collaboration between stakeholders, including sharing data and letters of support.

Finally, the COVID-19 pandemic has shifted the way many funders and applicants communicate. Many federal, state, and local funders have transitioned to online grant applicant briefings, and recorded information sessions can now be found on agency websites. Municipalities may also attend online, or in-person funding availability listening sessions and ask agency representatives questions. Funders are often willing and helpful collaborators in the grant application development process, as are agency representatives.

Last Updated: February 2, 2023

What criteria should municipalities follow when contracting for external cybersecurity management, monitoring, tracking, and auditing services?

Municipalities should refer to the State and Local Cybersecurity Grant Program (“SLCGP”) Notice of Funding Opportunity (“NOFO”) to guide them in contracting for external cybersecurity management, monitoring, tracking, and auditing services. Eligible incurred costs under the SLCGP must comply with the Uniform Administrative Requirements, Cost Principles, and Audit Requirements outlined at 2 C.F.R. Part 200, including, among other requirements, the requirement that “costs must be incurred, and products and services must be delivered, within the period of performance of the award.”[1]  

Further, the procurement of any services must comport with procurement standards outlined at 2 C.F.R. §§ 200.317–200.327, including following recognized procurement methods and respecting socioeconomic considerations related to soliciting small and minority businesses, women’s business enterprises, and labor surplus area firms.[2]

Generally, costs associated with management and administration fall into one of the seven allowable expense categories enumerated in the SLCGP NOFO.[3] Accordingly, administrative costs related to management, monitoring, tracking, and auditing services could all be considered eligible costs, as long as the costs are reasonable and allocable to the grant, and provided the contracts for the services follow the procurement standards at 2 C.F.R. §§ 200.317–200.327.[4] Finally, the SLCGP Notice of Funding Opportunity specifies that the maximum amount of funding for management and administrative costs is five percent of the SLCGP award.[5]

What are good practices to demonstrate the benefits of SLCGP funding on projects in existing or new cybersecurity plans?

An eligible entity can greatly benefit from the State and Local Cybersecurity Grant Program (“SLCGP”) by partnering with one or more other eligible entities to form a multi-entity group.[1] Such a partnership could result in cost savings for the partnering entities equaling 10 percent, as there is no cost share requirement for multi-entity projects during Fiscal Year 2022.[2] Partnerships between multiple diverse entities can also yield several additional benefits, including information sharing that can help improve existing cybersecurity plans, and access to combined resources that can help inform the creation of new plans. Partnerships also allow smaller entities to participate in parts of the procurement process which they may not have otherwise had access to, including benefits associated with major acquisitions.[3] Simultaneously, all participating parties to a multi-entity grant may realize cost savings because of volume purchases.[4] Combining resources through partnerships may also facilitate timely development, prioritization, and implementation of projects by eliminating duplication of efforts and aiding in the identification of planning gaps.

Can a city’s partial or existing cybersecurity plan be integrated into the cybersecurity plan required of eligible entities under the State and Local Cybersecurity Grant Program?

Yes, a city’s partial or existing cybersecurity plan can be integrated into the cybersecurity plan eligible entities are required to submit under the State and Local Cybersecurity Grant Program (“SLCGP”). The SLCGP defines the term “eligible entity” to include “states or tribal governments”.[1]

To receive funding under SLCGP, eligible entities, such as states or territories, must submit a cybersecurity plan that includes certain required elements, as outlined 6 U.S.C. § 665g. [2] These required elements incorporate the development of cybersecurity capabilities across the state or territory and are not specific to local governments.[3]  However, if the eligible entity is a state, input and feedback from local governments and associations of local governments should be incorporated.[4]

Cities are only eligible for SLCGP funding as subapplicants and should work with the eligible entity’s Cybersecurity Planning Committee to receive subawards.[5] Accordingly, cities are not required, under the SLCGP, to integrate their partial or existing cybersecurity plans into the eligible entity’s final cybersecurity plan but may do so.   

Though not required, cities and eligible entities are encouraged to connect and collaborate regarding the integration of partial or existing cybersecurity plans into the eligible entities’ required plans.

The Department of Homeland Security recommends that eligible entities take the following steps in crafting their SLCGP cybersecurity plans:

• review existing governance and planning documents;
• review existing assessments and evaluations (e.g., reports, after action reports) conducted by state, local, tribal, and territory governments;  
• identify any governance, planning, assessment, or evaluation gaps that should be addressed by the cybersecurity plan; and
• identify potential SLCGP projects to address identified gaps and prioritize mitigation efforts.[6]

Like eligible entities under SLCGP, cities are also encouraged to review the above guidance from the Department of Homeland Security as they craft and/or update their own cybersecurity plans. 

Can municipalities use the same cybersecurity plan for the entire duration of the SLCGP period of performance, ending August 31, 2026?

The State and Local Cybersecurity Grant Program (“SLCGP”) requires eligible entities to submit a comprehensive and strategic cybersecurity plan to reduce cybersecurity risks and increase capacity to address cybersecurity vulnerabilities as part of their grant application. A municipality’s Cybersecurity Committee and Chief Information Officer/Chief Information Security Officer must approve the plan. A municipality’s cybersecurity plan should cover two to three years.[1] The plan will initially be approved for two years and will require annual approval thereafter.[2] The Notice of Funding Opportunity for the SLCGP does not address any extension of the annual plan approvals. Note that all eligible entities within a multi-entity group must already have a Cybersecurity Plan in place for the multi-entity group to be eligible for an award; multi-entity groups are not eligible for awards to develop a Cybersecurity Plan.

Last Updated: October 28, 2022

Can an application for funding originally submitted for another Infrastructure Investment and Jobs Act programs be repackaged and submitted for the State and Local Cybersecurity Grant Program?

The Notice of Funding Opportunity for State and Local Cybersecurity Grant Program (“SLCGP”) does not specifically address repackaged applications.[1] However, an eligible entity may be able to repackage and submit to the SLCGP an application previously submitted for another Infrastructure Investment Jobs Act (IIJA) program, provided the application is complete, includes all information required for eligibility under the program being applied to, and did not result in funding under another grant program.

Determinations of FY22 SLCGP funding allocations will be formula-based as described in the notice of funding opportunity (“NOFO”). SLCGP also requires a non-federal cost share. The SLCGP NOFO states that even if the actual cost of an SLCGP grant application or project exceeds the grant amount under SLCGP, the grant amount will not change. The NOFO, however, does not specifically state anything about use of other federal grants to fund any potential cost overrun.

If a previously submitted application for another IIJA program resulted in funding allocation, in addition to SLCGP requirements, applicants should review the requirements of the other grant program and confirm that there are no restrictions against submitting that application for SLCGP and does not result in funding for the same projects (a duplication of benefits). 

Per the Uniform Administrative Requirements in 2 C.F.R. 200, entities should ensure that SLCGP funds do not duplicate other federal funding sources.[2] FEMA describes Duplication of Benefits (“DOB”) for entities using multiple federal funding sources in FAQs as follows:

A DOB occurs when an entity receives (i.e., draws down/takes possession of) multiple sources of federal funding assistance, or outside funding (e.g., insurance), for a specific eligible cost or activity where funding has already been used for the entirety of that particular cost or activity, or in excess of the amount needed for that specific eligible cost or activity.[3]

Last Updated: November 7, 2022

How is State and Local Cybersecurity Grant Program funding calculated?

The State and Local Cybersecurity Grant Program (“SLCGP”) provides $185 million in funding.[1] States, the District of Columbia, and Puerto Rico will receive a minimum of $2 million, with additional funds to be allocated based on a recipient’s total population and the ratio of each state’s population residing in a rural area.[2] Each of the four U.S. territories will receive $500,000.[3]

The funding for the fiscal year 2022 will be awarded by the U.S. Department of Homeland Security (“DHS”) based on baseline minimums and population as required by the Homeland Security Act of 2002.[4] According to the Federal Emergency Management Agency (“FEMA”):

Each state and territory will receive a baseline allocation using thresholds established in the Homeland Security Act of 2002. All 50 States, the District of Columbia, and the Commonwealth of Puerto Rico will receive a minimum of $2,000,000 each, equaling 1% of total funds appropriated to DHS in FY 2022. Each of the four territories (American Samoa, Guam, the Northern Mariana Islands, and the U.S. Virgin Islands) will receive a minimum of $500,000, equaling 0.25% of the total funds appropriated to DHS in FY 2022. $90,500,000, 50% of the remaining amount will be apportioned based on the ratio that the population of each state or territory bears to the population of all states and territories. The remaining $90,500,000, equaling the other 50% of the remaining amount, will be apportioned based on the ratio that the population of each state that resides in rural areas bears to the population of all states that resides in rural areas.[5]

A detailed listing of allocations per state and territory is available on the Department of Homeland Security Notice of Funding Opportunity Fiscal Year 2022 State and Local Cybersecurity Grant Program.[6]

Last Updated: October 24, 2022

What are some good practices for grant managers to follow when assessing the health of grant programs within an inherited portfolio?

There are several ways a grants manager may approach evaluating the health of various grant programs within a newly inherited portfolio. The following recommendations are based on the experiences of financial management professionals skilled in designing and implementing grant programs across various stages of the grant lifecycle. These recommendations may assist new grants managers with ways to familiarize themselves with a grants program. However, these recommendations may not apply to every government organization. Municipalities may wish to consult with counsel and their accounting team to ensure compliance with federal, state, and local laws.

• Review program requirements for each grant program within the portfolio. A grant manager should identify and review relevant information for each grant program within the portfolio to gain insight into the program’s eligibility requirements, allowable activities, performance periods, reporting, and any applicable Uniform Guidance provisions. To understand the requirements for each grant program, it may be helpful to identify the “assistance listing” associated with the specific programs, if this information is available. Assistance listings outline all requirements associated with federal awards and can be accessed here: https://sam.gov/content/assistance-listings.[1]
• Review previous audit or Single Audit reports. For most federal programs, recipients who expend more than $750,000 in federal funding in any given fiscal year are required to conduct a Single Audit.[2] Single Audits typically focus on:
• Eligibility
  • Allowable Costs and Activities
  • Cash Management
  • Equipment and Real Property Management
  • Matching, Level of Effort, and Earmarking
  • Period of Performance
  • Procurement, Suspension, & Debarment
  • Program Income
  • Reporting
  • Subrecipient Monitoring
  • Special Tests and Provisions

Audit reports can inform a grants manager of any weaknesses, deficiencies, adverse conditions, or changes identified during the audit. Audit reports also include recommendations for improvements to the areas outlined above.

• Review financial or performance reports. Most federal, state, and local grant programs require a progress report, including financial and programmatic data. These reports are often submitted on a quarterly or annual basis and outline the status of the grant program and how funding has been spent. Reviewing these reports may be another way to identify if program requirements are being met.
• Read Legislative Updates on grant programs, if available. Most legislative bodies are responsible for the appropriation of grant funding for an organization. Often, program managers and department directors prepare legislative updates for general legislative meetings or budget hearings. Reading these reports may provide additional details on how the program was established, legislative input and feedback on the design of the program, and any program status updates.
• Review grant program documentation. To better understand an inherited grant program, it may be useful to review existing grant program documentation, including standard operating procedures, or other administrative policies establishing internal controls. These documents may help provide additional information on the efficiency of a grant program.
• Request a transition meeting or status update from existing grant program managers or relevant stakeholders on the progress of the grant program. Speaking directly with program stakeholders, such as the program manager, may assist a grants manager with understanding the overall requirements and status of each grant program, including:
  • Eligibility requirements associated with a grant;
  • Funding available under a grant program;
  • Proposed timelines for implementation of a grant project;
  • Performance metrics associated with a grant project; and
  • Internal or external reporting requirements associated with a grant project.

Program stakeholders may also be able to assist a grants manager with obtaining access to key program documentation relevant to the transition from one grants management team to the next.

What are some strategies for ensuring grant-funded initiatives are inclusive and aligned with community needs/desires?

A municipality should first ensure any grant-funded programs and activities are compliant with grant requirements, including but not limited to civil rights laws, ADA regulations, and Fair Housing regulations.  

If a municipality has staff that monitors and conducts legislative analysis, the municipality should incorporate that resource into its overall strategy for ensuring compliance and inclusivity relative to specific grant programming.  

For a municipality’s programs and projects, an equity framework should be considered from planning through completion. To consider equity considerations, it is important to have an open and transparent planning process that includes routine engagement with elected officials, stakeholders, and the public.

It is also important to ensure a public involvement plan is in place to address the ways a municipality will engage with the community. This plan should employ strategies that are creative and engage diverse populations so there is equal access to programs services.  The plan should outline strategies to reach underserved populations with messaging regarding grant funded services, including communications in locations where such populations socialize. A municipality could consider holding public meetings and civic gatherings, as well as providing information and targeted outreach to underserved populations before, during, and after grant programming is initiated. The plan should also consider how to provide meaningful access to limited English proficient (“LEP”) individuals. Agency training should also be provided to ensure staff comprehension of both regulatory compliance requirements and inclusive approaches under any given grant program. In developing the plan, a municipality may wish to utilize in-house Geographic Information Services (“GIS”) to update demographic data and assist with identifying and meeting program objectives with respect to areas that are considered underserved, marginalized, and adversely affected. If the municipality does not have a GIS resource, the municipality may use the data gathering and analysis tools available on the US Census Bureau’s website, including tools that populate maps of underserved areas and identify Qualified Census Tracts (“QCTs”).[1] Other resources for demographic information may include Metropolitan Planning Organizations and regional or state municipalities. It is also important to be aware of local and national political, social, and economic events which impact community health and viability, such as employment rates, job availability, education and workforce training, food deserts, public transportation, among other issues.

Municipalities may also consider engaging with community-based organizations, non-profits, and the public to help build an understanding of the community’s needs and to help facilitate impact.

Finally, municipalities should aim to garner trust within the community. An example of this can be to highlight for the community updates and advertise local opportunities for engagement and community input. This may be done on the municipality website but can also be shared through community-based organizations (“CBO”) such as media outlets. Fostering an inclusive environment for community members to voice concerns regarding inequities will help solidify trust and facilitate critical feedback. It will also become an invaluable resource for determining program needs more generally.

Can a municipality alter its use of ARP funds after it has designated a project in quarterly reporting to Treasury? Would this be allowable if ARP funds expended on the originally planned project were reimbursed with city funds?

The U.S. Department of the Treasury’s (“Treasury”) Final Rule on the American Rescue Plan Act’s (“ARP”) Coronavirus State and Local Fiscal Recovery Funds (“CSLFRF”) does not expressly permit or prohibit changes in project plans, nor does it address a jurisdiction’s internal or regulatory fiscal processes concerning approval by a legislative body in activities such as budget amendments, change orders, and other actions.

Treasury’s Project and Expenditure Report User Guide for CSLFRF states:

Treasury understands that recipients may use different budget processes. For example, a recipient may consider a project budgeted once a legislature has appropriated funds; whereas another recipient may consider a project budgeted at the moment the funds have been obligated.[1]

While nearly all federal grants require approval on most every component of a project and its associated budget and expenditures, Treasury specifically states that this is not the case with respect to the use of CSLFRF funds:

Treasury is not approving or pre-approving projects or budgets. Treasury will use this information to better understand the intended impact, identify opportunities for further engagement, and understand the recipient’s progress in program implementation. Treasury is also collecting additional descriptive information about the budget process to better understand the context of recipients’ budget processes.[2]

The Project and Expenditure Report User Guide also provides the following information to address steps that must be taken when project plans change on a quarterly or annual basis. This guidance acknowledges that awardees may find it necessary to alter project plans, including changes to previously budgeted and expended project line items.

Treasury’s Project and Expenditure Report User Guide states in relevant part:

Certain data fields may be updated in Treasury’s Portal. In addition, if projects were previously reported under an Expenditure Category that changed or no longer exists, or additional programmatic data is needed, the Project Profile screen will show a yellow pencil icon.[3]

Once a new project is identified and vetted, municipalities should consider thoroughly reviewing Section V. Editing and Revising Your Data, with the proposed project in mind, to better understand the steps required to report project changes, including project updates, revisions, and cancellations.[4] Section V provides instructions to edit and revise data through either manual entry or bulk upload depending upon which method is preferred or previously followed by the recipient.   

Manual entry utilizes the Treasury portal’s web-based forms to edit or change fields individually. Bulk upload functionality would be appropriate when dealing with larger sets of data or records. Using this process, recipients will have the ability to delete any new projects that have been created during the current reporting cycle.[5]   

Projects submitted in prior reporting periods may be removed through cancelling and setting obligations and expenditures to $0.00, and/or creating offsetting entries to capture the project changes. Appropriate edits of subrecipient(s) and subrecipient data can also be made.[6] Further, it may be reasonable to assume that a fully vetted project alteration would likely be allowable provided it complies with all other applicable Treasury guidance. Finally, because Treasury does not provide budget guidance, a municipality may appropriately rely on its own internal procedures and processes as well as any other relevant regulatory provisions regarding budget amendments to reflect changes in use of funds or project allocations.

Last Updated: July 6, 2022