COVID-19 Federal Assistance e311


Compliance & Reporting, Due Diligence & Fraud Protection

Funding Source

American Rescue Plan Act, CARES Act, CSLFRF, FEMA, HUD, Infrastructure Investments and Jobs Act

Should a municipality consider conducting risk assessments as part of its audit strategy?

A municipality should consider conducting risk assessments as part of its audit strategy. Risk assessments can be used to evaluate the condition of a program and comply with federal program requirements. Risk assessments are required when a municipality is a recipient of federal funds and when it is acting as a pass-through entity.[1] Risk assessments are likely not required when the municipality is a subrecipient of award funds.[2]

If a municipality is eligible for federal funding as a subrecipient, it should work with the pass-through entity to receive subawards. 2 CFR § 200.1 defines the term “pass-through entity” to include “a non-federal entity that provides a subaward to a subrecipient to carry out part of a [f]ederal program.”[3]

Municipalities and pass-through entities are encouraged to connect with each other and collaborate regarding compliance with program requirements.[4]

Conducting Risk Assessments

It is a good practice for municipalities receiving federal funding as subrecipients to conduct risk assessments so they are aware of their own risk for federal noncompliance ahead of the mandatory risk assessments awarding entities will conduct. Subrecipients that conduct such self-risk assessments may help facilitate a more comprehensive risk assessment by the awarding entity.

However, it is a federal requirement to perform a risk assessment when the municipality is going to pass the funds to a subrecipient. 2 CFR § 200.332 (b) requires all pass-through entities (the awarding entities) to conduct a risk assessment evaluating a subrecipient’s risk of noncompliance with federal statutes before the entity may award federal funds to a subrecipient. 2 CFR § 200.332 (b) outlines factors pass-through entities may consider in evaluating the level of risk for noncompliance:[5]

  • The subrecipient’s prior experience with the same or similar subawards
  • The results of previous audits including whether the subrecipient receives a Single Audit in accordance with 2 CFR § 200.501 (b), and the extent to which the same or similar subaward has been audited as a major program
  • Whether the subrecipient has new personnel, or new or substantially changed systems
  • The extent and results of [f]ederal awarding agency monitoring (e.g., if the subrecipient also receives [f]ederal awards directly from a federal awarding agency).[6]

Monitoring and Auditing Programs Following Risk Assessments

A risk assessment breaks down each aspect of a program to identify high-risk areas for operational fraud. These operational fraud risk areas should be monitored and audited to ensure compliance with program requirements.[7] Once a risk assessment is completed, the project oversight team, including auditors, will be able to monitor and audit key areas of focus, including but not limited to:

  • Planning for the use of federal funds and compliance with federal regulations; 
  • Financial, acquisition, and grant management policies and procedures;
  • Organizational leadership, capacity, and expertise;
  • Existing internal controls and any identified weaknesses;
  • Findings and recommendations from prior state or federal audits;
  • Program governance, administration, and oversight;
  • Subrecipient internal control weakness;
  • Barriers to tracking and reporting on the use and results of federal funding;
  • State and federal procurement requirements;
  • Potential conflicts of interest and ethics compliance;
  • Health and safety;
  • Information security and data protection; and
  • Due diligence. 

Last Updated: March 3, 2023

[1] 2 CFR, § 200.332 (b).

[2] Department of Treasury, “Compliance and Reporting Guide (as of September 20, 2022),” at 11, available at:

[3] 2 CFR, § 200.1.

[4] 2 CFR, § 200.332 (e).

[5] Id., at (b).

[6] 2 CFR, § 200.332.

[7] U.S. Department of State, “Risk Analysis,” available at: