What controls should a municipality have in place for receiving and distributing COVID funds?

I.  Guiding Resources on Internal Controls

A. The Green Book

Standards for internal controls in the Federal Government are collectively known as the “Green Book,” which is a US Government Accountability Office (“GAO”) publication that sets forth standards for an effective internal control system for federal agencies.^[1]

B. COSO Framework

The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) has created a framework to help​​ organizations design and implement internal controls.^[2] COSO is a private sector organization and not part of the GAO.  COSO offers a framework that provides useful tools, advice and directions on how to create and apply internal controls in addressing operations and reporting objectives, and also clarifies the requirements for effective internal controls.  COSO has also issued Illustrative Tools for Assessing Effectiveness of a System of Internal Control and the Internal Control over External Financial Reporting (“ICEFR”): A Compendium of Approaches and Examples. The Illustrative Tools are intended to assist entities when assessing whether a system of internal control meets the requirements set forth in the framework.   

II.  The Uniform Administrative Guidance

A.  Generally

The Uniform Administrative Guidance (“UAG”), which is set forth in the Code of Federal Regulations at 2 CFR § 200 and issued by the Office of Management and Budget (“OMB”), includes provisions which lay out internal control requirements. 

The CARES Act and the CRF reference the UAG standards. The US Treasury sets out guidance and responses to FAQs, which include specific reference to internal controls and aspects of the UAG that apply to the CARES Act.  (A potentially useful resource may be found here: https://www.whitehouse.gov/wp-content/uploads/2020/12/2020-Compliance-Supplement-Addendum_Final.pdf ). 

The UAG provisions referenced above, which set forth guidance for internal controls over the use and distribution of CRF and CARES Act funds, may apply in a similar way to the ARP. However, explicit guidance on establishing and applying internal controls with respect to the ARP has not yet been decided or disseminated.

B. Potentially Relevant UAG Provisions^[3]

Below are potentially relevant UAG provisions relative to internal controls.  The following include definitions, processes overview, and regulatory considerations.

2 CFR § 200.61 Internal Controls 

“Internal Controls means a process, implemented by a non-Federal entity, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:  

(a) effectiveness and efficiency of operations;  

(b) reliability of reporting for internal and external use; and  

(c) compliance with applicable laws and regulations.” 

2 CFR § 200.62 Internal control over compliance requirements for Federal awards.  

“Internal control over compliance requirements for Federal awards means a process implemented by a non-Federal entity designed to provide reasonable assurance regarding the achievement of the following objectives for Federal awards:  

(a) Transactions are properly recorded and accounted for, in order to:  

     (1) permit the preparation of reliable financial statements and Federal reports;  

     (2) maintain accountability over assets; and  

     (3) demonstrate compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.

(b) Transactions are executed in compliance with:  

     (1) federal statutes, regulations, and the terms and conditions of the Federal award that could have a direct and material effect on a Federal program;  

     (2) any other Federal statutes and regulations that are identified in the Compliance Supplement; and  

(c) funds, property, and other assets are safeguarded against loss from unauthorized use or disposition.”  

According to the Federal Registrar^[4] issued by the U.S. Treasury dated January 15, 2021, fund payments are subject to the requirements in the Uniform Guidance 2 CFR 200.303 regarding internal controls.

2 CFR § 200.303 Internal Controls: 

“The non-Federal entity must:   

(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).  

(b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards. 

(c) Evaluate and monitor the non-Federal entity's compliance with statutes, regulations and the terms and conditions of Federal awards. 

(d) Take prompt action when instances of noncompliance are identified including noncompliance identified in audit findings.  

(e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, state, local, and tribal laws regarding privacy and obligations of confidentiality.” 

[78 FR 78608, Dec. 26, 2013, as amended at 79 FR 75883, Dec. 19, 2014]  

III. Conclusion

In addition to the potentially applicable UAG 2 CFR § 200 provisions summarized above, it is important to follow local jurisdictional rules and guidelines for internal controls.  Consideration of the guidance contained in the “Green Book” or the “Internal Control Integrated Framework” (COSO) would be prudent, as well as any guidance which may be forthcoming relative to internal controls and the ARP.