The risk assessment requirements for pass-through entities are a framework used by pass-through entities to evaluate and establish an appropriate monitoring strategy for subrecipients to the prime Federal award.
This information applies to:
all grants and cooperative agreements
Per 2 CFR 200, pass-through entities must evaluate their subrecipient's risk of noncompliance with applicable Federal statutes, regulations, and the Federal award's terms and conditions. The central purpose of the risk assessment is to determine the appropriate level of monitoring of Federally-funded project activities to ensure the subaward objectives and purpose are met; that the subrecipient is in compliance with all applicable Federal requirements;, and that the performance goals of the subaward are achieved.
2 CFR 200 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards
§200.74 Pass-through entity.
Pass-through entity means a non-Federal entity that provides a subaward to a subrecipient to carry out part of a Federal program.
Recipient means a non-Federal entity that receives a Federal award directly from a Federal awarding agency to carry out an activity under a Federal program. The term recipient does not include subrecipients. See also §200.69 Non-Federal entity.
Subaward means an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a Federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a Federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract.
Subrecipient means a non-Federal entity that receives a subaward from a pass-through entity to carry out part of a Federal program; but does not include an individual that is a beneficiary of such program. A subrecipient may also be a recipient of other Federal awards directly from a Federal awarding agency.
[78 FR 78608, Dec. 26, 2013]
§200.331 Requirements for pass-through entities.
All pass-through entities must:
(b) Evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient's prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F—Audit Requirements of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
[78 FR 78608, Dec. 26, 2013, as amended at 79 FR 75885, Dec. 19, 2014; 80 FR 54409, Sept. 10, 2015]
2 CFR 200 Compliance Supplement (Frequently Asked Questions—July 2017 update)
.331-10 Requirements for Pass-Through Entities. Timing of Subrecipient Risk Assessments *
Q: Section §200.331 (b) indicates that pass-through entities must “evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring…” Are pass-through entities required to assess the risk of non-compliance for each applicant prior to issuing a subaward?
A: No. While section §200.331 (b) requires risk assessments of subrecipients, there is no requirement for pass-through entities to perform these assessments before making subawards. Under the Uniform Guidance, the purpose of these risk assessments is for pass-through entities to determine appropriate subrecipient monitoring. Pass-through entities may use judgment regarding the most appropriate timing for the assessments. Regardless of the timing chosen, the pass-through entity should document its procedures for assessing risk. Section §200.331 (b) (1) – (4) includes factors that a pass-through entity may consider when assessing subrecipient risk. While section §200.205 imposes requirements for a Federal awarding agency to review the risk posed by applicants prior to making a Federal award, there are no corresponding requirements for a pass-through entity; however, it is a best practice for pass-through entities to evaluate risk prior to making a subaward.
Frequently Asked Questions
What is the purpose of having to complete a risk assessment of our subrecipients?
Pass-through entities must complete a risk assessment on each of their subrecipients to help ensure that the Federal award is spent properly and that the subrecipient complies with all applicable Federal statutes, regulations, and the terms and conditions of the Federal award. This is the same reason why each Federal awarding agencies must also complete a risk assessment for each of their prime recipients prior to issuing a Federal award. The risk assessment also provides the framework by which the pass-through entity can help to mitigate for any potential risk associated with each subrecipient.
Am I required to complete a risk assessment of my subrecipients before issuing a subaward?
§200.331(b) requires pass-through entities to conduct a risk assessment of their subrecipients, but does not specify that such assessments be completed prior to issuing the subaward or the subsequent disbursement of funds to the subrecipient. The Council On Financial Assistance Reform (COFAR) addressed this question in its FAQs (updated July 2017).
My organization uses only "contracts" as the legal instrument to enter into agreements with both subrecipients and contractors. Therefore we consider all of our relationships as contractors. Do we still have to complete risk assessments?
Maybe. Many non-Federal entities, particularly State agencies, call all of their legal instruments "contracts". According to 2 CFR 200.300, "A non-Federal entity may concurrently receive Federal awards as a recipient, a subrecipient, and a contractor, depending on the substance of its agreement with the Federal awarding agency and pass-through entities. Therefore, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of Federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor." Pass-through entities need to reflect upon the nature of each relationship in order to determine if the partnering non-Federal entity is a subrecipient or a contractor (see 'Subrecipient vs Contractor Determination').
How often do I need to complete a risk assessment of a subrecipient?
Pass-through entities should complete a risk assessment of their subrecipients according to their established and documented policies and procedures.
Where should I keep the results of our subrecipient risk assessment?
It is a best management practice to keep the results of each subrecipient risk assessment in either their agency's official subrecipient award file or in a centralized subject-matter file. In either the case, the results of the risk assessment should be easily accessible by your program/fiscal staff and auditors if they request it.
What criteria or factors should a pass-through entity evaluate when conducting a risk assessment on a potential subrecipient?
§200.331(b)(1-4) provides some factors that pass-throughout entities may review when evaluating a subrecipient's potential risk of noncompliance. These factors should not limit a pass-through entity from evaluating additional factors that are above and beyond those listed in § 200.331.
The FWS has developed its own risk assessment form for evaluating their prime recipients. May we use their form to evaluate our subrecipients?
Pass-through entities who have not developed and implemented their own risk assessment form are welcome to review the Service's risk assessment form for evaluating its prime recipients potential risk of noncompliance. This form may provide a great starting point for pass-through entities as they begin to develop their own risk assessment. Pass-through entities should be aware that the Service's risk assessment form was developed specifically to satisfy its requirements under § 200.205 Federal awarding agency review of risk posed by applicants. This form was not developed for, nor was it ever intended to be used by, pass-through entities to meet their risk assessment requirements under §200.331(b). Pass-through entities who use the Service's risk assessment form do so voluntarily and the Service accepts no responsibility or liability should auditors determine that this risk assessment fails to meet the requirements set forth for pass-through entities conducting risk assessments of their subrecipients.
Are there differences in the requirements for a risk assessment that Federal awarding agencies must complete on their prime recipients compared to the requirements for a risk assessment that pass-through entities must complete on their subrecipients?
Yes there are differences in the requirements. §200.205 requires Federal awarding agencies, for competitive grants and cooperative agreements, have in place a framework for evaluating the risk posed by applicants before they receive Federal awards. In evaluating such risk, the Federal awarding agency may use a risk-based approach and may consider any items such as the following:
(1) Financial stability;
(2) Quality of management systems and ability to meet the management standards prescribed in 2 CFR 200;
(3) History of performance;
(4) Reports and findings from audits performed under Subpart F - Audit Requirements of this part or the reports and findings of any other available audits; and
(5) The applicant's ability to effectively implement statutory, regulatory, or other requirements imposed on non-Federal entities.
§200.331 requires that pass-through entities evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in § 200.331(d-e). In evaluating such risk, pass-through entities may consider such factors as:
(1) The subrecipient's prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F - Audit Requirements, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g. if the subrecipient also receives Federal awards directly from a Federal awarding agency).
How should pass-through entities use the results of their subrecipient's risk assessment?
Pass-through entities should use the results of the risk assessment to help determine the appropriate level of subrecipient monitoring to ensure that the Federal award is used properly and the subrecipient remains in compliance with Federal statutes, regulations, and terms and conditions of the Federal award. Based on the results of the risk assessment, the pass-through entity's monitoring of the subrecipient must include:
(1) Review of financial and performance reports required by the pass-through entity;
(2) Follow up and assurance that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means; and
(3) Issuance of a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 Management decision.
Pass-through entities may also use the results of the risk assessment to place additional, special conditions on the Federal award to help aid with the mitigation of elevated risk posed by the subrecipient. The pass-through entity should advise the subrecipient of the need for additional, special conditions and should also advise the subrecipient on what courses of action need to be successfully implemented to properly mitigate for such risk. Once the subrecipient has successfully met the conditions to offset for this risk, then the special conditions should be removed from the Federal award.
Additionally, pass-through entities may find the following tools useful to ensure proper accountability and compliance with program requirements and achievement of performance goals:
(1) Provide subrecipients with training and technical assistance on program-related matters;
(2) Perform on-site reviews of the subrecipient's program operations; and
(3) Arrange for agreed-upon-procedures engagements as described in §200.425 Audit services.
What happens if a pass-through entity rates their subrecipient as low risk, but then determines the subrecipients is a higher risk entity?
If a pass-through entity completes a risk assessment and scores a subrecipient low and then during the award identifies enhanced levels of risk posed by the subrecipient, the pass-through has the ability to amend the subaward to add additional terms/conditions to mitigate this risk. Pass-through entities may also choose to increase their monitoring efforts on such subrecipients to ensure that Federal funds are used effectively. Additionally, pass-through entities then use this information during future awards with the subrecipient to enhance the accuracy of their risk assessments (e.g., perhaps increase their risk level as a result of this prior knowledge of past performance issues).
What happens if a subrecipient is scored as high risk, but the pass-through entity does not impose any special requirements?
Imposing special requirements on high/medium/low risk subrecipients is an effective way for the pass-through entity to mitigate potential risk, ensure that Federal funds are used effectively, and reduce the potential for waste, fraud, and misuse. Pass-through entities should remember that in the unfortunate case where Federal funds may be used inappropriately, or waste, fraud, or abuse has occurred, the Federal awarding agency may seek remedies or legal action against the prime recipient. They will not seek legal action against the subrecipient, this would be the responsibility of the pass-through entity.
What happens if a subrecipient is rated as higher risk, but the pass-through entity fails to follow through on any special requirements?
§200.331 details the requirements of pass-through entities whenever they enter into a financial assistance relationship with another non-Federal entity (subrecipient) using Federal funds. One of the requirements is to conduct a risk assessment of the subrecipient to evaluate that entity's risk potential as it relates to Federal laws, regulations, and the terms and conditions of the prime Federal award.
The purpose of the risk assessment is to allow pass-through entities to develop monitoring protocols and special terms/conditions to mitigate for potential risk posed by subrecipients and help to ensure that Federal funds are used effectively. §200.338 provides guidance to Federal awarding agencies to remedy noncompliance of their prime recipients.
Can pass-through entities allow their subrecipients to fill out the risk assessment?
§200.331(b) requires pass-through entities to evaluate their subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward. It does not go into detail about what exactly must be included in the risk assessment in order to allow recipients the flexibility to develop their own risk assessment to meet their needs, expectations, and comfort levels. It also allows pass-through entities to develop grant specific risk assessments to meet the needs of their various financial assistance awards. It does not specifically address whether the risk assessment may or may not be completed by the subrecipient and subsequently certified by the pass-through entity.
What is the role of the FWS in overseeing implementation of any requirements as result of the risk assessment?
The Service's role in overseeing implementation of the risk assessment is to ensure that its prime recipients follow the requirements of 2 CFR 200 when they receive financial assistance awards. Department of the Interior OIG auditors may, during their reviews, test whether prime recipients are following the requirements of §200.331 when it has been determined that they are subawarding Federal funds to subrecipients. If prime recipients are found to not comply with the requirements of 2 CFR 200, then the Service may impose additional conditions on prime recipients as outlined in §200.338 in order to meet its Federal stewardship responsibilities.
Am I required to complete a risk assessment of my contractors under the prime Federal award?
Pass-through entities are not required to complete a risk assessment on contractors.