Risk Assessment Requirements for Pass-Through Entities

This information applies to:

all grants and cooperative agreements

Definitions

"Contract" is defined in § 200.22 and means a legal instrument by which a non-Federal entity purchases property or services needed to carry out the project or program under a Federal award. The term as used in this part does not include a legal instrument, even if the non-Federal entity considers it a contract, when the substance of the transaction meets the definition of a Federal award or subaward.

"Pass-Through Entity" is defined in § 200.74 and means a non-Federal entity that provides a subaward to a subrecipient to carry out part of a Federal program.

"Recipient" is defined in § 200.86 and means a non-Federal entity that receives a Federal award directly from a Federal awarding agency to carry out an activity under a Federal program. The term recipient does not include subrecipients.

"Subaward" is defined in § 200.92 and means an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a Federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a Federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract.

"Subrecipient" is defined in § 200.93 and means a non-Federal entity that receives a subaward from a pass-through entity to carry out part of a Federal program; but does not include an individual that is a beneficiary of such program. A subrecipient may also be a recipient of other Federal awards directly from a Federal awarding agency.

2 CFR 200.331 Requirements for pass-through entities.

... (b) Evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:

(1) The subrecipient's prior experience with the same or similar subawards;

(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F—Audit Requirements of this part, and the extent to which the same or similar subaward has been audited as a major program;

(3) Whether the subrecipient has new personnel or new or substantially changed systems; and

(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).

(c) Consider imposing specific subaward conditions upon a subrecipient if appropriate as described in § 200.207 Specific conditions.

(d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include:

(1) Reviewing financial and performance reports required by the pass-through entity.

(2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means.

(3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision.

(e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals:

(1) Providing subrecipients with training and technical assistance on program-related matters; and

(2) Performing on-site reviews of the subrecipient's program operations;

(3) Arranging for agreed-upon-procedures engagements as described in § 200.425 Audit services.

Frequently Asked Questions

What is the purpose of having to complete a risk assessment on our subrecipients?

The purpose for pass-through entities having to complete a risk assessment on each of their subrecipients is to better help ensure that the Federal award is spent properly and that the subrecipient complies with all applicable Federal statutes, regulations, and terms/conditions. This is the same reasoning why each Federal awarding agency must also complete a risk assessment on each of their prime recipients prior to issuing a Federal award. The risk assessment also provides the framework by which the pass-through entity can help to mitigate for any potential risk associated with each subrecipient.

Am I required to complete a risk assessment on both subrecipients and contractors before issuing a subaward?

§ 200.331(b) requires all pass-through entities to evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for the purposes of determining the appropriate monitoring needed to ensure that Federal funds are used properly. Pass-through entities are not required to complete a risk assessment on contractors.

2 CFR 200.331(b) states that pass-through entities are required to evaluate each subrecipient's risk of noncompliance to ensure that Federal funds are used properly. My organization uses only "contracts" as the legal instrument to enter into agreements with both subrecipients and contractors. Therefore we consider all of our relationships as contractors. Is this acceptable?

No. Many non-Federal entities, particularly State agencies, call all of their legal instruments "contracts". A non-Federal entity may concurrently receive Federal awards as a recipient, subrecipient, and a contractor, depending on the substance of its agreement with the Federal awarding agency and pass-through entities. Therefore, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of Federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor. Pass-through entities need to reflect upon the nature of the case-by-case relationship of the agreement in order to determine if the non-Federal entity is a subrecipient or a contractor.

How often do I need to complete a risk assessment of a subrecipient?

WSFR completes a risk assessment annually on each of our prime recipients (state fish and wildlife agencies). Pass-through entities should complete a risk assessment of their subrecipients according to their established and documented policies and procedures.

§ 200.331(b) requires pass-through entities to conduct an assessment of risk of their subrecipients, but does not specify that such assessments must be done prior to issuing the subaward or the subsequent disbursement of funds to the subrecipient. COFAR addressed this question in its FAQs (updated July 2017). Their response is: "No. While section § 200.331(b) requires risk assessments of subrecipients, there is no requirement for pass-through entities to perform these assessments before making subawards. Under the Uniform Guidance, the purpose of these risk assessments is for pass-through entities to determine appropriate subrecipient monitoring. Pass-through entities may use judgement regarding the most appropriate timing for these assessments. Regardless of the timing chosen, the pass-through entity should document its procedures for assessing risk. § 200.331(b)(1-4) includes factors that a pass-through entity may consider when assessing subrecipient risk. While § 200.205 imposes requirements for a Federal awarding agency to review the risk posed by applicants prior to making a Federal award, there are no corresponding requirements for a pass-through entity; however, it is a best practice for pass-through entities to evaluate risk prior to making a subaward."

Where should I keep the results of our subrecipient risk assessment?

It is a best management practice to keep the results of each subrecipient risk assessment in either your agencies official subrecipient award file or a centralized subject-matter reference file. In either the case, the results of the risk assessment should be easily obtainable by your program/fiscal staff and auditors if they request it.

What criteria or factors should a pass-through entity evaluate when conducting a risk assessment on a potential subrecipient?

§ 200.331(b)(1-4) provides some factors that pass-throughout entities may review when evaluating a subrecipient's potential risk of noncompliance. These factors should not limit a pass-through entity from evaluating additional factors that are above and beyond those listed in § 200.331.

The Service has developed its own official form for satisfying its requirements of evaluating their prime recipients potential risk of noncompliance. May we use their risk assessment form to evaluate the risk of our subrecipients?

Pass-through entities who have not specifically developed and implemented their own official risk assessment form are welcome to review the Service's official risk assessment form that it uses for evaluating its prime recipients potential risk of noncompliance. This form may provide a great starting point for pass-through entities as they begin to develop their own risk assessment forms that meet their specific requirements. Pass-through entities should be aware that the Service's risk assessment form was developed specifically to satisfy its requirements under § 200.205 Federal awarding agency review of risk posed by applicants. This form was not developed, nor was it ever intended to be used by pass-through entities to meet their risk assessment requirements under § 200.331(b). Pass-through entities who use the Service's risk assessment form do so completely voluntarily and the Service accepts no responsibility or liability should auditors determine that this risk assessment fails to meet the requirements set forth for pass-through entities conducting risk assessments of their subrecipients.

Are there differences in the requirements for a risk assessment that Federal awarding agencies must complete on their prime recipients compared to the requirements for a risk assessment that pass-through entities must complete on their subrecipients?

Yes there are differences in the requirements. § 200.205 requires that Federal awarding agencies, for competitive grants and cooperative agreements, must have in place a framework for evaluating the risk posed by applicants before they receive Federal awards. In evaluating such risk, the Federal awarding agency may use a risk-based approach and may consider any items such as the following: (1) Financial stability; (2) Quality of management systems and ability to meet the management standards prescribed in 2 CFR 200; (3) History of performance; (4) Reports and findings from audits performed under Subpart F - Audit Requirements of this part or the reports and findings of any other available audits; and (5) The applicant's ability to effectively implement statutory, regulatory, or other requirements imposed on non-Federal entities.

§ 200.331 requires that pass-through entities evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in § 200.331(d-e). In evaluating such risk, pass-through entities may consider such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F - Audit Requirements, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g. if the subrecipient also receives Federal awards directly from a Federal awarding agency).

How should pass-through entities use the results of their subrecipient's risk assessment of noncompliance?

Pass-through entities should use the results of the risk assessment to help determine the appropriate level of subrecipient monitoring to ensure that the Federal award is used properly and the subrecipient remains in compliance with Federal statutes, regulations, and terms/conditions of the Federal award. Based on the results of the risk assessment, the pass-through entities monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity; (2) Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means; and (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision.. Pass-through entities may also use the results of the risk assessment to place additional, special conditions on the Federal award to help aid with the mitigation of elevated risk posed by the subrecipient. The pass-through entity should advise the subrecipient of the need for additional, special conditions and should also advise the subrecipient on what courses of action need to be successfully implemented to properly mitigate for such risk. Once the subrecipient has successfully met the conditions to offset for this risk, then the special conditions should be removed from the Federal award.

Additionally, pass-through entities may find the following tools useful to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient's program operations; and (3) Arranging for agreed-upon-procedures engagements as described in § 200.425 Audit services..

What happens if a pass-through entity rates their subrecipient as low risk, but then determines the subrecipients is a higher risk entity?

If a pass-through entity completes a risk assessment and scores a subrecipient low and then during the award identifies enhanced levels of risk posed by the subrecipient, then the pass-through has the ability to perhaps amend their contractual agreement and add additional terms/conditions to the award to mitigate this risk. Pass-through entities may also choose to increase their monitoring efforts on such subrecipients to ensure that Federal funds are used effectively. Additionally, pass-through entities then use this information during future awards with the subrecipient to enhance the accuracy of their risk assessments (perhaps increase their risk level as a result of this prior knowledge of past performance issues).

What happens if a subrecipient is scored as high risk, but the pass-through entity does not impose any special requirements?

Imposing special requirements on high/medium/low risk subrecipients is an effective way for the pass-through entity to mitigate potential risk and ensure that Federal funds are used effectively and reduce the potential for waste, fraud, and misuse. The purpose of the risk assessment is to allow pass-through entities maximum flexibility to do business with various types (low/medium/high) of risk entities. In each case, special conditions can be developed to mitigate for various levels of risk.

Pass-through entities should remember that in the unfortunate case where Federal funds may be used inappropriately or waste, fraud, or abuse has occurred, the Federal awarding agency may seek remedies or legal action against the prime recipient. They will not seek legal action against the subrecipient, this would be the responsibility of the pass-through entity.

What happens if a subrecipient is rated as higher risk, but the pass-through entity fails to follow through on any special requirements?

2 CFR 200.331 describes the requirements of pass-through entities whenever they enter into a subrecipient relationship with another non-Federal entity (subrecipient) using Federal funds. One of the requirements is to conduct a risk assessment of the subrecipient prior to issuing the Federal award to evaulate that entities risk potential as it relates to Federal laws, regulations, ect. 2 CFR 200.331(a)(2) describes the requirements of pass-through entities to include information in the contractual document with the subrecipient concerning, "all requirements imposed by the pass-through entity to ensure that the Federal award is used in accordance with Federal statutes, regulations, and terms/conditions of the Federal award."

The purpose of the risk assessment is to allow pass-through entities to develop special terms/conditions to mitigate for potential risk posed by subrecipients and help to ensure that Federal funds are used effectively. 2 CFR 200.338 provides guidance to Federal awarding agencies to remedy noncompliance of their prime recipients.

Can pass-through entities allow their subrecipients to fill out the risk assessment?

2 CFR 200.331 describes the requirements of a pass-through entity having to complete a risk assessment on their subrecipients. It does not go into detail about what exactly must be included in the risk assessment because it allows recipients to develop their own risk assessment to meet their needs, expectations, and comfort levels. It also allows pass-through entities to perhaps develop grant specific risk assessments to meet the needs of their various grants. It does not specifically address whether the form may or may not be completed by the subrecipient and subsequently certified by the pass-through entity.

States are granted an enhanced level of autonomy by OMB in the Uniform Guidance. A BMP suggested by the training branch is not to allow subrecipients to complete the risk assessment, because this could potentially create a conflict of interest as subrecipients may inaccurately complete the assessment in order to enhance their ability to do business with the State. As a point of reference, some Service programs initially allowed their subrecipients to complete the Service's risk assessment form, and has subsequently informed those programs to cease this practice. Now all Service programs complete the risk assessment themselves (no subrecipients complete the risk assessment).

What is the role of the USFWS in overseeing implementation of any requirements as result of the risk assessment?

The Service's role in overseeing implementation of the risk assessment is to ensure that its prime recipients follow the requirements of 2 CFR 200 when they are issued Financial Assistance. Our OIG auditors may, during their reviews, test whether prime recipients are following the requirements of 2 CFR 200.331 when it has been determined that they are subawarding Federal funds to subrecipients. If prime recipients are found to not comply with the requirements of 2 CFR 200, then the Service may impose additional conditions on prime recipients as outlined in 2 CFR 200.338 in order to meet our Federal stewardship responsibilities.