The non-Federal entity must:

(a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States and the "Internal Control Integrated Framework", issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

(b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards.

(c) Evaluate and monitor the non-Federal entity's compliance with statute, regulations and the terms and conditions of Federal awards.

(d) Take prompt action when instances of noncompliance are identified including noncompliance identified in audit findings.

(e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality.

COFAR Frequently Asked Questions

According to auditing standards, "should" really means "must unless there is a well-documented reason why not". Is this the case in the Uniform Guidance? Does the "should" in section 200.303 referencing guidance provided by GAO and COSO really mean "must"?

See the “should” vs. “must” answer in .303-2 below for the meaning of “should” in the Uniform Guidance. COFAR will review the guidance and consider whether technical corrections are needed related to the use of "should".

The word “should” is used throughout section 200. Does it really mean “must”?

No. The word “must” is used throughout part 200 to indicate requirements. The word “should” is used to indicate best practices or recommended approaches that the COFAR wanted non-Federal entities to be aware of, but not necessarily required to comply with.

In section 200.303 Internal Controls, what is the expectation about a non-Federal entity’s compliance with the guidance in the Green Book?

The requirement is that the non-Federal entity must establish and maintain effective internal controls over Federal awards that provide reasonable assurance that awards are being managed in compliance with Federal statutes, regulation and the terms and conditions of the Federal award. The Uniform Guidance also refers non-Federal entities to the following three documents for best practices:

- “Standards for Internal Control in the Federal Government” (Green Book) issued by the Comptroller General.
- “Internal Control Framework” issued by the Committee on Sponsoring Organizations (COSO).
- Appendix XI, Compliance Supplement – Part 6 Internal Control (which currently follows COSO but will consider both the Green Book and COSO in the 2015 update (200.514(c)(1))).

While non-Federal entities must have effective internal control, there is no expectation or requirement that the non-Federal entity document or evaluate internal controls prescriptively in accordance with these three documents or that the non-Federal entity or auditor reconcile technical differences between them. They are provided solely to alert the non-Federal entity to source documents for best practices. Non-Federal entities and their auditors will need to exercise judgment in determining the most appropriate and cost effective internal control in a given environment or circumstance to provide reasonable assurance for compliance with Federal program requirements.