The risk assessment requirements for pass-through entities are a framework used by pass-through entities to evaluate and establish an appropriate monitoring strategy for subrecipients to the prime Federal award.
This information applies to:
all grants and cooperative agreements
| Contents |
|---|
Overview
Evaluating subrecipient risk of noncompliance with the Federal award and applicable Federal laws and regulations is required for pass-through entities per 2 CFR 200, which provides factors a pass-through entity may use when establishing their risk assessment process. The central purpose of the risk assessment is to determine the appropriate level of monitoring of project activities to ensure the subaward objectives and purpose are met, that the subrecipient is compliant with all applicable Federal requirements, and that the performance goals of the subaward are achieved.
Authorities
2 CFR 200 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards
§200.74 Pass-through entity.
Pass-through entity means a non-Federal entity that provides a subaward to a subrecipient to carry out part of a Federal program.
§200.86 Recipient.
Recipient means a non-Federal entity that receives a Federal award directly from a Federal awarding agency to carry out an activity under a Federal program. The term recipient does not include subrecipients. See also §200.69 Non-Federal entity.
§200.92 Subaward.
Subaward means an award provided by a pass-through entity to a subrecipient for the subrecipient to carry out part of a Federal award received by the pass-through entity. It does not include payments to a contractor or payments to an individual that is a beneficiary of a Federal program. A subaward may be provided through any form of legal agreement, including an agreement that the pass-through entity considers a contract.
§200.93 Subrecipient.
Subrecipient means a non-Federal entity that receives a subaward from a pass-through entity to carry out part of a Federal program; but does not include an individual that is a beneficiary of such program. A subrecipient may also be a recipient of other Federal awards directly from a Federal awarding agency.
[78 FR 78608, Dec. 26, 2013]
§200.331 Requirements for pass-through entities.
All pass-through entities must:
[...]
(b) Evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient's prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F—Audit Requirements of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
[78 FR 78608, Dec. 26, 2013, as amended at 79 FR 75885, Dec. 19, 2014; 80 FR 54409, Sept. 10, 2015]
2 CFR 200 Compliance Supplement (Frequently Asked Questions—July 2017 update)
.331-10 Requirements for Pass-Through Entities. Timing of Subrecipient Risk Assessments *
Q: Section §200.331 (b) indicates that pass-through entities must “evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring…” Are pass-through entities required to assess the risk of non-compliance for each applicant prior to issuing a subaward?
A: No. While section §200.331 (b) requires risk assessments of subrecipients, there is no requirement for pass-through entities to perform these assessments before making subawards. Under the Uniform Guidance, the purpose of these risk assessments is for pass-through entities to determine appropriate subrecipient monitoring. Pass-through entities may use judgment regarding the most appropriate timing for the assessments. Regardless of the timing chosen, the pass-through entity should document its procedures for assessing risk. Section §200.331 (b) (1) – (4) includes factors that a pass-through entity may consider when assessing subrecipient risk. While section §200.205 imposes requirements for a Federal awarding agency to review the risk posed by applicants prior to making a Federal award, there are no corresponding requirements for a pass-through entity; however, it is a best practice for pass-through entities to evaluate risk prior to making a subaward.
Frequently Asked Questions
What is the purpose of having to complete a risk assessment of our subrecipients?
The purpose for pass-through entities having to complete a risk assessment on each of their subrecipients is to better help ensure that the Federal award is spent properly and that the subrecipient complies with all applicable Federal statutes, regulations, and terms/conditions of the Federal award. This is the same reason why each Federal awarding agencies must also complete a risk assessment for each of their prime recipients prior to issuing a Federal award. The risk assessment also provides the framework by which the pass-through entity can help to mitigate for any potential risk associated with each subrecipient.
Am I required to complete a risk assessment of my subrecipients before issuing a subaward?
§ 200.331(b) requires pass-through entities to conduct an assessment of risk of their subrecipients, but does not specify that such assessments must be done prior to issuing the subaward or the subsequent disbursement of funds to the subrecipient. The Council on Financial Assistance Reform (COFAR) addressed this question in its FAQs (updated July 2017). Their response was:
"No. While section § 200.331(b) requires risk assessments of subrecipients, there is no requirement for pass-through entities to perform these assessments before making subawards. Under the Uniform Guidance, the purpose of these risk assessments is for pass-through entities to determine appropriate subrecipient monitoring. Pass-through entities may use judgement regarding the most appropriate timing for these assessments. Regardless of the timing chosen, the pass-through entity should document its procedures for assessing risk. § 200.331(b)(1-4) includes factors that a pass-through entity may consider when assessing subrecipient risk. While § 200.205 imposes requirements for a Federal awarding agency to review the risk posed by applicants prior to making a Federal award, there are no corresponding requirements for a pass-through entity; however, it is a best practice for pass-through entities to evaluate risk prior to making a subaward."
My organization uses only "contracts" as the legal instrument to enter into agreements with both subrecipients and contractors. Therefore we consider all of our relationships as contractors. Do we still have to complete risk assessments?
Maybe. Many non-Federal entities, particularly State agencies, call all of their legal instruments "contracts". According to 2 CFR 200.300, "A non-Federal entity may concurrently receive Federal awards as a recipient, a subrecipient, and a contractor, depending on the substance of its agreement with the Federal awarding agency and pass-through entities. Therefore, a pass-through entity must make a case-by-case determination whether each agreement it makes for the disbursement of Federal program funds casts the party receiving the funds in the role of a subrecipient or a contractor." Pass-through entities need to reflect upon the nature of the case-by-case relationship of the agreement in order to determine if the non-Federal entity is a subrecipient or a contractor (see 'Subrecipient vs Contractor Determination').
How often do I need to complete a risk assessment of a subrecipient?
Pass-through entities should complete a risk assessment of their subrecipients according to their established and documented policies and procedures.
Where should I keep the results of our subrecipient risk assessment?
It is a best management practice to keep the results of each subrecipient risk assessment in either your agency's official subrecipient award file or in a centralized subject-matter file. In either the case, the results of the risk assessment should be easily accessible by your program/fiscal staff and auditors if they request it.
What criteria or factors should a pass-through entity evaluate when conducting a risk assessment on a potential subrecipient?
§200.331(b)(1-4) provides some factors that pass-throughout entities may review when evaluating a subrecipient's potential risk of noncompliance. These factors should not limit a pass-through entity from evaluating additional factors that are above and beyond those listed in § 200.331.
The Service has developed its own risk assessment form for evaluating their prime recipients. May we use their form to evaluate our subrecipients?
Pass-through entities who have not developed and implemented their own risk assessment form are welcome to review the Service's risk assessment form it uses for evaluating its prime recipients potential risk of noncompliance. This form may provide a great starting point for pass-through entities as they begin to develop a risk assessment form that meet their specific requirements. Pass-through entities should be aware that the Service's risk assessment form was developed specifically to satisfy its requirements under § 200.205 Federal awarding agency review of risk posed by applicants. This form was not developed, nor was it ever intended to be used by pass-through entities to meet their risk assessment requirements under § 200.331(b). Pass-through entities who use the Service's risk assessment form do so completely voluntarily and the Service accepts no responsibility or liability should auditors determine that this risk assessment fails to meet the requirements set forth for pass-through entities conducting risk assessments of their subrecipients.
Are there differences in the requirements for a risk assessment that Federal awarding agencies must complete on their prime recipients compared to the requirements for a risk assessment that pass-through entities must complete on their subrecipients?
Yes there are differences in the requirements. § 200.205 requires that Federal awarding agencies, for competitive grants and cooperative agreements, must have in place a framework for evaluating the risk posed by applicants before they receive Federal awards. In evaluating such risk, the Federal awarding agency may use a risk-based approach and may consider any items such as the following: (1) Financial stability; (2) Quality of management systems and ability to meet the management standards prescribed in 2 CFR 200; (3) History of performance; (4) Reports and findings from audits performed under Subpart F - Audit Requirements of this part or the reports and findings of any other available audits; and (5) The applicant's ability to effectively implement statutory, regulatory, or other requirements imposed on non-Federal entities.
§ 200.331 requires that pass-through entities evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in § 200.331(d-e). In evaluating such risk, pass-through entities may consider such factors as: (1) The subrecipient's prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F - Audit Requirements, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g. if the subrecipient also receives Federal awards directly from a Federal awarding agency).
How should pass-through entities use the results of their subrecipient's risk assessment of noncompliance?
Pass-through entities should use the results of the risk assessment to help determine the appropriate level of subrecipient monitoring to ensure that the Federal award is used properly and the subrecipient remains in compliance with Federal statutes, regulations, and terms/conditions of the Federal award. Based on the results of the risk assessment, the pass-through entities monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity; (2) Following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means; and (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 Management decision.. Pass-through entities may also use the results of the risk assessment to place additional, special conditions on the Federal award to help aid with the mitigation of elevated risk posed by the subrecipient. The pass-through entity should advise the subrecipient of the need for additional, special conditions and should also advise the subrecipient on what courses of action need to be successfully implemented to properly mitigate for such risk. Once the subrecipient has successfully met the conditions to offset for this risk, then the special conditions should be removed from the Federal award.
Additionally, pass-through entities may find the following tools useful to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient's program operations; and (3) Arranging for agreed-upon-procedures engagements as described in § 200.425 Audit services..
What happens if a pass-through entity rates their subrecipient as low risk, but then determines the subrecipients is a higher risk entity?
If a pass-through entity completes a risk assessment and scores a subrecipient low and then during the award identifies enhanced levels of risk posed by the subrecipient, then the pass-through has the ability to perhaps amend their contractual agreement and add additional terms/conditions to the award to mitigate this risk. Pass-through entities may also choose to increase their monitoring efforts on such subrecipients to ensure that Federal funds are used effectively. Additionally, pass-through entities then use this information during future awards with the subrecipient to enhance the accuracy of their risk assessments (perhaps increase their risk level as a result of this prior knowledge of past performance issues).
What happens if a subrecipient is scored as high risk, but the pass-through entity does not impose any special requirements?
Imposing special requirements on high/medium/low risk subrecipients is an effective way for the pass-through entity to mitigate potential risk and ensure that Federal funds are used effectively and reduce the potential for waste, fraud, and misuse. The purpose of the risk assessment is to allow pass-through entities maximum flexibility to do business with various types (low/medium/high) of risk entities. In each case, special conditions can be developed to mitigate for various levels of risk.
Pass-through entities should remember that in the unfortunate case where Federal funds may be used inappropriately or waste, fraud, or abuse has occurred, the Federal awarding agency may seek remedies or legal action against the prime recipient. They will not seek legal action against the subrecipient, this would be the responsibility of the pass-through entity.
What happens if a subrecipient is rated as higher risk, but the pass-through entity fails to follow through on any special requirements?
§ 200.331 describes the requirements of pass-through entities whenever they enter into a subrecipient relationship with another non-Federal entity (subrecipient) using Federal funds. One of the requirements is to conduct a risk assessment of the subrecipient to evaulate that entities risk potential as it relates to Federal laws, regulations, ect. § 200.331(a)(2) describes the requirements of pass-through entities to include information in the contractual document with the subrecipient concerning, "all requirements imposed by the pass-through entity to ensure that the Federal award is used in accordance with Federal statutes, regulations, and terms/conditions of the Federal award."
The purpose of the risk assessment is to allow pass-through entities to develop monitoring protocols and special terms/conditions to mitigate for potential risk posed by subrecipients and help to ensure that Federal funds are used effectively. § 200.338 provides guidance to Federal awarding agencies to remedy noncompliance of their prime recipients.
Can pass-through entities allow their subrecipients to fill out the risk assessment?
§ 200.331(b) describes the requirements of a pass-through entity having to complete a risk assessment on their subrecipients. It does not go into detail about what exactly must be included in the risk assessment because it allows recipients to develop their own risk assessment to meet their needs, expectations, and comfort levels. It also allows pass-through entities to perhaps develop grant specific risk assessments to meet the needs of their various grants. It does not specifically address whether the form may or may not be completed by the subrecipient and subsequently certified by the pass-through entity.
What is the role of the USFWS in overseeing implementation of any requirements as result of the risk assessment?
The Service's role in overseeing implementation of the risk assessment is to ensure that its prime recipients follow the requirements of 2 CFR 200 when they are issued Financial Assistance awards. Department of the Interior OIG auditors may, during their reviews, test whether prime recipients are following the requirements of § 200.331 when it has been determined that they are subawarding Federal funds to subrecipients. If prime recipients are found to not comply with the requirements of 2 CFR 200, then the Service may impose additional conditions on prime recipients as outlined in § 200.338 in order to meet our Federal stewardship responsibilities.
Am I required to complete a risk assessment of my contractors under the prime Federal award?
§ 200.331(b) requires all pass-through entities to evaluate each subrecipient's risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for the purposes of determining the appropriate monitoring needed to ensure that Federal funds are used properly. Pass-through entities are not required to complete a risk assessment on contractors.
top
Learning Aids
USFWS_PrimeRecipient_Risk Assessment Form (Excel)
top
Related Pages
Subrecipient vs Contractor Determination
top
Resources
top
References
§ 200.205 Federal awarding agency review of risk posed by applicants.
§ 200.331 Requirements for pass-through entities.
§ 200.521 Management decision.
top
