As you work to stay in compliance with federal programs, it’s easy to overlook internal controls that prove you’re properly managing the terms and conditions of federal awards.
Implementing and monitoring internal controls can help your tribal management and council feel confident the tribe is properly complying with requirements.
Below are tips your tribe can take to help decide which internal controls to put in place and how to manage them.
Internal Controls Overview
Although the concept of internal controls may seem vague, internal controls are embedded in the ways management and tribal council members perform tasks to operate their programs.
These tasks can include planning, execution, and final reporting, all of which help ensure program objectives are being met and the tribe is staying in compliance with grant requirements.
Often processes can be performed to achieve a particular result, however, that result may have been achieved without internal controls in place. For example, it’s possible that a required report is successfully submitted to an agency—the achieved desired result—without performing a review of the report for accuracy.
Processes are procedures that originate, transfer, or change data, and can result in errors. Internal controls are procedures designed to prevent, detect, and correct errors resulting from processes and can’t generate errors.
When designing internal controls, Part Six of the Office of Management and Budget (OMB) Compliance Supplement suggests considering the people involved in completing a process as the doers and those involved in internal controls as the reviewers. In the example above, a doer would be the person who prepared the report, while the reviewer would be the person who reviewed the report for accuracy.
Tips to Choose and Support Your Internal Controls
1. Plan to properly document your procedures.
No matter what controls you eventually decide to use, be prepared to develop proper documentation.
Entities that receive and operate federal awards, such as tribes, must establish and maintain their internal controls as required by the OMB’s uniform guidance—Title 2 US Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.
When federal agencies or auditors perform on-site reviews and audits, they look for:
- Your compliance with the award requirements
- The internal controls you’ve established, maintained, and documented to meet those compliance requirements
An effective way to prove you have established and maintained internal controls is to retain your documentation that demonstrates those controls are in place.
2. Ask the important question: What could go wrong? (WCGW)
There are different types of internal controls to consider implementing. The uniform guidance recommends that tribes have internal controls similar to the level of detail identified in the Standards for Internal Control in the Federal Government (the Green Book) issued by the Comptroller General of the United States or the Internal Control Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
While these standards may seem confusing or even intimidating at first glance, the Green Book provides various practical examples of internal controls for governments.
Some internal controls can help prevent noncompliance from occurring in the first place, while others detect noncompliance that’s occurred and promptly take corrective measures. Regardless, controls should be designed to address noncompliance risks and the potential for unexpected obstacles.
When designing or reevaluating your internal controls, consider bringing your team together to ask, “What could go wrong?” when completing a task—the OMB Compliance Supplement calls this “WCGW.”
As you complete specific tasks, think about events that could cause noncompliance and the various control activities that would either prevent or detect them.
Terms that often describe internal controls when completing a task include, but aren’t limited to:
- Authorization
- Secondary review
- Separation of duties or checks and balances
- System access
3. Address commonly neglected compliance areas.
Most tribes have established internal controls over purchases made with grant funds to address noncompliance risks related to allowable costs and allowed and unallowable activities. However, the following compliance areas typically lack supervisory control activities:
- Eligibility. The manual checklists or automated processes when eligibility determinations are completed are then reviewed and approved by a knowledgeable supervisor.
- Equipment and real property. Property and equipment listings associated with federal funds are reviewed periodically by knowledgeable officials to ensure completeness and accuracy.
- Matching, level of effort, and earmarking. Supervisors review monthly reporting of matching, level of effort, and earmarking data and resolution of variances.
- Suspension and debarment. Responsible officials review that the sam.gov website was checked for vendor suspension or debarment.
- Reporting. Knowledgeable individual reviews the report for accuracy, including a comparison to source documentation.
- Subrecipient monitoring. Program supervisor performs oversight activities over subrecipients, including award authorization, site visits, financial performance, and grant budgets and requests.
For a deeper dive into examples of internal controls for each type of compliance requirement, review Part Six of the OMB Compliance Supplement.
4. Identify potential super users and provide alternative solutions.
Within a tribe’s accounting system, tribal CFOs or equivalents often have unrestricted access to help processes. This access makes it easier for them to execute a transaction during unforeseen events and emergency situations than anyone else in the finance department. These individuals are often referred to as super users.
Separation of duties and having checks and balances over processes are considered basic internal controls, however, there may be times when separation of duties isn’t practical and a super user may need to complete the task.
In these situations, you should consider alternative internal controls to address the risks of noncompliance, fraud, abuse, and error that could be caused by a super user. Assigning your IT team or someone outside of the finance department to monitor systems access, and adding additional layers of review on the back end by individuals other than the super user, could help reduce these risks.
5. Keep in mind the unique needs of different programs.
Certain federal programs, such as a tribe’s clinic, housing, or child care center, may be administered under different control structures. In these cases, internal controls should be designed and implemented separately for these specific areas.
Federal programs operated by tribes can also vary in size, so your tribal management should conduct a cost-benefit analysis of designing and implementing internal controls that address specific risks of federal awards.
Ultimately, use your judgment to decide the most appropriate and cost-effective internal control for any given environment or circumstance.
We’re Here to Help
To learn more about how you can address your internal control concerns, contact your Moss Adams professional.