How Institutions Can Support Subrecipient Monitoring Requirements
Since the publication of Uniform Guidance, institutions have grappled with subrecipient monitoring requirements.
In the absence of specific direction from the federal government – or interpretation of the requirements in the form of major audit findings – organizations have independently developed policies and procedures to develop necessary internal controls that support compliance.
The prime recipient retains responsibility for ensuring subrecipients meet all of the requirements associated with federal awards. A developing area of risk relates to Health and Human Services Office of Inspector General’s (HHS OIG) emerging focus on 2 CFR 200.331. This regulation requires the prime recipient to assess the subrecipients’ ability to achieve program goals in a compliant manner.
Recently, HHS OIG conducted two audits focused on National Institutes of Health funded subawards. For both actions, the HHS OIG compared the institutional policies and procedures to the federal subrecipient monitoring requirements, sampled 30 outgoing and incoming subawards and reviewed subaward costs for allowability.
At both institutions, all invoiced expenses associated with subawards were deemed allowable.
At the first institution, the policies and procedures were found to comply with federal requirements. However, the second institution did not consistently apply risk assessments to Affiliates1 and fellow Federal Demonstration Partnership (FDP)2 members. As a result, they were found to be out of compliance with regulations. HHS OIG recommended that the institution update its policies to require risk assessments for all subawards and ensure that risk assessments are consistently implemented.
As best practices continue to evolve, there are immediate actions institutions can take to support subrecipient monitoring requirements. The steps below specifically outline the development and management of subrecipient risk assessments:
1. Develop weighted criteria and a risk measurement tool
Weighted criteria should measure subrecipients’ risk in the areas of prior experience, audits, changes in personnel and systems, size and type of their research portfolio and the portion of the award they will implement. Once criteria are clearly identified, they should be translated into a functional tool that staff can easily use to standardize and document the assessment.
Some institutions have elected to use the FDP’s Risk Assessment Questionnaire, while others have developed their own criteria that more closely align to their risk tolerance and/or sponsored award portfolio. Regardless of the route taken, the tool should be used thoroughly and consistently.
2. Identify and publicize roles and responsibilities
For most institutions, the assessment requires input from several departments. For example, the central post-award unit can provide expert analysis on audit findings, central pre-award can typically opine on the subrecipients’ systems and personnel and the principal investigator and departmental staff can deliver meaningful data on previous experience with the subrecipient.
Given the number and complexity of hand-offs associated with a risk assessment, the thoughtful development and widespread publication of roles and responsibilities is critical to ensuring meaningful assessments.
3. Align institutional policies and procedures
Following the development of a risk assessment tool and clarification of the associated roles and responsibilities, institutions should review and update their subrecipient monitoring policies and procedures. This should include guidance on the timepoints when risk assessments will occur, procedures for documenting the assessments and direction on updating subrecipient contracts to reflect elevated risk ratings.
Risk in the area of subrecipient monitoring can never be completely eliminated – but the development of effective internal controls in the form of a risk assessment can help manage compliant subrecipient activities. Learn more about Huron’s research compliance services, including our comprehensive Subrecipient Monitoring Toolkit, by contacting Anne Pifer or visiting our research compliance library.
1 In this context, an Affiliate refers to a third-party business entity that a) controls the institution, b) is controlled by the institution or c) or is subject to control from the same outside entity.
2 Per the FDP website, “The Federal Demonstration Partnership is a cooperative initiative among 10 federal agencies and 154 institutional recipients of federal funds to reduce the administrative burdens associated with research grants and contracts to improve the national research enterprise.”