CSBG Data ARRA Technical Assisstance: Risk Assessment and Mitigation for CSBG - States
Community Services Block Grant (CSBG)
Risk Assessment and Risk Mitigation for CSBG ARRA Funds
Text for Recorded Call for States
Note: The text below is the prepared script for the technical assistance conducted on Wednesday, September 8, 2009. Minor wording changes may have occurred during recording.
[SPEAKER SETH HASSETT]
- Good afternoon.
- I’m Seth Hassett, Director of the Division of State Assistance in the Office of Community Services.
[SPEAKER BRANDY RAYNOR]
- I’m Brandy RayNor, Team Lead for Program Operations.
[SPEAKER SETH HASSETT]
- Thank you for joining us for this technical assistance conference call focused on risk assessment and risk mitigation for the Community Services Block Grant.
- This conference call presentation has an accompanying slide presentation that should be viewed in conjunction with the telephone presentation. This slide presentation was distributed via an e-mail message and is available on the CSBG web page on the Administration for Children and Families’ website.
- It is strongly recommended that listeners either have a printed copy of the presentation available, or that listeners view the slide presentation with a copy of the slide presentation on their computer screens.
- If you have not already printed a copy of the slide presentation, it can be obtained on the Community Services Block Grant website, which is at the following address:
- On the OCS website, go to the right hand side of the screen under “What’s New” and click on the text that references this presentation. If you have available a copy of the Powerpoint presentation, please note that in the lower right hand corner of each slide, there is a number.
- We will be referencing this number as we progress through the presentation. Please move to the next slide as I prompt you to do so.
- We begin with the cover page.
[SPEAKER BRANDY RAYNOR]
PLEASE NOW MOVE TO SLIDE 2, entitled CSBG Information Memorandum 112 Risk Assessment and RISK MITIGATION PROCESS for CSBG ARRA FUNDS
- On August 18, 2009, the Office of Community Services (OCS) transmitted guidance for all States and Territories for a risk assessment and risk mitigation plan for Community Services Block Grant (CSBG) funds received under the American Recovery and Reinvestment Act (ARRA).
- The risk assessment guidance was communicated via Information Memorandum 112 which was included with the e-mail and is posted to the CSBG website.
- IM 112 is applicable to State CSBG Lead Agencies, and local CSBG-eligible entities.
- As communicated in the e-mail, State CSBG Lead Agencies should distribute IM 112 to local CSBG-eligible entities for immediate review.
- For the purposes of CSBG ARRA implementation, all CSBG-eligible entities are expected to certify to the State CSBG Lead Agency that a basic risk assessment has been conducted, previous auditing or monitoring findings addressed, and certify that certain statutory, regulatory and internal controls are adequate.
- IM 112 provides guidance and reference tools to assist in identifying appropriate risk mitigating measures and compensating controls. A model format for a plan and certification are provided as an attachment to IM 112.
- State CSBG Lead Agencies must review the risk assessments conducted by eligible entities, and provide the risk assessments to OCS with State comments.
- States may either certify that they concur with the risk assessment of eligible entities, or may provide comments on additional areas of risk. A model format for such certification is provided as an attachment to IM 112.
- The Office of Community Services will use risk assessment information to identify and prioritize technical assistance and monitoring activities including specific training events, webinars, guidance materials, and areas for on-site assistance to supplement regular State monitoring activities.
[SPEAKER SETH HASSETT]
- PLEASE MOVE TO SLIDE 3, entitled “An APpropriate balance between risk and Internal Controls
- At the outset of a risk assessment process, it is important to acknowledge that certain risks are inherent in the distribution and expenditure of Federal grant funds.
- The goal is not to eliminate all risk, but instead to mitigate the risks through appropriate internal controls, checks and balances.
- A lack of internal controls presents risks.
- At the same time, excessive control systems may adversely impact the efficiency of a program effort.
- PLEASE MOVE TO SLIDE 4, entitled “Analyzing and PRIORITIZING RISKS”
- Assessing risks requires careful analysis and prioritization of potential risks that come with the expenditure of Federal grant funds.
Two key dimensions for analysis are:
- the probability of occurrence—in other words, what is the likelihood that something will happen; and
- the scope of potential impact—whether it is financial loss, legal issues, an adverse impact on program mission, or a negative impact on an organization or program’s reputation in the community, State, or nation.
- A LOW probability-LOW impact risk may warrant relatively limited controls or monitoring,
- A LOW probability—HIGH impact risk warrants careful attention and
- A HIGH probability—HIGH impact risks warrant vigilant attention and compensating controls.
[SPEAKER BRANDY RAYNOR]
- PLEASE MOVE TO SLIDE 5, entitled “EXAMPLES OF RISK AREAS”
- What are some examples of risks to be considered?
As discussed in IM-112, and in referenced internal control standards from the Government Accountability Office (or GAO) and private sector organizations, risk assessment encompasses the organizational environment, policies and procedures, as well as specific risks associated with certain types of expenditures.
- Some examples of risks for organizations to consider with CSBG ARRA funds are as follows:
- Previous audit or monitoring findings with no corrective actions – a failure to take any corrective action on a previous audit finding is a red flag for auditors and Federal monitors. Results of single audits, which are available to all Federal monitors, are a key example of such findings.
- IM-112 emphasizes corrective actions from previous audits and monitoring visits, because these a key item that independent reviewers will go for future reviews and audits. By reviewing and documenting corrective actions, agencies can anticipate and avoid future issues.
Likewise, a lack of clear policies and procedures—or policies and procedures that are in conflict with the CSBG Act, regulatory requirements, or commonly-accepted accounting standards present significant risks.
- For example, elements of the CSBG Act—such as income eligibility requirements—should be reviewed in conjunction with existing organizational procedures to assure consistency.
- CSBG IM-112 also includes reference to OMB Cost Principles, along with a internet link to OMB circular A-87 and A-122. We strongly recommend that large and small entities have someone “in-house” who is well versed in the applicable OMB cost principles, since these are a likely area for review in analyzing the appropriateness of expenditures.
- Clear policies and procedures are necessary, but not sufficient, to address potential areas of risk. Policies and procedures must be updates as necessary to incorporate new information and these changes must be communicated to staff.
- If operating procedures are not consistently followed—or are routinely bypassed, that is another area of potential risk to consider and address through training and review.
- Even in strong organizations that have clearly articulated operating systems and procedures, it is critical to review to assure that these systems are sufficient to address expectations of the Recovery Act, such as the expectation that Recovery Act funds will be tracked and reported on separately from regular CSBG funds.
- PLEASE MOVE TO SLIDE 6, entitled “OTHER EXAMPLES OF RISK AREAS”
- A key area of risk with disbursement of within and outside of eligible entity organizations is the segregation of duties.
- Simply put, no one individual or small group of staff should have unmonitored ability to plan, approve, disburse, and report on funds.
- Organizations should maintain checks and balances in the review of expenditures and activities.
- Tripartite boards have an essential role to play in this process, assuring accountability to the individuals and communities served by CSBG funds.
- Risk assessment includes review of personnel expertise and training. Staffing plans should be reviewed in light of the Recovery Act funds to assure sufficient availability of staff with appropriate skills.
- Certain types of activities may present inherent risks that require especially vigilant oversight.
- One example to consider is any type of direct cash assistance or financial assistance on rental or mortgage issues.
- Without appropriate expertise, review, and eligibility determination, direct financial assistance could present a high impact risk.
- Inadequate documentation of expenditures, as well as inadequate protections against theft or misuse of property, not only present financial or legal risks, but also can damage organizational reputations.
- Stories of misuse of property, or inability to account for property or expenditures, can fairly or unfairly be used to impact the reputation of an organization and its services, no matter how valuable these services are to the recipient community.
[SPEAKER SETH HASSETT]
- PLEASE MOVE TO SLIDE 7, entitled “ThE RISK ASSESSMENT PROCESS”
- The risk assessment process outlined in IM-112 reserves considerable judgment for the Chief Executive and Board Chairpersons of eligible entities.
- To the extent that organizations have existing risk assessment processes in place—including reviews for other related program areas such as Head Start--entities are encouraged to build upon or utilize these existing process.
- IM-112 includes a model template for a risk assessment certification, but CSBG entities may provide a certification in an alternate format approved by the State.
- The risk assessment must include a review of past audit or monitoring findings—and any corrective actions that have been implemented.
- Entities should review the GAO standards for internal controls, the COSO standards, and the OMB Cost principles. For many organizations—these standards are second nature. However, we strongly encourage familiarity with these types of standards because in the event of audits or reviews, these will be a point of reference for Inspector General, GAO, and other review offices.
- As discussed earlier, existing procedures and policies should be reviewed for compliance with the CSBG act and ARRA requirements. For organizations that have been in place for many years, this may seem unnecessary, but it is important to recognize that the Recovery Act funds will be subject to a high level of scrutiny and we want to meet high standards.
- PLEASE MOVE TO SLIDE 8, entitled “ThE RISK ASSESSMENT PROCESS”
- We strongly encourage some type of internal testing—particularly of any “high probability – high impact” risks you’ve identified with CSBG ARRA funds.
- Sampling work and looking for “blind spots” in existing systems, controls, and procedures can avoid problems later.
- While it is understandably quite challenging to undergo such efforts during the ramp up of program efforts, there is a high probability of future audits and reviews, and self testing can be extremely helpful.
- Entities may wish to consider identifying outside organizations or individuals to assist in assessment of risk and testing of controls.
- Ultimately, a risk assessment effort is only valuable if potential risk areas are communicated among program stakeholders, and refinements are put in place where necessary.
[SPEAKER BRANDY RAYNOR]
- PLEASE MOVE TO SLIDE 9, entitled “BE PREPARED”
- Many listeners to this call have been involved in the CSBG program for many years and recognize that the Recovery Act presents major new opportunities and challenges.
- Within the Division of State Assistance, we recognize the difficult work and long hours that have already gone in to this process.
- The risk assessment process we are undertaking is an effort to be prepared for the next phases of program implementation.
- As we have discussed, Federal Recovery Act funds will be subject high levels of scrutiny, and the self-assessment process will prepare us as a network for future reviews, audits, and oversight.
- Risk assessment can also be a key element of accomplishing the goals of a program or activity by assuring that activities are conducted as intended by Congress, the Administration, and State and Community stakeholders.
- PLEASE MOVE TO SLIDE 10, entitled “DEADLINES”
- As outlined in IM-112, by October 15, 2009 – All eligible entities are expected to submit a certification statement signed by the chief executive and board chairperson to CSBG Lead Agencies that a risk assessment has been conducted.
- By October 30, 2009 – State CSBG Lead Agencies are expected to provide all risk assessment assurances to OCS with additional comments on any areas of risk identified by the State CSBG Lead Agency.
- As you move forward with this risk assessment effort, please communicate with your assigned DSA liaison staff if you encounter challenges.
- A follow-up call is scheduled for Wednesday, September 23, 2009 at 2:00 p.m. Eastern Standard Time. If you have questions you would like to have answered on that call, please send them to [GREG ELLIOTT E-MAIL] by Wednesday, September 16.
- Thank you for your participation in this call and thank you for your ongoing work on behalf of children, families, and communities.