CSBG IM #112 Risk Assessment for FY 2009 ARRA Funds (States)
COMMUNITY SERVICES BLOCK GRANT PROGRAM Information Memorandum
U.S. Department of Health and Human Services
Transmittal No. 112 Date: August 18, 2009
TO: State Community Services Block Grant Program (CSBG) Administrators, U.S. Territory CSBG Program Administrators, Administrators for CSBG-Eligible Entities, and Members of Tripartite Boards for CSBG-Eligible Entities
SUBJECT: Risk Assessment and Risk Mitigation Process for Fiscal Year (FY) 2009 CSBG American Recovery and Reinvestment Act (ARRA) Funds
PURPOSE: To ensure assessment of potential risks and appropriate mitigation efforts throughout the Community Action Network for CSBG ARRA Funds
RELATED REFERENCES: Community Services Block Grant Act; American Recovery and Reinvestment Act of 2009
This Information Memorandum outlines risk assessment expectations for CSBG-eligible entities and States as part of the CSBG ARRA Risk Assessment process along with timelines for submission of information to the Office of Community Services (OCS) to help guide monitoring and technical assistance efforts.
Background
On April 10, 2009, the Department of Health and Human Services announced the release of $985 million in CSBG funds appropriated as a result of the American Recovery and Reinvestment Act of 2009 (ARRA). Funds were released to States, U.S. Territories, and eligible Tribal governments and Tribal Organizations based on a statutorily defined formula outlined in Public Law 105-285, the Community Opportunities, Accountability, and Training and Educational Services Act of 1998.
Concurrent with the release of funds, OCS issued Information Memoranda (IM) with initial guidance for implementation (CSBG IM-109 and CSBG IM-110). Funds were released contingent on specific terms and conditions of the award with the requirement that CSBG ARRA plans be provided for Federal review by May 29, 2009. At the time of the grant release, OCS announced that additional guidance would be provided on CSBG ARRA reporting and accountability requirements as new information became available.
OCS completed an initial review of all State, Territorial and Tribal Plans by June 30, 2009. States, Territories, and Tribal organizations have either been notified that plans are accepted or have been notified of specific information needed for final acceptance of plans. In rare situations where OCS identifies significant statutory concerns, or in which essential information has not been provided, OCS may temporarily suspend the ability to draw down funds in the Payment Management System pending specific clarifications or changes.
As a next step in the implementation and monitoring process for CSBG ARRA funds, all States and Territories will be asked to work in partnership with eligible entities on locally based risk assessment efforts, which will be used to help guide OCS technical assistance and monitoring support with the goal of assuring appropriate expenditures in compliance with requirements of the CSBG Act and ARRA.
Available Standards and Guidelines for Internal Controls
According to the Government Accountability Office (GAO), “internal control is not one event, but a series of actions and activities that occur throughout an entity’s operations and on an ongoing basis. Internal control should be recognized as an integral part of each system that management uses to regulate and guide its operations rather than as a separate system within an agency.” (GAO/AIMD-00-21.3.1, Standards for Internal Control in the Federal Government).
GAO standards for internal control in the Federal Government are available online at the following web address:
http://www.gao.gov/special.pubs/ai00021p.pdf (PDF)
GAO standards for internal controls are based on The Internal Control Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), an independent private-sector initiative formed in 1985 to assess causal factors that can lead to fraudulent financial reporting. A summary of COSO’s framework is available online at the following web address:
http://www.coso.org/IC-IntegratedFramework-summary.htm
Under the COSO framework, internal control consists of five interrelated components: 1) Control Environment, including the integrity, ethical values, management philosophy, and operating style of organizational management; 2) Risk Assessment, including identification and analysis of relevant risks to achievement of organizational objectives; 3) Control Activities, including the policies and procedures that help ensure management directives are carried out; 4) Information and Effective Communication, such as reports, containing operational, financial and compliance-related information, and communication of objectives and responsibilities within an organization and with key external parties; and 5) Monitoring of internal controls and system performance both through ongoing internal monitoring and separate evaluations (COSO Internal Control Integrated Framework, Executive Summary).
Internal Controls for CSBG ARRA — A Federal, State, and Local Partnership
With the exception of one percent of funds available for benefits enrollment coordination efforts at the State level, the Recovery Act (ARRA) specifies that all funds will be provided to eligible entities as defined in the CSBG Act. States do not receive additional funds through ARRA for administration or monitoring of eligible entities, but may include ARRA oversight activities in monitoring and reporting systems supported through regularly appropriated CSBG funds.
Because States do not receive additional funds for monitoring or administrative activities, the process of assessing and mitigating risks of inappropriate expenditures with CSBG funds must be a partnership between Federal, State, and local agency levels of the Community Action Network with shared accountability and responsibility for internal controls at all organizational levels.
Expectations for CSBG-Eligible Entities and Tripartite Boards
The first level of accountability for CSBG ARRA expenditures lies with the CSBG-eligible entities that provide direct community services. To assure high quality services and appropriate expenditures, the management and tripartite boards of eligible entities must take a direct and individually accountable role in overseeing organizational risk assessment and reviewing internal controls to assure that funds are spent appropriately and in accordance with Federal and State CSBG requirements.
The process of assessing entity vulnerabilities and risks should be ongoing and integrated within management and board oversight efforts. The CSBG Act specifies that tripartite boards must fully participate in the development, planning, implementation, and evaluation of program efforts for low-income communities.
Ongoing risk assessments should focus on the likelihood of risk for errors in expenditures, programmatic errors or delays that may prevent an eligible entity from meeting its program objectives, as well as areas for potential fraud or abuse within the entity and among recipients of support or funding.
For the purposes of CSBG ARRA implementation, all CSBG-eligible entities are expected to certify to the State CSBG Lead Agency that a basic risk assessment has been conducted. Risk assessments may be conducted by reviewing existing policies and procedures to assure that they address unique requirements under ARRA for separate accounting of funds and quarterly reporting on expenditures activities. A model format for such certification is provided as an attachment to this guidance. Entities may use this format or an alternate format approved by the State CSBG lead agency.
At minimum, all risk assessments must include a certification that risk assessments have addressed the following factors:
- Previous Audit or Monitoring Findings — Have there been any material weaknesses and reportable conditions, questioned costs or other findings cited within the last three years in annual audits, State monitoring assessments, Inspector General reviews, or other Government agency reviews of entity finances and operations? If so, have these material weaknesses been corrected? How has the agency verified that material weaknesses have been corrected (e.g., verification by auditors or independent reviewers)?
- Internal Controls — Does the entity have in place standard financial and operating controls to ensure assets and information are protected against fraud, waste and abuse, and mismanagement of Federal funds? Have these financial and operating controls been reviewed and updated to address new activities and funding under ARRA? Have internal control systems been tested, either through internal or outside reviews to assess potential vulnerabilities?
- Statutory and Regulatory Compliance — Does the entity have in place clearly stated and current administrative, fiscal and programmatic policies and operating procedures in accordance with the CSBG statute? Does the entity assure that policies and procedures are distributed to staff accompanied by training? Are procedures in place to assure adherence to Office of Management and Budget (OMB) Cost Principles? OMB Cost Principles are available on the following websites:
  Cost Principles for State, Local, and Indian Tribal Governments (OMB Circular A-87)
  http://www.whitehouse.gov/omb/fedreg/2005/083105_a87.pdf (PDF)
  Cost Principles for Non-Profit Organizations (OMB Circular A-122)
  http://www.whitehouse.gov/omb/fedreg/2005/083105_a122.pd (PDF)
- Equipment and Property — What procedures are in place to assure that any general purpose equipment purchased using CSBG ARRA funds is directly related to specific CSBG services under the ACF Grant Terms and Conditions applicable to ARRA funds? If the entity proposes any purchase or improvement of land, or the purchase, construction, or permanent improvement (other than low-cost residential weatherization or other energy-related home repairs) of any building or other facility, has a Federal waiver been requested and approved as required under the CSBG Statute?
Risk assessments must include the following certification, signed by the chief executive and board chairperson: “I certify that a risk assessment has been conducted to assure appropriate expenditures of Community Services Block Grant funds received through the American Recovery and Reinvestment Act of 2009. This risk assessment addressed previous audit or monitoring findings within the last three years, a review of existing internal controls, a review of statutory and regulatory compliance, and a review of equipment and property procedures to assure a direct relationship to CSBG services. Where potential risks have been identified, appropriate risk mitigation measures and compensating controls have been identified.”
State Review of Risk Assessments and Certification or Comment
Section 678B of the CSBG Act requires that States conduct monitoring visits and a full onsite review of each eligible entity at least once during each three-year period. The CSBG Act also requires that States conduct an onsite review of each newly designated entity immediately after the completion of the first year in which the entity receives funds through CSBG. States are required under the regular CSBG program to conduct follow-up reviews including prompt return visits to eligible entities, and their programs, that fail to meet the goals, standards, and requirements established by the State. The CSBG Act also requires that States conduct other reviews as appropriate, including reviews of entities with programs that have had other Federal, State, or local grants other than assistance provided under CSBG terminated for cause.
Based on these routine monitoring activities, State CSBG Lead Agencies are expected to have a strong understanding of the entity structures, entity strengths, compliance histories, and risks among eligible entities. For the purposes of CSBG ARRA implementation, State and Tribal CSBG Lead Agencies are expected to review risk assessments conducted by eligible entities and provide the risk assessments to OCS with State comments. States may either certify that they concur with the risk assessments of eligible entities, or may provide comments on additional areas of risk. States may identify additional areas of risk within specific eligible entities or Statewide.
OCS Review of Risk Assessment Information
Risk assessment information provided by eligible entities and State CSBG Lead Agencies will be utilized by OCS for the purpose of prioritizing technical assistance and monitoring activities. Areas of common risk identified by multiple communities and States may be addressed through specific training events, webinars, or guidance materials. In other instances, risk assessment information will be analyzed by OCS to identify priority areas for direct on-site assistance to supplement regular State monitoring activities.
Timelines
This risk assessment should be distributed upon issuance to all eligible entities included in State CSBG ARRA plans. To assure timely technical assistance and monitoring assistance at the Federal level, the following timelines are established for risk assessments:
October 15, 2009
Eligible entities provide a certification statement, signed by the chief executive and board chairperson to CSBG Lead Agencies that a risk assessment has been conducted addressing previous audit or monitoring findings, internal controls, compliance risks, avoidance of real or apparent conflicts of interest, equipment and property. This assurance statement must identify any specific risks identified and plans to mitigate those risks.
October 30, 2009
State CSBG Lead Agencies provide all risk assessment assurances to OCS with additional comments on any areas of risk identified by the State CSBG Lead Agency.
Eligible Entity Risk Assessment Assurances and State Comments should be mailed to:
U.S. Department of Health and Human Services
Administration for Children and Families
Office of Community Services
Division of State Assistance
Attention: Community Services Block Grant Program
370 L'Enfant Promenade S.W., 5th Floor West
Washington, D.C. 20447
If you need additional information, contact your assigned Office of Community Services’ CSBG Program Services - Regional Contacts. This contact information is available on the CSBG program website.
/s/
__________________________
Yolanda J. Butler, Ph.D.
Acting Director
Office of Community Services
Attachment:
- Model Template for Risk Assessment Assurance Statement by CSBG-Eligible Entities
SAMPLE RISK ASSESSMENT ASSURANCE TEMPLATE
CSBG ARRA Risk Assessment of Grantees, Sub-Grantees and Vendors/Contractors
Name of Entity:
Date:
Please check “Yes” or “No” for each of the following questions. Comments should be completed when a specific system needs enhancement instead of the total system or process.
Risk Assessment Questions | Yes | No | Comments should include
1. Have there been any material weaknesses and reportable conditions, questioned costs and other findings cited within the last three years in annual audits, State monitoring assessments, Inspector General Reviews, or other Government Agency reviews of entity finances and operations that have not been corrected?
2. Does the entity have in place standard financial and operating controls to ensure assets and information are protected against fraud, waste and abuse, and mismanagement of Federal funds?
3. Does the entity have in place clearly stated and current administrative, fiscal and programmatic policies and operating procedures in accordance with the CSBG statute? Does the entity assure that policies and procedures are distributed to staff accompanied by training?
4. Does the entity have in place a methodology for monitoring compliance with internal policies and procedures? Have internal policies and procedures been reviewed for compliance with requirements of the CSBG Act, ARRA, CSBG Information Memoranda, OMB Circulars, ACF Grant Terms and Conditions and other contractual terms and conditions?
5. What procedures are in place to assure that any general purpose equipment purchased using CSBG ARRA funds is directly related to specific CSBG services under the ACF Grant Terms and Conditions applicable to ARRA?
6. If the entity proposes any purchase or improvement of land, or the purchase, construction, or permanent improvement (other than low-cost residential weatherization or other energy-related home repairs) of any building or other facility, has a Federal waiver been requested and approved as required under the CSBG Statute?
Risk Mitigation Activities — A “yes” to question number one indicates a potential risk area for CSBG ARRA implementation. A “no” to questions 2-6 indicates a potential risk area. For any identified risks, please describe current risk mitigation plans or compensating controls established. Attach additional sheets as necessary.
GAO-01-1008G, Internal Control and Evaluation Tool, August 2001
2 CFR Part 225, Cost Principles for State, Local, and Indian Tribal Governments dated August 29, 1997; and
2 CFR Part 230, Cost Principles for Non-Profit Organizations dated June 1, 1998.
SEC. 678F (a) (1) Limitation on Use of Funds.
Certification Statement: I certify that a risk assessment has been conducted to assure appropriate expenditures of Community Services Block Grant funds received through the American Recovery and Reinvestment Act of 2009. This risk assessment addressed previous audit or monitoring findings within the last three years, a review of existing internal controls, a review of statutory and regulatory compliance, and a review of equipment and property procedures to assure a direct relationship to CSBG services. Where potential risks have been identified, appropriate risk mitigation measures and compensating controls have been identified.
Chief Executive ____________________________________________________
Board Chairperson _________________________________________________
State CSBG Lead Agency Comments
□ I concur with the eligible entity’s assessment of risk with no additional comment.
□ I have attached comments on additional areas of risk within this entity or Statewide.
State CSBG Program Manager __________________________________________