The Changes and Effects of Internal Controls in the 2016 Compliance Supplement

by Jason Guilbeault on Tuesday, September 20, 2016

Jason Guilbeault, CRA
Director, Post Award Services
Augusta University (formerly Georgia Regents University)

Renotta Young
Deputy Controller
Columbia University in the City of New York

The long-awaited 2016 Compliance Supplement was released at the beginning of August 2016, allowing us to finally review and digest the new Part 6 – Internal Controls section. As many of you know, the Uniform Guidance has a large focus on internal controls, and the new Audit Requirement in Subpart F applies to fiscal years that started December 26, 2014 or later, so many of us are only recently seeing the effects of the internal controls standards on our Single Audits. For example, if your fiscal years run from July – June, then your fiscal year ending June 30, 2016 would be the first auditable year under Subpart F of the Uniform Guidance.

Before we proceed, you may recall that Part 6 in the 2015 Compliance Supplement included a paragraph that instructed auditors to refer to COSO’s “Internal Control Integrated Framework” and the Government Accountability Office’s “Standards for Internal Control in the Federal Government,” which is also referred to as the Greenbook, but did not include the 25 pages of internal control guidance, either at the entity level or the Compliance Requirement level. Therefore, our comparison is between Part 6 in the 2014 Compliance Supplement and Part 6 in the 2016 Compliance Supplement.

Part 6 of the 2016 Compliance Supplement is basically the first 4 pages of Part 6 in the 2014 Compliance Supplement, which is where the high-level entity controls and general information about internal controls were listed; however, there are some changes to those pages. What was removed in the 2016 Part 6 is the breakdown of the 5 components of internal controls (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) for each of the 12 Compliance Requirements, which leaves us with only the entity-level controls to refer to. This also means that the 2016 Compliance Supplement is about 20 pages shorter than 2014.

From an auditee perspective, there can be both good and bad sides to having a less detailed Part 6. The 2014 Part 6 connected the dots between the regulations and the internal controls that could be associated with them, and while those controls are not meant to be a checklist, as stated in the 2014 Part 6, some auditors and auditees did use them as checklists, which could limit flexibility in designing controls. Having only the high-level controls in Part 6 allows you to connect your own dots between internal controls and regulations, such as the Uniform Guidance, and to engineer your own processes around your institution’s unique infrastructure. The downside is that auditors will likely do the same thing and have their own interpretations of which internal controls should exist at our institutions.

One key addition to the new 2016 Part 6 of the Compliance Supplement, which may be advantageous for auditees, is the following language:

Internal Control should be an integral part of the entire cycle of planning, budgeting, management, accounting, monitoring, and reporting. It should support the effectiveness and the integrity of every step of the process and provide continual feedback to management. Non-Federal entities’ program managers must carefully consider the appropriate balance between controls and risk in their grant award programs and operations. Too many controls can result in inefficient and ineffective operations; managers must ensure an appropriate balance between the strength of controls and the relative risk associated with particular grant award programs and operations. Additionally the benefits of controls should outweigh the costs. Non-Federal entities should consider both qualitative and quantitative factors when analyzing costs against benefits.

The impact of this statement is that it provides a lot of flexibility in engineering our own compliance infrastructure to suit each of our individual institutional needs. If you have ever had an auditor who likes to bring up the most immaterial inconsistency, this is a good statement to fall back on. It is not always practical or beneficial to document every single step in every single process that you have at your institution. Many of us have very diverse award portfolios and need flexibility in our processes to accommodate that. This is now recognized in the 2016 Compliance Supplement.

Another change in the 2016 Part 6 is the added emphasis on management’s role in and accountability for internal controls, which has consistently been a very prevalent theme in the Greenbook. Does your institution have controls that have no management oversight to ensure processes are being carried out? Are there reports that every manager in a sponsored program office should be regularly reviewing in order to stay informed of potential issues that may not be reported to them? Reports that show due dates for financial reports (final Federal Financial Reports, or FFRs), awards that have ended but are not officially closed out, and billed and unbilled Accounts Receivable/Aging reports are just a few that should be reviewed monthly so that management can see potential issues and stay informed on the institution’s sponsored programs. Below is a comparison of the 2014 and 2016 Part 6 emphasizing the importance of management’s role in internal controls. The one exception is Number 4 on the list, which doesn’t speak to this issue; however, it does speak to the issue of materiality as discussed in the previous paragraph.

2014 Part 6 Language:

  1. Control Environment (characteristic): Management’s respect for and adherence to program requirements
  2. Control Environment (characteristic): Management’s positive responsiveness to prior questioned costs and control recommendation
  3. Control Environment (characteristic): Management’s support of adequate information and reporting system
  4. Risk Assessment (characteristic): Processes are established to implement changes in program objectives and procedures
  5. Control Activities (definition): are the policies and procedures that help ensure that management’s directives are carried out
  6. Information and Communication (definition): are the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities
  7. Monitoring (definition): is a process that assesses the quality of internal control performance over time
  8. Monitoring (characteristic): Follow up on irregularities and deficiencies to determine the cause

2016 Part 6 Language (with differences underlined):

  1. Control Environment (characteristic): Management demonstrates respect for and adherence to program requirements
  2. Control Environment (characteristic): Management initiates positive responsiveness to prior compliance and control findings
  3. Control Environment (characteristic): Management makes evident its support of adequate information and reporting systems
  4. Risk Assessment (characteristic): Processes are established to implement significant changes in program objectives and procedures
  5. Control Activities (definition): The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal controls system, which includes the entity’s information system
  6. Information and Communication (definition): The quality of information management and personnel communicate and use to support the internal control system
  7. Monitoring (definition): Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews
  8. Monitoring (characteristic): Management follows up on irregularities and deficiencies to determine the cause

An important point to take into account as we navigate the new compliance requirements is that there is no need to panic, as the majority of our institutions have longstanding internal controls in place; however, it is important to constantly evaluate our policies, procedures, and controls as our institutional infrastructure evolves and our needs change. In fact, these evaluations are part of an effective monitoring control (the fifth internal control component). Overall, the changes in the 2016 Part 6 may allow us more flexibility in the design of our controls, but there is also a greater expectation regarding management oversight of those controls.

The 2014 Part 6 and the 2016 Part 6 are included at the end of this article, as well as a link to a related article, “What to Expect While You’re Expecting…Your Single Audit,” written by Jason Guilbeault. Please feel free to contact either of us if you have any questions.

