Deirdre Joseph, MBA, CGMS
Six days after a ransomware cyberattack, Atlanta
officials are filling out forms by hand.
March 28, 2018 - CNN
City of Atlanta paid 8 firms $2.7M to combat
ransomware attack April 24, 2018 – Atlanta Business Chronicle
Atlanta's computer network hit with cyberattack demanding ransom for access to
files. March 22, 2018 - ABC Action News
“Employees were handed instructions to not turn on
computers or log into workstations” March 23, 2018 - Atlanta Journal Constitution
Cyber Security IJ Required ~ § 200.303 PII ~ RISK
Global Ransomware Damage Costs Predicted to
Exceed $5 Billion in 2017
Audit Found “…papers not available to audit staff”
RECOMMENDATIONS
• Identify requirements
• Document
• Implement
• Disseminate
• Test
*§200.331(b) Pass-through entities are required to
evaluate sub recipient's risk of noncompliance
with Federal statutes, regulations and terms and
conditions of sub award.
How?
When?
Where do I start?
What does that look like?
*Internal Controls
*Documentation Methods for Internal Control
*Flowcharting
*Narrative (with internal control compliance)
*Internal Control Questionnaires
*Crosswalk
*Documentation Tips and Best Practices
*Current Grant ‘Hot Topics’
*Example/Walkthrough of Documenting Internal Controls
GOALS
Successful Grants Management requires…
Documentation + Strong Internal Controls + Communication & Training
Documentation: Flowchart, Internal Control Questionnaire, Narrative, Timeline, Checklist, Crosswalk, Logic Models, Diagram, Decision Trees
*Internal Controls
Detective Preventive
A process designed to provide
‘reasonable assurance’
regarding the achievement of
objectives for categories.
*Internal Controls
Sources for Internal Controls
* The Green Book
* “Internal Control Framework” by COSO
* Appendix XI, Compliance Supplement
Desk Reviews
On-Site
Technical Assistance
Trainings
Audit
Additional Terms
Strong Internal Controls = Low Risk, Less Testing, > Reliance
Weak Internal Controls = High Risk, More Testing, < Reliance
Flowcharting
Flowchart symbols: Start/End, Manual Process, Automated Process, Document, Control, Connector, Decision
Request Purchase
Budget
Purchase Equipment
Control 1
Control 2
Control 1:
• Purchase requests are accompanied by approved budget
• Control is that budget is
reviewed and approved
by City Council as
evidenced by resolution
• Only authorized
persons may make
request
Consideration
• Is this request supported by
an investment justification?
• RISK – denied cost due
to not following grant
requirements
Procurement, Suspension, Debarment Controls:
(1) The City of Tampa has a written procurement policy that includes federal requirements.
(2) All contracts are reviewed and approved by Legal prior to execution and include
current suspension and debarment certifications.
(3) Employees must sign a Conflict of Interest statement affirming that the vendors used are
not related parties.
(4) The City of Tampa checks (and prints out) the government website listing SAM.gov and
FAPIIS to ensure that none of their current contractors are included on the list.
Process:
Each grant employee receives an operating procedure manual, which includes procurement
standards and details the federal regulations concerning procurement and subcontractors.
The procedures manual offers procurement guidelines and a checklist should they need to
solicit bids for contractual services. Only certified buyers within the Purchasing Department
are authorized to initiate the solicitation of bids. The manual also discusses the issues of
debarment and suspension. All consultants/contractors are given a debarment and suspension
certification form to sign certifying they have not been debarred.
Internal Control Questionnaire (ICQ)
Purpose: A detailed questionnaire of various systems that provides an understanding
of internal controls, record keeping and reporting. This document can be used to
review the strength of internal controls, develop audit tests, policies and procedures.
How Done? Complete at least one question per control identified
YES NO
1. When making purchases, do you check the System For Award
Management (SAM) to ensure that vendors are not suspended
and/or debarred? If no, please explain_______________________ X
ICQ for Procurement
Control (Strong): All vendors, prior to issuing a purchase order, are reviewed in
SAM.gov to ensure that they are not suspended and debarred. A
dated print out of the results is placed in the procurement and
grant file.
Responsible
Party
ICQ – Inventory
YES NO 1. Do your written inventory policies include
reference to 2 CFR §200.313(d)(12) specifying
that a physical inventory is required every two
years?
If NO, please explain_______________________
2. Is the person receiving your inventory the
same person responsible for remitting
payment?
If NO, please explain______________________
3. Is there a mechanism in place to identify grant
assets?
If NO, please explain_______________________
Accounting Agency
Property
Control Comments
1. Who is responsible for ordering equipment?
2. Who reconciles ordered equipment to delivery?
3. Who is responsible for maintaining grant
equipment?
4. Who pays for equipment?
5. Who conducts inventory?
ICQ – Inventory
Segregation of Duties
Procurement ~ Documentation ~ Inventory ~ Allowability
Legal ~ Human Resources ~ Internal Audit ~ Purchasing ~ Finance
Procurement 200.113 - Mandatory
Disclosure: Requires
disclosure, in writing, of
any violations of Federal
criminal law involving
fraud, bribery, or gratuity
violations affecting the
Federal award.
1. The City of Tampa has a Code of Ethics Complaint Form to report alleged violations to be reviewed by the Ethics Commission.
2. All lobbyists must register and sign in when conducting meetings. There is also a lobbyist annual expenditure report.
3. Internal Audit has an anonymous whistleblower program.
4. Employees must disclose non-City employment and private business.
*Consider adding
review of the
State's convicted
vendor list to
Purchasing
manual
*Formal bid
language may be
expanded
*Agreements may
be impacted.
Grant File Documentation * Accessible * Reference Contract *Checklist
Application
• Grant Research
• Grant Application Review
• Submitted Application
• Correspondence
Award
• Award Letter (Terms &
Conditions)
• City Council Resolution
• Executed Grant Agreement
& Amendments
• Sub-Recipient Awards
• Memorandum of
Understanding (MOU)
• Timeline
• Monitoring/Audit Reports
• Budget
• Financial & Programmatic
• Correspondence
• Close-Out
• SAM.gov
Grant File
• Procurement support
(SAM.gov, methodology)
• Inventory
• Personnel (time and
effort, job descriptions)
• Special Approval
• Payment support (canceled checks, invoices, purchase order)
• Allowable grant
checklist
• Investment Justification
• SEFA (current)
Consider…
• Issue Tracking
• Self Assessment
Grant File…Amendment Tracking
Start Date: 11/9/16 End Date: 5/31/18
Award Amount: $2,813,900
Modification to Increase: Amount$________ Date _____
Amount$________ Date _____
Modification to Decrease: Amount $2,629,100 Date 11/9/16 RESO#2018-154
Amount $________ Date ______ RESO _______
Modification of Dates: New Date 9/30/18 RESO#2017-63
(Extend/Shorten) New Date________ RESO#_______
*200.301 Performance Measurement
• Federal Agencies MUST include
performance goals aligned with program
goals in notice
• Entities MUST relate financial data to performance accomplishment
Goal = Increase On-Scene Security and Protection Capability
$170K purchase of Microwave Downlink System = 50% more coverage for surrounding counties due to shareable deployment
*1. Identify purchase needs (1 week)
2. Purchase equipment
Formal Bid
Draft generic RFQ (1 week)
Post Bid (3 weeks)
Tabulate and Award Bid (1 week)
Contract approval from State (2 weeks)
Contract to City Council (3 weeks)
Issue purchase order (1 week)
Receive and verify equipment (6 weeks)
Remit Payment (1 week)
3. Train on Equipment (1 week)
4. Deploy equipment in Field (1 week – ongoing)
The City of Tampa will use FY
2018 funding for CBRNE
equipment and training to
enhance on-scene security and
protection capabilities by
purchasing a microwave
downlink system for its
airborne unit to include
$160,000 and $10,000 in
related training.
Milestone #1: Purchase
equipment within 5 months,
December 2018.
Milestone #2: Deliver Training
to Aviation Unit by January
2019.
Milestone #3: Enhance the
region by cross training the
Aviation Team in Hillsborough
County.
Property & Equipment
A control system MUST be developed to ensure
adequate safeguards to prevent loss, damage,
or theft of property.
A physical inventory
of the property
MUST be taken and
the results
reconciled at least
once every two
years.
Inventory
What control is in place to ensure inventory is reconciled every 2 years?
• Schedule
• Year 1, Inventory, July 10, 2018
• Inventory List Generated (3 months, prior)
• Testing
• Results Reported by Fiscal Year End
City of Tampa
Yearly Inventory Report for Citrus County
UASI Grants (FY 2006 – 2016)
As of June 10, 2018
Summary:
We conducted our annual review of 100% of our assets as required by Florida Statutes 44 CFR
13.32(d)(2) for our UASI 2016 grant, contract 11-DS-A1-08-39-02-418. No discrepancies were
noted. The City’s system was updated to reflect current inventory date and missing descriptions.
Scope:
Total Assets Reviewed - 4 ($528,000)
Total Capital Assets Reviewed - 3 ($527,500)
Assets Located - 4 (100%)
Assets Disposed - 0
• Risk
• Lack of Documentation
• No evidence of inventory review or reconciliation to financial records
• Segregation of Duties
• Mitigation of Risk
• Review Equipment & Inventory Procedures
• Do they reference §200.313?
• Are disposal procedures clearly defined?
• Are police reports required for stolen or lost equipment?
• Do they specify a hierarchy of use?
• Do your policies reference Record Retention Standards §200.333?
• Do you have sub-recipients? Are you monitoring their inventory?
Accounting Agency
Property
Control Comments
1. Who is responsible for ordering equipment?
2. Who reconciles ordered equipment to delivery?
3. Who is responsible for maintaining grant equipment?
4. Who pays for equipment?
5. Who conducts inventory?
Inventory
Record Retention Standards
• Clarification – Files must be maintained for 3 years from the
date of FINAL Expenditure Report
[Timeline figure: Submit Final Report / Grant Closing Report, Clock Starts; Year 1, Year 2, Year 3; Litigation, Audit Started, Claim (Yes/No); Clock Re-Starts]
Standardized Supporting Documentation Contain the following elements…
• Consistent naming conventions
• Cross-Reference
• Uses page numbering and lettering
Step 1: Add a column for References
Step 2: Assign a letter to each reimbursement line
Standardized Supporting Documentation
Step 4: Prepare a memo that includes each referenced letter
Step 5: For each letter, list the categories below and include a page(s) number
reference. Place N/A for those items that are not applicable
• Check Number
• Invoice Number
• Environmental Historic Planning
approval
• Procurement Methodology:
Formal Bid
Competitive Bid
Sole Source
State Contract
• SAM.gov excluded party review
• Certification of Debarment
• Grant Asset Paperwork
• Explanation of Project/Updates
Standardized Supporting Documentation
Place the corresponding letter to reference your project in the right lower page.
Place the page number in the left lower page. Use the Number/Total pages format.
Timelines for Pre & Post Award
Page #   Date         Explanation
1        8/24/2016    Grant Agreement Received from Grantor
2        10/6/2016    RESO 2016-755: Agreement approved City Council
8        11/9/2016    Agreement Executed
9        1/26/2017    RESO 2017-63: Modification#1 to Extend
10       5/4/2017     Modification#1 to Extend Executed
11       8/3/2017     RESO 2017-631: Modification#2 to Decrease approved City Council
11       8/31/2017    Modification#2 to Decrease Executed
[Timeline graphic, Aug 2016 to Aug 2017: 8/24/16 Agreement Received; 10/6/16 Agreement RESO Approved; 11/9/16 Agreement Executed; 1/26/17 Modification#1 RESO Approved; 5/4/17 Modification#1 Executed; 8/31/17 Modification#2 Executed]
*Common UGG Findings
Photo by Julian Beever
1. Insufficient Documentation
• Written procedures
• No documentation
• Unaware of the REQUIRED written procedures 200.302, 200.305 and 200.318
2. Oversight
• Terms & Conditions not passed onto sub-recipients and no technical assistance provided
3. Improper Expenditures
• Allowable Cost (200.302)
The Best Defense is a Good Offense “Numbers don’t lie…and neither does good data and documentation”
Common UGG Findings continued….
4. Lack of Policy and Processes (82%)
• Conflict of Interest (200.318)
*
March is Purchasing Month - Purchasing Principles & Practices No. 8
In celebration of March as Purchasing Month - Purchasing Principles & Practices No.
8 - Invitation to Bid (ITB) vs. Request for Proposal (RFP)?
I need to make a purchase request. Which purchasing method is best suited for my
need? An ITB or a RFP?
Generally speaking, ITB’s are recommended when there is a well-defined, competitively
written specification for which there are several competitors in the marketplace who can
meet or exceed requirements. With all factors being equal, ITB’s are awarded to the
lowest responsive, responsible bidder.
* Citywide Periodic Updates
• Webinars
• FAQs on the top 10 FACTS about Homeland Security Grants
• Easy to Find Information
“there is no need in having a policy or procedure manual that no-one sees, reads
or understands”.
Current Grant Topics
*
The non-Federal entity or applicant for a Federal award must disclose,
in a timely manner, in writing to the Federal awarding agency or
pass-through entity all violations of Federal criminal law involving
fraud, bribery, or gratuity violations potentially affecting the
Federal award. Non-Federal entities that have received a Federal award
including the term and condition outlined in Appendix XII - Award
Term and Condition for Recipient Integrity and Performance Matters
are required to report certain civil, criminal, or administrative
proceedings to SAM. Failure to make required disclosures can
result in any of the remedies described in § 200.338 Remedies for
noncompliance, including suspension or debarment. (See also 2 CFR
part 180, 31 U.S.C. 3321, and 41 U.S.C. 2313.)
[ 80 FR 43308, July 22, 2015]
Recommendation #1: Include the complete citation for 2 CFR 113 in all grants,
cooperative agreements and other Federal assistance awards.
Recommendation #2: (as a best practice) Recipients notify the State OIG, prime recipient
(if pass-through) and cognizant Grant Officer of all violations.
Recommendation #3: Amend all active grants to include the Department’s revised
Standard Terms and Conditions.
FINDINGS: (excerpt source: OIG Report INV-15-02)
The recipient agrees to execute the work in accordance with the Notice of Award, the
approved application incorporated herein by reference or as attached, and 2 CFR Parts
200 and 600 including any subsequent revisions.
OIG’s assessment found that the mandatory disclosure provision in 2 CFR Section
200.113 is incorporated by reference into the award, when the recipient agrees to comply
with 2 CFR Part 200, among other terms. However, the specific requirement of 2 CFR
Section 200.113 is not expressly referred to or cited.
*Be Specific!
*The Data Accountability & Transparency (DATA) Act
Establishes government-wide financial data standards and increases the
availability, accuracy, and usefulness of Federal spending information
Conflict of Interest 200.112: Awarding Agency
MUST establish
Conflict of Interest policy
and Non-Federal entity
MUST disclose any potential
Conflicts of Interest
Best Practice • Need a process to ensure
that everyone understands
and is covered
• Self Reporting
• Ethics Hotline
• Anonymous
Conflict of Interest
• Have you selected a family
member or friend as a
supplier of goods and
services?
• What is the continuing
procedure to ensure
that an employee does
not have a conflict of
interest?
• Who reviews the
information provided
by the employee?
Conflict of Interest
200.318:
MUST
document
what remedy
will be used
if COI is
violated
BEST PRACTICE: “Written procedures such as required per 2
C.F.R. Part 200.318 should not be a
reiteration of the federal requirements or
policies or goals. Rather, procedures are the
step by step process that is used to obtain the
goal or the steps that are necessary to be in
compliance with the federal requirement.” Source: WI Dept of Public Instruction
Sub-Recipient Review & Monitoring
§ 200.205 Risk Assessment REQUIRED PRIOR to awarding Funds
• Review of Audit Reports and Findings
• Quality of management systems and management standards
• Financial Stability
• Performance history review
2 CFR §200.331 – Ongoing Monitoring is REQUIRED (risk based)
• Debarred or Suspended?
• SAM.gov current
• Do you pass through these requirements to your sub-recipients and vendors? If so,
• Audited? If so, what are the results?
• Agency Audits
• Single Audit (last 3 years including most current copy). Has any federal award been terminated or canceled?
• Do you have audit findings? If so, how resolved and what controls are in place to mitigate the risk?
• Do your policies and procedures address procurement, equipment, cash management, conflict of interest, allowability of cost?
• How is training being conducted to ensure compliance?
• What federal funds have you had within X number of years?
• What is the rate you are spending down funding?
• How many extensions have you filed for?
Timely Spending of Grant Funding
Compare and Contrast…
[Percentage (%) of Expended] -vs- [Percentage (%) of Days in the Grant]
Example:
The City of Tampa was awarded a $2,850,000, 3-Year UASI Grant executed
9/30/17 and closing 9/30/2020. Quarterly expenditure reports as of June 30, 2018
indicate reimbursements of $360,000.
As of July 10, 2018, we have 76% more time before closure and have expended
12% of the funding.
3/31/18: 4%
6/30/18: 12%
3/31/19: Pending
Structure: Sub-Recipient of SAA, sub-granting equipment to various agencies
Purchasing RISKS
• High A-133 Audit Risk
• Fraud
• Insufficient Documentation
C1
Control 1 (Strong)
• A. Centralized purchasing
• B. Professional Buyers
• C. Current Training
• D. Policies & Procedures Updated
A. Agencies, who may have less stringent rules or inconsistent practices, are not allowed to make
purchases, even via P-Card.
B. All buyers are certified via the industry’s standard CRBB.
C. Education is current through FEMA purchasing trainings and webinars on current grants
D. Purchasing policies have been reviewed and updated, as of 6/2018, to include references to:
• New thresholds
• Requirement for SAM.gov
• Pre-approvals
• Other items listed in the list….Cite purchasing references
Receive Equipment C2
RISKS
• Lost or missing equipment
• Fraud – personal enrichment
• Improperly identifying equipment
Control 2 (Strong)
• A. Segregation of duties
• B. Delivered to a secure location
• C. Equipment reconciled to purchase order
• D. Equipment is tagged
• E. Chain of Custody is documented
A. The purchaser cannot be the receiver or verifier of equipment; that function belongs to independent
property control
B. All purchase orders specify delivery to the Property Room; exceptions made for large items (e.g. vehicles)
C. Equipment is inspected for completeness and accuracy upon receipt by comparing to the purchase order,
which specifies ‘no partial shipments’.
D. All grant equipment, no matter what the threshold (e.g. Microcomputers)
E. The equipment chain of custody is documented from receipt to delivery and requires sign-off for transfer
Inventory Equipment C3
RISKS
• Lost, stolen or missing equipment
• Misuse of equipment
• Replacement cost
• Missed or untimely inventory
• Personnel turnover
Control 3 (Medium)
• A. Yearly inventory
A. A yearly inventory (requirement is bi-annually) is conducted per City of Tampa rules.
• Inventory sample requires a time and date stamped photo of equipment (in addition to physical
verification by agency)
• Request agency’s inventory
• City of Tampa Inventory Schedule 6/18 6/19 6/20
• Hillsborough County (2 years) 3/18 3/20
• Pinellas County (18 months) 3/18 9/19
• Pasco County (yearly) 1/18 1/19 1/20
• Request disposition status (testing shows that new personnel may be unfamiliar with grant equipment
procedures)
Suggestion: Take photos of all equipment up-front and
maintain in grant file.
Purchasing C1 (Strong) + Receive Equipment C2 (Strong) + Inventory Equipment C3 (Medium) = Overall Strong
Testing: Self Assessment by sample testing throughout the
year based on agency’s inventory.
To Help Mitigate Risks
Reminder of the consequences of non-compliance
(see next slide) which should be documented in
participating agreement.
Require compliance to be a part of the UAWG
* (11) REMEDIES.
If an Event of Default occurs, then the Division shall,
after thirty calendar days written notice to the Recipient and upon the Recipient's
failure to cure within those thirty days, exercise any one or more of the following
remedies, either concurrently or consecutively:
(a) Terminate this Agreement, provided that the
Recipient is given at least thirty days prior written notice of the termination. The
notice shall be effective when placed in the United States, first class mail, postage
prepaid, by registered or certified mail-return receipt requested, to the address in
paragraph (13) herein;
(b) Begin an appropriate legal or equitable action to
enforce performance of this Agreement;
(c) Withhold or suspend payment of all or any part of a
request for payment;
(d) Require that the Recipient refund to the Division
any monies used for ineligible purposes under the laws, rules and regulations
governing the use of these funds.
(e) Exercise any corrective or remedial actions, to include but not be limited to:
1. Request additional information from the Recipient to determine the reasons for or
the extent of non-compliance or lack of performance,
2. Issue a written warning to advise that more serious measures may be taken if the
situation is not corrected,
3. Advise the Recipient to suspend, discontinue or refrain from incurring costs for any
activities in question or
4. Require the Recipient to reimburse the Division for the amount of costs incurred for
any items determined to be ineligible;
(f) Exercise any other rights or remedies which may be
available under law.
Remedies
• Termination
• Suspend Payment
• Legal Action
• Require refunds