Deirdre Joseph, MBA, CGMS

Six days after a ransomware cyberattack, Atlanta

officials are filling out forms by hand.

March 28, 2018 - CNN

City of Atlanta paid 8 firms $2.7M to combat

ransomware attack April 24, 2018 – Atlanta Business Chronicle

Atlanta's computer network hit with cyberattack demanding ransom for access to

files. March 22, 2018 - ABC Action News

“Employees were handed instructions to not turn on

computers or log into workstations” March 23, 2018 - Atlanta Journal Constitution

Cyber Security IJ Required ~ § 200.303 PII ~ RISK

Global Ransomware Damage Costs Predicted to

Exceed $5 Billion in 2017

Audit Found “…papers not available to audit staff”

RECOMMENDATIONS

• Identify

requirements

• Document

• Implement

• Disseminate

• Test

*§200.331(b) Pass-through entities are required to

evaluate sub recipient's risk of noncompliance

with Federal statutes, regulations and terms and

conditions of sub award.

How?

When?

Where do I start?

What does that look like?

*Internal Controls

*Documentation Methods for Internal Control

*Flowcharting

*Narrative (with internal control compliance)

*Internal Control Questionnaires

*Crosswalk

*Documentation Tips and Best Practices

*Current Grant ‘Hot Topics’

*Example/Walkthrough of Documenting Internal Controls

GOALS

Documentation Strong

Internal

Controls

+

Flowchart

Internal

Control

Questionnaire

Narrative

Successful Grants Management requires…

Timeline

Checklist Crosswalk

Logic Models

Diagram Decision Trees

+

Communication & Training

*Internal Controls

Detective Preventive

A process designed to provide

‘reasonable assurance’

regarding the achievement of

objectives for categories.

*Internal Controls

Sources for Internal Controls

* The Green Book

* “Internal Control Framework” by COSO

* Appendix XI, Compliance Supplement

Desk Reviews

On-Site

Technical Assistance

Trainings

Audit

Additional Terms

High Risk, More Testing , < Reliance

Strong Internal Controls = Low Risk, Less Testing, > Reliance

Weak Internal Controls =

Flowcharting

Start/End

Manual

Process

Automated

Process

Document

Control

Connector

Decision

Request

Purchase

Budget

Purchase

Equipment Control

2

Control

1

Control 1:

• Purchase request are

accompanied by approved

budget

• Control is that budget is

reviewed and approved

by City Council as

evidenced by resolution

• Only authorized

persons may make

request

Consideration

• Is this request supported by

an investment justification?

• RISK – denied cost due

to not following grant

requirements

Procurement, Suspension, Debarment Controls:

(1) The City of Tampa has a written procurement policy that includes federal requirements.

(2) All contracts are reviewed and approved by Legal prior to execution and include

current suspension and debarment certifications.

(3) Employees must sign a Conflict of Interest statement affirming that the vendors used are

not related parties.

(4) The City of Tampa checks (and prints out) the government website listing SAM.gov and

FAPIIS to ensure that none of their current contractors are included on the list.

Process:

Each grant employee receives a operating procedure manual, which includes procurement

standards and details the federal regulations concerning procurement and subcontractors.

The procedures manual offers procurement guidelines and checklist should they need to

solicit bids for contractual services. Only certified buyers within the Purchasing Department

are authorized to initiate the solicitation of bids. The manual also discusses the issues of

debarment and suspension. All consultants/contractors are given debarment and suspension

certification form to sign certifying they have not been debarred.

*

Purpose: A detailed questionnaire of various systems

that provides an understanding of internal controls,

record keeping and reporting. This document can be

used to review the strength of internal controls,

develop audit test, policies and procedures.

How Done? Complete at least one question per control

identified

Internal Control Questionnaire (ICQ)

Purpose: A detailed questionnaire of various systems that provides an understanding

of internal controls, record keeping and reporting. This document can be used to

review the strength of internal controls, develop audit test, policies and procedures.

How Done? Complete at least one question per control identified

YES NO

1. When making purchases, do you check the System For Award

Management (SAM) to ensure that vendors are not suspended

and/or debarred. If no, please explain_______________________ X

ICQ for Procurement

Control (Strong): All vendors, prior to issuing a purchase order, are reviewed in

SAM.gov to ensure that they are not suspended and debarred. A

dated print out of the results is placed in the procurement and

grant file.

Responsible

Party

ICQ – Inventory

YES NO 1. Do your written inventory policies include

reference to 2 CFR §200.313(d)(12) specifying

that a physical inventory is required every two

years?

If NO, please explain_______________________

2. Is the person receiving your inventory the

same person responsible for remitting

payment?

If NO, please explain______________________

3. Is there a mechanism in place to identify grant

assets?

If NO, please explain_______________________

Accounting Agency

Property

Control Comments

1. Who is responsible for ordering equipment?

2. Who reconciles ordered equipment to delivery?

3. Who is responsible for maintaining grant

equipment?

4. Who pays for equipment?

5. Who conducts inventory?

ICQ – Inventory

Segregation of Duties

Procurement ~ Documentation ~ Inventory ~ Allowability

Legal ~ Human Resources ~ Internal Audit ~ Purchasing ~ Finance

Procurement 200.113 - Mandatory

Disclosure: Requires

disclosure, in writing, of

any violations of Federal

criminal law involving

fraud, bribery, or gratuity

violations affecting the

Federal award.

1. The City of Tampa has a Code of

Ethics Complaint Form to report alleged

violations to be reviewed by the Ethics

Commission. 2. All Lobbyist must

register and Sign-In when conducting

meetings. There is also a lobbyist annual

expenditure report. 3. Internal Audit has

an anonymous whistleblower program. 4.

Employees must disclose non-City

employment and private business.

*Consider adding

review of the

State's convicted

vendor list to

Purchasing

manual

*Formal bid

language may be

expanded

*Agreements may

be impacted.

Grant File Documentation * Accessible * Reference Contract *Checklist

Application

• Grant Research

• Grant Application Review

• Submitted Application

• Correspondence

Award

• Award Letter (Terms &

Conditions)

• City Council Resolution

• Executed Grant Agreement

& Amendments

• Sub-Recipient Awards

• Memorandum of

Understanding (MOU)

• Timeline

• Monitoring/Audit Reports

• Budget

• Financial & Programmatic

• Correspondence

• Close-Out

• SAM.gov

Grant File

• Procurement support

(SAM.gov, methodology)

• Inventory

• Personnel (time and

effort, job descriptions)

• Special Approval

• Payment support

(canceled checks,

invoices, purchase order

• Allowable grant

checklist

• Investment Justification

• SEFA (current)

Consider…

• Issue Tracking

• Self Assessment

Grant File…Amendment Tracking

Start Date: 11/9/16 End Date: 5/31/18

Award Amount: $2,813,900

Modification to Increase: Amount$________ Date _____

Amount$________ Date _____

Modification to Decrease: Amount $2,629,100 Date 11/9/16 RESO#2018-154

Amount $________ Date ______ RESO _______

Modification of Dates: New Date 9/30/18 RESO#2017-63

(Extend/Shorten) New Date________ RESO#_______

*200.301 Performance Measurement

• Federal Agencies MUST include

performance goals aligned with program

goals in notice

• Entities MUST relate financial data to performance accomplishment

Goal = Increase On-

Scene Security and

Protection Capability

$170K purchase of

Microwave Downlink

System

50% more

coverage for

surrounding

counties due to

shareable

deployment

=

*1. Identify purchase needs (1 week)

2. Purchase equipment

Formal Bid

Draft generic RFQ (1 week)

Post Bid (3 weeks)

Tabulate and Award Bid (1 week)

Contract approval from State (2 weeks)

Contract to City Council (3 weeks)

Issue purchase order (1 week)

Receive and verify equipment (6 weeks)

Remit Payment (1 week)

3. Train on Equipment (1 week)

4. Deploy equipment in Field (1 week – ongoing)

The City of Tampa will use FY

2018 funding for CBRNE

equipment and training to

enhance on-scene security and

protection capabilities by

purchasing a microwave

downlink system for its

airborne unit to include

$160,000 and $10,000 in

related training.

Milestone #1: Purchase

equipment within 5 months,

December 2018.

Milestone #2: Deliver Training

to Aviation Unit by January

2019.

Milestone #3: Enhance the

region by cross training the

Aviation Team in Hillsborough

County.

Property & Equipment

A control system MUST be developed to ensure

adequate safeguards to prevent loss, damage,

or theft of property.

A physical inventory

of the property

MUST be taken and

the results

reconciled at least

once every two

years.

Inventory What control is in place to ensure inventory is reconciled every 2 years

• Schedule

• Year 1, Inventory, July 10, 2018

• Inventory List Generated (3 months, prior)

• Testing

• Results Reported by Fiscal Year End

City of Tampa

Yearly Inventory Report for Citrus County

UASI Grants (FY 2006 – 2016)

As of June 10, 2018

Summary:

We conducted our annual review of 100% of our assets as required by Florida Statutes 44 CFR

13.32(d)(2) for our UASI 2016 grant, contract 11-DS-A1-08-39-02-418. No discrepancies were

noted. The City’s system was updated to reflect current inventory date and missing descriptions.

Scope:

Total Assets Reviewed - 4 ($528,000)

Total Capital Assets Reviewed - 3 ($527,500)

Assets Located - 4 (100%)

Assets Disposed - 0

• Risk

• Lack of Documentation

• No evidence of inventory review or reconciliation to financial records

• Segregation of Duties

• Mitigation of Risk

• Review Equipment & Inventory Procedures

• Do they reference §200.313?

• Are disposals procedures clearly defined?

• Are police reports required for stolen or lost equipment?

• Do they specify a hierarchy of use?

• Do your policies reference Record Retention Standards §200.333?

• Do you have sub-recipients? Are you monitoring their inventory?

Accounting Agency

Property

Control Comments

1. Who is responsible for ordering equipment?

2. Who reconciles ordered equipment to delivery?

3. Who is responsible for maintaining grant equipment?

4. Who pays for equipment?

5. Who conducts inventory?

Inventory

Record Retention Standards

• Clarification – Files must be maintained for 3 years from the

date of FINAL Expenditure Report

Submit Final

Report Clock Starts

Grant Closing

Report

Year 1

Year 2

Year 3

Litigation

Audit Started

Claim

Yes No

X

X

X

Clock Re-Starts

Standardized Supporting Documentation Contain the following elements…

• Consistent naming conventions

• Cross-Reference

• Uses page numbering and lettering

Step 1:

Add a column

for References

Step 2:

Assign a letter

to each

reimbursement

line

Standardized Supporting Documentation Step 4:

Prepare a memo that includes each

referenced letter

Step 5: For each letter, list the categories

below and include a page(s) number

reference. Place a N/A for those items that

are not applicable

• Check Number

• Invoice Number

• Environmental Historic Planning

approval

• Procurement Methodology:

Formal Bid

Competitive Bid

Sole Source

State Contract

• SAM.gov excluded party review

• Certification of Debarment

• Grant Asset Paperwork

• Explanation of Project/Updates

Standardized Supporting Documentation

Place the

corresponding letter

to reference your

project in the right

lower page.

Place the page

number in the left

lower page. Use

the

Number/Total

pages format.

Timelines for Pre & Post Award Page # Date Explanation .

1 8/24/2016 Grant Agreement Received from Grantor

2 10/6/2016 RESO 2016-755: Agreement approved City Council

8 11/9/2016 Agreement Executed

9 1/26/2017 RESO 2017-63: Modification#1 to Extend

10 5/4/2017 Modification#1 to Extend Executed

11 8/3/2017 RESO 2017-631: Modification#2 to Decrease approved City Council

11 8/31/2017 Modification#2 to Decrease Executed

Aug 2016 Oct 2016 Nov 2016 Jan 2017 May 2017 Aug 2017

8/24/16

Agreement

Received

10/6/16

Agreement

RESO

Approved

11/9/16

Agreement

Executed

5/4/17

Modification#1

Executed

1/26/17

Modification#1

RESO

Approved

8/31/17

Modification#2

Executed

8/31/17

Modification#2

Executed

*Common UGG Findings

Photo by Julian Beever

1. Insufficient Documentation

• Written procedures

• No documentation

• Unaware of the

REQUIRED written

procedures 200.302,

200.305 and 200.318

2. Oversight

• Terms & Conditions

not passed onto sub-

recipients and no

technical assistance

provided

3. Improper Expenditures

• Allowable Cost (200.302)

The Best Defense is a Good Offense “Numbers don’t lie…and neither does good data and documentation”

Common UGG Findings continued….

4. Lack of Policy and Processes

( 82%)

• Conflict of Interest (200.318)

*

March is Purchasing Month - Purchasing Principles & Practices No. 8

In celebration of March as Purchasing Month - Purchasing Principles & Practices No.

8 - Invitation to Bid (ITB) vs. Request for Proposal (RFP)?

I need to make a purchase request. Which purchasing method is best suited for my

need? An ITB or a RFP?

Generally speaking, ITB’s are recommended when there is a well-defined, competitively

written specification for which there are several competitors in the marketplace who can

meet or exceed requirements. With all factors being equal, ITB’s are awarded to the

lowest responsive, responsible bidder.

* Citywide Periodic Updates

• Webinars

• FAQs on the top 10 FACTS about Homeland Security Grants

• Easy to Find Information

“there is no need in having a policy or procedure manual that no-one sees, reads

or understands”.

Current Grant Topics

*

The non-Federal entity or applicant for a Federal award must disclose,

in a timely manner, in writing to the Federal awarding agency or

pass-through entity all violations of Federal criminal law involving

fraud, bribery, or gratuity violations potentially affecting the

Federal award. Non-Federal entities that have received a Federal award

including the term and condition outlined in Appendix XII - Award

Term and Condition for Recipient Integrity and Performance Matters

are required to report certain civil, criminal, or administrative

proceedings to SAM. Failure to make required disclosures can

result in any of the remedies described in § 200.338 Remedies for

noncompliance, including suspension or debarment. (See also 2 CFR

part 180, 31 31 U.S.C. 3321, and 41 U.S.C. 2313.)

[ 80 FR 43308, July 22, 2015]

Recommendation #1: Include the complete citation for 2 CFR 113 in all grants,

cooperative agreement and other Federal assistance awards.

Recommendation #2: (as a best practice) Recipient notify the State OIG, prime recipient

(if pass-through) and cognizant Grant Officer, all violations

Recommendation #3: Amend all active grants to include the Department’s revised

Standard Terms and Conditions.

FINDINGS: (excerpt source: OIG Report INV-15-02)

The recipient agrees to execute the work in accordance with the Notice of Award, the

approved application incorporated herein by reference or as attached, and 2 CFR Parts

200 and 600 including any subsequent revisions.

OIG’s assessment found that the mandatory disclosure provision in 2 CFR Section

200.113 is incorporated by reference into the award, when the recipient agrees to comply

with 2 CFR Part 200, among other terms. However, the specific requirement of 2 CFR

Section 200.113 is not expressly referred to or cited.

*Be Specific!

*The Data Accountability & Transparency

(DATA)Act

Establishes government-wide financial data standards and increase the

availability, accuracy, and usefulness of Federal spending information

Conflict of Interest 200.112: Awarding Agency

MUST establish

Conflict of Interest policy

and Non-Federal entity

MUST disclose any potential

Conflicts of Interest

Best Practice • Need a process to ensure

that everyone understands

and is covered

• Self Reporting

• Ethics Hotline

• Anonymous

Conflict of Interest

• Have you selected a family

member or friend as a

supplier of goods and

services?

• What is the continuing

procedure to ensure

that an employee does

not have a conflict of

interest?

• Who reviews the

information provided

by the employee?

Conflict of Interest

200.318:

MUST

document

what remedy

will be used

if COI is

violated

BEST PRACTICE: “Written procedures such as required per 2

C.F.R. Part 200.318 should not be a

reiteration of the federal requirements or

policies or goals. Rather, procedures are the

step by step process that is used to obtain the

goal or the steps that are necessary to be in

compliance with the federal requirement.” Source: WI Debt of Public Instruction

Sub-Recipient Review & Monitoring § 200.205 Risk Assessment REQUIRED PRIOR to awarding Funds

• Review of Audit Reports and Findings

• Quality of management systems and management standards

• Financial Stability

• Performance history review

2 CFR §200.331 – Ongoing Monitoring is REQUIRED (risk based)

• Debarred or Suspended? • SAM.gov current

• Do you pass through these requirements to your sub-recipients and vendors? If so,

• Audited? If so, what are the results? • Agency Audits

• Single Audit (last 3 years including most current copy). Has any federal award been terminated or canceled?

• Do you have audit findings? If so, how resolved and what controls are in place to mitigate the risk

• Do your policies and procedures address procurement,

equipment, cash management, conflict of interest, allowability

of cost? • How is training being conducted to ensure compliance?

• What federal funds have you had within X number of years? • What is the rate your are spending down funding?

• How many extensions have you filed for?

Timely Spending of Grant Funding

Compare and Contrast…

[Percentage (%) of Expended] -vs- [Percentage (%) of Days in the Grant]

Example:

The City of Tampa was awarded a $2,850,000, 3-Year UASI Grant executed

9/30/17 and closing 9/30/2020. Quarterly expenditure reports as of June 30, 2018

indicate reimbursements of $360,000.

As of July 10, 2018, we have 76% more time before closure and have expended

12% of the funding.

3/31/18

4%

6/30/18

12%

3/31/19

Pending

Structure: Sub-Recipient of SAA, sub-granting equipment to various agencies

Purchasing RISKS

• High A-133 Audit Risk

• Fraud

• Insufficient Documentation

C1

Control 1 (Strong)

• A. Centralized purchasing

• B. Professional Buyers

• C. Current Training

• D. Policies & Procedures Updated

A. Agencies, who may have less stringent rules or inconsistent practices, are not allowed to make

purchases, even via P-Card.

B. All buyers are certified via the industry’s standard CRBB.

C. Education is current through FEMA purchasing trainings and webinars on current grants

D. Purchasing policies have been reviewed and updated, as of 6/2018, to include references to:

• New thresholds

• Requirement for SAM.gov

• Pre-approvals

• Other items listed in the list….Cite purchasing references

Receive

Equipment C2

RISKS

• Lost or missing equipment

• Fraud – personal enrichment

• Improperly identifying equipment Control 2 (Strong)

• A. Segregation of duties

• B. Delivered to a secure location

• C. Equipment reconciled to purchase order

• D. Equipment is tagged

• E. Chain of Custody is documented

A. The purchaser cannot be the receiver or verifier of equipment; that function belongs to independent

property control

B. All purchase order specify delivery to the Property Room; exceptions made for large items (e.g. vehicles)

C. Equipment is inspected for completeness and accuracy upon receipt by comparing to the purchase order,

which specify ‘no partial shipments’.

D. All grant equipment, no matter what the threshold (e.g. Microcomputers)

E. The equipment chain of custody is documented from receipt to delivery and requires sign-off for transfer

Inventory

Equipment C3

RISKS

• Lost, stolen or missing equipment

• Misuse of equipment

• Replacement cost

• Missed or untimely inventory

• Personnel turnover

Control 3 (Medium)

• A. Yearly inventory

A. A yearly inventory (requirement is bi-annually) is conducted per City of Tampa rules.

• Inventory sample requires a time and date stamped photo of equipment (in addition to physical

verification by agency)

• Request agency’s inventory

• City of Tampa Inventory Schedule 6/18 6/19 6/20

• Hillsborough County (2 years) 3/18 3/20

• Pinellas County (18 months) 3/18 9/19

• Pasco County (yearly) 1/18 1/19 1/20

• Request disposition status (testing shows that new personnel may be unfamiliar with grant equipment

procedures)

Suggestion: Take photos of all equipment up-front and

maintain in grant file.

Purchasing C1

Inventory

Equipment C3

Receive

Equipment C2

Strong + Strong + Medium = Overall Strong

Testing: Self Assessment by sample testing through-out the

year based on agency’s inventory.

To Help Mitigate Risks

Reminder of the consequences of non-compliance

(see next slide) which should be documented in

participating agreement.

Require compliance to be a part of the UAWG

* (11) REMEDIES.

If an Event of Default occurs, then the Division shall,

after thirty calendar days written notice to the Recipient and upon the Recipient's

failure to cure within those thirty days, exercise any one or more of the following

remedies, either concurrently or consecutively:

(a) Terminate this Agreement, provided that the

Recipient is given at least thirty days prior written notice of the termination. The

notice shall be effective when placed in the United States, first class mail, postage

prepaid, by registered or certified mail-return receipt requested, to the address in

paragraph (13) herein;

(b) Begin an appropriate legal or equitable action to

enforce performance of this Agreement;

(c) Withhold or suspend payment of all or any part of a

request for payment;

(d) Require that the Recipient refund to the Division

any monies used for ineligible purposes under the laws, rules and regulations

governing the use of these funds.

(e) Exercise any corrective or remedial actions, to include but not be limited to:

1. Request additional information from the Recipient to determine the reasons for or

the extent of non-compliance or lack of performance,

2. Issue a written warning to advise that more serious measures may be taken if the

situation is not corrected,

3. Advise the Recipient to suspend, discontinue or refrain from incurring costs for any

activities in question or

4. Require the Recipient to reimburse the Division for the amount of costs incurred for

any items determined to be ineligible;

(f) Exercise any other rights or remedies which may be

available under law.

Remedies

• Termination

• Suspend

Payment

• Legal Action

• Require

refunds

Questions?