As our government clients work to safeguard grants and comply with Office of Management and Budget (OMB) requirements, strategic planning for internal controls is critical.

Governments rely heavily on federal, state, local, and private entity grant funds. As such, a robust internal control framework can help to ensure that:

  • Resources are utilized effectively and efficiently
  • Resource utilization is compliant with applicable laws and regulations
  • Assets purchased or developed using grant funding are properly safeguarded
  • Financial and other types of reporting required by these grants is performed in a timely and accurate manner

Failure to comply with OMB requirements is common for a variety of reasons. However, the problem typically stems from a lack of communication or understanding of internal controls or compliance requirements.

Below, we’ve summarized comprehensive General Finance Office Association (GFOA) guidance on the 5 key components of internal controls for grants: [1]

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Control monitoring

Control Environment

A control environment is a set of processes that establish a foundation for how activities should be executed. With regard to grants, the control environment should:

  • Provide staff with authority and responsibility for specific tasks associated with the grant
  • Hold staff accountable for their tasks
  • Alert agencies when policy decisions concerning grants are made to ensure consistency and adherence to strategic planning goals
  • Ensure the staff managing a specific area of the grant process (programming, budgeting, accounting, etc.) is properly trained, knowledgeable, and competent
  • For larger organizations, establish cross-functional teams when entity-wide grant management comes into play

Risk Assessment

For purposes of internal controls for grants, a risk assessment should establish an iterative process that identifies and assesses risks specifically pertaining to achieving the desired outcomes of the grant.

GFOA suggests the following steps for any grant-related risk assessment:

  • Document the risk assessment process for grant management
  • Incorporate a dynamic and comprehensive internal control questionnaire to facilitate the risk analysis
  • Consider the level of program risk when designing controls and control activities
  • Perform a cost/benefit analysis prior to installing a new control activity
  • Consider the possibility of fraud within the grants management process
  • Assess any changes within the following environments related to grants management:
    • Regulatory
    • Technological
    • Personnel
    • Operations

Control Activities

Control activities should minimize grant management risk and maximize the likelihood the desired outcomes of a grant can be achieved. GFOA recommends that control activities include the following:

  • Document both government-wide and individual grant policies and procedures
  • Establish a process for updating policies and procedures over time
  • Ensure staff handling grants understand federal, state, and local laws and regulations as well as specific requirements of the grant itself
  • Design control activities to check the reliability of information provided by third parties (e.g., contractors, sub-recipients, beneficiaries, etc.)
  • Develop comprehensive information technology policies and procedures and then review on an ongoing basis
  • Deploy financial management systems to support compliance with grant-related legal and regulatory requirements in accordance with federal and state standards
  • With regard to procurement, utilize debarment lists to review contractors and implement federal and state standards, as necessary

Information and Communication

Processes to provide, share, and obtain information should be established to:

  • Document the purpose of each grant plus the government’s responsibilities in a manner that is accessible to stakeholders
  • Include the following for each grant:
    • Source (federal, state, local, and private entity)
    • Timing
    • Reporting requirements
    • Specialized administration, when necessary
  • Establish and document processes that ensure:
    • Ongoing communication with grantors, pass-through organizations, contractors, sub-recipients, etc.
    • Ongoing dialogue with financial statement, single audit, and program auditors re: grant reporting and compliance
    • Contractors understand grant requirements
    • Reliable information supports all decision-making related to grants


Periodically, grant recipients should perform evaluations to ensure various internal controls are properly functioning.

Any identified control deficiencies should be communicated to the appropriate parties (e.g. senior management, elected officials, etc.) so that a timely corrective action can be developed and implemented.

Specific suggestions from the GFOA include:

  • Perform an annual periodic review of the overall risk assessment process
  • Develop a process to review programmatic control activities related to compliance. GFOA recommends this be done on a weekly (or even daily) basis
  • In corrective action plans, the following should be documented:
  • Specific control deficiencies
  • Responsible parties
  • Timeline

Take a Proactive Approach to Internal Controls

Properly establishing internal controls for grants can save headaches and prevent serious financial consequences for governmental funding. By proactively deploying a well-structured internal control process, you can promote accountability and awareness that can minimize risk to your organization.

Although creating a robust internal control environment requires training, time, and effort, our team can simplify and streamline the process. Contact us today for a complimentary consultation.

[1] The complete list of Best Practices for Grants Administration from the GFOA can be found here.