Video: The Seven Components of Internal Controls in Grants Management | Duration: 3444s | Summary: The Seven Components of Internal Controls in Grants Management | Chapters: Welcome and Housekeeping (6.56s), Internal Controls Overview (116.11s), Internal Controls & Compliance (650.98s), COSO Framework Explained (695.93s), Culture of Compliance (850.895s), Common Compliance Challenges (2021.31s), Written Procedures & Policies (2154.035s), Wrap-Up and Summary (2908.385s)
Transcript for "The Seven Components of Internal Controls in Grants Management": Hi, everyone, and welcome. My name is Caroline, and I'll be kicking things off today. Thank you for joining us for The Seven Components of Internal Controls in Grants Management. Before we dive in, let's quickly cover a few housekeeping details. For engagement tools, on the right-hand side of your screen, you'll see the control panel with chat, docs, polls, and Q&A. These are your tools to interact with us throughout the session. In the docs tab, you can download today's webinar. We'll also send you an email of today's webinar recording after the session. For polls, all poll questions will appear in the polls tab, which pops up in the control panel during the presentation. And each poll will stay open for a few minutes so you have time to respond. If you are looking to earn CPE credit, responding to the polls is required, and the polls tab will disappear once the polls close. For chat and Q&A, feel free to chat with us and other attendees during the webinar. If you have questions, submit them in the Q&A box in your control panel. We'll answer as many as we can during the session and at the end of the session. For any streaming issues, if you experience any streaming problems, just try refreshing your browser. This usually resolves the issue quickly. And then just to go over if you're a current customer and have a question about your software, we recommend using the chat or calling the support number provided here. And then just to go over again, CPE credit is available for this session. You must answer all three poll questions to receive CPE credit, and certificates will be sent out within two weeks of the webinar over email. If you have any questions or issues, please reply to the email or contact here. And with that, let's get started. I'm excited to hand things over to Rachel. Sorry. Just wanna make sure I was unmuted to do that before I put it on full screen. 
Hey, everybody. Nice to see you on this Wednesday. Might be morning, might be afternoon. So happy Wednesday. Happy hump day. As my daughter says, like, half the week is over, so there you go. So let's talk about internal controls because I get a lot of questions about grant management, internal controls, and what does it look like. And especially now that federal grants are going under much more scrutiny and there's a lot more focus on all of the things that can ensure compliance with the federal regulations and also just being mindful that things are changing. What can we do to at least stabilize our infrastructure, stabilize things within our own organization, our agency to ensure that we're doing our best to be a good steward of federal funds. So that's what we're gonna talk about today. I'm gonna go into some of the regulatory framework in two CFR 200. We're gonna talk about the seven components of internal controls, and then I'm gonna be here to answer questions. So I'm gonna leave time for that and also just to bring in some discussion questions to see how you all are feeling about internal controls. Okay. So with that, let's get started. So here's a little bit about me. So I'm based in the DC area. I have my own company, MyFedTrainer. We provide grant management training to entities all over the country, sometimes internationally, and what we really focus on is federal grant compliance. So I work with a lot of different entities, public agencies. I work with tribal nations, nonprofits. So we really try to support entities where they are and trying to understand the regulatory frameworks that govern all federal grant funding and also do compliance and pre award support through the consulting work at RBW Strategy. So that's a little bit about me, but let's get into it. Okay. So here's the core focus of what we're gonna talk about today. 
We're gonna have an overview of internal controls, how they relate to federal grants, then we're gonna go into the seven components, and we're going to talk about some of the policies and procedures and how they can become and how that you can use those to become more federally compliant and then just get into best practices. So let's start off with talking more about what are internal controls or what do they look like. So I think that a common misconception that a lot of people have is that internal controls are just policies. Internal controls are just, hey. We have these great policies and procedures in place, and so now we're good. Right? Well, no, because that is just one component of what that can do to really help support your grant ready organization. So here's more of a definition here. So to ensure compliance with all of your federal grants, and I would argue that this is a good best practice in all fiscal stewardship of all different kinds of funding, not just grants, but also different kinds of donor and corporate funding and all of those kinds of things. You must have the policies, processes, and procedures in place. Now these are the components of internal controls, but it goes beyond that. It goes into establishing an to have your organization have an appropriate and effective infrastructure for managing that. So it's about the culture of compliance. It's also putting procedures in place and training staff on what to do. It's also about understanding, you know, what procedures and the specific actions that need to take place and communicating potential risk. And also just the ongoing monitoring to ensure that you are continuing to be in compliance. So why are they important? 
And I I look at internal controls in most of grant management as a risk mitigation strategy, because we always need to ensure that we are reducing liability for our agencies, for our organizations, because we don't wanna be in situations where we could be in potentially risky situations of disallowed costs, of audit findings. So internal controls really establish a more pro it's a proactive measure to create this sort of working risk mitigation process. And having these seven components developed as as part of your infrastructure will help you establish a more robust framework. So in terms of the the risks that could take place, obviously, we know that working with subrecipients, working with contractors can create elevated risk. And and really when federal agencies and pass through entities I know that some of you are pass through entities that distribute funding to different subrecipients and contractors that you are thinking about this as well of how you can minimize risks and how you can be more proactive in supporting your different partners as well. So it's important to establish that understanding to know how it is part of the risk management structure and also how agencies are using that as a as a tool to determine whether you will be a good fiscal steward of funding. So in terms of the responsibilities, this is actually built into two CFR 200 section two zero six. So as I mentioned before, federal agencies look at risk. And so you don't wanna be considered a high risk recipient or a high risk pass through entity. So they want to have that understanding that when they provide funding to you, that that you're going to do what they expect, that you're going to do the goals and objectives that are outlined in your application, that you're gonna go off to the races and support your communities. So here are the things that they're looking for. These are the things that are really the framework for those internal controls. They're looking at financial stability. 
Are you able to have a budget that is reconciled and that that you have strong financials, that you're not in the red, and that you are doing a good job to ensure that you are maintaining strong financial controls. Also, your management system. So this goes beyond financial because it's also programmatic and thinking about your performance measures or operations and making those applicable updates that are needed based on any regulatory changes. Your history of performance. So looking back and seeing, okay, you know, if you have done this before with others, how have you performed? How have you performed in managing federal funds? And looking at previous audits, reports and findings to see if there's any tells there, whether you are actually doing a good job in managing those funds or if there have been any, weaknesses that were found or findings, and what did you do to address them in your corrective action plan, and also just how you're able to implement the program. So these are some of the ways that federal agencies look to see how you are going to manage those funds. And they look across all these different risks because risk are beyond just financial. They could be operational. They could be regulatory if you adhere to the compliance requirements, and they could be strategic, which is impacting your strategic goals and priorities. And the one that I think is kind of impacted by all the others is reputational. Because I look at it as reputational happens when there's a failure in one of these other areas, when there's a risk that came to fruition and it turned into a real crisis or issue. Because once you lose your reputation, once it's in The Washington Post, it's really difficult to get that back. So we obviously wanna avoid that. 
And I can tell you that I actually worked with an organization who was in The Washington Post, and that was that was not a good situation because it took them a really long time to get to a place where they were seen as having a positive role in the community. So let's talk about internal controls and COSO and how they work together, what's how they are linked. So internal controls is codified in section three zero three, and so it indicates that these are the requirements for any grant recipient or subrecipient. So you need to have the internal controls established as outlined by the Committee of Sponsoring Organizations or COSO. So I'm gonna go through that a little bit more. Obviously, complying with the different statutes such as the constitution and other federal regulations, overseeing subrecipients, taking prompt action when there is noncompliance and not pushing it under the rug. And this is a new one that was added, which is about cybersecurity because we now know that there's more focus on the use of different electronic and digital records and different documentation. So it's really important to have strong cybersecurity controls in place. I know that even sometimes our emails through MyFedTrainer can get stopped by a firewall, and that's a good thing because, you know, it means that you have a good cybersecurity system in place. So all of those things. So just to clarify what COSO is, is that COSO is a conglomerate, association of different auditors, accountants, different quality assurance specialists, risk management specialists who really are focused on and this is industry agnostic, which means that it covers all different areas, government, nonprofit, business. So this is what we see as the fundamental required controls that need to be in place that govern strong financial and operational strength for the organization. So if you don't have those, then that could be a problem. 
So that is where a lot of the requirements in two CFR come from is through that body. So here's the COSO Rubik's cube. So you can see that there's a bunch of different areas, and I I used to do this, Rubik's cube when I could come in person. But, it's really under it's really about how do these pieces fit together. So in the front, you see the different areas like the control environment, risk assessment, control activities, all of those different things are related to the specific actions that need to take place within an organization. Those are specific processes. And then on top, you have sort of the overarching areas, which are compliance, reporting, and, gosh, why am I having trouble seeing and operations. Sorry. So those are the three that cover all those different processes. And then on the side on the right, you see where it takes place within the organization. So, of course, it's gonna look different. Some entities have a very big organizational structure. I'm thinking universities, state, local government, and then some might be smaller if you work for a nonprofit, if you work for a tribal nation. It could be a little bit less of a deeper, sort of framework. So it really just depends, and it's not meant to be that prescriptive that you need to have all of these pieces. But it's just more about understanding how this is organized and it's gonna look different within your organization as opposed to somebody else's. So here's internal controls in real life, and these are actual scenarios. I'm sure that you've thought of this as well. So one of the things that you can think about, is conducting a go no go assessment when pursuing a grant opportunity. So you can think about how will it impact my organization, especially now with a lot of the eligibility requirements that are changing, a lot of the things that are being modified because of the recent federal updates. 
You know, there might be different calculus on deciding whether you're going to pursue a federal grant or maybe it's a renewal, whether you decide you're going to do the renewal. And then you could also think about it from a partnership perspective. Is this person gonna be a good partner? And how do we evaluate that partner? And how do we determine whether they're low risk or high risk? And also thinking about the different activities that will minimize the impact of potential disallowed costs and avoiding those kinds of situations because you have protective measures in place to avoid any of those negative, situations. And that all kind of leads to this culture of compliance. So I think internal controls and the culture of compliance like peas and carrots, you put them together and magic happens. So I think of the culture of compliance as the Kipling method. Who, what, when, where, why, how. So these are all the things that need to be in place to ensure that you have a grant ready organization that able to weather the storm depending on, you know, the type of situations that arise, but you have a framework in place and you're able to see things in advance and, and know how you can make changes and adapt as needed. So here's a breakdown of what that looks like. So the people that's the who, those are the ones who are actually doing the work. And so those are financial, operations, programmatic, your leadership, and other partners. So as I said, this is going to look different. So the things that are in here are going to be very different from what might be in your organization, but this is sort of generalized. You have your knowledge, which is the why, and that's two CFR 200. There could be state specific requirements. There could be other agency specific requirements. So all of those things is why you do the things you do because you have to adhere to those regulations and those standards. 
And then the policies are what you build out to show that, yes, we are following the protocols. Yes. We have a system in place. Yes. We can showcase that our internal controls are effective. And the processes are what. So that's the road map that allows you to see. Those are the organizational charts. Those are the different breakdown. It's because you have a policy, but then you have to show how you're going to do it. And then you have the maintenance of when that happens. During meetings, you might have a project management or grant management system that you're using and reporting. So all of those things to show that you are keeping track and making updates as needed and the systems so that you have, the systems in place that can ensure that you are actually making those updates. So there are three ways that you can build out a culture of compliance. So having policies that encourage ethical behavior and also that adhere to those regulations. So ensuring also that you have ongoing meetings so that you can keep tabs on any progress and any challenges that are happening. Because sometimes there could be a lack of communication between program and finance, and those can be seen as a little siloed. So it's important to just be aware, especially for reporting purposes because no funder wants to see that there's, an issue when a report comes out. They wanna know beforehand. And, also, this is something that I think takes time, but developing job descriptions where those internal control functions are actually incorporated in some way and that they align with the different processes that you have in place. So let's, launch the first poll here, and, let's see how what your thoughts are. So I'm curious what your thoughts are regarding the internal controls. Do you need some work? Do you feel like, yes, we have it, which would be awesome. But I have a feeling that that's not the case for all. So it seems like somewhat is the highest answer, which is good. 
It just means that there's room for improvement, but at least you have a baseline in there. So that's helpful. So at least you have something in there that you can work from. It's better to start from somewhere than starting from scratch. Okay. Great. Alright. So now we're gonna get into it. Let's talk about the seven components. Now we understand why we need to have them and why internal controls are important as part of your risk management strategy. Now we're actually gonna talk about the seven different components, sort of like the seven deadly sins, although these are good things because you wanna have these in place. So, let's talk about the seven main components of COSO. So this is what kind of governs these different components of that Rubik's cube, which I put in the corner here. So the first thing, I get this question a lot. I get this question about what is something that we can start doing right now to help our compliance. And I think the number one thing you can do is separation of duties because separation of duties ensures that you have a level of checks and balances. There's accountability, especially for key financial functions. So when you think about some of these different cases of waste and fraud that have been in the national headlines, there's a lot in there that we need to unpack about, okay, well, what exactly what how could have these been avoided? And the answer usually comes down to separation of duties. Because if you think about it, when there's accounting protocols or when there's somebody who's taking money from their their finance. They usually don't have another person to check and say, hey. What's happening here? How why did this not come to fruition? And so you need to have those separation of duties to ensure that there is an appropriate level of accountability. So for things like time and effort reporting, when somebody is signing off on a time sheet, it's not the person who actually did the work. 
So it's built into your processes and your policies. This is especially important for things like payroll, for things like, invoicing and working with different partners and looking at different reports and approving those reports. So there's a lot of different pieces there. So there has to be more than two people. And even in small organizations, there are ways that you can get through that. So let's also talk about policies and procedures. As I said, it's one of the seven, components of the internal controls, but it really outlines all the things that you're doing from an organizational perspective to ensure that you have a strong risk mitigation plan in place. And this is showing how you are being proactive in assuring that there is a strong internal control capacity within your organization. So this is just what demonstrates that. So it's not the be all, end all. You can't just show an auditor your policies and procedures and say, okay. We're done. There's more to it than that. So another component is documentation. Record keeping is so important because how can people see that what you actually did was, one, in compliance with two CFR 200, and two demonstrates that you followed the different rules within that adhere to your policies, but also within the program requirements. So it's important to keep those records, make them accessible to especially to those who are authorized to gain access to that information because you are required to maintain records for at least three years after the closeout of that award. And then similar to the separation of duties, there's authorization. So this is kind of built into that process. So in addition to having the separation of duties is somebody has to authorize and review those different types of, especially financial transactions, to ensure that they they adhere to what was outlined in the notice of grant award and also with what was approved for the budget. 
Because let's say that you're approving an invoice for one of your partners, and that invoice that they had was for $50,000, but they were only approved for $25,000. That's an issue, and that should be flagged. So that should not be signed off on. So it's important to have that a couple of people who are who are familiar with it to have the different levels and those to be codified within your organization or agency. And, also, continuing on, asset safeguarding. So there there's a lot of ways that you can use federal funds. So some of them are for equipment, for property. Also, you know, assets can also include things like financial assets as well. So that could be what you use in your own investments. It could be program income. It could also be cost share. So there has to be an appropriate level of, systems to ensure that they're safeguarding of all of that very important, either physical assets or it could be, financial assets. And then reconciliation. So this is what has to happen on an ongoing basis. So at least on a monthly basis to check to see, are we off track with our spending? Are we off track, or are there things that we need to discuss? Let's say that you're falling behind and you are not spending your funds in alignment with the work plan, that's a red flag because it shows that, okay, we're able to complete this work, but we don't have the funds to support it. So how does that show that we need federal funding? And then the opposite, if you're overspending, then you're not able to manage the budget. So it's okay to have some slight deviations. It's not supposed to be a 100%, but you have to do some budget amendments if there is a variance and there has to be a plan for how you're gonna reconcile that. And also monitoring. So this is critical for partner management, so it's important to oversee contractors and also subrecipient monitoring. So all of those pieces are what are what, the internal controls are comprised of. 
So let's go into them in more detail. So the first is segregation of duties. So it's important to have those adequate segregation or separation of duties. So if you think about it, one person is the custodian, so that's the person who's actually doing it. Record keeping, so that could be a custodian. It could be an authorizer. So if you're a small organization so let's say that, there's some kind of, like, financial protocols or financial approvals that need to be made. Even if you're a small nonprofit, you could have someone on the board. There could be a financial committee that's approving them. They could serve as the authorization. And you can demonstrate how this is segregated by things like report reviews, the different ways that assets are managed, and how they're with how they're organized and reviewed within your organization, and also the process for authorizing anything that is related to compensation or I'm I'm even thinking about if you have property, if the property needs to be sold or depreciation. So there has to be appropriate authorizations. So then we get into record keeping. So record keeping is important because, one, it is required per two CFR 200 section three three four, and it demonstrates you actually did the things that you said you were gonna do and that you actually put in your reports. So if you can't demonstrate that, then how is anybody going to believe that you actually did the work and that you can be a trusted partner? So it's important to keep those records. And what we mean by records, we mean financial records, we mean programmatic records, procurement records, anything that's related to the work to administer those grant awards. And so the general rule for, the record keeping is that they should be kept at least three years from the end of the closeout period. 
There could be some instances where if there's ongoing litigation, if you purchase property and that property has not been properly disposed of, or if there is a situation where the programmatic requirements state that you have to keep it longer than three years. But in general, it's three years. So you can see the SLFRF, the Coronavirus State and Local Fiscal Recovery Funds, require at least five years. So just keep that in mind because I know a lot of you have received funding through that source. So authorization. So it's important to have a clear understanding of the thresholds for expenditures, contracts, and budget modification. So this means that if there's any specific approvals that are needed, that you could have a different level of authorization because you might need three people for some kind of purchase that's above a certain dollar amount, and you can base it on the procurement thresholds as well. So maybe items that are under $15,000 that are in the micro purchase threshold may not go through as much of a robust authorization or review process as some that are in more of the $350,000 and above. So it's important to outline what this looks like in your written policies and also what the process is for signing off. Is there a signature that's required? Is there some kind of checklist approval if you're going through some kind of financial system? So just keep that in mind when determining your authorization process. And reconciliations are critical because that allows you to see how you're actually doing in relation to what you said you were gonna do in the application. And it is important for, especially now, for financial drawdowns and for any cash requests for reimbursement. And if you're working with your contractors and subrecipients, having that same process so you can see how they're doing and how are they reconciling their funds as well. So it's important to have that included in your accounting system of record. 
And as I said, a monthly basis is really important to do that, especially for federal grants. It's probably not as critical for some of the smaller, maybe private foundation or other types of grants, but I will say that it is it is helpful just to see where you are in comparison to some of the, you know, what you said you were gonna do and also in comparison to some of your other funding as well. So asset safeguarding. So it's important to have a system in place. So if you do have property, if you do have a large equipment that you purchased with federal funds, who is the facility manager? Who's the person who's really responsible for overseeing it? And then from a financial standpoint, that's probably gonna be somebody different. It's probably gonna be someone on your accounting team. It's probably gonna be someone who is familiar with those different funds. And so how what's the process for protecting that and ensuring that especially, when I mentioned before about cybersecurity is really critical. So ensuring that there's that appropriate level of authorization on who can access certain information because not everybody should have access to this information, it will be really helpful for you. And then, monitoring. So monitoring is really thinking through the different ways that we are assessing partner performance. So with subrecipients, there are subrecipient monitoring plans, and those are usually based on the level of risk. So low risk subrecipients will require less monitoring. High risk subrecipients will require more monitoring. There's different processes. So it's important as long as you incorporate the components in two CFR, which is section three three two, then you have some systems in place that could really help oversee the processes and the requirements that are needed. And so also tracking performance, and this is, again, going back to documentation that you're keeping track. So if somebody is not in compliance, what are you doing to escalate? 
So thinking about the escalation procedure. So if, let's say, that you have a subrecipient that is not doing the work as they said they would in their, their subrecipient agreement with your agreed upon scope of work, what are you doing about it? Are you withholding funds until you receive confirmation of milestones that are completed? Are you putting in specific remedies? Perhaps was there going to be a desk review or site visit? So what are the things that you're doing to be proactive in ensuring that they are actually delivering on what they promised? And this is similar to, before. So the asset safeguarding. So it's just ensuring that there's, an appropriate, system of records for how you're managing the process for the physical inventory and also the policies that you have in place for the use and protection of all of the equipment and and financial and investment information as well. So having appropriate segregation of duties and authorization is really a step in just ensuring that you have a proactive framework to protect all of your key assets and the things that were purchased with federal funds and also for your financial transactions as well. So I'm gonna pause here for the poll, and I'm gonna ask a question in the chat because I'm curious. What do you, okay, what do you think is the biggest obstacle for you in terms of internal controls? What is the internal control that gets you a little bit you find the most challenging to to do? Because I know that this is going to differ, but I'm just curious. Okay. And I see that people are still working on the poll, so I'm just curious what the responses are. And I'm also gonna look in the chat to see what people say. Somewhat. Okay. So you have somewhat. Alright. Good. And, you know, honestly, the two CFR, is going to change even more. So even if you did, it's okay for most of it. Just know that there's more changes that are coming, so be prepared for those. Alright. So what do we have? Okay. Segregation. 
Let's see. What are what are people saying here? The segregation of duties. Oh my gosh. Due to small staff. That is a problem. Yeah. I've heard this before, and I can go through a couple scenarios because I do think that, especially with nonprofits with a small staff, that can be a real challenge. And so that's when you have to think about using external consultants, when you have to think about other partners, where you have to think about your board. And I see that to be a common one. Tone from the top. So that's even a bigger one because that's sort of setting up the appropriate infrastructure and the culture of compliance for you to thrive. And getting other departments to adhere to their responsibilities, oh, yeah. That's always tough, especially if you don't have direct oversight of them. Subrecipient monitoring. Yeah. It's it's that can be tough to do it effectively. So that's why the more you can establish those subaward agreements to have the specific, conditions that would allow them to thrive. And, also, I think a good practice is to have things like, standard templates that they can use for invoicing and anything that could really help them understand their role in the process. Because I think a lot of subrecipients don't realize that even though they're subrecipients, they still have to adhere to everything in two CFR the same as a pass through entity or primary recipient. What else do we have? Oh, reconciliation of indirect cost. Oh, yeah. That that seems like a challenge. Monitoring. We got separation of duties. That seems to be the biggest one that I see, and also subrecipient monitoring. Yeah. I can definitely see that. Okay. Alright. Alright. Well, thank you for sharing. Okay. So now we're gonna get into written procedures. So as I said, even though we want to have these various different, areas in place throughout covering all internal controls, it is important to have the written procedures that reflect what you're actually doing. 
So if it's not written down, it doesn't exist. I think you heard me say this before, the importance for an auditor, the importance for your own records, the importance for the funder to know what you actually did, and that it was in compliance with 2 CFR 200. So these have to be well documented. So because you wanna avoid these different situations, like you wanna avoid disallowed costs. You wanna avoid scenarios where you're putting yourself in a vulnerable position. There has to be a way to be proactive and have these different policies and procedures really reflect not just the best case scenario, but what's actually happening and setting the stage for you to be successful. So here's a list of the sample policies that you'll wanna develop. So these cover various different areas. So program management. We have subrecipient monitoring. And this is something where I think you could really build out because I know a lot of people mentioned monitoring as an issue. So this is where you wanna highlight. If you're a low risk subrecipient, what does that look like in your subrecipient monitoring plan, and what triggers an entity to be deemed as a low risk subrecipient? And then the same thing for a high risk. What are the different levels of risk, and how do they impact the way that you monitor them? And, also, what happens when an issue arises? How are you going to remedy that situation? That is what should be included in those policies. And you have to base it on what you're actually able to do. So some of you said that you're really in small nonprofits and so you don't have the bandwidth. So what can you do to help protect yourself? So maybe site visits is out of the question. Maybe you have to develop a strong questionnaire for desk reviews that has you coding them or grading them on this particular scale to say, oh, okay. 
They're actually delivering on what they needed to do, or we see these areas as being flagged. So having those types of things that could really help you at least get some kind of documentation so that if the funder comes back and says to you, hey. You were not properly monitoring your subawardees, and then you at least can share what information you provided to them and what you were keeping track of. So another thing, as you can see, financial management policies tend to be the biggest one because, obviously, financials are what drive whether you're in compliance or not because that's what people look for is whether you are adhering to the financial requirements, whether you spent down the funds in accordance. So things like cash management policy is really important. That's kind of the safeguarding of assets, indirect cost rate agreement, if you have one, and also how you utilize indirect costs. You also big one is travel. Travel tends to be a really tricky area, and so you obviously don't wanna have a travel policy that if it's not clear, people are not gonna purchase first class airfare through a federal grant. So you have to be very, very clear and prescriptive and also what is business versus pleasure and what are the things that are allowable because there is a little bit more leeway with travel as opposed to some of these other areas. There's not as much clarity in the guidance in 2 CFR 200. So people look to things like IRS and looking to the GSA, the per diem, for different clarity on how you can look at travel expenses and what's approved. Also, things like allowable costs and referencing 2 CFR 200, there could be other requirements of things that you are considering allowable costs. So for instance, we worked with an organization, and their capitalization threshold was $5,000. And the equipment was moved up to $10,000, but they said, no. That's capitalization for us. 
So you'd have to adhere to those policies and what is allowable, what's not allowable. And then you have other things like procurement. Procurement's a huge area because it's not just working with different partner entities, mostly contractual partners, but do you have different deviations from the federal requirements? Do you have lower thresholds for what you use for going after different, like, a micro purchase threshold and simplified acquisition threshold and all those kinds of things. Do you have different threshold levels, and what do you look at? Do you have an RFP template or standard contract provisions? There's a lot of things to consider. And, also, things like your record keeping policies, this can provide more clarity as to where your records should be stored. And then here's some more ethics. Ethics and grants is another one, like peanut butter and jelly. So if you have a whistleblower policy, let's say, that's going to create a safer environment for somebody to say, hey. Guess what? That person is signing off on checks and not going through the appropriate authorization. So that is something that can happen that leads to fraudulent activities. So how are you deterring those fraudulent activities? So it's a safeguarding protection of employees and also protecting your partners as well and the funder. So and your code of conduct is your conflict of interest. So how are you incorporating, you know, your conflict of interest as part of your procurement process, but also with other operational issues? So let's say that you're just not hiring somebody who's not qualified for a job, that you actually have specific protocols. But, you know, let's say that that person who was hired was actually somebody, the board member's cousin. So we don't want to have those situations. There has to be specific protocols in place. 
And then you have funding oversight for things like time and effort reporting and the reporting structure and performance reviews. So all of these other things that can come into the general sort of administration of different awards. And some people have asked me, should I have different policies for federal grants versus other? And my response is that you shouldn't have two different kinds of policies because if you adhere to federal grants, even if you don't really have a lot of federal funding, these are just good to have. They might not all apply to you, so you wanna be mindful about which ones are in line with the work that you're actually doing, but this just kind of covers the bases. So here's a case study. So, again, travel is a huge issue. So a situation where an employee is traveling for work and decides to add a few extra days for vacation to the end of their trip. Their travel policy is not clear, so the employee by default charges the entire stay to the company. So guess what happens? The employee has to pay it back. And, also, there could be, as you can see here, material weakness because there was no clarity in the travel policy, and it required repayment disallowed costs. So it's important to be mindful of what you can do to ensure those safeguards in your policy so that they're very clear and people understand them. So I'm also gonna add a note about data privacy because that is really important here. So it's just to protect sensitive, confidential information, especially if you work in the health care space. We know the HIPAA rules and the HIPAA requirements, but there's a lot of confidential information. There could be student information. There could be Social Security numbers and insurance information. So how are you protecting that? And, also, how are you maintaining those records and ensuring that only authorized individuals have access? 
So it's important to think of the three areas, three principles of confidentiality, integrity, and availability. So this also kind of relates back to that ethical behavior. And so integrity is a huge part of having strong ethics. So here's some best practices of using encrypted systems, restricting access, avoiding storing of sensitive data, redacting or anonymizing, and establishing clear record retention and destruction schedules. So these are just some things that you might wanna incorporate into your own sort of data privacy areas, especially when working with funding that might have a lot of sensitive information. Oh, and some people are offering some suggestions. Okay. So now we're gonna launch the next poll. So let's go see you here. So in terms of internal controls, which one are you saying, I wanna jump into next? And I can already see based on, you know, the responses. I see a split between segregation of duties and subrecipient monitoring. I could be wrong, but maybe I could be right too. So I'm curious. Okay. Update policies and procedures. Okay. Okay. So we have a little bit of, so that's one that's in the lead. Okay. So that's great. And there is no right or wrong answer because it's just based on where you are and where you need to start your next steps. Okay. And segregation of duties also seems to be up there. Okay. So let's then talk about how does this translate into my work, and then I'm gonna leave some time for answering any questions that come up because I always wanna leave about ten minutes. So where do I begin? So if you're just thinking this is a lot, how do I even start? And so this is all gonna be dependent on where you are. So the first thing I would do, look to see if you have any audit findings or if you've received any feedback from your auditor or your funder saying, this might be necessary for additional review. 
Another thing you can do is look at the different grant awards that you have or that you might be seeking out and seeing what are some gaps in our systems that we need to address. So I know some people said policies and procedures. Okay. That's a great thing to start. And if perhaps you had some audit findings related to things like your subrecipient monitoring, that's a good place to start. So, again, you have to see what is the low hanging fruit and know that you build from each different area. So you don't have to start everything from scratch. And even when you talk about updating your policy and procedures, start with the first, you know, three to five and then go from there because not everything is gonna carry the same weight. And you also wanna do that gap analysis to identify weaknesses. So if you look at those seven components of internal controls, you can say, where are we strong? Where are we weak? And which ones are not applicable? So you may not have subrecipients, so that one is unnecessary. You might be focused on segregation of duties because you're a small organization. So maybe that's where you wanna start. And so that's a weakness. So how can you address that? How can you ensure and which different tasks would require those different levels of authorization and checks and balances? And another way you can think about it is start with one internal control and build from there. So, you know, as I said, segregation of duties. And then think about how you're building this out little by little over time. As I said, you don't wanna start off with everything at once. It's too overwhelming. So start off with the one that you think is going to lead to the worst consequences if there is something that arises or comes to fruition. So thinking about how you can slowly build up that culture of compliance is a great way to at least begin thinking about it within your organization. So here's just a sample because we've talked about small organizations. 
So here's a process. So this is a payment process. So let's say that you received a payment request. So the grant manager could wear many hats, might not be called a grant manager, prepares a payment request and supporting documentation. So then the executive director reviews and approves, and then a bookkeeper or an outsourced accounting resource enters the payment into the accounting system and then processes it accordingly. And we know some of the challenges is that when one person is handling multiple steps, it could create some risk, and there could be some bandwidth issues. So that's why you perhaps want to think about, okay, the executive director perhaps sign off on purchases up to a certain amount, and then maybe we wanna have the board or a financial committee sign off on those that are a little bit higher value. So it's really just about how you can incorporate different people within your existing stakeholders and the different staffing model that you have to ensure that you are leveraging the resources. And here's what it looks like in a medium organization. So you can see there's multiple layers. So if you're a larger entity, then perhaps you have a program officer, then a grant finance officer, maybe then there's a finance director. So there's a different range of what that looks like. And then you can see with a large organization, there's definitely a lot of layers. And sometimes those bigger layers can create bureaucracy and bottlenecks. So it's not necessarily the best case that you have, especially, you know, working with universities and state agencies. Sometimes there's just not that ability or that opportunity to communicate as frequently. So if you're kind of left in these siloed areas, and so you don't really know what the other team is doing and where they are in the process. So it's important to at least try to be on the same page. You can see how all those pieces tie together. 
So I'm gonna finish up here and then open it up for questions. So it's really important, of course, to understand the framework of internal controls, how they are based on the COSO framework, and they're incorporated into 2 CFR 200 and also to develop policies that comply with these different areas, but also to ensure that you have those seven components reflected throughout your organization. The policies merely dictate what you're doing, what the practices that are in place, and that's what builds the culture of compliance. So that's really, you know, in a nutshell, what is important is to try to focus on those things that can really help get you to that federal grant ready state so that you can feel confident in the work that you're doing and your supporting partners and so forth. So I'm gonna open it up to questions, and then I'm also going to share this resource if you're interested. So we have a free resource library that we're continuing to build up. We have free webinars. We have free resources that are available to you. So if you click on that QR code, you can access it. And so with that, I wanna see what questions I can answer over these next, I guess, eight minutes. Okay. So let's see. Do you have an example federal grant policy? Well, I am glad you asked that, Kevin, because we do. So on the MyFedTrainer website, we do actually have do-it-yourself grant management policies that you can download and that you can actually complete. So you can build that out. So those are just some samples that we use. And so if you have specific questions, you can go on to the MyFedTrainer website, but we actually provide them to different entities and so that you can modify them based on what works best for your organization. Okay. Is there an Excel template available each year for the schedule of federal expenditures? Oh, so for the SEFA? Yeah. I mean, I believe that there is an Excel template. 
I have seen them before. I'll have to get back to you on that if you wanna email me separately about that. My email is you can email support@myfedtrainer.com or rachel@myfedtrainer.com, and I can look into that for you. So we already talked about sample policies and procedures, procurement. Yep. So, and as I said, we have resources available on our website and can also, you know, direct you to specific examples. So when creating a job description, what is the title for finance department staff responsible for grant management and internal controls? Well, so internal controls, I would clarify if that's related to grant management or just in general sort of quality assurance. I mean, I don't think that the title necessarily matters. It could be finance director, but I think that you'll want to ensure that those job responsibilities adhere to what some of the other people who are responsible for grant administration activities are doing. So I think that you'll wanna keep that in mind. But, you know, I've seen accountant. I've seen grant accountant. I've seen grant finance manager. I've seen finance director. So there's a lot of different titles that you can use. I would just use something that's in line with how your organization normally develops the different job descriptions and that the titles reflect, you know, the certain pay scale and so forth of what you're doing. Okay. So another question. How are organizations handling the quickly changing government policies? Breathing into a paper bag? No. I'm just kidding. But seriously, there's a lot of changes. I think that staying informed is the best way to do it, you know, and I've shared some of the resources before that I look to. So there is, of course, you know, my LinkedIn page, I share a lot of updates, but I think that whitehouse.gov, even if you might not wanna receive updates, there's always gonna be information on the executive orders. 
I think that the National Council of Nonprofits has been doing an excellent job, and they have information on their website about the different regulations and the proposed responses that they are and actions that they are taking to help support nonprofits. There's also thehill.com, which is one of my personal favorites, which is a local DC, more about the Capitol Hill and what's happening legislation. So that's a great resource. There's a lot of different places. The National Grants Management Association is another good one. So I think that there's a lot of different places to look. If you have something specific, please reach out, and I'll definitely be able to do that. And I definitely think so. DocTrack is really good for, policy development and management. So oh, great. Subscribing to nonprofit quarterly, yeah, you could definitely do that. I'm not sure how much they're doing on the federal regulations, but, you know, certainly, it doesn't hurt. The more information you have, the better. So okay. Let's see. I'm looking to see if there's any other questions. I don't know if I see anything else. So I'm just gonna say, you know, if any of you have any questions, you can feel free to reach out to me. And anything else that, Caroline, you wanna add before we wrap up? Awesome. Yeah. Thank you, Rachel. That was great. I think everyone has seen, but I did push out two poll questions, so feel free to respond to those. And then just to kinda go over some of our resources again, you'll find that we have a few blog posts in there and white papers that we thought you would find helpful. But other than that, that's really all I have, and thank you again. K. Thank you all, and definitely feel like you can reach out to me. If there's a burning question that you have, I'm happy to answer it and look forward to speaking with you again, and best of luck. I know that these are tricky times, so just getting informed is what you can do to really put yourself ahead. Awesome. 
Thank you. Thank you.