Seven Steps for Tackling the 2019 Single Audit Compliance Supplement

The Office of Management and Budget informed the grants community on June 28 that the 2019 Compliance Supplement (aka 2 CFR 200, Appendix XI) would be available on July 1. I’m sure that grants auditors and geeks like me took this as a sign to get ready for a not-so-relaxing read during the holiday week. I also took the additional step to review the recently released SF-SAC for fiscal periods ending in 2019, 2020, and 2021 in detail.

Here’s how I would approach understanding the 1,600+ pages of material if you’re not an auditor…because I’m assuming auditors are going to read every single page.

Step 1. Make sure that you’ve bookmarked the following webpages:

Why? The 2019 Compliance Supplement only applies to fiscal periods ending after June 30, 2019, the 2018 and 2017 Compliance Supplements go together (see last year’s review), and the forms your organization needs to use to submit a Single Audit vary by year. And OMB stopped posting the Compliance Supplement on its Circulars page in 2018.

Step 2. Understand the “philosophy” of the 2019 update.

OMB and the team working on the 2019 Compliance Supplement kept to earlier hints that an underlying goal is to reduce grantee burden in accordance with CAP Goal 8 (see page 1-2). Agencies had to limit the number of compliance requirements subject to audit to six or seven (depending on if a program is in the Research and Development cluster). You can also see this in some of the changes to the new SF-SAC form – corrective action plans and findings will be searchable because they’ll be in the form and not somewhere in the narrative audit report.

Now let’s be real. There could be a lot of changes for your organization and your auditor. Change is likely going to mean a potential increase in the level of effort because everyone is learning the new way and requirements. Someone is going to have to figure out the new way of doing things. Make sure that you and your auditor negotiate the potential changes to the level of effort in the price of the contract. You might even read pages 1-3 and 1-4 before having that conversation to see if the helpful examples apply to your organization.

At the very least, the Schedule of Expenditures of Federal Awards (SEFA) should be faster as everyone now has access to the auto-populate feature tested during the DATA Act pilot.

Step 3.  Check if any of your grants fit within the pick six or seven programs.

Skip ahead to page 2-2 and do a “control find” (Ctrl+F) for your grants’ CFDA numbers. Everyone should double check as some programs were added, and others were removed. If your program was retained, the changes to the audit requirements are highlighted in bold and yellow. You should continue reading the detailed requirements. Use the Table of Contents near the beginning of the document to find the relevant pages in Part 4. If your program isn’t listed here and does not fall in Part F – Cluster of Programs, go to Step 6. And remember that your program is subject to all audit requirements.

Step 4. Accept that pick six or seven audit requirements may not equal six or seven.

Sometimes it’s just better to let it go.

  • Agencies could select up tosix or seven audit requirements per program – so your program could have fewer than six or seven requirements.
  • Audit requirements A (Activities Allowed or Unallowed) and B (Allowable Costs/Cost Principles) count as one requirement – which is why you may count seven or eight requirements in a line.
  • If your organization had a finding in the previous year in a requirement now marked as no, the auditor is still going to need to check.
  • No now means that the audit requirement is not subject to audit for the program instead of meaning that the requirement normally does not apply to the program.

If your program does not fall in Part F – Cluster of Programs, go to Step 6.

Step 5. Note changes in the clusters section.

I came across the following changes in the Research and Development (R&D) cluster when comparing the 2019 Compliance Supplement against the 2017 Compliance Supplement.

  • Program Procedures: Federal Acquisition Regulation (FAR) references for cost-reimbursement contracts changed.
  • Compliance Requirements
    • Language modified to “Federal program” from “R&D cluster” with regards to applicability.
    • Requirements G (Matching, Level of Effort, Earmarking), J (Program Income), and L (Reporting) are now marked “no” while Requirement F (Equipment and Real Property) is now marked “yes.”
    • Clarifying language added to Requirement B (Allowable Costs/Cost Principles).
    • The “must” requirements for time and effort reporting are removed, which is more consistent with 2 CFR 200.430(i).
  • Other Information Section removed

I admit it. I ran out of steam when I got to the Student Financial Assistance Cluster and Other Clusters. If you have a program under Student Financial Assistance, do compare the 2017-2019 documents carefully as there have been shifts in policy at the Department of Education.

Step 6. Read the Internal Controls section. All of it.

The past few years, you might have struggled with the guidance that your organization should be in compliance with the “Standards for Internal Control in the Federal Government,” issued by the Comptroller General of the United States (the Green Book) or the “Internal Control Integrated Framework” (revised in 2013), issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The 2019 Compliance Supplement finally has returned to providing a lot of useful information on what internal controls are (and are not) with examples.

Even though the whole document is in federal-ese, the illustrative internal control examples can help you and your colleagues better wrap your heads around what you must or should do when it comes to putting controls in place. Read this section like you would a Notice of Funding Opportunity.

Step 7. Think about how you’re going to monitor single audit findings and corrective actions.

We have encouraged anyone who performs monitoring and audit activities to use the Federal Audit Clearinghouse to look for and at their recipients and subrecipients findings. Of course, if you’re already doing this, you then have to download the narrative report to get to the details, which can be time-consuming, especially if you aren’t doing this frequently and data downloads aren’t a preferred activity.

Here’s the thing: the text of those findings and corrective actions are going to be searchable because they are now a required field on the form which means that you can pull this information in a single download and analyze it. For those of you with hundreds of recipients and subrecipients, this should make you happy that this feature is being introduced. Unless you haven’t been using the Federal Audit Clearinghouse and you will no longer be able to claim ignorance.

And if you can search for findings more effectively and efficiently, so can the public. Which means anyone can call your funding agency when it does not seek to manage corrective actions assigned to it. Everyone is advancing their monitoring know-how.

Hopefully, these steps help you get through the 2019 Compliance Supplement and the new SF-SAC. Happy reading!

Written by:
Erica Preston
Grants & Assistance
Media Type:

Eliminating Gaps in Agency Leadership – Part II: Introspection
10 Facts about PMP® Exam Changes Taking Effect December 16, 2019