OMB Releases 2016 Compliance Supplement and the Revised SF-SAC Form
Last week, I wrote about my daily disappointment in waiting for the release of the 2016 Compliance Supplement and the revised SF-SAC Form. Well, good news, both documents are now available.
On Monday, the Office of Management and Budget (OMB) published the 2016 Compliance Supplement on the Office of Federal Financial Management Single Audit webpage. This year’s Compliance Supplement is currently not available through the Federal Register or on the OMB’s Circulars webpage, as in previous years.
Fortunately, with all the recent changes to grants management, this year’s Compliance Supplement does not present too many changes!
As I read through it, I highlighted the following items:
- Part 1 – Background, Purpose, and Applicability: The Compliance Supplement has been updated with the appropriate usage of the words should and must under 2 CFR 200, provisions and statements using “should” represent a recommended or best practice, and statements using the word “must” indicate required actions.
- Part 2 – Matrix of Compliance Requirements: On this year’s matrix, OMB now indicates with a “Y” or an “N” which of the 12 compliance requirements are applicable to each Federal program. In previous years, OMB used a gray box to indicate a requirement’s applicability.
- Part 3 – Compliance Requirements: OMB retains the 12 compliance requirements for Federal programs and provides guidance on how to audit awards made before December 14, 2016, located in Part 3.1, and for awards subject to the provisions under 2 CFR 200, located in Part 3.2. OMB has also revised Part 3 to indicate the effect of additional Frequently Asked Questions that may be published within the next year. Part 3 also highlights that the micro-purchase procurement threshold was increased to $3,500 last year.
- Part 6 – Internal Controls: This year’s Compliance Supplement provides guidance on internal controls. Last year, OMB removed this section due to time constraints. Part 6 provides suggestions to both auditors and non-Federal entities on implementing and evaluating internal controls based on the principles found in the “Standards for Internal Control in the Federal Government” (Green Book) and the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission. Under 2 CFR 200.303, a non-Federal entity’s internal controls should be in compliance with these principles.
- Appendix II, Federal Agency Codification of Governmentwide Requirements and Guidance for Grants and Cooperative Agreements, provides a useful table indicating the location of each agency’s implementation regulations
- Appendix VII, Other Audit Advisories, provides additional audit guidance. I found the discussion in Part I, Effect of Implementation of the Uniform Guidance on Major Program Determination, insightful. OMB has identified a significant transition issue regarding major program determination that could potentially increase the audit burden for some non-Federal entities in the third fiscal year under 2 CFR 200. To alleviate this potential problem, OMB gives auditors leeway to audit some low-risk Type A programs as additional major programs in the first and second fiscal years.
Grants administrators and auditors should also carefully review Appendix V, List of Changes for the 2016 Compliance Supplement, to identify any compliance requirement changes for specific grant programs.
The Federal Audit Clearinghouse (FAC) has published the revised SF-SAC Form to be used for all audits conducted under 2 CFR 200. As with the Compliance Supplement, OMB has not yet published a notice in the Federal Register. The revised SF-SAC Form does not fundamentally alter the required data elements, but it does request auditors provide additional information regarding pass-through funding and repeat audit findings from the prior year. The revised form also requires auditees to provide additional certifications, most notably regarding the protection of Personally Identifiable Information (PII) and business identifiable information.
Let us know your thoughts about the Compliance Supplement and the revised SF-SAC Form in the comments section below.