Grant Compliance Begins with Board Oversight

Many non-profits are exploring new sources for grant funds to meet program needs during these challenging times. The Economic Injury Disaster Loan (EIDL) is an example of a new federal grant provided by the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Local governments and agencies are also receiving funds passed through the states. Receiving federal and state awards can provide valuable funding to help an organization further its mission. However, along with that funding come compliance requirements, some of which can be costly to implement. The role of the board of directors is vital to ensuring that the organization is using resources effectively, taking on projects it has the resources to handle and fulfilling both its mission and compliance requirements. A knowledgeable, engaged and effective board can be the difference in whether or not an organization receives or keeps grant funding.

While the board shouldn’t be involved with day-to-day compliance, it has the responsibility at the entity level to make sure the organization has the resources and oversight needed to achieve compliance. Much of the guidance issued by oversight agencies references the “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States (the Green Book)[1] and the “Internal Control Integrated Framework” (revised in 2013), issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)[2], for best practices in designing the internal control structure. Both the Green Book and COSO are divided into five components of internal control where the board can exercise oversight: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.[3]

Control Environment

The Control Environment refers to establishing a structure that defines roles and responsibilities, allows oversight and is conducive to informed and ethical decision making. The board contributes to the control environment of an organization by establishing and approving over-arching policies that govern the organization, setting the expectations and the tone for employees and enforcing accountability. To maintain a solid control environment, the board should regularly evaluate the internal control structure related to compliance, the social climate of the organization and performance of management.

Risk Assessment

Risk Assessment involves identifying the potential risks facing the entity, including factors which could lead to fraud or noncompliance, and developing a response. While risks may be addressed as they arise throughout a fiscal year, there should be either a board meeting or committee meeting on an annual basis where time is set aside for risk assessment. The board should consider both internal and external factors which could affect the entity and threaten financial stability or compliance. Once these threats have been identified, the board should develop plans for management to address risk factors, including whether to accept, avoid, reduce, or share each risk. New funding sources increase risk, as employees may not be familiar with the unique compliance requirements or have the resources to monitor them.

Control Activities

Control Activities refer to the design and implementation of individual control activities which, for the most part, take place at the management level. It’s important to note that many organizations have altered their control structure to adjust to the work-from-home environment. Overriding control activities can increase the risk of noncompliance. The board is responsible for ensuring that the hired management of the organization has the proper knowledge, skills and experience to carry out the duties for which it is responsible. Along with the knowledge, skills and experience, the board must also consider whether management has the monetary, technological and human resources necessary to maintain a compliant environment. While it is prudent to keep the expenses spent on administrative functions to a minimum, the cost of noncompliance has the potential to be much greater if it leads to the loss of vital funding.

Information and Communication

Information and Communication involves obtaining quality information for decision-making and having open lines of communication for necessary information going to internal and external parties. It is crucial for employees to have multiple avenues to communicate important matters to the appropriate level. This can include establishing a chain of command and a whistleblowers’ hotline. Management also has to be able to regularly communicate with the board about significant matters, including those which can have an impact on financial viability or compliance. When setting the agenda for board meetings, it is good practice to consult management for any relevant topics that need to be brought to the board’s attention. It is also valuable to have external parties, such as financial advisors or legal counsel, communicate with or present to the board as needed. As the pace of change increases, board members should communicate with management and advisors more frequently.


Monitoring

Monitoring is the process by which an organization reviews results of operations, performs evaluations, and learns from past mistakes. The board exercises oversight by reviewing regular financial and operational reports. These can include comparing actual operations to a budget, noting audit deficiencies and reviewing progress toward performance benchmarks. Any measures relevant to compliance with federal or state grants should be included in the board’s package for review. This is the component of internal control where it is valuable for board members to be engaged and ask questions in order to identify areas where the organization may be struggling and find ways to improve.

As we navigate working from home and the isolation from our teams that this has caused, the need for strong internal controls, especially monitoring, continues. Boards must ensure that they are effectively communicating with management staff at their organization and providing continued oversight. While the current situation does not allow for face-to-face communication, a good way to keep in touch is to use virtual meeting tools such as Zoom. Virtual meeting apps allow for scheduling meetings, audio and video of the participants, and file sharing. Communication is critical for effective organizational operation, and virtual meetings are a way to accomplish this as we navigate these times of increased isolation.


Increased compliance needs for an organization mean a solid control environment needs to be in place, and creating a strong control environment starts with a knowledgeable and effective board. By knowing where to start and pulling from authoritative guidance, a board member is able to fulfill his or her duties for the organization as they pertain to grant compliance, even in times of uncertainty and change.

For questions or more information on internal control tips offered in this article, contact us at

[1] US GAO – Government Accountability Office – Green Book -
[2] COSO - Committee of Sponsoring Organizations of the Treadway Commission -
[3] Office of Management and Budget, 2 CFR Part 200, Appendix XI Compliance Supplement, August 2019, Part 6 accessible at


Mark Nicolas
Managing Partner, Non-profit, Education & Government


© Dixon Hughes Goodman LLP. All rights reserved.
DHG is registered in the U.S. Patent and Trademark Office to Dixon Hughes Goodman LLP.