How to Conduct a Subrecipient Risk Assessment

TLDR

2 CFR 200.332(b) requires pass-through entities to evaluate the risk of each subrecipient before issuing a sub-award. The assessment must be documented, must consider the specific risk factors listed in the regulation, and must drive a proportionate monitoring plan. The most common audit finding on subrecipient monitoring is not that the monitoring was inadequate - it is that the risk assessment was never done.

Why the Risk Assessment Is Required

2 CFR 200.332(b) requires pass-through entities to evaluate the risk posed by each subrecipient prior to issuing a sub-award. The requirement exists because pass-through entities are responsible for subrecipient compliance - if a subrecipient misuses federal funds, the finding lands in the pass-through entity’s single audit, not just the subrecipient’s.

The risk assessment is the pass-through entity’s due diligence before taking on that compliance responsibility.

The most common audit finding on subrecipient monitoring is not that monitoring was inadequate - it is that the risk assessment was never conducted. Organizations that perform monitoring throughout the grant period without a documented pre-award risk assessment still receive a finding, because the regulation requires the assessment before the sub-award is issued.

The Risk Factors Under 2 CFR 200.332(b)

The regulation identifies specific risk factors that must be considered. These are not optional elements of the assessment - they are the criteria the regulation defines.

Prior experience with similar federal programs. Does the subrecipient have a track record managing federal awards of the same type? An organization that has successfully administered similar programs for years presents lower risk on this factor than one receiving its first federal sub-award.

Results of previous audits. If the subrecipient has a single audit history, review it in the Federal Audit Clearinghouse at fac.gov. Look for findings related to financial management, compliance, or program requirements. A clean audit history is a low-risk indicator. Recent significant deficiency or material weakness findings on relevant compliance areas are high-risk indicators.

Whether the entity is new to the organization. Pass-through entities have no direct performance history with new subrecipients. A prior relationship with the organization - and specifically a positive performance history - is a risk-reducing factor. A first-time sub-award to an organization the pass-through has never worked with inherently carries a larger information gap.

Adequacy of financial management systems. Does the subrecipient have accounting systems capable of tracking restricted federal funds separately, generating the required financial reports, and maintaining adequate documentation? This factor may be assessed through a pre-award questionnaire, a financial management survey, or, for higher-risk situations, a pre-award review of the subrecipient’s policies and procedures.

Applicable qualifications of key personnel. Do the individuals who will manage the sub-award have the experience and qualifications the program requires? Significant staff turnover in key program or financial roles is a risk signal.

Results of federal monitoring. If a federal agency has monitored the subrecipient recently, the monitoring results are relevant to the risk assessment. Check whether the subrecipient has any active corrective action plans from prior federal monitoring.

The Scoring Matrix Approach

Rating each factor as low, medium, or high risk produces a composite assessment. A simple matrix:

Assign each factor a score: 1 (low risk), 2 (medium risk), 3 (high risk). Add the scores and divide by the number of factors. A composite under 1.5 suggests low overall risk. Between 1.5 and 2.5 suggests medium risk. Above 2.5 suggests high risk.

Adjust the composite for severity weighting: prior audit findings with material weaknesses or prior federal monitoring findings should weight toward high risk regardless of scores on other factors. A single high-severity factor can override an otherwise favorable composite.

The scoring matrix documents your analysis. It does not replace judgment. If your organization has specific knowledge about a subrecipient that changes the risk picture in either direction, document that rationale alongside the matrix.

Responding to High Risk

A high-risk determination does not end the sub-award process - it shapes the monitoring approach. 2 CFR 200.332(b)(1) provides a list of conditions that may be imposed on high-risk subrecipients:

Specifying how and when payments will be made, requiring the submission of financial reports more frequently, requiring additional project monitoring by the pass-through entity, requiring the subrecipient to obtain technical or management assistance, and establishing additional prior approval requirements for specific expenditures.

The monitoring plan for a high-risk subrecipient should be documented before monitoring begins. This includes: the reporting frequency, the documentation review schedule, whether a site visit is planned (and when), the specific conditions attached to the sub-award agreement, and the process for escalation if problems emerge.


DEFINITION

Pass-through entity
A non-federal entity that provides a sub-award to a subrecipient to carry out part of a federal program. The pass-through entity is responsible for subrecipient monitoring under 2 CFR 200.332.

DEFINITION

Subrecipient
A non-federal entity that receives a sub-award from a pass-through entity to carry out part of a federal program. Subject to program compliance requirements and the pass-through entity's monitoring obligations.

DEFINITION

Enhanced monitoring
Increased oversight applied to high-risk subrecipients under 2 CFR 200.332(b)(1), which may include more frequent reporting, additional documentation requirements, prior approval conditions, or site visits.

Q&A

Why is subrecipient risk assessment the most commonly missing documentation in a single audit?

Pass-through entities are often focused on selecting a subrecipient and getting the program moving. The risk assessment is a pre-award administrative step that does not feel urgent once the decision to make the sub-award has been made. Auditors look for it specifically because 2 CFR 200.332(b) requires it, and its absence is an automatic finding - the lack of documentation cannot be compensated for after the fact.

Q&A

What is a proportionate monitoring plan?

A monitoring plan is proportionate when the frequency and intensity of monitoring match the subrecipient's risk level. Low-risk subrecipients: periodic financial report review, annual performance check. Medium-risk: quarterly financial reports with documentation sampling. High-risk: detailed quarterly reviews, possible site visits, pre-approval requirements for certain expenditures. The monitoring plan should be written and on file before monitoring begins.

Frequently Asked Questions

What does 2 CFR 200.332 require for subrecipient risk assessment?

2 CFR 200.332(b) requires pass-through entities to evaluate the risk posed by each subrecipient before issuing a sub-award. The evaluation must consider: prior experience with similar federal awards, results of previous audits, whether the subrecipient is new to the organization, and adequacy of financial management. The regulation does not specify a required format but the assessment must be documented.

What if a subrecipient has no single audit history?

Many smaller subrecipients do not have single audit history - they may not have met the $1,000,000 threshold in any prior year. The absence of a single audit is not itself a risk factor, but it means you cannot rely on audit findings as a risk signal. In these cases, weight the pre-award questionnaire responses, financial statement review (if available), and organizational references more heavily.

How often do risk assessments need to be updated?

At a minimum, before each new sub-award year or renewal period. Additionally, if the subrecipient has a new audit with findings, if they miss reporting deadlines, if there are program performance problems, or if your monitoring identifies new concerns, update the risk assessment and adjust the monitoring plan accordingly.

Does a high-risk rating mean we cannot make the sub-award?

No. A high-risk determination means enhanced monitoring is required, not that the sub-award cannot be made. 2 CFR 200.332(b)(1) lists additional conditions that may be imposed on high-risk subrecipients, including more frequent financial reporting, additional documentation requirements, prior approval for certain expenditures, and increased site visit frequency.
