Skip to main content

Document a Subrecipient Risk Review


Published: Last updated: Reviewed: Verified: Sources: ecfr.gov

Short answer

A subrecipient risk review should explain how the organization judged risk and chose monitoring steps. Under 2 CFR 200.332, pass-through entities must evaluate fraud risk and risk of noncompliance for subrecipients.

A subrecipient risk review is not a form to fill after the subaward is signed. It is how the pass-through entity decides how much monitoring the subrecipient needs.

2 CFR 200.332 tells pass-through entities to evaluate fraud risk and risk of noncompliance. It also names common factors: prior experience, audit results, new staff or systems, and federal monitoring results.

The review does not need to be long. It does need to be specific. A reviewer should understand why the subrecipient was rated low, medium, or high risk.

Step 1: confirm the entity type

Before scoring risk, confirm whether the organization is a subrecipient or a contractor. 2 CFR 200.331 requires a case-by-case determination.

A subrecipient carries out part of the federal program. A contractor provides goods or services for the recipient’s own use. The label in the contract does not decide the answer by itself.

Save the determination. If the entity is a contractor, use procurement rules instead. If it is a subrecipient, continue the risk review.

Step 2: verify exclusion status

Check whether the subrecipient is suspended, debarred, or otherwise excluded from receiving federal funds. The regulation points to SAM.gov as a verification method.

Save the search result with the date, entity name, and unique entity identifier if available.

This step is required, but it is not the whole review. A clean exclusion check does not prove the organization can manage the subaward well.

Step 3: review prior experience

Ask whether the subrecipient has handled the same or similar federal work before. Prior experience lowers risk when the work was done well and reports were timely.

If this is a new partner, document that. New does not mean bad. It means the monitoring plan may need more support at the start.

Look for late reports, unsupported costs, weak communication, or repeated budget problems. Those are risk signals.

Step 4: review audits and findings

Ask whether the subrecipient had a Single Audit. If yes, review findings that relate to the same program, similar costs, or internal controls.

If there were findings, document the corrective action status. A finding that was fixed may carry less risk than one that remains open.

If the subrecipient was below the audit threshold, say that. Do not mark audit history as clean if no audit was required.

Step 5: check people and systems

Risk rises when the subrecipient has new finance staff, a new accounting system, a new grants lead, or a major program change.

Ask simple questions. Who will approve costs? Who will prepare reports? What accounting system tracks the subaward? How will staff separate federal costs from other costs?

Save the answers. This helps explain why the monitoring plan asks for more detail, more often.

Step 6: choose monitoring steps

Match monitoring to risk. Low risk may need standard financial and performance reports. Medium risk may need more frequent check-ins or backup support for selected costs. High risk may need site visits, training, prior approval before certain costs, or corrective action tracking.

Do not use the same monitoring plan for every subrecipient. That defeats the purpose of risk review.

Step 7: save the decision

The file should include the entity determination, SAM.gov check, evidence reviewed, risk rating, reasons, monitoring plan, and approval.

Link this record to the subaward. It should also feed later audit work and the SEFA support binder if subrecipient spending must be shown.

Make the rating useful

A risk rating should change the way the team works. If every partner gets the same rating and the same monitoring plan, the review is not doing its job.

Use plain rating reasons. For low risk, name the facts that support trust: clean audit, prior successful work, stable staff, timely reports, and strong systems. For medium risk, name the limits: new program, minor prior issues, new finance lead, or larger award size. For high risk, name the concern and the added monitoring.

Avoid vague labels like “good partner” or “needs support.” They do not help a future reviewer understand the decision.

Revisit the review

Risk can change during the award. Update the review if the subrecipient has late reports, unsupported costs, staff turnover, a new audit finding, or major program change.

Also update it when performance improves. A partner that completes several clean reporting cycles may need less monitoring later. The file should show both the original risk and the reason for any change.

This record protects both sides. The subrecipient gets a monitoring plan that matches the facts, and the pass-through entity can explain why it chose that plan.

How GrantPipe helps

GrantPipe can keep subrecipient records, monitoring tasks, reports, and support files connected to the award. That helps staff show both the decision and the follow-through.

Free resource

Get the Nonprofit Grant Compliance Checklist

A practical checklist for post-award grant compliance: restricted funds, reporting cadence, audit prep, and common failure points. Delivered by email.

Looking for something else?

We'll email the resource and a short follow-up sequence. Unsubscribe any time.

Email is required because the download link is delivered by email, not on-page.

Q&A

Who documents the risk review?

The pass-through entity documents it. Grants and finance should both review because program performance and financial controls both matter.

Q&A

What is the output of the review?

The output is a risk rating, reasons for that rating, and a monitoring plan matched to the risk.

Frequently asked

Frequently Asked Questions

Review risk before issuing the subaward and update it when facts change, such as audit findings, staff turnover, or new systems.
Use prior experience, audit results, personnel or system changes, federal monitoring results, and any known fraud or compliance concerns.
No. SAM.gov exclusion status is required, but risk review also covers audit history, experience, systems, and monitoring needs.

Next step

Pick the next guide.

Use the resource hub to find the next page to read.