Are you evaluating the risks to your federal programs? SAO has a new tool to get you started

Apr 14, 2022

Imagine you are planning an expensive Hawaiian vacation—your first in two years. One of the first things you check is whether any of the costs are refundable if something were to prevent you from going. When you learn you could lose your deposit if you pull out of the trip, you plan to buy trip insurance just to be safe. In other words, you've identified a risk and found a way to mitigate it.

We face risks in all aspects of our lives, and we're constantly assessing them to achieve a desired outcome. For many governments, accessing federal funding is critical to service delivery and continued operations. So are you also considering the risks that your local government faces in meeting the objectives of your federal programs?

Performing federal program risk assessments can help you more effectively meet your compliance objectives. A risk assessment involves identifying risks, prioritizing those risks, and determining how you'll address them.

Risk assessment is not only a best practice, it's an expectation. The Uniform Guidance (§200.303) states that your internal controls should comply with either the Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States, or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Both documents recommend a risk assessment process.

Our audits often find that risk assessment is ad-hoc, informal, and doesn't directly address federal programs. Your organization is vulnerable if you don't formalize your risk assessment process and document it.

SAO's new and improved tool can help you get started with your own federal programs risk assessment.

How to perform a risk assessment with SAO's tool

The first step is to identify the risks or challenges related to achieving your federal program's objectives. SAO's new checklist has questions designed to help you think through what those risks might be.

Once you've identified your risks, assess whether they are low, medium or high by considering the nature of each risk, how greatly each one could affect your program, and the likelihood of its occurrence. For example, your assessment of the risk might change if it was related to fraud or complex or unusual transactions, or subjective in nature.

Then, starting with your highest risks, think about how you might reduce, avoid or share those risks. In some cases, you might decide to accept the risk as is. Once you've decided on the best path, document your implementation plans and assign responsibility for them.

There's no such thing as a risk-free environment, and rarely does an organization have enough resources to fully mitigate all the risks they've identified. Additionally, everyone's risk appetite will vary. If you work in order of priority, you can dedicate your limited resources to the biggest risks you face first.

How local governments use risk assessments

Here are some examples of how local governments could use risk assessments.

  • Something new—Cedars City accepts a new, significant federal award involving state and local fiscal recovery funds. Management wants to pass money through to subrecipients, but realizes the city has never done this before. The city's risk assessment identifies a risk associated with staff's lack of experience and knowledge of subrecipient assessment and monitoring. Management decides the risk is high and plans to implement a new subrecipient assessment and monitoring policy to help guide staff.
  • Complexity abounds—Douglas College regularly awards federal financial aid dollars to students, using a software system that determines student eligibility based on multiple criteria and at several points in time. While performing a risk assessment, management identifies a risk that computer calculations might not perform student eligibility checks as expected, especially at the start of new school year when there are system updates. Management assesses the risk as high and will have a staff member run a set of tests on the system before the start of each semester and report out on the test results.
  • Decentralized grant management—Juniper County has numerous grant programs that different departments manage. The county's past audits included reportable issues because departmental staff struggled to keep up with the federal grant requirements. Through a risk assessment, management quickly identifies a risk that program staff aren't receiving enough technical training or support. Management assess the risk as high and decides to mitigate it by planning annual training for all federal program managers.

As illustrated in these examples, a risk assessment can help you identify and evaluate risks or challenges that you otherwise might miss. This critical first step helps you prioritize risks and effectively allocate resources to them. That way, you can spend your time and resources on controls that best protect your organization and achieve your federal program's objectives.

For help

Remember, we're here to help. While your grantor is the best source for information about a federal program, you can also submit technical questions about federal awards to our HelpDesk in the client portal.

If you have other questions, comments or suggestions, feel free to email us at