Compliance and Control Frameworks
Compliance is not a paperwork exercise — it is a control system designed to ensure public funds produce their intended outcomes, and organizations that treat it as bureaucratic overhead create the audit exposure they fear. This is not a philosophical claim. It is an observable pattern: the organizations with the weakest compliance infrastructure generate the most findings, the highest questioned costs, and the most punitive corrective action plans. The compliance investment they avoided costs less than the compliance failure they produce.
The word “compliance” carries baggage. In most healthcare organizations, it evokes binders, checklists, and the annual audit scramble. This framing is the problem. Compliance is the accountability architecture for public investment. When Congress appropriates money for behavioral health integration in rural communities, compliance is the system that ensures the money actually reaches rural communities and actually funds behavioral health integration. When compliance works, no one notices. When it fails, the consequences cascade: questioned costs, disallowed expenditures, corrective action plans, special conditions on future awards, and — in extreme cases — debarment from federal funding. The organizations most vulnerable to these consequences are the ones that can least afford them.
Compliance as a control system means understanding it through the lens of control engineering: inputs are controlled (who can obligate funds, under what conditions), processes are monitored (are expenditures matching approved budgets, are activities producing documented outputs), and deviations trigger corrective action (findings generate remediation requirements). The control system has three layers — preventive, detective, and corrective — and the distribution of organizational investment across those layers predicts audit outcomes more reliably than any other factor.
The Regulatory Framework
All federal grant compliance traces to a single master regulation: 2 CFR Part 200, formally titled “Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.” Before 2014, these requirements were scattered across multiple OMB circulars — A-110 (administrative requirements), A-122 (cost principles for nonprofits), A-87 (cost principles for governments), A-21 (cost principles for educational institutions), and A-133 (audit requirements). The 2013 OMB reform consolidated these into a single framework, effective December 2014, creating the Uniform Guidance. Every federal grant recipient in the United States operates under this regulation.
The Uniform Guidance is organized into subparts, three of which form the compliance backbone:
Subpart D: Post-Federal Award Requirements (2 CFR 200.300-345). This subpart governs what happens after the award is made — financial management standards, payment requirements, cost sharing, program income, property management, procurement, and reporting. It establishes the baseline rules: recipients must maintain financial management systems that provide accurate, current, and complete disclosure of the financial results of each federal award (200.302). They must maintain internal controls consistent with federal guidance (200.303). They must have written procurement procedures conforming to applicable federal, state, and local law (200.318). Subpart D is the process architecture — the operating manual for managing federal funds.
Subpart E: Cost Principles (200.400-475). This subpart determines what grant money can pay for. Every expenditure charged to a federal award must be allowable (permitted by the regulation and the award terms), allocable (properly assigned to the award that benefits from the cost), reasonable (what a prudent person would pay), and consistent (treated the same way across federal and non-federal activities). Subpart E provides specific guidance on dozens of cost categories: compensation, travel, equipment, consultant costs, insurance, meetings, and many others. It also lists explicitly unallowable costs: alcoholic beverages (200.423), entertainment (200.438), lobbying (200.450), and fines and penalties (200.441), among others. Misunderstanding Subpart E is the single most common source of questioned costs in Single Audits.
Subpart F: Audit Requirements (200.500-521). This subpart establishes the Single Audit framework — the mechanism by which the federal government verifies that recipients have used funds appropriately. Any non-federal entity that expends $750,000 or more in federal awards during its fiscal year must have a Single Audit conducted by an independent auditor in accordance with Government Auditing Standards (the Yellow Book, published by GAO). The audit tests both financial statements and compliance with federal award requirements. The auditor identifies findings — instances of noncompliance or internal control deficiency — and the organization must submit a corrective action plan for each finding. Findings are reported to the Federal Audit Clearinghouse, where they become part of the organization’s public compliance record. Future award decisions reference this record.
Beyond the Uniform Guidance, each federal agency layers additional requirements through agency-specific terms and conditions. HRSA grants carry terms in the HRSA Grants Policy Statement and in the Notice of Award. SAMHSA grants include program-specific requirements in the NOFO and in the Terms and Conditions document attached to the award. These supplements do not replace 2 CFR 200 — they build on it. A behavioral health organization with both HRSA and SAMHSA awards must comply with the Uniform Guidance as the baseline, plus HRSA-specific terms on one set of grants and SAMHSA-specific terms on another. The compliance landscape is layered, not monolithic, and each layer adds obligations.
The Control Hierarchy
Controls exist to manage risk. In grant compliance, the risk is that funds are spent improperly — on unallowable costs, at unreasonable rates, without adequate documentation, or in ways that do not advance the program’s objectives. Controls address this risk at three levels, and the level at which an organization concentrates its investment determines its compliance posture.
Preventive controls stop noncompliance before it occurs. They are the front line of the control system and the most cost-effective intervention point. Examples:
- Approval workflows. Purchase orders above a threshold require supervisory approval before commitment. Personnel hiring requires budget verification against the approved award budget. Travel must be pre-approved with a documented purpose tied to grant objectives. These are gate controls — they create a decision point where a human reviews the proposed expenditure against allowability rules before the money is committed.
- Budget checks. Accounting systems are configured to flag expenditures that would exceed a budget category or push cumulative transfers past the 10% threshold requiring prior approval under 2 CFR 200.308. The check occurs at the point of entry, not at month-end reconciliation.
- Eligibility verification. For programs serving specific populations (e.g., HRSA’s Health Center Program, SAMHSA’s Projects for Assistance in Transition from Homelessness), client eligibility is verified at intake and documented before services are rendered. Serving ineligible individuals charges the cost of those services to the award improperly.
- Time-and-effort systems. Staff whose compensation is charged to federal awards document their time allocation contemporaneously — at the time the work is performed, not retrospectively from memory. Under 2 CFR 200.430, charges for personal services must be based on records that accurately reflect the work performed. Contemporaneous documentation is the preventive control; after-the-fact reconstruction is the detective control that discovers the preventive control was absent.
Detective controls identify noncompliance that has already occurred. They are necessary because no set of preventive controls is perfect, but they are inherently more expensive than prevention — the noncompliance has already happened, and the question is how quickly it is discovered and how much damage has accumulated.
- Monitoring. Program officers review expenditure reports, progress reports, and site visit findings to identify patterns of concern. Internal monitoring compares actual spending to budget projections on a monthly or quarterly cycle.
- Reconciliation. Financial staff compare general ledger entries to supporting documentation — purchase orders, invoices, time records, travel receipts. Reconciliation identifies expenditures that lack documentation, exceed approved amounts, or appear in the wrong budget category.
- Audit. The Single Audit under 2 CFR 200 Subpart F is the formal detective control. An independent auditor tests a sample of transactions for compliance with federal requirements and evaluates the adequacy of internal controls. The audit occurs annually, meaning noncompliance can persist for up to 12 months before the detective control activates.
Corrective controls respond to identified noncompliance. They are the most expensive layer because they operate after the failure has been detected and documented.
- Findings. An auditor documents a finding when noncompliance is identified. Findings are categorized by severity: material weakness (a deficiency so severe that noncompliance could occur and not be detected), significant deficiency (less severe but more than inconsequential), and other findings. Each finding requires a corrective action plan.
- Corrective action plans. The organization must describe what it will do to address the finding, who is responsible, and what the timeline is. The corrective action plan is submitted to the federal agency and monitored for implementation. Failure to implement a corrective action plan can result in special conditions on future awards — additional reporting requirements, pre-approval requirements, or reduced funding.
- Sanctions. In severe cases, the federal agency can impose sanctions: suspension of payment, withholding of funds, termination of the award, or debarment of the organization from future federal awards. Debarment is the capital punishment of grant compliance — it removes the organization from the federal funding ecosystem entirely.
The critical insight is asymmetry. Preventive controls are cheap, detective controls are moderate, and corrective controls are expensive. An organization that invests $85,000 per year in a dedicated grants accountant, a time-and-effort system, and approval workflows is investing in preventive controls. An organization that skips that investment and instead relies on annual audit to catch problems is investing in detective controls at ten times the cost. The compliance-overhead trap — discussed below — is the mechanism by which organizations choose the expensive path while believing they are saving money.
Internal Controls: COSO Applied to Grants
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its Internal Control — Integrated Framework in 1992, with a major update in 2013. COSO defines internal control as “a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.” The framework identifies five interrelated components. The GAO’s Standards for Internal Control in the Federal Government (the Green Book, GAO-14-704G) adapts these five components for the public sector and is the standard federal agencies use to evaluate recipient internal controls.
1. Control Environment. The organizational culture and governance structure that establishes the tone for internal control. In grant operations, the control environment is set by leadership’s attitude toward compliance. An executive team that treats compliance as a cost center to be minimized sends a different signal than one that treats it as a core operational function. The control environment is observable: Does the organization have a grants management policy? Is there a designated grants accountant or controller? Do program directors understand their compliance responsibilities, or do they view compliance as “someone else’s job”?
Most healthcare organizations have strong control environments for revenue cycle — years of CMS billing compliance, RAC audits, and Stark Law enforcement have built robust controls around clinical billing. Those same organizations often have weak control environments for grant operations because grants represent a newer, smaller revenue stream. The assumption that revenue cycle controls transfer to grant compliance is wrong. The regulatory framework is different (2 CFR 200 vs. CMS billing rules), the documentation requirements are different (time and effort vs. charge capture), and the audit mechanism is different (Single Audit vs. RAC audit). Organizations that recognize this gap build a parallel control environment for grants. Organizations that do not recognize it leave a control gap that auditors find reliably.
2. Risk Assessment. The process of identifying and analyzing risks to the achievement of objectives. For grant operations, risk assessment means identifying where noncompliance is most likely to occur. The answer is predictable: personnel costs (the largest budget category and the one most dependent on time-and-effort documentation), procurement (where conflicts of interest, sole-source justifications, and cost reasonableness determinations create exposure), cost sharing (where match requirements may not be documented), and program income (where revenue generated by grant-funded activities must be tracked and reported).
Risk assessment should be specific to the portfolio. An organization with five federal awards from three agencies faces different compliance risks than one with a single HRSA cooperative agreement. The multi-award organization faces allocation risk (ensuring shared costs are properly allocated across awards), consistency risk (ensuring the same cost is not charged differently to different awards), and reporting risk (ensuring each award’s financial and progress reports are accurate and timely). These are not generic risks — they are risks that emerge from the structure of the portfolio.
3. Control Activities. The policies and procedures that implement the control environment. These are the preventive, detective, and corrective controls described above. In grant operations, control activities include: segregation of duties (the person who approves an expenditure is not the person who records it and is not the person who reconciles it), transaction authorization levels, documentation standards for each cost category, and reconciliation procedures.
4. Information and Communication. The systems that produce, capture, and communicate compliance-relevant information. In grant operations, this means the accounting system must track expenditures by award, by budget category, and by budget period. It means progress data must be captured in a form that supports both program management and required reporting. It means compliance status must be visible to the people who make spending decisions, not locked in the finance department.
The information and communication gap is where many organizations fail. The program director making daily operational decisions — hiring staff, scheduling travel, purchasing supplies — may have no visibility into the budget status of the award funding those activities. The grants accountant tracking expenditures may have no visibility into whether the activities those expenditures support are producing the required outputs. The disconnect between financial data and programmatic data produces a condition where no single person has the information needed to assess compliance status. This is not a technology problem. It is a control design problem.
5. Monitoring. The ongoing evaluation of the control system itself. Are the controls working? Are they being followed? Are there gaps? Monitoring is the meta-control — the control that evaluates whether the other controls are effective. In well-functioning organizations, monitoring includes management review of financial reports, periodic internal compliance assessments, and follow-up on prior audit findings. In poorly functioning organizations, monitoring is the annual Single Audit — the external detective control that substitutes for internal monitoring that does not exist.
The Compliance-Overhead Trap
This is the central failure mode in grant compliance, and it follows a predictable causal sequence.
Step 1: Compliance is framed as overhead. The organization’s leadership views compliance activities — documentation, reconciliation, time tracking, approval workflows — as administrative burden rather than operational infrastructure. This framing is often reinforced by program staff who see compliance requirements as obstacles to service delivery. The framing is understandable. It is also wrong.
Step 2: Investment is minimized. Because compliance is framed as overhead, the organization invests minimally. There is no dedicated grants accountant — the finance manager handles grants alongside all other accounting. There is no time-and-effort system — staff complete semi-annual certifications from memory. There are no formal approval workflows — the program director approves expenditures verbally. Procurement follows general organizational procedures that do not incorporate the federal requirements in 2 CFR 200.318-327.
Step 3: Control gaps accumulate. Without preventive controls, noncompliant expenditures enter the system unchecked. Time records are vague or missing. Procurement files lack required documentation (cost/price analysis, conflict of interest disclosures, vendor selection justification). Travel expenditures lack pre-approval documentation tying them to grant objectives. These are not isolated errors — they are systemic patterns produced by the absence of controls.
Step 4: The Single Audit discovers the gaps. The independent auditor tests a sample of transactions and finds systematic noncompliance. The findings are not surprises — they are the predictable result of the control gaps. But the organization experiences them as surprises because it has no internal monitoring that would have detected them earlier.
Step 5: Corrective action consumes capacity. The audit produces findings. Each finding requires a corrective action plan. Implementing corrective action plans requires staff time — the same staff time that was supposedly being saved by minimizing compliance investment. The corrective action plan also requires building the infrastructure that should have existed from the start: writing policies, implementing systems, training staff, and documenting retroactively what should have been documented contemporaneously.
Step 6: Future awards carry risk. Audit findings are public record, submitted to the Federal Audit Clearinghouse. Federal program officers review applicants’ audit history when making award decisions. An organization with unresolved findings may receive special conditions on new awards — additional reporting requirements, reduced payment flexibility, or enhanced monitoring. In competitive awards, audit history is a negative signal that reviewers weigh against the application.
The trap is self-reinforcing. Minimizing compliance investment produces audit findings. Audit findings consume capacity that could have been invested in compliance. The consumed capacity reduces the organization’s ability to build the infrastructure needed to prevent future findings. The cycle continues until external intervention (a corrective action plan with teeth) or internal recognition (leadership decision to invest in compliance infrastructure) breaks it.
Healthcare Example: The Cost of Underfunded Compliance
Consider a mid-size behavioral health organization — a community mental health center in rural Appalachia serving three counties — with 5 active federal grants totaling $6M annually. The portfolio includes two SAMHSA grants (a CCBHC expansion award and a State Opioid Response subaward), two HRSA grants (a Behavioral Health Workforce Education and Training award and a Rural Communities Opioid Response Program award), and one CDC grant (an Overdose Data to Action cooperative agreement). Five awards, three agencies, two direct and one pass-through.
For two fiscal years, the organization operates with underfunded compliance infrastructure:
- No dedicated grants accountant. The CFO’s office handles grant financial management alongside the organization’s $18M operating budget. The finance team has expertise in Medicaid billing and state contract management but limited experience with 2 CFR 200.
- Effort reporting is done quarterly, by memory, rather than contemporaneously. Clinical staff complete time-and-effort certifications at the end of each quarter, estimating their time allocation across programs from recall. The certifications are not supported by contemporaneous activity records — no timesheets, no electronic time tracking, no calendar-based documentation.
- No formal time-and-effort system. The organization’s payroll system allocates compensation to awards based on budgeted percentages, not actual effort. A clinician budgeted at 50% on the CCBHC grant and 50% on the RCORP grant is charged at that ratio regardless of actual time distribution.
- Procurement files are incomplete. Several contracts lack cost/price analyses, conflict of interest disclosures, or documentation of the vendor selection process.
- Cost sharing documentation for one award relies on estimates rather than documented actual costs.
The Single Audit at the end of year two produces the following:
Finding 1: Inadequate support for personnel costs (material weakness). The auditor tested a sample of 25 payroll transactions charged to federal awards and found that time-and-effort documentation did not meet the requirements of 2 CFR 200.430. Certifications were completed retrospectively and were not supported by records reflecting the actual activity of each employee. Questioned costs: $112,000 (the sampled personnel charges that could not be verified).
Finding 2: Procurement noncompliance (significant deficiency). Three contracts totaling $340,000 lacked required documentation under 2 CFR 200.320. Two lacked evidence of competitive procurement. One lacked a conflict of interest disclosure. Questioned costs: $48,000 (the contract without competitive procurement documentation, which the auditor could not verify met cost reasonableness standards).
Finding 3: Inadequate cost sharing documentation (other finding). One award required a 25% non-federal match. The organization reported meeting the match requirement but could not provide documentation sufficient to verify $20,000 of the reported match. Questioned costs: $20,000.
Total questioned costs: $180,000. Three findings. A mandatory corrective action plan for each.
The corrective action process consumes approximately 400 staff hours over four months: writing corrective action plans (60 hours), implementing a time-and-effort tracking system (120 hours including vendor selection, configuration, training, and rollout), revising procurement policies and retraining staff (80 hours), documenting cost sharing procedures and retroactively assembling documentation (60 hours), and management time on oversight, federal reporting, and agency correspondence (80 hours). At a blended staff cost of $55/hour, the corrective action process costs approximately $22,000 in direct staff time — plus the opportunity cost of 400 hours not spent on program delivery.
The compliance infrastructure the organization avoided would have cost approximately $85,000 per year: a dedicated grants accountant at $65,000 (salary plus benefits for a mid-career professional in a rural market), a cloud-based time-and-effort tracking system at $12,000/year, and procurement policy development and training at $8,000 in the first year. Total: $85,000 in year one, $77,000 in subsequent years.
The math is unambiguous. Two years without infrastructure: $0 compliance investment, $180,000 in questioned costs, $22,000 in corrective action costs, 400 hours of diverted capacity, findings on the public record affecting future competitiveness. Two years with infrastructure: $162,000 compliance investment, near-zero questioned costs, no findings, no corrective action, no reputational damage. The organization that “saved” money on compliance spent more on the consequences of not having it.
Just-Right Compliance
The goal is not maximum compliance activity. Over-compliance is a real problem — organizations that build elaborate control systems beyond what is necessary consume program capacity on documentation and approval workflows that do not reduce risk. The goal is effective controls: the minimum set of controls that produces reliable accountability without consuming the program capacity the funding was intended to support.
Just-right compliance requires risk-based thinking. Not every expenditure category carries the same compliance risk. Personnel costs, which consume the largest share of most grant budgets and depend on time-and-effort documentation, warrant strong preventive controls. Supply purchases under $1,000, which are low-dollar and high-volume, may warrant simplified documentation procedures rather than full approval workflows for each transaction. The control investment should be proportional to the risk — both the probability of noncompliance and the consequence if it occurs.
The GAO Green Book (GAO-14-704G) addresses this explicitly: internal controls should provide “reasonable assurance” — not absolute assurance — regarding the achievement of objectives. Reasonable assurance acknowledges that controls have costs, that no system is perfect, and that the objective is risk reduction to an acceptable level, not risk elimination. An organization spending 15% of its grant budget on compliance infrastructure is almost certainly over-controlled. An organization spending 1% is almost certainly under-controlled. The right number depends on portfolio complexity, organizational capacity, and risk tolerance — but for most mid-size healthcare organizations managing multiple federal awards, 3% to 5% of grant revenue invested in compliance infrastructure produces a return that more than justifies the cost.
Practical calibration of “just right” follows a hierarchy of priorities:
- Time and effort first. Personnel is the largest cost category and the one most frequently cited in audit findings. A contemporaneous time-tracking system pays for itself in the first audit cycle.
- Procurement documentation second. Procurement findings are the second most common Single Audit finding type. Written policies, documented vendor selection, and conflict of interest disclosures are low-cost, high-return controls.
- Financial reporting discipline third. Monthly reconciliation of grant expenditures to the general ledger catches mispostings and category errors before they accumulate into material variances.
- Cost sharing documentation fourth. For awards with match requirements, document the match as it occurs rather than assembling documentation at reporting time.
- Everything else fifth. Travel documentation, supply procurement, subrecipient monitoring — these are important but lower-risk categories that warrant standard procedures rather than elaborate controls.
The Product Owner Lens
What is the compliance problem? Organizations underinvest in compliance infrastructure, producing control gaps that are discovered at audit rather than prevented at the point of activity. The result is questioned costs, findings, and corrective action plans that cost more than the infrastructure would have.
What mechanism explains the bottleneck? The compliance-overhead trap: compliance is framed as administrative burden rather than operational infrastructure, investment is minimized, control gaps accumulate invisibly, and the Single Audit converts invisible gaps into visible findings. The mechanism is delayed feedback — the consequence of underinvestment arrives 12 to 24 months after the decision, long enough for the causal link to be obscured.
What controls or workflows improve it? Preventive controls at the point of activity: contemporaneous time tracking, pre-commitment budget verification, approval workflows with documented authorization, procurement documentation checklists, and automated budget category monitoring. The shift from detective to preventive controls is the single highest-leverage change an organization can make.
What should software surface? Compliance status by award: percentage of personnel charges with contemporaneous time documentation, percentage of procurement transactions with complete documentation files, budget category utilization with alerts at cumulative transfer thresholds (7% warning, 10% hard stop), cost sharing documentation completeness versus match requirements, and days since last reconciliation for each award. The dashboard should present compliance health as a leading indicator, not a lagging audit result.
What metric reveals risk earliest? The documentation completeness rate — the percentage of transactions in the current period that have all required supporting documentation at the time of the transaction, not at the time of the audit. An organization with 95% documentation completeness at the point of activity will have a clean audit. An organization at 70% is accumulating findings. This metric is computable in real time from the accounting system and document management system, and it predicts audit outcomes 12 months before the audit occurs.
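As an added example (not code from the original page or from any grants system it describes), the following Python computes two of the leading indicators just described for a constructed sample award: the pre-commitment budget check with the 7% warning and 10% hard stop on cumulative category transfers, and the documentation completeness rate together with days since last reconciliation. The required-document sets, the award figures and the transactions are assumptions constructed for this example.

```python
"""Leading compliance indicators for one federal award, as a dashboard would compute them.
Added example, not code from the page or from any real grants system: the 7%/10% cumulative
transfer check and the documentation completeness rate. All sample data is constructed."""
from dataclasses import dataclass, field
from datetime import date
WARN_TRANSFER = 0.07  # warning band from the page
HARD_STOP = 0.10      # transfers beyond this share need prior approval (2 CFR 200.308)
# Documents required at posting time, by category (this example's assumption, drawn from the page).
REQUIRED_DOCS = {
    "personnel": {"time_record"},
    "contractual": {"cost_price_analysis", "coi_disclosure", "selection_justification"},
    "travel": {"preapproval", "receipt"},
    "supplies": {"receipt"},
}

@dataclass
class Award:
    award_id: str
    approved: dict                             # category -> last approved budget
    spent: dict = field(default_factory=dict)  # category -> cumulative charges to date

    def transfer_fraction(self, extra=None):
        """Cumulative transfers among categories as a share of the approved budget: charges above
        a category's line must have come from another line, so summed overages are the transfer total."""
        projected = dict(self.spent)
        for cat, amt in (extra or {}).items():   # proposed charges not yet committed
            projected[cat] = projected.get(cat, 0.0) + amt
        overage = sum(max(0.0, amt - self.approved.get(cat, 0.0)) for cat, amt in projected.items())
        return overage / sum(self.approved.values())

def check_commitment(award, category, amount):
    """Preventive control run before a purchase order or hire is committed.
    Returns ('ok' | 'warn' | 'block', projected transfer fraction)."""
    frac = award.transfer_fraction({category: amount})
    if frac > HARD_STOP:
        return "block", frac  # hold the commitment; it needs the agency's prior approval
    if frac > WARN_TRANSFER:
        return "warn", frac
    return "ok", frac

@dataclass
class Transaction:
    txn_id: str
    award_id: str
    category: str
    amount: float
    posted: date
    docs: set = field(default_factory=set)  # documents attached when the transaction was posted

    def is_documented(self):
        return REQUIRED_DOCS.get(self.category, set()) <= self.docs

def documentation_completeness(txns, award_id, start, end):
    """Share of one award's transactions in [start, end] that carried every required
    document when posted; None when the period has no activity."""
    in_scope = [t for t in txns if t.award_id == award_id and start <= t.posted <= end]
    if not in_scope:
        return None
    return sum(t.is_documented() for t in in_scope) / len(in_scope)

def completeness_band(rate):
    """Bands follow the page's figures (95% points to a clean audit, 70% to accumulating
    findings); the labels are this example's own."""
    if rate is None:
        return "no activity"
    return "healthy" if rate >= 0.95 else "watch" if rate >= 0.70 else "at risk"

def compliance_row(award, txns, start, end, last_reconciled, today):
    """One dashboard row: leading indicators, not last year's audit result."""
    rate = documentation_completeness(txns, award.award_id, start, end)
    return {"award": award.award_id, "doc_completeness": rate, "band": completeness_band(rate),
            "transfer_fraction": award.transfer_fraction(),
            "days_since_reconciliation": (today - last_reconciled).days}

# Constructed sample award: $1.0M approved, personnel already $40k over its line (4% transferred).
AWARD = Award("AWARD-EXAMPLE-1",
              approved={"personnel": 600_000, "fringe": 150_000, "travel": 20_000,
                        "supplies": 30_000, "contractual": 200_000},
              spent={"personnel": 640_000, "fringe": 140_000, "travel": 15_000,
                     "supplies": 25_000, "contractual": 150_000})
A1 = AWARD.award_id
# Constructed sample transactions: six in scope for January 2025, two that are not.
TXNS = [
    Transaction("T1", A1, "personnel", 8_000, date(2025, 1, 3), {"time_record"}),
    Transaction("T2", A1, "personnel", 8_000, date(2025, 1, 17), set()),  # certified from memory, later
    Transaction("T3", A1, "contractual", 40_000, date(2025, 1, 9),
                {"cost_price_analysis", "coi_disclosure", "selection_justification"}),
    Transaction("T4", A1, "contractual", 25_000, date(2025, 1, 21), {"cost_price_analysis"}),
    Transaction("T5", A1, "travel", 1_200, date(2025, 1, 14), {"preapproval", "receipt"}),
    Transaction("T6", A1, "supplies", 600, date(2025, 1, 28), {"receipt"}),
    Transaction("T7", "AWARD-EXAMPLE-2", "supplies", 300, date(2025, 1, 28), set()),  # other award
    Transaction("T8", A1, "supplies", 300, date(2024, 12, 30), set()),  # prior period
]
PERIOD_START, PERIOD_END = date(2025, 1, 1), date(2025, 1, 31)
LAST_RECONCILED, TODAY = date(2024, 11, 30), PERIOD_END

if __name__ == "__main__":
    print([check_commitment(AWARD, c, a) for c, a in (("travel", 30_000), ("contractual", 85_000), ("personnel", 70_000))])
    print(compliance_row(AWARD, TXNS, PERIOD_START, PERIOD_END, LAST_RECONCILED, TODAY))
```

On the sample data the travel commitment passes, the contractual one warns at 7.5%, and the personnel one is blocked at 11%; the January completeness rate of 4 of 6 lands in the "at risk" band.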
Warning Signs
Time-and-effort certifications are completed from memory. If staff complete time allocation certifications weeks or months after the work was performed, without contemporaneous supporting records, the organization is building a questioned-cost exposure that grows with every pay period. The 2 CFR 200.430 requirement for records that “reasonably reflect the total activity for which the employee is compensated” is not met by retrospective estimation.
No one can produce a current compliance status by award. If the question “are we in compliance on Award X right now?” requires research rather than a dashboard check, the information and communication component of the control system is broken. Compliance status should be continuously available, not periodically reconstructable.
Procurement files are assembled after the fact. If procurement documentation — cost/price analysis, conflict of interest disclosures, vendor selection justification — is created or gathered when the auditors request it rather than at the time of procurement, the preventive control does not exist. The documentation is detective at best, fabricated at worst.
The grants accountant function is a fraction of someone’s job. An organization managing $2M or more in federal awards without a dedicated grants financial management role is structurally under-controlled. Grant accounting under 2 CFR 200 requires specific expertise that general accounting staff may not have, and adding it to an already-full workload ensures it receives insufficient attention.
Prior audit findings remain unresolved. Repeat findings — the same noncompliance identified in consecutive audit cycles — are a signal that the corrective action process is performative. The organization wrote a corrective action plan to satisfy the auditor but did not implement it. Repeat findings escalate: what was a significant deficiency becomes a material weakness, what was a questioned cost becomes a disallowed cost, and the federal agency’s patience narrows.
Leadership refers to compliance as “the audit stuff.” Language reveals framing. If the executive team discusses compliance only in the context of audit preparation — rather than as an ongoing operational function — the control environment is weak regardless of what policies exist on paper.
Integration Hooks
Human Factors Module 8 (Fraud Patterns and Adversarial Design). Compliance monitoring and fraud detection share the same structural problem: an observer must distinguish legitimate activity from noncompliant or fraudulent activity against a background of high-volume transactions. The connection is deeper than analogy. Goodhart’s Law — “when a measure becomes a target, it ceases to be a good measure” — applies directly to compliance metrics. An organization that tracks “percentage of time-and-effort certifications completed on time” as its primary compliance metric will optimize for certification completion, not for accuracy of time reporting. Staff will submit certifications on schedule regardless of whether those certifications reflect actual effort. The metric will show 100% compliance while the underlying behavior remains noncompliant. Effective compliance measurement requires metrics that resist gaming — documentation completeness verified against source records, not self-reported certification rates. HF Module 8’s analysis of adversarial design provides the framework: design the measurement system as if someone is trying to satisfy the metric without satisfying its intent, because in practice, that is what happens under compliance pressure.
Human Factors Module 3 (Signal Detection Theory). Compliance monitoring is an SDT problem with identifiable parameters. The “signal” is a noncompliant transaction. The “noise” is the population of compliant transactions. The monitoring system must detect true noncompliance (hits) without generating excessive false alarms (flagging legitimate transactions as noncompliant). The base rate matters enormously: in a well-controlled organization, the vast majority of transactions are compliant, which means any monitoring system faces a low-base-rate detection problem where even a modest false alarm rate produces far more false positives than true positives. This is the exact dynamic described in HF Module 3’s analysis of clinical alerting — and the same principles apply. A compliance monitoring system that flags 20% of transactions for review in an organization where 2% are actually noncompliant will produce a positive predictive value of approximately 10% (2% ÷ 20%, assuming every noncompliant transaction is among those flagged), meaning 90% of flagged items are false alarms. The monitoring staff will habituate to the noise and begin clearing flags without investigation — the compliance equivalent of alert fatigue. The solution is the same: improve discriminability (better data, more specific rules) and set the criterion based on explicit cost analysis (the cost of missing a noncompliant transaction versus the cost of investigating a compliant one).
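A worked version of the base-rate arithmetic and the cost-based criterion setting described above, added here as an illustration and not part of the original module. It assumes the standard equal-variance Gaussian signal-detection model (compliant transactions score N(0,1), noncompliant ones N(d′,1), anything above a criterion c is flagged), and it generalizes the 2%/20% figure into a search for the criterion that minimizes expected cost; all rates and costs are constructed.

```python
"""Signal-detection model of compliance monitoring (added example).

Equal-variance Gaussian SDT: a compliant transaction's risk score is N(0,1),
a noncompliant one's is N(d',1), and a transaction is flagged for review when
its score exceeds criterion c. Every rate and cost below is constructed.
"""
from math import erf, sqrt


def normal_sf(x):
    """P(Z > x) for a standard normal Z (survival function, no scipy needed)."""
    return 0.5 * (1.0 - erf(x / sqrt(2.0)))


def ppv(base_rate, hit_rate, false_alarm_rate):
    """Positive predictive value: share of flagged items that are truly noncompliant."""
    flagged = base_rate * hit_rate + (1.0 - base_rate) * false_alarm_rate
    return 0.0 if flagged == 0.0 else base_rate * hit_rate / flagged


def rates_at_criterion(d_prime, criterion):
    """(hit rate, false-alarm rate) when the criterion sits at `criterion`."""
    return normal_sf(criterion - d_prime), normal_sf(criterion)


def expected_cost(base_rate, d_prime, criterion, cost_miss, cost_review):
    """Expected cost per transaction: missed noncompliance plus every review performed."""
    hit, fa = rates_at_criterion(d_prime, criterion)
    misses = base_rate * (1.0 - hit)
    reviews = base_rate * hit + (1.0 - base_rate) * fa  # every flag is investigated
    return misses * cost_miss + reviews * cost_review


def best_criterion(base_rate, d_prime, cost_miss, cost_review,
                   lo=-3.0, hi=6.0, steps=901):
    """Grid search for the criterion with the lowest expected cost.

    Requires cost_miss > cost_review; a larger miss cost pushes the criterion
    down (more flags), a larger review cost pushes it up (fewer flags).
    """
    best_c, best_cost = lo, float("inf")
    for i in range(steps):
        c = lo + (hi - lo) * i / (steps - 1)
        cost = expected_cost(base_rate, d_prime, c, cost_miss, cost_review)
        if cost < best_cost:
            best_c, best_cost = c, cost
    return best_c, best_cost
```

With the module's figures (2% base rate, 20% of transactions flagged, all noncompliant ones caught) `ppv` returns 0.10; raising d′ at a fixed false-alarm rate raises PPV, and raising the miss cost lowers the chosen criterion.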
Key Frameworks and References
- 2 CFR Part 200 (Uniform Guidance) — the master regulation for all federal grant compliance; Subpart D (post-award requirements), Subpart E (cost principles), Subpart F (audit requirements)
- 2 CFR 200.302 — financial management system requirements for federal award recipients
- 2 CFR 200.303 — internal controls requirement, incorporating federal internal control standards
- 2 CFR 200.318-327 — procurement standards for federal awards
- 2 CFR 200.405 — allocability standard for costs charged to federal awards
- 2 CFR 200.430 — compensation — personal services; the time-and-effort documentation requirement
- COSO Internal Control — Integrated Framework (2013) — five-component model for internal control design and evaluation
- GAO Standards for Internal Control in the Federal Government (Green Book, GAO-14-704G) — federal adaptation of COSO framework, the standard used by auditors evaluating recipient internal controls
- Single Audit Act Amendments of 1996 (31 U.S.C. 7501-7507) — the statutory basis for the Single Audit requirement
- OMB Compliance Supplement — annual guidance to auditors on which compliance requirements to test for each federal program
- Government Auditing Standards (Yellow Book, GAO-21-368G) — the auditing standards under which Single Audits are conducted
- HRSA Grants Policy Statement — HRSA-specific compliance requirements supplementing the Uniform Guidance
- SAMHSA Terms and Conditions — SAMHSA-specific award requirements
- HHS OIG Semiannual Reports — Office of Inspector General reports documenting common compliance failures, fraud patterns, and audit outcomes across HHS-funded programs
- Federal Audit Clearinghouse (FAC) — the repository where Single Audit results are filed and publicly accessible