Subrecipient Risk Assessment

The pre-award checklist that sets how closely you'll watch a subrecipient.

Updated July 11, 2026

Before federal money moves to a subrecipient, Uniform Guidance (2 CFR 200.332(b)) asks you to size up the risk that they'll mishandle it. Not as a judgment on the partner — as a way to decide how closely you need to watch them. A well-run partner with a clean audit history needs a lighter touch than a brand-new group taking its first federal dollars.

NP Ledger captures this as a structured checklist. You answer seven factors, set an overall risk level, and write down your monitoring plan. The result drives how often the compliance report expects you to check in. It's a record-keeping aid — the risk-level call is yours, not the software's.

Do the assessment before you activate the subaward — that's the "pre-award" in pre-award risk assessment, and NP Ledger won't let a subaward go active without one on file. Do a fresh one whenever something material changes: a new audit comes in, the partner reorganizes, or you renew for another period. Assessments are immutable once saved, so a new one never overwrites the old — it supersedes it, and the history stays intact for your auditor.

Each factor is a plain multiple-choice. Here's what each one is really asking.

  1. Prior experience with similar subawards. Has this partner run this kind of federally funded work before? A group with five years of it carries less risk than a first-timer — not because new groups are bad, but because there's no track record to lean on yet.

  2. Results of previous audits. What did their last audits find? "No findings" is reassuring; "findings still open" is a flag worth a closer look. "No prior audits" isn't bad on its own — it just means less to go on.

  3. New personnel or systems since the last audit. Turnover in finance staff or a switch in accounting systems can undo the controls an earlier audit relied on. Fresh people and fresh systems haven't been tested yet.

  4. Extent and results of federal monitoring. Have federal agencies or other pass-through entities monitored this partner, and how did it go? Clean prior monitoring is a good sign; known issues are worth weighing.

  5. Financial stability. Based on their recent financial statements, are they on solid footing? A partner running on fumes is a higher risk to the program, whatever their intentions. If you haven't reviewed statements, say so — "not reviewed" is an honest answer, not a wrong one.

  6. Quality of management systems. Do they have documented, tested financial and program controls, or are they running on good intentions and a spreadsheet? Documented-and-tested is the gold standard.

  7. Single Audit status. If they spend enough federal money, they owe a Single Audit. Is it done, and was it clean? A required-but-not-completed audit is a real gap. (The Single Audit threshold is $1,000,000 in federal spending under the 2024 Uniform Guidance revision — worth knowing if your subrecipient is near it.)

After the seven factors, set an overall level: low, medium, or high. NP Ledger suggests a level based on your answers, but the call is yours — you know context the checklist can't see. The level isn't a grade on the partner. It's a dial for how much attention the relationship needs.

Here's how the level translates into a suggested monitoring rhythm:

Risk level Suggested cadence
Low Annual desk review
Medium Semiannual desk review plus one site visit
High Quarterly reviews, a site visit, and closer invoice scrutiny

The cadence is a suggestion, not a rule the software enforces. But the compliance report uses it: set a partner to high risk, and the report expects to see monitoring every quarter. Go too long without logging a check-in, and their traffic light turns yellow, then red.

The plan is a short free-text note — at least a couple of sentences — describing how you'll actually watch this subrecipient. What will you review? How often? What would make you step it up? Future-you (and your auditor) will thank present-you for writing it down while it's fresh.

Every saved assessment has a PDF export — a clean, one-page workpaper with the factors, the risk level, the plan, and the assessor and date. It carries a plain disclaimer that it's a record-keeping tool, not a compliance determination. Hand it to your auditor as-is, or drop the whole set into the PBC audit export from the CPA Dashboard.

This checklist helps you organize a judgment. It doesn't make one for you, and it isn't legal or audit advice. If a factor is close to the line, or you're not sure how to weigh a partner's history, that's a good conversation to have with your CPA or grant compliance officer before you activate the award.

Was this page helpful?

Ready to try NP Ledger?

Native fund accounting, Form 990 support, and smarter bookkeeping for nonprofits.