The Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) and related federal programs provided crucial federal funding to state and local governments, not-for-profit organizations, and for-profit entities. Companies receiving any form of funding under the CARES Act or other federal funding programs should review the program to determine applicable reporting and audit requirements. Use the link below to access a summary of audit requirements by federal agency and program.

Covid-19 Related Federal Funding Audit Requirements

Based on an update from the U.S. Department of Health and Human Services (“HHS”) on July 22, 2020, and as noted in the summary referenced above, recipients of Provider Relief Fund payments, as well as other federal programs (including commercial entities), will be subject to Single Audit requirements if the entity expended $750,000 or more of federal funds received during its fiscal year.

Some for-profit companies may be subject to Single Audit requirements for the very first time. The information below provides further information on a Single Audit, how companies can begin to prepare, and how to maintain compliance while using the payments received. Single audits are due 9 months after an entity’s fiscal year-end.

What is a Single Audit?

A Single Audit is an audit of a non-federal entity that expends $750,000 or more of federal assistance during its fiscal year.  The audit is conducted under Subpart F of the Office of Management and Budget’s (OMB) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance).  There are two main parts of a Single Audit: an audit of the financial statements and a compliance audit of the entity’s major federal award programs. The compliance audit of the entity’s major programs includes gaining an understanding and testing internal controls over compliance and testing compliance with the applicable requirements for each major program.

Historically, state and local governments and not-for-profit organizations expending $750,000 or more of federal funds annually have been subject to the Single Audit provisions.  Commercial (or for-profit) entities were previously not subject to Single Audit requirements under the Uniform Guidance.

What is a Compliance Supplement?

The OMB issues an annual Compliance Supplement which discusses compliance requirements and provides suggested audit procedures for several federal award programs. The Compliance Supplement is the primary source for identifying compliance requirements for federal programs. Auditors will use the Compliance Supplement, in conjunction with professional judgment, to determine which of the 12 types of compliance requirements may have a direct and material effect on each major program. The 2020 Compliance Supplement is expected to be issued in two parts. The first part, which was issued in August 2020, primarily related to what was developed prior to the COVID-19 pandemic. The second part is expected to address COVID-19 matters and related funding.  Part 2 of the 2020 Compliance Supplement is expected to be issued this fall and will address specific testing requirements for auditors.  The 2020 Compliance Supplement is applicable for audits of fiscal years beginning after June 30, 2019.

What internal control policies does a company need related to federal funding?

Management should develop and review policies and procedures for internal controls in place over federal funds received and gain an understanding of applicable compliance requirements.  There are 12 basic compliance requirements that are found in the Compliance Supplement; however, not all of the requirements listed below will be applicable for a given major program. Entities need to ensure they understand the specific requirements applicable to each federal award received.

Compliance requirements:

  1. Activities Allowed or Unallowed
  2. Allowable Costs/Cost Principles
  3. Cash Management
  4. Eligibility
  5. Equipment and Real Property Management
  6. Matching, Level of Effort and Earmarking
  7. Period of Performance
  8. Procurement, Suspension and Debarment
  9. Program Income
  10. Reporting
  11. Subrecipient Monitoring
  12. Special Tests and Provisions

For more information on preparing for your first single audit, read here.

Are there any cash management requirements related to federal funding?

Cash management policies require non-federal entities to minimize the time elapsing between the transfer of funds from the U.S. Treasury or pass-through entity and disbursement by the non-Federal entity for direct program or project costs.  In accordance with cash management compliance requirements of Uniform Guidance (2 CFR section 200.305(8)), in general, non-federal entities receiving advance payments of federal awards must maintain these payments in interest-bearing accounts.  Further, the Uniform Guidance (2 CFR section 200.305(9)) states that any interest earned on deferral advance payments in excess of $500 per year must be remitted annually to HHS’s payment management system. Cash management procedures and specific procedures will likely be tested as part of compliance requirements in the Single Audit.

What healthcare-related expenses or lost revenues are eligible for reimbursement related to Provider Relief Fund Payments?

The CARES Act Provider Relief Fund distributed $175 billion to hospitals and healthcare providers to assist in combating the COVID-19 pandemic. Funding is meant to be used for reimbursing hospitals and healthcare providers for healthcare-related expenses or lost revenues related to preventing, preparing for, or responding to COVID-19. HHS initially provided guidance regarding eligibility of applying Provider Relief Fund payments to healthcare-related expenses or lost revenues through FAQ’s on the HHS website. On September 19, 2020, HHS published a Post-Payment Notice of Reporting Requirements which provided further guidance for reporting and use of the funds. On October 22, 2020, HHS amended the Post-Payment Notice of Reporting Requirements, which can be found here – https://www.hhs.gov/sites/default/files/post-payment-notice-of-reporting-requirements-october-2020.pdf. LBMC is currently reviewing the updated Post-Payment Notice of Reporting Requirements to gain an understanding of the changes and new guidelines. We expect to be able to issue further clarification and interpretation of the changes in the coming week. In the meantime, if you would like to discuss the new requirements further, please reach out to your LBMC team member or contact Laura McGregor at (615) 309-2289.

Are there any other reporting requirements related to Provider Relief Fund Payments other than the Single Audit discussed above?

Any entity that received $10,000 or more in the aggregate from the Provider Relief Fund will be subject to additional reporting requirements, which are intended to demonstrate compliance with the Terms & Conditions of the Provider Relief Fund.

On September 19, 2020, HHS published a Post-Payment Notice of Reporting Requirements, which was amended on October 22, 2020 and can be found here – https://www.hhs.gov/sites/default/files/post-payment-notice-of-reporting-requirements-october-2020.pdf. The notice provides further guidance for reporting and use of the funds.

Recipients of the Provider Relief Fund Payments will be required to report the following information.

Demographic Information

  1. Reporting Entity: Entity (TIN) that received one of more provider relief payments, or an entity that meets the following criteria: (1) is the parent entity of one or more subsidiaries that received General Distribution payments, (2) has providers that were treating patients with possible or actual cases of COVID-19 on or after January 31, 2020, and (3) is an entity that can attest to the Terms and Conditions. If the entity has subsidiary TINs that received funds from the General Distribution, the Reporting Entity may report and direct the use of General Distribution payments.  However, if a subsidiary TIN received a Targeted Distribution payment, those funds must be used by the TIN that received payment and cannot be allocated to other subsidiaries or the parent entity. The subsidiary TIN receiving the Targeted Distribution payment must also report use of funds for that payment.
  2. Tax Identification Number (TIN)
  3. National Provider Number (NPI) optional
  4. Fiscal Year-End Date
  5. Federal Tax Classification

Expenses attributable to Coronavirus not reimbursed by other sources (2020 only)

  1. A Reporting Entity that received between $10,000 and $499,999 in aggregated provider relief payments are required to report healthcare related expenses (as defined above) in two categories: G&A expenses and other healthcare related expenses
  2. A Reporting Entity that received more than $500,000 in aggregated provider relief payments must break out expenses into more detailed information within G&A expenses and healthcare related expenses as described below:
    • General and administrative expenses
      • Mortgage/rent
      • Insurance
      • Personnel
      • Fringe Benefits
      • Lease Payments
      • Utilities/Operations
      • Other General and Administrative Expenses
    • Healthcare Related Expenses Attributable to Coronavirus
      • Supplies
      • Equipment
      • Information Technology
      • Facilities
      • Other Healthcare Related Expenses

Lost revenue attributable to Coronavirus

    1. Total revenue (net of uncollectible bad debts) from patient care related sources (2019 and 2020). Calendar year actual revenues will be entered by quarters.
    2. Revenue from patient care payer mix (2019 and 2020)
    3. Other assistance received during 2020
      1. Treasury, Small Business Administration (SBA) and the CARES Act/Paycheck Protection Program (PPP)
      2. FEMA CARES Act
      3. CARES Act Testing
      4. Local, State, and Tribal government assistance
      5. Business insurance
      6. Other assistance
    4. Total calendar year expenses broken down into G&A and healthcare related expenses (2019 and 2020). Calendar year actual expenses will be entered by quarters.

Additional non-financial data (by quarter)

  1. Facility, staffing, and patient care
    1. Personnel metrics (including personnel by labor category, re-hires, new hires, and separations)
    2. Patient metrics (including total patient visits, admits, resident patients)
    3. Facility metrics (available staffed beds for medical/surgical, critical care, and other beds)
  2. Change in ownership
    1. Reporting Entities that acquired or divested of related subsidiaries must provide certain additional information related to the change in ownership
  3. Single Audit status
    1. Reporting entities must indicate if they are subject to Single Audit requirements (as described above), and indicate whether the auditors selected provider relief fund payments to be within the scope of the Single Audit (if known at time of reporting)

The reporting system is scheduled to open to providers on January 15, 2021.  The first reporting deadline for all providers on use of funds is February 15, 2021.  The final reporting deadline for providers who did not fully expend funds prior to December 31, 2020, is July 31, 2020.

These final reporting requirements do not apply to Nursing Home Infection Control distribution recipients, Rural Health Clinic Testing distribution recipients, or Health Resources and Services Administration (HRSA) Uninsured Program reimbursement recipients.  Separate reporting requirements may be announced in the future.

HHS indicated that commercial organizations may have “a financial related audit of the award or awards conducted in accordance with Government Auditing Standards (“Yellow Book”)” instead of a Single Audit. What does this type of audit entail and how is it different from a Single Audit?

As discussed above, a Single Audit includes an audit of an organization’s financial statements and a compliance audit of the entity’s major federal award programs.  A “financial related audit under the Yellow Book is described as follows:

“Financial audits provide independent assessments of whether entities’ reported financial information (e.g., financial condition, results, and use of resources) is presented fairly, in all material respects, in accordance with recognized criteria. Financial audits conducted in accordance with GAGAS include financial statement audits and other related financial audits”.

The most common type of financial related audit is an engagement where an auditor reports on an organization’s financial statements as well as on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements that have a material effect on the financial statements. However, the Yellow Book also describes the following other types of financial related audits:

  1. obtaining sufficient, appropriate evidence to form an opinion on a single financial statement or specified elements, accounts, or line items of a financial statement;
  2. issuing letters (commonly referred to as comfort letters) for underwriters and certain other requesting parties
  3. auditing applicable compliance and internal control requirements relating to one or more government programs; and
  4. conducting an audit of internal control over financial reporting that is integrated with an audit of financial statements (integrated audit)

The third option noted above appears to be the most relevant type of engagement that will satisfy the requirements for audits of the Cares Act Relief funds when a Single Audit is not specifically required. Under this type of audit, the grant recipient may be required to have an audit of a statement which includes the expenditures for all awards made to the organization by the Department of Health and Human Services (“DHHS”). An auditor would be required to audit this statement as well as perform specific procedures to understand and test internal controls over the administration of these government awards and perform tests of compliance with the specific terms and conditions of the awards.  The auditor would include any compliance findings in their report.

Additional information is expected to be provided by the DHHS about specific compliance requirements or audit procedures that are required.