Internal Controls and Compliance Under Uniform Guidance: Why Process, Control, and Compliance Are Not the Same
- JConner
- 2 days ago
- 7 min read
Organizations subject to Single Audit requirements often understand the importance of compliance, but many struggle with how auditors evaluate internal control over compliance.
One common issue is that auditees confuse a process with a control. Another is the belief that if the organization complied with a requirement, there cannot be a control deficiency. A third is failing to recognize that when noncompliance occurs, there is usually a related control issue that needs to be evaluated.
A fourth issue is just as important: management may say something was reviewed, but the review was not documented.
These distinctions matter because Uniform Guidance requires recipients and subrecipients to establish, document, and maintain effective internal control over federal awards.
The Uniform Guidance Requirement
Under 2 CFR 200.303, recipients and subrecipients must establish, document, and maintain effective internal control over federal awards that provides reasonable assurance they are managing the award in compliance with federal statutes, regulations, and the terms and conditions of the award.
The regulation also requires recipients and subrecipients to evaluate and monitor compliance and take prompt action when instances of noncompliance are identified.
This means the audit focus is not limited to whether a transaction was compliant. Auditors also evaluate whether internal controls over compliance were properly designed, implemented, documented, and operating effectively.
Process vs. Control
A process describes how work gets done.
A control is the specific activity designed to either prevent an error, omission, or instance of noncompliance from occurring, or to detect and correct it timely if it does occur.

Example: Allowable Costs
Process:
An invoice is received, coded to a federal grant, entered into the accounting system, and paid.
Preventive control:
A qualified reviewer compares the invoice to the grant agreement, approved budget, period of performance, supporting documentation, and allowability requirements before payment. The reviewer documents approval through a dated sign-off or workflow approval.
Detective and corrective control:
The Grants Manager reviews a monthly grant expense detail report, investigates unusual or miscoded expenses, and corrects errors before reimbursement requests or financial reports are submitted.
The process explains the workflow.
The control addresses the risk.
If the documentation only says, “Invoices are submitted to finance for payment,” that is not enough to demonstrate an effective control over allowable costs.
“We Reviewed It” Is Not the Same as Documented Review
One of the most common issues in Single Audits is undocumented review.
Management may explain that someone reviewed an invoice, payroll allocation, reimbursement request, financial report, procurement file, or grant reconciliation. But if there is no evidence of the review, the auditor may not be able to test whether the control actually operated.
For audit purposes, a review control should usually show:

A signature, dated approval, workflow history, review checklist, reconciliation sign-off, exception log, or documented review note can provide evidence that the control occurred.
A review that is not documented may be difficult to distinguish from a review that never happened.
If the organization wants to rely on review as a control, the review should leave evidence.
Examples of Review Evidence
Weak evidence:
“Reviewed” with no date or name
Verbal confirmation that someone looked at the report
An email saying “looks good” with no supporting detail
A report saved in a folder with no sign-off
A checklist with boxes checked but no indication of what was tested
Stronger evidence:
Dated approval in the accounting system
Signed reconciliation with review notes
Review checklist tied to specific compliance requirements
Email approval that references the report reviewed and any follow-up performed
Exception log showing what was found, who resolved it, and when it was corrected
Monthly grant reconciliation with preparer and reviewer sign-off
Report package showing review, questions asked, and management’s resolution
The goal is not to create unnecessary paperwork. The goal is to retain enough evidence to show that a knowledgeable person reviewed the right information, at the right time, using the right criteria, and followed up on exceptions.

A stronger control description should answer the 5W questions, plus “how.”
Who performs the control? Identify the role responsible for the control, such as the Grants Manager, Controller, Program Director, CFO, or Finance Committee member.
What is reviewed or performed? Describe the specific document, report, transaction, reconciliation, approval, or monitoring activity.
When is the control performed? State the frequency or timing, such as before payment, monthly, quarterly, before reimbursement submission, or before financial report submission.
Where is the evidence retained? Identify where the review evidence is maintained, such as the accounting system, grant file, reconciliation workbook, approval workflow, board packet, or shared drive.
Why is the control performed? Tie the control to the risk or compliance requirement, such as allowability, period of performance, procurement, reporting accuracy, cash management, subrecipient monitoring, or payroll allocation support.
How is the control performed? Explain the specific criteria used, how exceptions are identified, how corrections are made, and how resolution is documented.
Using the 5W method helps turn a vague control description into something management can perform consistently and auditors can test.
For example, “the report is reviewed monthly” is not a strong control description.
A stronger control description would be:
“The Grants Manager reviews the monthly grant expense detail before reimbursement requests are submitted to determine whether costs are allowable, incurred within the period of performance, charged to the correct award, and supported by documentation. The review is evidenced by dated sign-off on the reconciliation workbook, with exceptions documented and corrected before submission.”
That description tells the reader who performs the control, what is reviewed, when it happens, why it matters, how it is performed, and where the evidence is retained.
This matters because “review” is often the control clients describe, but the audit evidence is the documented proof that the review actually happened.
A strong control description should also identify whether the control is preventive, detective and corrective, or both.
Compliance Can Exist Even When a Control Deficiency Exists
This is one of the most important concepts for auditees to understand. A transaction can be compliant, but the related control can still be deficient. For example, assume payroll costs charged to a federal award were allowable and properly allocated in the sample tested. However, the organization cannot provide evidence that payroll allocations were reviewed, approved, or monitored during the year.
In that case, the compliance result may be acceptable, but the control may still be deficient because the organization cannot demonstrate that the control was designed and operating effectively.
When noncompliance occurs—such as an unallowable employee recognition cost being charged to a grant—management cannot just remove the transaction and say, "It was only one mistake." You must evaluate the root cause of the control structure.
If an unallowable cost slipped through, ask yourself: Was the reviewer familiar with the specific grant requirements? Was the review actually documented before payment?

The key point is this:
Correct results do not automatically prove effective controls.
A compliant transaction may occur because staff were experienced, the sample happened to be clean, or an error simply did not occur during the period tested. Auditors still need to understand whether the organization has a repeatable, documented control that provides reasonable assurance that noncompliance would be prevented, or detected and corrected timely.
When noncompliance occurs, management should evaluate the related control structure.
If an unallowable cost was charged to a federal award, one or more control issues likely existed. For example:
no allowability review was required
the review was not performed
the reviewer lacked sufficient knowledge of the award requirements
the review was performed but not documented
the control did not include the relevant compliance requirement
monitoring did not occur timely
exceptions were not investigated
errors were detected but not corrected timely
Not every compliance exception automatically results in a separately reportable significant deficiency or material weakness. Severity still matters. From a root-cause perspective, noncompliance generally means the control either did not exist, was not properly designed, was not operating effectively, or did not detect and correct the issue timely. Here is how these control gaps play out across different compliance areas:
Reporting
The organization submitted required quarterly financial reports on time, and the reports were accurate. However, there was no documented review, no reconciliation to the general ledger, and no evidence that a knowledgeable person approved the report before submission.
The organization may have complied with the reporting requirement, but the control over reporting may still be deficient.
Procurement
A vendor was legitimate, pricing appeared reasonable, and the goods were received. However, the procurement file did not show required approvals, cost or price analysis, conflict-of-interest review, or required procurement documentation.
The purchase may not result in questioned costs, but the procurement control may still be deficient.
Subrecipient Monitoring
A subrecipient performed the required work and submitted reports. However, the pass-through entity did not document monitoring procedures, review of reports, follow-up on issues, or risk assessment of the subrecipient.
The program activity may have occurred, but the monitoring control may not be supported.

Organizations can reduce Single Audit findings by strengthening control design and documentation before fieldwork begins.
Questions to Ask Before Fieldwork
Before the Single Audit begins, management should be able to answer:
What are the key compliance requirements for each major program?
What controls address each requirement?
Are controls preventive, detective and corrective, or both?
Who performs each control?
Is the reviewer independent enough and knowledgeable enough?
Is there evidence the control occurred?
Are exceptions tracked and resolved?
Are corrections made timely?
Were prior findings corrected?
Are policies aligned with actual practice?
Could an auditor reperform or inspect evidence of the control?
If the answer is unclear, the organization may have audit risk.
Helpful Resources
The following resources can help auditees better understand internal control over compliance and Single Audit expectations:
Final Thoughts
Single Audit findings are often preventable when organizations understand how compliance and internal control work together.
A process explains how work moves through the organization.
A control reduces the risk that the process will produce an error, omission, or instance of noncompliance by preventing the issue, or detecting and correcting it timely.
Compliance means the requirement was met.
Control effectiveness means the organization had a properly designed, consistently operating, and documented control to provide reasonable assurance that compliance would occur.
Documented review evidence shows that the control actually operated.
Those differences matter.
Organizations that understand them are better positioned to reduce findings, respond to exceptions, strengthen grant management, and improve audit readiness.
