Key Facts
- 2 CFR 200.303 is the requirement. Establish and maintain effective internal control over the federal award.
- COSO + GAO Green Book are the named frameworks. Five components: control environment, risk assessment, control activities, information & communication, monitoring.
- Segregation of duties is the foundational control — no one person owns a whole transaction end to end.
- Controls must operate, not just exist. Auditors test whether the control actually happened, not whether a policy is on the shelf.
- Small shops use compensating controls — documented independent oversight when you can't fully segregate duties.
Summary
Internal control is the boring foundation that everything else in grant compliance sits on, and it's the thing auditors examine first. 2 CFR 200.303 requires you to have effective internal control over your federal awards — meaning systems and processes that give reasonable assurance you're spending the money the way you're supposed to and catching problems before they become findings. It's not a single policy. It's how your organization actually operates.
The regulation points to two frameworks: the COSO Internal Control–Integrated Framework, which is the private-sector standard, and the GAO Green Book, which is the federal version. You don't have to formally adopt either one (the language is "should," not "shall"), but auditors evaluate your controls against these frameworks' five components. So understanding them isn't optional if you want to pass a Single Audit cleanly.
What 200.303 Says, Plainly
The section is short. It requires the non-federal entity to: (a) establish and maintain effective internal control over the federal award providing reasonable assurance of compliance; (b) comply with federal statutes, regulations, and award terms; (c) evaluate and monitor compliance; (d) take prompt action on instances of noncompliance, including audit findings; and (e) take reasonable measures to safeguard protected personally identifiable information and other sensitive information.
The phrase that matters is "reasonable assurance." Internal control isn't expected to be perfect or to guarantee nothing ever goes wrong — that's impossible and the regulation knows it. It's expected to be effective enough that, in the normal course of operations, errors and noncompliance get prevented or caught. The standard is reasonable, not absolute. That distinction is your friend when an auditor wants perfection.
The Five Components Auditors Evaluate
Both COSO and the Green Book organize internal control into five interrelated components. Auditors assess your controls through this lens, so know them:
Control environment. The tone at the top — does leadership take compliance seriously, are responsibilities clearly assigned, is there a culture of accountability? This is the foundation; a weak control environment undermines everything else.
Risk assessment. Do you identify and analyze the things that could go wrong with your federal awards — the risk of unallowable costs, of missed reports, of a subrecipient misusing funds — and respond to them?
Control activities. The actual procedures: approvals, authorizations, verifications, reconciliations, segregation of duties, physical controls over assets. This is where most of the testable, concrete controls live.
Information and communication. Do the right people get the right information to do their jobs — does your finance team know the award terms, does your PI know the budget, does everyone know who approves what?
Monitoring. Do you check that the controls are working over time, and fix them when they're not? An organization that never reviews its own controls has a monitoring gap.
GrantMetric Analysis
- A control that isn't documented didn't happen. This is the hard lesson. You may genuinely have someone review every reconciliation, but if there's no initial, no sign-off, no date, no record — the auditor can't test it, and an untestable control is treated as a control that isn't operating. Build evidence into the control itself: the reviewer initials and dates the reconciliation, the approver signs the purchase, the system logs who did what. The work you already do counts for nothing in an audit unless it leaves a footprint.
- Segregation of duties is the first thing they test and the most common small-org weakness. The classic failure: one person requests the purchase, approves it, receives the goods, cuts the check, records it, and reconciles the bank statement. That's not a control — that's an opportunity. You don't need a huge staff to fix it. Split the chain. If the bookkeeper records transactions and prepares the bank reconciliation, someone else, typically the executive director or the board treasurer, should approve disbursements and review the completed reconciliation. Even a three-person organization can keep the four incompatible duties, authorization, custody of assets, recordkeeping, and reconciliation, from all sitting with the same person.
- Don't buy a 60-page policy manual and call it a day. Organizations sometimes respond to a controls finding by purchasing or copying an elaborate policy manual that bears no relationship to how they actually operate. Auditors see through this instantly — they test the operation, not the document. A short manual you actually follow beats a comprehensive one you ignore. Write down the controls you really use, make sure people follow them, and make sure they leave evidence. Substance over paperwork, every time.
Compensating Controls for Small Organizations
The most common real-world problem: you have three staff and you can't fully segregate duties because there just aren't enough hands. The regulation doesn't require you to hire people you can't afford. It requires effective control, and when full segregation isn't possible, you use compensating controls — most often independent oversight.
The classic compensating control is board or executive involvement in financial review. A board treasurer who independently reviews monthly bank reconciliations and the check register. An executive director who reviews and approves all disbursements over a threshold. An outside accountant who performs an independent monthly review. The key is that the oversight is genuinely independent of the person doing the transactions, and that it's documented — signed, dated, with evidence the review actually occurred. Auditors accept compensating controls when they're real. They reject them when they're claimed but can't be demonstrated.
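Added example, not part of the original page: a small Python check that applies the two tests described above (split incompatible duties; a control with no initials and date did not happen) and the compensating-control rule from this section to a set of constructed transaction records. It flags anyone holding two of the four incompatible duties on the same transaction, treats any step that is unsigned or undated as a control that did not operate, and accepts a conflict only when a signed, dated review by someone independent of the conflicted person is on the record. The step names, the step-to-duty mapping, the role names and the sample records are all assumptions made for the example; the requester in the purchase chain is left out so the check covers exactly the four duties named in the checklist at the end of this page.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Assumed mapping of workflow steps to duty categories. The first four categories
# are the incompatible duties; "oversight" is the compensating control (an
# independent review) and never counts as a conflict itself.
DUTY_CATEGORY = {
    "approve": "authorization",
    "receive": "custody",
    "disburse": "custody",
    "record": "recordkeeping",
    "reconcile": "reconciliation",
    "review": "oversight",
}

@dataclass
class Step:
    step: str
    actor: str
    initials: Optional[str] = None  # None: the step left no sign-off
    date: Optional[str] = None      # None: the sign-off is undated

def undocumented_steps(steps: List[Step]) -> List[str]:
    """Steps with no initials or no date are untestable, so they count as not operating."""
    return [s.step for s in steps if not (s.initials and s.date)]

def sod_conflicts(steps: List[Step]) -> List[Tuple[str, str, str]]:
    """Every (actor, duty_a, duty_b) where one person holds two incompatible duties."""
    actors_by_duty = defaultdict(set)
    for s in steps:
        duty = DUTY_CATEGORY[s.step]
        if duty != "oversight":
            actors_by_duty[duty].add(s.actor)
    conflicts = []
    for a, b in combinations(sorted(actors_by_duty), 2):
        for actor in sorted(actors_by_duty[a] & actors_by_duty[b]):
            conflicts.append((actor, a, b))
    return conflicts

def compensating_reviewer(steps: List[Step], conflicted: set) -> Optional[str]:
    """A review compensates only if the reviewer is independent and the review is signed and dated."""
    for s in steps:
        if s.step == "review" and s.actor not in conflicted and s.initials and s.date:
            return s.actor
    return None

def evaluate(steps: List[Step]) -> Tuple[str, List[str]]:
    """Classify one transaction as operating, compensated or finding, with the reasons."""
    findings = [f"undocumented step: {name}" for name in undocumented_steps(steps)]
    conflicts = sod_conflicts(steps)
    if conflicts:
        conflicted = {actor for actor, _, _ in conflicts}
        if compensating_reviewer(steps, conflicted) is None:
            findings += [f"{actor} holds both {a} and {b}" for actor, a, b in conflicts]
            status = "finding"
        else:
            status = "compensated" if not findings else "finding"
    else:
        status = "operating" if not findings else "finding"
    return status, findings

def small_shop(review_date: Optional[str]) -> List[Step]:
    """Constructed three-person pattern: director approves, bookkeeper pays/records/reconciles, treasurer reviews."""
    return [
        Step("approve", "director", "ED", "2024-03-04"),
        Step("disburse", "bookkeeper", "BK", "2024-03-07"),
        Step("record", "bookkeeper", "BK", "2024-03-07"),
        Step("reconcile", "bookkeeper", "BK", "2024-04-02"),
        Step("review", "treasurer", "TR", review_date),
    ]

# Constructed sample records for the example; none are real transactions.
SAMPLE: Dict[str, List[Step]] = {
    "TX-1001": [  # duties split across five people, every step signed and dated
        Step("approve", "director", "ED", "2024-03-04"),
        Step("receive", "program_mgr", "PM", "2024-03-06"),
        Step("disburse", "treasurer", "TR", "2024-03-07"),
        Step("record", "bookkeeper", "BK", "2024-03-07"),
        Step("reconcile", "accountant", "AC", "2024-04-02"),
    ],
    "TX-1002": [  # one person owns the whole chain and nobody reviews it
        Step("approve", "bookkeeper", "BK", "2024-03-04"),
        Step("disburse", "bookkeeper", "BK", "2024-03-05"),
        Step("record", "bookkeeper", "BK", "2024-03-05"),
        Step("reconcile", "bookkeeper", "BK", "2024-04-02"),
    ],
    "TX-1003": small_shop("2024-04-05"),  # the review is signed and dated
    "TX-1004": small_shop(None),          # the same review, never dated
}

def run(records: Dict[str, List[Step]] = SAMPLE) -> Dict[str, Tuple[str, List[str]]]:
    return {tx_id: evaluate(steps) for tx_id, steps in records.items()}

if __name__ == "__main__":
    for tx_id, (status, findings) in run().items():
        print(tx_id, status, findings)
```

Run as a script it prints one status per transaction: TX-1001 is operating, TX-1002 is a finding with six duty conflicts, TX-1003 is compensated, and TX-1004 is a finding because an undated review is no evidence that the review happened, so the bookkeeper's conflicts stand.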
Controls Tied to Specific Compliance Requirements
In a Single Audit, the auditor doesn't test internal control in the abstract — they test it against the specific compliance requirements for your program, drawn from the OMB Compliance Supplement. So you want controls mapped to the requirements that apply: controls that keep unallowable costs out (allowable costs/cost principles), controls over how fast you draw and disburse cash (cash management), controls over who's eligible (eligibility), controls ensuring reports are accurate and on time (reporting), and controls over how you select vendors (procurement). Think of internal control not as one big thing but as a control for each thing that could go wrong with your specific program.
Internal Controls Checklist
- Separate incompatible duties — authorization, custody, recordkeeping, and reconciliation shouldn't sit with one person.
- Document controls into the process — initials, dates, sign-offs, system logs. Evidence is the control.
- Map controls to your program's compliance requirements — allowable costs, cash, eligibility, reporting, procurement.
- Use real compensating controls if you're small — documented independent oversight, not just claimed.
- Monitor and self-test — review whether controls are working and fix gaps before the auditor finds them.
- Keep written policies you actually follow — short and real beats long and ignored.