Program Letter 20-5
This Program Letter describes the most common compliance issues that the Legal Services Corporation’s (“LSC”) Office of Compliance and Enforcement (“OCE”) has observed during compliance oversight visits in the past 12 months, or which have otherwise come to LSC Management’s attention. We highlight these issues so that you can avoid or mitigate compliance risks.
A number of the issues described below concern the need for LSC recipients to have written policies that comply with LSC requirements. Sample policies are posted on LSC.gov. More extensive guidance, including examples of how LSC recipients have implemented the compliance requirements listed below, can be found in OCE Final Reports from visits to LSC-funded programs, which are available at http://www.lsc.gov/grants-grantee-resources/our-grantees/assessment-visit-reports.
I encourage you to share this guidance, along with the guidance we have provided in previous years, with your staff.
Responsibilities of the Financial Oversight Committee or Committees of Your Board of Directors:
- Each recipient’s governing body must appoint/elect a financial oversight committee or committees and identify the duties of the committees in writing. LSC Accounting Guide for LSC Recipients (2010 Ed.) (“LSC Accounting Guide”), § 3-5.2(b).
- The duties and responsibilities of the financial oversight committee or committees should be defined in the recipient’s bylaws or a governing body resolution. LSC Accounting Guide, § 1-7.
- As a best practice, the financial oversight committee or committees should have at least one member who is a financial expert, or the board should have access to a financial expert.
- A financial expert should have (1) an understanding of Generally Accepted Accounting Principles (GAAP) and financial statements, (2) the capacity to apply GAAP in connection with preparing and auditing financial statements, (3) familiarity with developing and implementing internal financial controls and procedures, and (4) the capacity to understand the implications of different interpretations of accounting rules. LSC Accounting Guide, § 1-7. LSC recognizes that the board composition requirements of 45 C.F.R. Part 1607 can limit a board’s ability to recruit board members with certain expertise (e.g., finance, fundraising). LSC encourages grantees to add financial experts as members to its finance and/or audit committee(s) to the extent allowed by state law. Committee members who are not board members may have to be non-voting members under state law.
Fiscal Management Issues Including Internal Controls and LSC Accounting Guide Concerns:
LSC Accounting Guide, § 2-2.2 -- Cash and Investments
LSC funds held for immediate operating expenses must be maintained in federally insured bank accounts. LSC funds in excess of the Federal Deposit Insurance Company limits and not needed for immediate operating expenses should be invested with another financial institution in federally insured accounts or certificates or invested in U.S. Treasury notes or bills or investment instruments.
LSC Accounting Guide, § 2-3.2, 45 C.F.R. Part 1630, and Program Letter 18-2 -- Cost Allocation
Pursuant to 45 C.F.R. § 1630.5(c)(3), “[r]ecipients must maintain accounting systems sufficient to demonstrate the proper allocation of costs to each of their funding sources.”
Recipients receiving funds from multiple sources should ensure that all costs which support work performed under more than one grant, contract, or other funding agreement are allocated among the relevant funding sources. Such common, or indirect costs, include, but are not limited to, costs of operating and maintaining facilities and general administrative expenses. LSC Accounting Guide, § 2-3.2 and 45 C.F.R. Part 1630.
LSC permits recipients of Basic Field Grants to allocate a proportional share of another funding source’s share of an indirect cost to LSC funds, where the other funding source “refuse[s] to allow the allocation of certain indirect costs to an award.” 45 C.F.R. § 1630.5(g). A refusal can take several forms, such as a cap on the amount of indirect costs that can be allocated to a grant or a statement from a funding source that including indirect costs in the application budget will cause the application not to be competitive. Recipients should develop a detailed methodology on how to use LSC funding in compliance with 45 C.F.R. § 1630.5 and Program Letter 18-2 if non-LSC funding sources refuse or limit indirect cost allocation.
Expenditures by a recipient are allowable under the recipient’s LSC grant only if the recipient can demonstrate that the cost was, among other things, “reasonable and necessary for the performance of the grant” and “allocable to the grant.”45 C.F.R. § 1630.5(a)(2) and (3). In determining the reasonableness of a given cost, consideration is given to, among other factors, “whether the cost is of a type generally recognized as ordinary and necessary for the operation of the recipient or the performance of the grant.” 45 C.F.R. § 1630.3(b)(1).
Historically, costs determined to be unallowable by LSC have included flowers, alcohol, holiday cards, and gifts for staff, board members, and/or private attorneys such as cakes, shot glasses, or other promotional items or tokens of appreciation such as pens, t-shirts, or coffee mugs. The new Financial Guide, currently in draft, introduces limited flexibility as to when some of these items might be allowed in some circumstances. For example, flowers, cakes, and promotional items or tokens of appreciation may be allowable in certain circumstances, such as fundraisers or recognition events for volunteer attorneys. Recipients should consult with LSC or seek an advance understanding under 45 C.F.R. § 1630.6 for situations that might justify using LSC funds for these expenses.
LSC Accounting Guide, §§ 3-5.2(d) and 3-5.15 -- Bank Reconciliations
Bank statement reconciliations to the general ledger should be conducted monthly by an individual who has no access to cash, is not a check signer, and has no cash bookkeeping duties. The reconciliation must be reviewed and approved by a responsible individual. The review must be appropriately documented by signature and date. LSC Accounting Guide, § 3-5.2(d). In addition, bank statements should be timely reconciled and reviewed by individuals who do not initiate or transmit electronic transactions. LSC Accounting Guide, § 3-5.15.
LSC Accounting Guide, § 3-5.4 -- Cash Disbursements
Recipients must establish cash disbursement procedures to ensure proper documentation and recordkeeping. All invoices and all supporting documents should be marked and recorded as paid or cancelled to avoid duplicate payment. All property purchased should be recorded in a property subsidiary record, which must include all necessary documentation and must agree with the general ledger property accounts.
45 C.F.R. Part 1604 -- Outside Practice of Law
Recipients must adopt written policies governing the outside practice of law by full-time attorneys that are consistent with the LSC Act and regulations. Policies must include language regarding the utilization of its resources in accordance with 45 C.F.R. § 1604.6.
45 C.F.R. Part 1609 -- Fee Generating Cases
Attorneys’ fees received by a recipient for representation supported in whole or in part with funds provided by LSC shall be allocated to the fund in which the recipient’s LSC grant is recorded in the same proportion that the amount of LSC funds expended bears to the total amount expended by the recipient to support the representation. 45 C.F.R. § 1609.4(a).
45 C.F.R. Part 1611 -- Financial Eligibility
When assessing prospective clients’ financial eligibility, recipients should use only the income exceptions allowed by LSC regulations and listed in their board-approved eligibility policy. 45 C.F.R § 1611.5.
45 C.F.R. Part 1611 -- Retainer Agreement
Cases requiring a retainer agreement should be compliant with 45 C.F.R § 1611.9. Retainer agreements must identify the legal problem for which representation is sought and the nature of the legal services to be provided. All retainers should be kept on file by the recipient and signed and dated by both the client and the recipient. Failure to obtain a required retainer agreement does not affect the case service reportability of an otherwise reportable case. CSR Handbook (2017 Ed.), § 5.6.
45 C.F.R. Part 1614 -- Private Attorney Involvement
Direct or indirect time of staff attorneys or paralegals allocated as a cost to PAI must be documented by time sheets. Personnel cost allocations for non-attorney or non-paralegal staff should be based on other reasonable operating data which is clearly documented. 45 C.F.R. § 1614.7(a)(1). Recipients should also look to 45 C.F.R. §§ 1630.5(d) and (e) when determining how to document direct and indirect costs associated with private attorney involvement.
45 C.F.R. Part 1626 and Program Letter 20-2 -- Restrictions on Legal Assistance to Aliens
Pursuant to 45 C.F.R. §§ 1626.6 and 1626.7, recipients must ensure that applicants and clients who are seen in person, as well as clients receiving extended services, execute a citizenship attestation or demonstrate alien eligibility and that all files contain the necessary documentation pursuant to CSR Handbook (2017 Ed.), § 5.5.
Program Letter 20-2 provides guidance on the options 45 C.F.R. § 1626.8 provides for recipients to document an applicant’s eligible non-U.S. citizen status “in an emergency” when the applicant cannot provide the required documents. For example, recipients may use the § 1626.8 procedures to temporarily document Part 1626 eligibility for non-U.S. citizens when an applicant “cannot feasibly come to the recipient’s office or otherwise transmit written documentation to the recipient” or otherwise “cannot produce the required documentation before commencement of the representation.” The COVID-19 pandemic is an emergency under § 1626.8. Any permissible legal assistance in which delay could cause harm to a client is considered to be “limited emergency legal assistance” under § 1626.8.
45 C.F.R. Part 1627 and CSR Handbook (2017 Ed.), § 4.4 -- Subgrants
Grantees that subgrant LSC funds to subrecipients under 45 C.F.R. Part 1627 should report all subgrant cases that are LSC-funded (in whole or in part) and otherwise meet the CSR criteria. Recipients may not report cases handled by a subrecipient that are not funded with any LSC funds, regardless of whether those cases and clients meet the LSC criteria.
45 C.F.R. Part 1630 -- Cost Standards and Procedures
Policies must be updated to reflect compliance with 45 C.F.R. § 1630.7 (Membership fees or dues) as opposed to 45 C.F.R. § 1627.4 (Subgrants and Membership fees or dues), as the regulations were updated effective December 31, 2017.
45 C.F.R. Part 1631 -- Purchasing and Property Management
Policies and procedures must be updated to ensure required requests for prior approval are submitted to LSC pursuant to 45 C.F.R. §§ 1630.6 and 1631.3. Grantees must request and obtain LSC’s approval prior to expending more than $25,000 of LSC funds on any of the following: a) a single purchase or single lease of personal property; b) a single contract for services; c) a single combined purchase or lease of personal property and contract for services; d) a single purchase of real estate (in any amount); and e) capital improvements. See 45 C.F.R. §§ 1630.6(b)(1) and (2).
For costs apportioned between LSC funds and one or more other funding sources, this requirement applies when the cost allocable to LSC funds is great than $25,000. See 45 C.F.R. § 1630.6(b)(3).
45 C.F.R. Part 1635 – Timekeeping
Time spent by attorneys and paralegals must be documented by contemporaneous time records that record the amount of time spent on each case, matter, or supporting activity. 45 C.F.R. § 1635.3(b).
Per the Office of Inspector General’s (“OIG”) Fraud Alert COVID-19 Fraud Schemes, issued February 24, 2020, we recommend that recipients be aware of the following example scams linked to the COVID-19 pandemic:
- Supply scams: Scammers are creating fake accounts claiming to sell medical supplies currently in high demand, such as surgical masks;
- Phishing scams: Scammers posing as national and global health authorities are sending phishing emails designed to download malware or steal personal identifying and financial information; and
- App scams: Scammers are also creating and manipulating mobile apps designed to track the spread of COVID-19 to compromise users’ devices and personal information.
As noted in the OIG’s alert, everyone, especially those most at risk of serious illness, is urged to avoid these and similar scams by taking the following steps:
- Verify the identity of any company and individual that contacts you regarding COVID-19;
- Check the websites and email addresses offering information, products, or services related to COVID-19;
- Be wary of unsolicited emails offering information, supplies, or treatment for COVID-19 or requesting your personal information for medical purposes;
- Do not click on links or open email attachments from unknown or unverified sources;
- Make sure the anti-malware and anti-virus software on your computer is operating and up to date;
- Ignore offers for a COVID-19 vaccine, cure, or treatment;
- Check online reviews of any company offering COVID-19 products or supplies. Avoid companies whose customers have complained about not receiving items;
- Research any charities or crowdfunding sites soliciting donations in connection with COVID-19 before giving;
- Be wary of any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail; and
- Be cautious of “investment opportunities” tied to COVID-19, especially those based on claims that a small company’s products or services can help stop the virus.
Ransomware attacks have begun appearing in the last few years. Ransomware is a type of malware installed on a computer or server that encrypts files, making them inaccessible. The attackers hold data, software, or an entire PC hostage until you pay them a ransom to get it back.
There are several steps recipients can take to protect their organization from ransomware:
- Keep anti-virus and anti-malware software up to date;
- Train employees to be aware. People remain the biggest source of security breaches. Employees unwittingly open malicious emails or go to corrupted sites and expose their employers’ networks and infrastructures to malicious software;
- Backups are probably the most important method to restore systems if a recipient suffers a ransomware attack. Make sure that backups are detached when the backup is not occurring. Otherwise, there is risk that even backup files will be corrupted. If possible, keep a backup in the cloud. Test your backups regularly;
- Manage the use of privileged accounts. Users should not be assigned administrative access or use administrator accounts unless necessary;
- Configure access controls in systems appropriately. For example, if users require only read access to information, do not provide write access;
- Disable macros from files transmitted over email;
- Understand how your cloud providers are affected by and handle ransomware;
- Keep all software programs updated. Software developers frequently patch vulnerabilities with new updates;
- Use pop-up blockers; and
- Check into cyber coverage from your insurance provider.
The Department of Defense offers a free phishing presentation that you can use to train your staff to be aware of malicious attempts to gain access to your organization’s systems: https://dl.dod.cyber.mil/wp-content/uploads/trn/online/phishing-awareness/launchPage.htm.
In addition, the Federal Communications Commission offers numerous cybersecurity resources which you may find useful: https://www.fcc.gov/general/cybersecurity-small-business.
Finally, LSC’s OIG anticipates releasing guidance and tips for avoiding ransomware scams in the near future. We recommend you carefully read the OIG’s guidance.
If you have a concern or question regarding compliance with LSC regulations or directives, particularly the compliance areas noted in this Letter, please contact Lora M. Rath, Director of LSC’s Office of Compliance and Enforcement, at firstname.lastname@example.org or 202-295-1524. In addition, OCE can provide training upon request. Training requests should also be submitted to Ms. Rath.