Grant compliance is the practice of meeting the rules, financial controls, and reporting obligations a funder attaches to an award, so funds are used as intended and can be evidenced on demand. For federal awards those rules sit in OMB Uniform Guidance (2 CFR 200). A March 2025 GAO review of 3,680 Single Audit findings found 36% involved incomplete subaward reporting, with weak subrecipient oversight a recurring issue alongside it.
That last point is the one lean teams feel most. The rules themselves are public and well documented, but the evidence that proves you followed them tends to scatter across inboxes, drives, and individual memories.
This guide defines grant compliance, sets out the federal requirements, gives you a checklist you can lift, and is honest about which part a system of record actually helps with. For the wider picture across governance, fundraising, and data, see our complete guide to nonprofit compliance.
Grant compliance means meeting every condition a funder attaches to an award across finance, programme delivery, procurement, and reporting. For federal awards the governing framework is OMB Uniform Guidance (2 CFR 200), revised in 2024 with changes in force from October 2024. It is no longer a finance-only concern.
There are two layers to keep apart. Each funder sets its own conditions in the award terms, and beneath those sits the federal baseline that applies to any organisation spending federal money. Missing either layer is a finding.
Compliance now reaches into leadership, programme, procurement, and operations rather than living solely with the finance team. The 2024 revision also shifted the disclosure bar: organisations must report fraud, conflicts of interest, or False Claims Act issues on credible evidence, not only on confirmed violations.
That widening is exactly why a single, current record matters. When obligations span four functions, no one person can carry them in their head.
Federal grant compliance requirements are set in OMB Uniform Guidance (2 CFR 200) and govern allowable costs, procurement, vendor and subrecipient management, internal controls, and audit. The 2024 revision added an in-force requirement to build cybersecurity safeguards, such as data encryption and multi-factor authentication, into internal controls for recipients and subrecipients.
The federal grant compliance requirements break into plain groups. Costs must be allowable and allocable to the award. Procurement decisions must follow set standards and be documented. Internal controls must now include those cybersecurity safeguards, and records must be retained for the required period.
Vendor and subrecipient management is its own group. The 2025 OMB Compliance Supplement expanded the monitoring and documentation primary recipients are expected to maintain over the organisations they fund, covered in our note on subrecipient monitoring.
The cost of getting this wrong is documented. The March 2025 GAO review of 3,680 Single Audit findings from 2022 to 2024 found that in nearly half of the cases recipients lacked the internal controls for basic subaward oversight.
A grant compliance checklist tracks the conditions of an award from acceptance through closeout: allowable costs, procurement documentation, vendor evidence, subrecipient vetting and monitoring, internal controls, record retention, and scheduled reporting. Treat it as continuous, not annual. The OMB Uniform Guidance frames these as standing obligations across the life of the award, not a year-end task.
Here is a checklist a lean team can lift and adapt:
The discipline behind items four through six is the same one covered in managing contract obligations and compliance, applied to grant work.
Managing a federal award means evidencing the vendors and subrecipients engaged under it: who was checked, what was signed, and how each is being monitored. This third-party evidence trail is the part lean teams most often cannot produce on demand. The GAO review found subaward oversight gaps among the most common Single Audit findings, with some recipients not conducting risk assessments and others not reviewing their subrecipients' audit reports.
A subrecipient is an organisation a primary recipient passes federal funds to so it can carry out part of a programme. Monitoring it is continuous third-party due diligence: checking who you fund, collecting evidence that funds are used as intended, and keeping that current. The 2020 Blackbaud breach is the example sector leaders still cite for why vendor evidence matters, because many organisations found their exposure ran through a supplier they had not closely vetted.
This is where Gatekeeper's AI agents do the execution work, screening parties, collecting and chasing documents, and monitoring and flagging changes, while your team keeps the decisions about risk. The record itself sits in vendor management software, with ongoing third-party compliance monitoring surfacing changes as they happen. The same standing approach is covered in how to manage vendors.
Be clear about scope. A system of record helps you evidence the vendor and contract side of compliance; it does not manage the grant, draw down funds, or make compliance determinations. Mission-driven organisations including Rockefeller Philanthropy Advisors and Housing Partnership Network work with Gatekeeper.
Grant compliance audits test whether an organisation followed the rules attached to its federal awards. The federal Single Audit is required when an organisation expends one million dollars or more in federal funds in a fiscal year, under the threshold in force for fiscal years beginning on or after 1 October 2024. The Federal Audit Clearinghouse processes roughly 40,000 Single Audit submissions a year.
It helps to separate two things that are both commonly called an audit. An independent financial statement audit examines whether your financial statements are accurate and fairly presented. A Single Audit goes further, additionally testing programme-level compliance and internal controls over each federal programme you draw from.
Threshold timing matters for grant compliance audits. Awards issued before October 2024 may still carry the prior $750,000 threshold, so track each by issue date rather than assume the new line applies to everything. Funders may also require an independent audit regardless of the federal figure, a point we cover in what a nonprofit audit involves.
Grant-related compliance reporting is the periodic financial and programmatic information a funder requires to show funds are used as intended, on the schedule set in the award terms. Missed or inaccurate reporting can trigger increased scrutiny, repayment, or loss of funding, according to guidance from the National Council of Nonprofits.
Reporting typically includes financial reports, performance or programmatic reports, and subrecipient pass-through data. The cadence is the hard part for a lean team, because deadlines stack across multiple awards with different schedules.
Reporting accuracy depends on keeping the underlying record current. When the vendor, subrecipient, and contract evidence is maintained as you go, each report is a query rather than a reconstruction. Our guide on how to prepare for a nonprofit audit walks through keeping that trail ready.
Keep settled federal rules separate from proposed ones. In force now: the one million dollar Single Audit threshold, the cybersecurity internal-control requirement, and the expanded subrecipient monitoring expectations. Proposed and not yet law: OMB's proposed Uniform Guidance overhaul, published 29 May 2026 and open for comment until 13 July 2026, with a final rule expected around 1 October 2026.
| Status | What it covers |
|---|---|
| In force now | The one million dollar Single Audit threshold, the cybersecurity internal-control requirement, and the expanded subrecipient monitoring expectations. |
| Proposed, not yet law | OMB published a proposed Uniform Guidance overhaul on 29 May 2026, open for comment until 13 July 2026, with a final rule expected around 1 October 2026. |
The proposed rule concerns grant conditions, eligibility, and termination, which are matters for your leadership and counsel. A vendor and contract system of record does not address those, and you should treat anything claiming otherwise with caution. Until the rule is final, plan around what is in force.
Grant compliance means following every rule a funder attaches to an award, from how money is spent to how it is reported, so funds are used as intended and can be evidenced. For federal awards those rules sit in OMB Uniform Guidance (2 CFR 200), the framework that governs allowable costs, procurement, internal controls, and reporting.
A federal grant compliance checklist covers allowable costs, procurement documentation, vendor agreements and pre-engagement checks, subrecipient vetting and monitoring, conflict-of-interest disclosures, internal controls including cybersecurity safeguards, record retention, and scheduled reporting. The aim of the grant compliance checklist is a current record you can produce on demand, not reconstruct under audit pressure.
A federal Single Audit is required when a nonprofit expends one million dollars or more in federal funds in a fiscal year, under the threshold in force for fiscal years beginning on or after 1 October 2024. Older awards may carry the prior $750,000 threshold, so track each award by its issue date.
Failing grant compliance can lead to increased scrutiny, repayment of funds, suspension or revocation of an award, and loss of future funding. GAO findings recur most often around subaward oversight. The practical fix is keeping financial, vendor, and subrecipient evidence current rather than reconstructing it under audit pressure.
The primary recipient is responsible for monitoring any organisation it passes federal funds to. That includes vetting the subrecipient before funding, collecting evidence that funds are used as intended, and keeping that oversight current. The 2025 OMB Compliance Supplement increased the documentation and monitoring primary recipients are expected to maintain at every tier.