28 CFR §94.106

1. (a)Monitoring plan. Unless the Director grants a waiver, SAAs shall develop and implement a monitoring plan in accordance with the requirements of this section and 2 CFR 200.332. The monitoring plan must include a risk assessment plan.
2. (b)Monitoring frequency. SAAs shall conduct regular desk monitoring of all sub-recipients. In addition, SAAs shall conduct on-site monitoring of all sub-recipients at least once every two years during the award period, unless a different frequency based on risk assessment is set out in the monitoring plan.
3. (c)Recordkeeping. SAAs shall maintain a copy of site visit results and other documents related to compliance.