(a) Monitoring plan. Unless the Director grants a waiver, SAAs shall develop and implement a monitoring plan in accordance with the requirements of this section and 2 CFR 200.331. The monitoring plan must include a risk assessment plan.

(b) Monitoring frequency. SAAs shall conduct regular desk monitoring of all sub-recipients. In addition, SAAs shall conduct on-site monitoring of all sub-recipients at least once every two years during the award period, unless a different frequency based on risk assessment is set out in the monitoring plan.

(c) Recordkeeping. SAAs shall maintain a copy of site visit results and other documents related to compliance.