e-CFR banner

Home
gpo.gov
govinfo.gov

e-CFR Navigation Aids

Browse

Simple Search

Advanced Search

 — Boolean

 — Proximity

 

Search History

Search Tips

Corrections

Latest Updates

User Info

FAQs

Agency List

Incorporation By Reference

eCFR logo

Related Resources

 

Electronic Code of Federal Regulations

e-CFR data is current as of April 8, 2020

Title 29Subtitle APart 99 → Subpart E


Title 29: Labor
PART 99—AUDITS OF STATES, LOCAL GOVERNMENTS, AND NON-PROFIT ORGANIZATIONS


Subpart E—Auditors


Contents
§99.500   Scope of audit.
§99.505   Audit reporting.
§99.510   Audit findings.
§99.515   Audit working papers.
§99.520   Major program determination.
§99.525   Criteria for Federal program risk.
§99.530   Criteria for a low-risk auditee.

§99.500   Scope of audit.

(a) General. The audit shall be conducted in accordance with GAGAS. The audit shall cover the entire operations of the auditee; or, at the option of the auditee, such audit shall include a series of audits that cover departments, agencies, and other organizational units which expended or otherwise administered Federal awards during such fiscal year, provided that each such audit shall encompass the financial statements and schedule of expenditures of Federal awards for each such department, agency, and other organizational unit, which shall be considered to be a non-Federal entity. The financial statements and schedule of expenditures of Federal awards shall be for the same fiscal year.

(b) Financial statements. The auditor shall determine whether the financial statements of the auditee are presented fairly in all material respects in conformity with generally accepted accounting principles. The auditor shall also determine whether the schedule of expenditures of Federal awards is presented fairly in all material respects in relation to the auditee's financial statements taken as a whole.

(c) Internal control. (1) In addition to the requirements of GAGAS, the auditor shall perform procedures to obtain an understanding of internal control over Federal programs sufficient to plan the audit to support a low assessed level of control risk for major programs.

(2) Except as provided in paragraph (c)(3) of this section, the auditor shall:

(i) Plan the testing of internal control over major programs to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program; and

(ii) Perform testing of internal control as planned in paragraph (c)(2)(i) of this section.

(3) When internal control over some or all of the compliance requirements for a major program are likely to be ineffective in preventing or detecting noncompliance, the planning and performing of testing described in paragraph (c)(2) of this section are not required for those compliance requirements. However, the auditor shall report a reportable condition (including whether any such condition is a material weakness) in accordance with §99.510, assess the related control risk at the maximum, and consider whether additional compliance tests are required because of ineffective internal control.

(d) Compliance. (1) In addition to the requirements of GAGAS, the auditor shall determine whether the auditee has complied with laws, regulations, and the provisions of contracts or grant agreements that may have a direct and material effect on each of its major programs.

(2) The principal compliance requirements applicable to most Federal programs and the compliance requirements of the largest Federal programs are included in the compliance supplement.

(3) For the compliance requirements related to Federal programs contained in the compliance supplement, an audit of these compliance requirements will meet the requirements of this part. Where there have been changes to the compliance requirements and the changes are not reflected in the compliance supplement, the auditor shall determine the current compliance requirements and modify the audit procedures accordingly. For those Federal programs not covered in the compliance supplement, the auditor should use the types of compliance requirements contained in the compliance supplement as guidance for identifying the types of compliance requirements to test, and determine the requirements governing the Federal program by reviewing the provisions of contracts and grant agreements and the laws and regulations referred to in such contracts and grant agreements.

(4) The compliance testing shall include tests of transactions and such other auditing procedures necessary to provide the auditor sufficient evidence to support an opinion on compliance.

(e) Audit follow-up. The auditor shall follow-up on prior audit findings; perform procedures to assess the reasonableness of the summary schedule of prior audit findings prepared by the auditee in accordance with §99.315(b); and report, as a current year audit finding, when the auditor concludes that the summary schedule of prior audit findings materially misrepresents the status of any prior audit finding. The auditor shall perform audit follow-up procedures regardless of whether a prior audit finding relates to a major program in the current year.

(f) Data collection form. As required in §99.320(b)(3), the auditor shall complete and sign specified sections of the data collection form.

§99.505   Audit reporting.

The auditor's report(s) may be in the form of either combined or separate reports and may be organized differently from the manner presented in this section. The auditor's report(s) shall state that the audit was conducted in accordance with this part and include the following:

(a) An opinion (or disclaimer of opinion) as to whether the financial statements are presented fairly in all material respects in conformity with generally accepted accounting principles and an opinion (or disclaimer of opinion) as to whether the schedule of expenditures of Federal awards is presented fairly in all material respects in relation to the financial statements taken as a whole.

(b) A report on internal control related to the financial statements and major programs. This report shall describe the scope of testing of internal control and the results of the tests, and, where applicable, refer to the separate schedule of findings and questioned costs described in paragraph (d) of this section.

(c) A report on compliance with laws, regulations, and the provisions of contracts or grant agreements, noncompliance with which could have a material effect on the financial statements. This report shall also include an opinion (or disclaimer of opinion) as to whether the auditee complied with laws, regulations, and the provisions of contracts or grant agreements which could have a direct and material effect on each major program, and, where applicable, refer to the separate schedule of findings and questioned costs described in paragraph (d) of this section.

(d) A schedule of findings and questioned costs which shall include the following three components:

(1) A summary of the auditor's results which shall include:

(i) The type of report the auditor issued on the financial statements of the auditee (i.e., unqualified opinion, qualified opinion, adverse opinion, or disclaimer of opinion);

(ii) Where applicable, a statement that reportable conditions in internal control were disclosed by the audit of the financial statements and whether any such conditions were material weaknesses;

(iii) A statement as to whether the audit disclosed any noncompliance which is material to the financial statements of the auditee;

(iv) Where applicable, a statement that reportable conditions in internal control over major programs were disclosed by the audit and whether any such conditions were material weaknesses;

(v) The type of report the auditor issued on compliance for major programs (i.e., unqualified opinion, qualified opinion, adverse opinion, or disclaimer of opinion);

(vi) A statement as to whether the audit disclosed any audit findings which the auditor is required to report under §99.510(a);

(vii) An identification of major programs;

(viii) The dollar threshold used to distinguish between Type A and Type B programs, as described in §99.520(b); and

(ix) A statement as to whether the auditee qualified as a low-risk auditee under §99.530.

(2) Findings relating to the financial statements which are required to be reported in accordance with GAGAS.

(3) Findings and questioned costs for Federal awards which shall include audit findings as defined in §99.510(a).

(i) Audit findings (e.g., internal control findings, compliance findings, questioned costs, or fraud) which relate to the same issue should be presented as a single audit finding. Where practical, audit findings should be organized by Federal agency or pass-through entity.

(ii) Audit findings which relate to both the financial statements and Federal awards, as reported under paragraphs (d)(2) and (d)(3) of this section, respectively, should be reported in both sections of the schedule. However, the reporting in one section of the schedule may be in summary form with a reference to a detailed reporting in the other section of the schedule.

§99.510   Audit findings.

(a) Audit findings reported. The auditor shall report the following as audit findings in a schedule of findings and questioned costs:

(1) Reportable conditions in internal control over major programs. The auditor's determination of whether a deficiency in internal control is a reportable condition for the purpose of reporting an audit finding is in relation to a type of compliance requirement for a major program or an audit objective identified in the compliance supplement. The auditor shall identify reportable conditions which are individually or cumulatively material weaknesses.

(2) Material noncompliance with the provisions of laws, regulations, contracts, or grant agreements related to a major program. The auditor's determination of whether a noncompliance with the provisions of laws, regulations, contracts, or grant agreements is material for the purpose of reporting an audit finding is in relation to a type of compliance requirement for a major program or an audit objective identified in the compliance supplement.

(3) Known questioned costs which are greater than $10,000 for a type of compliance requirement for a major program. Known questioned costs are those specifically identified by the auditor. In evaluating the effect of questioned costs on the opinion on compliance, the auditor considers the best estimate of total costs questioned (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor shall also report known questioned costs when likely questioned costs are greater than $10,000 for a type of compliance requirement for a major program. In reporting questioned costs, the auditor shall include information to provide proper perspective for judging the prevalence and consequences of the questioned costs.

(4) Known questioned costs which are greater than $10,000 for a Federal program which is not audited as a major program. Except for audit follow-up, the auditor is not required under this part to perform audit procedures for such a Federal program; therefore, the auditor will normally not find questioned costs for a program which is not audited as a major program. However, if the auditor does become aware of questioned costs for a Federal program which is not audited as a major program (e.g., as part of audit follow-up or other audit procedures) and the known questioned costs are greater than $10,000, then the auditor shall report this as an audit finding.

(5) The circumstances concerning why the auditor's report on compliance for major programs is other than an unqualified opinion, unless such circumstances are otherwise reported as audit findings in the schedule of findings and questioned costs for Federal awards.

(6) Known fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards. This paragraph does not require the auditor to make an additional reporting when the auditor confirms that the fraud was reported outside of the auditor's reports under the direct reporting requirements of GAGAS.

(7) Instances where the results of audit follow-up procedures disclosed that the summary schedule of prior audit findings prepared by the auditee in accordance with §99.315(b) materially misrepresents the status of any prior audit finding.

(b) Audit finding detail. Audit findings shall be presented in sufficient detail for the auditee to prepare a corrective action plan and take corrective action and for Federal agencies and pass-through entities to arrive at a management decision. The following specific information shall be included, as applicable, in audit findings:

(1) Federal program and specific Federal award identification including the CFDA title and number, Federal award number and year, name of Federal agency, and name of the applicable pass-through entity. When information, such as the CFDA title and number or Federal award number, is not available, the auditor shall provide the best information available to describe the Federal award.

(2) The criteria or specific requirement upon which the audit finding is based, including statutory, regulatory, or other citation.

(3) The condition found, including facts that support the deficiency identified in the audit finding.

(4) Identification of questioned costs and how they were computed.

(5) Information to provide proper perspective for judging the prevalence and consequences of the audit findings, such as whether the audit findings represent an isolated instance or a systemic problem. Where appropriate, instances identified shall be related to the universe and the number of cases examined and be quantified in terms of dollar value.

(6) The possible asserted effect to provide sufficient information to the auditee and Federal agency, or pass-through entity in the case of a subrecipient, to permit them to determine the cause and effect to facilitate prompt and proper corrective action.

(7) Recommendations to prevent future occurrences of the deficiency identified in the audit finding.

(8) Views of responsible officials of the auditee when there is disagreement with the audit findings, to the extent practical.

(c) Reference numbers. Each audit finding in the schedule of findings and questioned costs shall include a reference number to allow for easy referencing of the audit findings during follow-up.

§99.515   Audit working papers.

(a) Retention of working papers. The auditor shall retain working papers and reports for a minimum of three years after the date of issuance of the auditor's report(s) to the auditee, unless the auditor is notified in writing by the cognizant agency for audit, oversight agency for audit, or pass-through entity to extend the retention period. When the auditor is aware that the Federal awarding agency, pass-through entity, or auditee is contesting an audit finding, the auditor shall contact the parties contesting the audit finding for guidance prior to destruction of the working papers and reports.

(b) Access to working papers. Audit working papers shall be made available upon request to the cognizant or oversight agency for audit or its designee, a Federal agency providing direct or indirect funding, or GAO at the completion of the audit, as part of a quality review, to resolve audit findings, or to carry out oversight responsibilities consistent with the purposes of this part. Access to working papers includes the right of Federal agencies to obtain copies of working papers, as is reasonable and necessary.

§99.520   Major program determination.

(a) General. The auditor shall use a risk-based approach to determine which Federal programs are major programs. This risk-based approach shall include consideration of: Current and prior audit experience, oversight by Federal agencies and pass-through entities, and the inherent risk of the Federal program. The process in paragraphs (b) through (i) of this section shall be followed.

(b) Step 1. (1) The auditor shall identify the larger Federal programs, which shall be labeled Type A programs. Type A programs are defined as Federal programs with Federal awards expended during the audit period exceeding the larger of:

(i) $300,000 (or $500,000 for fiscal years ending after December 31, 2003) or three percent (.03) of total Federal awards expended in the case of an auditee for which total Federal awards expended equal or exceed $300,000 but are less than or equal to $100 million.

(ii) $3 million or three-tenths of one percent (.003) of total Federal awards expended in the case of an auditee for which total Federal awards expended exceed $100 million but are less than or equal to $10 billion.

(iii) $30 million or 15 hundredths of one percent (.0015) of total Federal awards expended in the case of an auditee for which total Federal awards expended exceed $10 billion.

(2) Federal programs not labeled Type A under paragraph (b)(1) of this section shall be labeled Type B programs.

(3) The inclusion of large loan and loan guarantees (loans) should not result in the exclusion of other programs as Type A programs. When a Federal program providing loans significantly affects the number or size of Type A programs, the auditor shall consider this Federal program as a Type A program and exclude its values in determining other Type A programs.

(4) For biennial audits permitted under §99.220, the determination of Type A and Type B programs shall be based upon the Federal awards expended during the two-year period.

(c) Step 2. (1) The auditor shall identify Type A programs which are low-risk. For a Type A program to be considered low-risk, it shall have been audited as a major program in at least one of the two most recent audit periods (in the most recent audit period in the case of a biennial audit), and, in the most recent audit period, it shall have had no audit findings under §99.510(a). However, the auditor may use judgment and consider that audit findings from questioned costs under §99.510(a)(3) and §99.510(a)(4), fraud under §99.510(a)(6), and audit follow-up for the summary schedule of prior audit findings under §99.510(a)(7) do not preclude the Type A program from being low-risk. The auditor shall consider: the criteria in §99.525(c), §99.525(d)(1), §99.525(d)(2), and §99.525(d)(3); the results of audit follow-up; whether any changes in personnel or systems affecting a Type A program have significantly increased risk; and apply professional judgment in determining whether a Type A program is low-risk.

(2) Notwithstanding paragraph (c)(1) of this section, OMB may approve a Federal awarding agency's request that a Type A program at certain recipients may not be considered low-risk. For example, it may be necessary for a large Type A program to be audited as major each year at particular recipients to allow the Federal agency to comply with the Government Management Reform Act of 1994 (31 U.S.C. 3515). The Federal agency shall notify the recipient and, if known, the auditor at least 180 days prior to the end of the fiscal year to be audited of OMB's approval.

(d) Step 3. (1) The auditor shall identify Type B programs which are high-risk using professional judgment and the criteria in §99.525. However, should the auditor select Option 2 under Step 4 (paragraph (e)(2)(i)(B) of this section), the auditor is not required to identify more high-risk Type B programs than the number of low-risk Type A programs. Except for known reportable conditions in internal control or compliance problems as discussed in §99.525(b)(1), §99.525(b)(2), and §99.525(c)(1), a single criteria in §99.525 would seldom cause a Type B program to be considered high-risk.

(2) The auditor is not expected to perform risk assessments on relatively small Federal programs. Therefore, the auditor is only required to perform risk assessments on Type B programs that exceed the larger of:

(i) $100,000 or three-tenths of one percent (.003) of total Federal awards expended when the auditee has less than or equal to $100 million in total Federal awards expended.

(ii) $300,000 (or $500,000 for fiscal years ending after December 31, 2003) or three-hundredths of one percent (.0003) of total Federal awards expended when the auditee has more than $100 million in total Federal awards expended.

(e) Step 4. At a minimum, the auditor shall audit all of the following as major programs:

(1) All Type A programs, except the auditor may exclude any Type A programs identified as low-risk under Step 2 (paragraph (c)(1) of this section).

(2)(i) High-risk Type B programs as identified under either of the following two options:

(A) Option 1. At least one half of the Type B programs identified as high-risk under Step 3 (paragraph (d) of this section), except this paragraph (e)(2)(i)(A) does not require the auditor to audit more high-risk Type B programs than the number of low-risk Type A programs identified as low-risk under Step 2.

(B) Option 2. One high-risk Type B program for each Type A program identified as low-risk under Step 2.

(ii) When identifying which high-risk Type B programs to audit as major under either Option 1 or 2 in paragraph (e)(2)(i)(A) or (B), the auditor is encouraged to use an approach which provides an opportunity for different high-risk Type B programs to be audited as major over a period of time.

(3) Such additional programs as may be necessary to comply with the percentage of coverage rule discussed in paragraph (f) of this section. This paragraph (e)(3) may require the auditor to audit more programs as major than the number of Type A programs.

(f) Percentage of coverage rule. The auditor shall audit as major programs Federal programs with Federal awards expended that, in the aggregate, encompass at least 50 percent of total Federal awards expended. If the auditee meets the criteria in §99.530 for a low-risk auditee, the auditor need only audit as major programs Federal programs with Federal awards expended that, in the aggregate, encompass at least 25 percent of total Federal awards expended.

(g) Documentation of risk. The auditor shall document in the working papers the risk analysis process used in determining major programs.

(h) Auditor's judgment. When the major program determination was performed and documented in accordance with this part, the auditor's judgment in applying the risk-based approach to determine major programs shall be presumed correct. Challenges by Federal agencies and pass-through entities shall only be for clearly improper use of the guidance in this part. However, Federal agencies and pass-through entities may provide auditors guidance about the risk of a particular Federal program and the auditor shall consider this guidance in determining major programs in audits not yet completed.

(i) Deviation from use of risk criteria. For first-year audits, the auditor may elect to determine major programs as all Type A programs plus any Type B programs as necessary to meet the percentage of coverage rule discussed in paragraph (f) of this section. Under this option, the auditor would not be required to perform the procedures discussed in paragraphs (c), (d), and (e) of this section.

(1) A first-year audit is the first year the entity is audited under this part or the first year of a change of auditors.

(2) To ensure that a frequent change of auditors would not preclude audit of high-risk Type B programs, this election for first-year audits may not be used by an auditee more than once in every three years.

[64 FR 14541, Mar. 25, 1999, as amended at 72 FR 37105, July 9, 2007]

§99.525   Criteria for Federal program risk.

(a) General. The auditor's determination should be based on an overall evaluation of the risk of noncompliance occurring which could be material to the Federal program. The auditor shall use auditor judgment and consider criteria, such as described in paragraphs (b), (c), and (d) of this section, to identify risk in Federal programs. Also, as part of the risk analysis, the auditor may wish to discuss a particular Federal program with auditee management and the Federal agency or pass-through entity.

(b) Current and prior audit experience. (1) Weaknesses in internal control over Federal programs would indicate higher risk. Consideration should be given to the control environment over Federal programs and such factors as the expectation of management's adherence to applicable laws and regulations and the provisions of contracts and grant agreements and the competence and experience of personnel who administer the Federal programs.

(i) A Federal program administered under multiple internal control structures may have higher risk. When assessing risk in a large single audit, the auditor shall consider whether weaknesses are isolated in a single operating unit (e.g., one college campus) or pervasive throughout the entity.

(ii) When significant parts of a Federal program are passed through to subrecipients, a weak system for monitoring subrecipients would indicate higher risk.

(iii) The extent to which computer processing is used to administer Federal programs, as well as the complexity of that processing, should be considered by the auditor in assessing risk. New and recently modified computer systems may also indicate risk.

(2) Prior audit findings would indicate higher risk, particularly when the situations identified in the audit findings could have a significant impact on a Federal program or have not been corrected.

(3) Federal programs not recently audited as major programs may be of higher risk than Federal programs recently audited as major programs without audit findings.

(c) Oversight exercised by Federal agencies and pass-through entities. (1) Oversight exercised by Federal agencies or pass-through entities could indicate risk. For example, recent monitoring or other reviews performed by an oversight entity which disclosed no significant problems would indicate lower risk. However, monitoring which disclosed significant problems would indicate higher risk.

(2) Federal agencies, with the concurrence of OMB, may identify Federal programs which are higher risk. The OMB plans to provide this identification in the compliance supplement.

(d) Inherent risk of the Federal program. (1) The nature of a Federal program may indicate risk. Consideration should be given to the complexity of the program and the extent to which the Federal program contracts for goods and services. For example, Federal programs that disburse funds through third party contracts or have eligibility criteria may be of higher risk. Federal programs primarily involving staff payroll costs may have a high-risk for time and effort reporting, but otherwise be at low-risk.

(2) The phase of a Federal program in its life cycle at the Federal agency may indicate risk. For example, a new Federal program with new or interim regulations may have higher risk than an established program with time-tested regulations. Also, significant changes in Federal programs, laws, regulations, or the provisions of contracts or grant agreements may increase risk.

(3) The phase of a Federal program in its life cycle at the auditee may indicate risk. For example, during the first and last years that an auditee participates in a Federal program, the risk may be higher due to start-up or closeout of program activities and staff.

(4) Type B programs with larger Federal awards expended would be of higher risk than programs with substantially smaller Federal awards expended.

§99.530   Criteria for a low-risk auditee.

An auditee which meets all of the following conditions for each of the preceding two years (or, in the case of biennial audits, preceding two audit periods) shall qualify as a low-risk auditee and be eligible for reduced audit coverage in accordance with §99.520:

(a) Single audits were performed on an annual basis in accordance with the provisions of this part. A non-Federal entity that has biennial audits does not qualify as a low-risk auditee, unless agreed to in advance by the cognizant or oversight agency for audit.

(b) The auditor's opinions on the financial statements and the schedule of expenditures of Federal awards were unqualified. However, the cognizant or oversight agency for audit may judge that an opinion qualification does not affect the management of Federal awards and provide a waiver.

(c) There were no deficiencies in internal control which were identified as material weaknesses under the requirements of GAGAS. However, the cognizant or oversight agency for audit may judge that any identified material weaknesses do not affect the management of Federal awards and provide a waiver.

(d) None of the Federal programs had audit findings from any of the following in either of the preceding two years (or, in the case of biennial audits, preceding two audit periods) in which they were classified as Type A programs:

(1) Internal control deficiencies which were identified as material weaknesses;

(2) Noncompliance with the provisions of laws, regulations, contracts, or grant agreements which have a material effect on the Type A program; or

(3) Known or likely questioned costs that exceed five percent of the total Federal awards expended for a Type A program during the year.

Need assistance?