You are using an unsupported browser. This web site is designed for the current versions of Microsoft Edge, Google Chrome, Mozilla Firefox, or Safari.
The Office of the Federal Register publishes documents on behalf of Federal agencies but does not have any authority over their programs. We recommend you directly contact the agency associated with the content in question.
If you have comments or suggestions on how to improve the www.ecfr.gov website or have questions about using www.ecfr.gov, please choose the 'Website Feedback' button below.
If you would like to comment on the current content, please use the 'Content Feedback' button below for instructions on contacting the issuing agency
Enhanced content is provided to the user to provide additional context.
This content is from the eCFR and is authoritative but unofficial.
Navigate by entering citations or phrases (eg: 1 CFR 1.1 49 CFR 172.101 Organization and Purpose 1/1.1 Regulation Y FAR).
Choosing an item from citations and headings will bring you directly to the content. Choosing an item from full text search results will bring you to those results. Pressing enter in the search box will also bring you to search results.
Background and more details are available in the Search & Navigation guide.
| Subpart F | Audit Requirements | 200.500 – 200.521 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
31 U.S.C. 503; 31 U.S.C. 6101-6106; 31 U.S.C. 6307; 31 U.S.C. 7501-7507.
89 FR 30136, Apr. 22, 2024, unless otherwise noted.
Generate PDF (approximately 25+ pages)
This content is from the eCFR and may include recent changes applied to the CFR. The official, published CFR, is updated annually and available below under "Published Edition". You can learn more about the process here.
The eCFR is displayed with paragraphs split and indented to follow the hierarchy of the document. This is an automated process for user convenience only and is not intended to alter agency intent or existing codification.
A separate drafting site is available with paragraph structure matching the official CFR formatting. If you work for a Federal agency, use this drafting site when drafting amendatory language for Federal regulations: switch to eCFR drafting site.
Subscribe to: 2 CFR Part 200 Subpart F
View the most recent official publication:
These links go to the official, published CFR, which is updated annually. As a result, it may not include the most recent changes applied to the CFR. Learn more.
This document is available in the following developer friendly formats:
Information and documentation can be found in our developer resources.
The Code of Federal Regulations (CFR) is the official legal print publication containing the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the Federal Government. The Electronic Code of Federal Regulations (eCFR) is a continuously updated online version of the CFR. It is not an official legal edition of the CFR.
Learn more about the eCFR, its status, and the editorial process.
This part sets forth standards for obtaining consistency and uniformity among Federal agencies for the audit of non-Federal entities expending Federal awards.
(a) Audit required. A non-Federal entity that expends $1,000,000 or more during the non-Federal entity's fiscal year in Federal awards must have a single or program-specific audit conducted for that year in accordance with the provisions of this part.
(b) Single audit. A non-Federal entity that expends $1,000,000 or more in Federal awards during the non-Federal entity's fiscal year must have a single audit conducted in accordance with § 200.514 except when it elects to have a program-specific audit conducted in accordance with paragraph (c) or (d) of this section.
(c) Program-specific audit election (in general). A non-Federal entity may elect to have a program-specific audit conducted in accordance with § 200.507 if the following conditions are met:
(1) The non-Federal entity expends Federal awards under only one Federal program (excluding research and development); and
(2) The Federal program's statutes or regulations, or terms and conditions of the Federal award, do not require a financial statement audit of the non-Federal entity.
(d) Program-specific audit election for research and development. A non-Federal entity may elect to have a program-specific audit for research and development conducted in accordance with § 200.507, but only if all of the following conditions are met:
(1) The non-Federal entity expends Federal awards only from the same Federal agency, or the same Federal agency and the same pass-through entity; and
(2) The Federal agency, or pass-through entity in the case of a subrecipient, approves a program-specific audit in advance.
(e) Exemption when Federal awards expended are less than $1,000,000. A non-Federal entity that expends less than $1,000,000 in Federal awards during its fiscal year is exempt from Federal audit requirements for that year, except as noted in § 200.503. However, in all instances, the records of the non-Federal entity must be available for review or audit by appropriate officials of the Federal agency, pass-through entity, and the Government Accountability Office (GAO).
(f) Federally Funded Research and Development Centers (FFRDC). Management of an auditee that owns or operates a FFRDC may elect to treat the FFRDC as a separate entity for purposes of this part.
(g) Subrecipients and contractors. An auditee may simultaneously be a recipient, a subrecipient, and a contractor. Unless a program is exempt by Federal statute, Federal awards expended as a recipient or a subrecipient are subject to audit under this part. Payments received for goods or services provided as a contractor under a Federal award (see § 200.331) are not subject to audit under this part.
(h) Compliance responsibility for contractors. In most cases, the auditee's compliance responsibility for contractors is to ensure that the procurement, receipt, and payment for goods and services comply with Federal statutes, regulations, and the terms and conditions of a Federal award. Federal award compliance requirements normally do not flow down to contractors. However, for procurement transactions in which the contractor is made responsible for meeting program requirements, the auditee must ensure those requirements are met, including by clearly stating the contractor's responsibilities within the contract and reviewing the contractor's records to determine compliance. Also, when these procurement transactions relate to a major program, the scope of the audit must include a determination of whether these transactions comply with Federal statutes, regulations, and the terms and conditions of a Federal award. See also § 200.318(b).
(i) For-profit subrecipient. This subpart does not apply to for-profit organizations. As necessary, the pass-through entity is responsible for establishing requirements to ensure compliance by for-profit subrecipients. The subaward with a for-profit subrecipient must describe applicable compliance requirements and the for-profit subrecipient's compliance responsibility. Methods to ensure compliance for Federal awards made to for-profit subrecipients may include pre-award audits, monitoring throughout the performance of the subaward, and post-award audits (see § 200.332).
(a) Determining Federal awards expended. The determination of when a Federal award is expended must be based on when the activity related to the Federal award occurs. Generally, the activity related to the Federal award pertains to events that require the non-Federal entity to comply with Federal statutes, regulations, and the terms and conditions of Federal awards, such as:
(1) Expenditure/expense transactions associated with grants, cooperative agreements, cost-reimbursement contracts under the FAR, compacts with Indian Tribes, and direct appropriations;
(2) The disbursement of funds to subrecipients;
(3) The use of loan proceeds under loan and loan guarantee programs;
(4) The receipt of property (including surplus property);
(5) The receipt or use of program income;
(6) The distribution or use of food commodities;
(7) The disbursement of amounts entitling the non-Federal entity to an interest subsidy; and
(8) The period when insurance is in force.
(b) Loan and loan guarantees (loans). The Federal Government is at risk for loans until the debt is repaid. Therefore, the following guidelines must be used to calculate the value of Federal awards expended under loan programs (except as noted in paragraphs (c) and (d)):
(1) The value of new loans made or received during the audit period; plus
(2) The balance of loans from previous years at the beginning of the audit period for which the Federal Government imposes continuing compliance requirements; plus
(3) Any interest subsidy, cash, or administrative cost allowance received.
(c) Loan and loan guarantees (loans) at Institutions of Higher Education (IHE). When loans are made to students of an IHE, but the IHE itself does not have continuing compliance requirements for the loans, then only the value of loans made during the audit period are considered Federal awards expended in that audit period. The balance of loans for previous audit periods is not included as Federal awards expended because the lender accounts for the prior balances.
(d) Prior loan and loan guarantees (loans). Loans, the proceeds of which were received and expended in prior years, are not considered Federal awards expended under this part when Federal statutes, regulations, and the terms and conditions of Federal awards pertaining to such loans impose no continuing compliance requirements other than to repay the loans.
(e) Endowment funds. The cumulative balance of Federal awards for endowment funds that are federally restricted is considered Federal awards expended in each audit period in which the funds are still restricted.
(f) Free rent. Free rent received by itself is not considered a Federal award expended under this part. However, free rent received as part of a Federal award to carry out a Federal program must be included in determining Federal awards expended and is subject to audit under this part.
(g) Valuing non-cash assistance. Federal non-cash assistance (such as free rent, food commodities, donated property, or donated surplus property that is received as part of a Federal award to carry out a Federal program) must be valued at fair market value at the time of receipt or the assessed value provided by the Federal agency and must be included in determining Federal awards expended under this part.
(h) Medicare. Medicare payments to a non-Federal entity for providing patient care services to Medicare-eligible individuals are not considered Federal awards expended under this part.
(i) Medicaid. Medicaid payments to a subrecipient for providing patient care services to Medicaid-eligible individuals are not considered Federal awards expended under this part unless a State requires the funds to be treated as Federal awards expended because reimbursement is on a cost-reimbursement basis.
(j) Certain loans provided by the National Credit Union Administration. For purposes of this part, loans from the National Credit Union Share Insurance Fund and the Central Liquidity Facility funded by contributions from insured non-Federal entities are not considered Federal awards expended.
(a) Other financial audits. An audit conducted in accordance with this part must be in lieu of any financial audit of Federal awards which a non-Federal entity is required to undergo under any other Federal statute or regulation. To the extent that such an audit provides a Federal agency with the information it requires to carry out its responsibilities under Federal statute or regulation, a Federal agency must rely upon and use that information.
(b) Conducting additional audits. Notwithstanding paragraph (a) of this section, a Federal agency, Inspectors General, or GAO may conduct or arrange additional audits to carry out its responsibilities under Federal statute or regulation. The provisions of this part do not authorize any non-Federal entity to constrain, in any manner, such Federal agency from carrying out or arranging for such additional audits, except that the Federal agency must plan such audits not to be duplicative of other audits of Federal awards. Prior to commencing such an audit, the Federal agency or pass-through entity must review the FAC for recent audits submitted by the non-Federal entity, and to the extent such audits meet a Federal agency or pass-through entity's needs, the Federal agency or pass-through entity must rely upon and use such audits. Any additional audits must be planned and performed in such a way as to build upon work performed, including the audit documentation, sampling, and testing already performed by other auditors.
(c) Authority to conduct additional audits. The provisions of this part do not limit the authority of Federal agencies to conduct, or arrange for the conduct of, audits and evaluations of Federal awards, nor limit the authority of any Federal agency Inspector General or other Federal officials. For example, requirements that may be applicable under the FAR or CAS and the terms and conditions of a cost-reimbursement contract may include additional applicable audits to be conducted or arranged for by Federal agencies.
(d) Federal agency to pay for additional audits. A Federal agency that conducts or arranges for additional audits must, consistent with other applicable Federal statutes and regulations, arrange for funding the full cost of such additional audits.
(e) Request for a program to be audited as a major program. A Federal agency may request that an auditee have a particular Federal program audited as a major program in lieu of the Federal agency conducting or arranging for the additional audits. Such requests should be made at least 180 calendar days prior to the end of the fiscal year to be audited to allow for planning. After consultation with its auditor, the auditee should promptly respond to such a request by informing the Federal agency whether the program would otherwise be audited as a major program using the risk-based audit approach described in § 200.518 and, if not, the estimated incremental cost. The Federal agency must then promptly confirm to the auditee whether it wants the program audited as a major program. If the program is to be audited as a major program based upon this Federal agency request, and the Federal agency agrees to pay the full incremental costs, then the auditee must have the program audited as a major program. With approval of the Federal agency, a pass-through entity may use the provisions of this paragraph for a subrecipient.
Audits required by this part must be performed annually unless biennial audits are permitted under paragraph (a) or (b) of this section. Biennial audits must cover both fiscal years within the biennial period.
(a) A State, local government, or Indian Tribe that is required by constitution or statute, in effect on January 1, 1987, to undergo its audits less frequently than annually, is permitted to undergo biennial (every other year) audits pursuant to this part. This requirement must still be in effect for the biennial period.
(b) Any nonprofit organization that had biennial audits for all biennial periods ending between July 1, 1992, and January 1, 1995, is permitted to undergo biennial audits pursuant to this part.
In cases of continued inability or unwillingness of a non-federal entity to have an audit conducted in accordance with this part, Federal agencies or pass-through entities must take appropriate action as provided in § 200.339.
See § 200.425.
(a) Program-specific audit guide available. In some cases, a program-specific audit guide will be available to provide specific guidance to the auditor concerning internal controls, compliance requirements, suggested audit procedures, and audit reporting requirements. A listing of current program-specific audit guides can be found in the compliance supplement (Appendix VI, Program-Specific Audit Guides). When a current program-specific audit guide is available, the auditor must follow Generally Accepted Government Auditing Standards (GAGAS) and the guide when performing a program-specific audit.
(b) Program-specific audit guide not available.
(1) When a current program-specific audit guide is not available, the auditee and auditor must have basically the same responsibilities for the Federal program as they would have for an audit of a major program in a single audit.
(2) The auditee must prepare the financial statement(s) for the Federal program that includes a schedule of expenditures of Federal awards for the program and notes that describe the significant accounting policies used in preparing the schedule, a summary schedule of prior audit findings consistent with the requirements of § 200.511(b), and a corrective action plan consistent with the requirements of § 200.511(c).
(3) The auditor must:
(i) Perform an audit of the financial statement(s) for the Federal program in accordance with GAGAS;
(ii) Obtain an understanding of internal controls and perform tests of internal controls over the Federal program consistent with the requirements for a major program in accordance with§ 200.514(c);
(iii) Determine whether the auditee has complied with Federal statutes, regulations, and the terms and conditions of Federal awards that could have a direct and material effect on the Federal program consistent with the requirements for a major program under § 200.514(d);
(iv) Follow up on prior audit findings and perform procedures to assess the reasonableness of the summary schedule of prior audit findings prepared by the auditee in accordance with the requirements of § 200.511 When the auditor concludes that the summary schedule of prior audit findings materially misrepresents the status of any prior audit finding, the auditor must report this condition as a current-year audit finding.; and
(v) Report any audit findings consistent with the requirements of § 200.516.
(4) The auditor's report(s) may be in the form of either combined or separate reports. It may be organized differently from the manner presented in this section. The auditor's report(s) must state that the audit was conducted in accordance with this part and include the following:
(i) An opinion (or disclaimer of opinion) as to whether the financial statement(s) of the Federal program is presented fairly in all material respects in accordance with the stated accounting policies;
(ii) A report on internal control related to the Federal program, which must describe the scope of testing of internal control and the results of the tests;
(iii) A report on compliance that includes an opinion (or disclaimer of opinion) as to whether the auditee complied with laws, regulations, and the terms and conditions of Federal awards which could have a direct and material effect on the Federal program; and
(iv) A schedule of findings and questioned costs for the Federal program that includes a summary of the auditor's results relative to the Federal program in a format consistent with § 200.515(d)(1) and findings and questioned costs consistent with the requirements of § 200.515(d)(3).
(c) Report submission for program-specific audits.
(1) Submission deadline and public availability. The audit must be completed and submitted in accordance with paragraph (c)(2) or (c)(3) of this section. Unless a different period is specified in the program-specific audit guide, the audit must be submitted within 30 calendar days after the auditee receives the auditor's report(s) or nine months after the end of the audit period (whichever is earlier). The submission is due the next business day when the due date falls on a Saturday, Sunday, or Federal holiday. Unless restricted by Federal law or regulation, the auditee must make copies of the reporting package available for public inspection. Auditees and auditors must ensure that their respective parts of the reporting package do not include protected personally identifiable information.
(2) Program-specific audit guide available. When a program-specific audit guide is available, the auditee must electronically submit the data collection form prepared in accordance with § 200.512(b), as applicable to the program-specific audit, to the Federal Audit Clearinghouse (FAC). The submission must also include the reporting required by the program-specific audit guide.
(3) Program-specific audit guide not available. When a program-specific audit guide is not available, the auditee must electronically submit the data collection form prepared in accordance with § 200.512(b) to the FAC. The submission must also include the financial statement(s) of the Federal program, summary schedule of prior audit findings, and corrective action plan as described in paragraph § 200.507(b)(2) and the auditor's report(s) described in paragraph § 200.507(b)(4).
(d) Other sections of this part may apply. Program-specific audits are subject to:
(1) 200.500 Purpose through 200.503 Relation to other audit requirements, paragraph (d);
(2) 200.504 Frequency of audits through 200.506 Audit costs;
(3) 200.508 Auditee responsibilities through 200.509 Auditor selection;
(4) 200.511 Audit findings follow-up;
(5) 200.512 Report submission, paragraphs (e) through (h);
(6) 200.513 Responsibilities;
(7) 200.516 Audit findings through 200.517 Audit documentation;
(8) 200.521 Management decision; and
(9) Other referenced provisions of this part unless contrary to the provisions of this section, a program-specific audit guide, or program statutes and regulations.
The auditee must:
(a) Arrange for the audit required by this part in accordance with § 200.509, and ensure it is properly performed and submitted in accordance with § 200.512.
(b) Prepare financial statements, including the schedule of expenditures of Federal awards in accordance with § 200.510.
(c) Promptly follow up and take corrective action on audit findings. This includes preparing a summary schedule of prior audit findings and a corrective action plan in accordance with § 200.511(b) and (c), respectively.
(d) Provide the auditor access to personnel, accounts, books, records, supporting documentation, and any other information needed for the auditor to perform the audit required by this part.
(a) Auditor procurement. When procuring audit services, the auditee must follow the procurement standards in §§ 200.317 through 200.327 of subpart D or the FAR (48 CFR part 42), as applicable. When requesting proposals for audit services, the objectives and scope of the audit must be made clear, and the non-Federal entity must request a copy of the audit organization's peer review report, which the auditor must provide under GAGAS. Factors to be considered in evaluating each proposal for audit services include the responsiveness to the request for proposal, relevant experience, availability of staff with professional qualifications and technical abilities, the results of peer and external quality control reviews, and price. Whenever possible, the auditee must make efforts to contract with businesses as stated in § 200.321 or the FAR (48 CFR part 42), as applicable.
(b) Restriction on auditor preparing indirect cost proposals. An auditor who prepares the indirect cost proposal or cost allocation plan may not be selected to perform the audit required by this part when the indirect costs recovered by the auditee during the prior year exceed $1 million. This restriction applies to the base year used to prepare the indirect cost proposal or cost allocation plan and any subsequent years in which the resulting indirect cost agreement or cost allocation plan is used to recover costs.
(c) Use of Federal auditors. Federal auditors may perform all or part of the work required under this part if they fully comply with the requirements of this part.
(a) Financial statements. The auditee must prepare financial statements that reflect its financial position, results of operations or changes in net assets, and, where appropriate, cash flows for the fiscal year audited. The financial statements must be for the same organizational unit and fiscal year chosen to meet this part's requirements. However, organization-wide financial statements of the non-Federal entity may also include departments, agencies, and other organizational units that have separate audits in accordance with § 200.514(a) and prepare separate financial statements.
(b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee's financial statements. The schedule must include the total Federal awards expended as determined in accordance with § 200.502. The auditee may choose to provide information requested by Federal agencies or pass-through entities to make the schedule easier to use. For example, when a Federal program has multiple Federal award years, the auditee may separately list the amount of Federal awards expended for each year of a Federal award. The schedule must:
(1) List individual Federal programs by Federal agency using the applicable Assistance Listing number(s). For a cluster of programs, the non-Federal entity must provide the cluster name, a list of individual Federal programs within the cluster, and provide the Federal agency name and the applicable Assistance Listing number(s). For research and development, total Federal awards expended must be shown either by individual Federal award or by Federal agency and major subdivision within the Federal agency. For example, the National Institutes of Health is a major subdivision within the Department of Health and Human Services.
(2) For Federal awards received as a subrecipient, the name of the pass-through entity and identifying number assigned by the pass-through entity must be included.
(3) Provide total Federal awards expended for each individual Federal program and the Assistance Listings number or other identifying number when the Assistance Listings information is unavailable. For a cluster of programs, the auditee must also provide the total for the cluster.
(4) Include the total amount provided to subrecipients from each Federal program.
(5) For loan or loan guarantee programs described in § 200.502(b), identify in the notes to the schedule the balances outstanding at the end of the audit period. This requirement is in addition to including the total Federal awards expended for loan or loan guarantee programs in the schedule.
(6) Include notes describing the significant accounting policies used in preparing the schedule and whether the auditee elected to use the de minimis indirect cost rate of up to 15 percent (see § 200.414).
(a) General. The auditee is responsible for follow-up and corrective action on all audit findings. As part of this responsibility, the auditee must prepare a summary schedule of prior audit findings. The auditee must also prepare a corrective action plan for current year audit findings. The summary schedule of prior audit findings and the corrective action plan must include the reference numbers the auditor assigns to audit findings under § 200.516(c). Since the summary schedule may include audit findings from multiple years, it must include the fiscal year in which the finding initially occurred. The corrective action plan and summary schedule of prior audit findings must include financial statement findings that the auditor was required to report in accordance with GAGAS.
(b) Summary schedule of prior audit findings. The summary schedule of prior audit findings must report the status of all audit findings included in the prior audit's schedule of findings and questioned costs. The summary schedule must also include audit findings reported in the prior audit's summary schedule of prior audit findings except audit findings listed as corrected in accordance with paragraph (b)(1) of this section or no longer valid or not warranting further action in accordance with paragraph (b)(3) of this section.
(1) When audit findings were fully corrected, the summary schedule need only list the audit findings and state that corrective action was taken.
(2) When audit findings were not corrected or only partially corrected, the summary schedule must describe the reasons for the finding's recurrence, planned corrective action, and any partial corrective action taken. When the corrective action taken significantly differs from the corrective action previously reported in a corrective action plan or the Federal agency's or pass-through entity's management decision, the summary schedule must provide an explanation.
(3) When the auditee believes the audit findings are no longer valid or do not warrant further action, the reasons for this position must be described in the summary schedule. A valid reason for considering an audit finding as not warranting further action is that all of the following have occurred:
(i) Two years have passed since the audit report in which the finding occurred was submitted to the FAC;
(ii) The Federal agency or pass-through entity is not currently following up with the auditee on the audit finding; and
(iii) A management decision was not issued.
(c) Corrective action plan. At the completion of the audit, the auditee must prepare a corrective action plan to address each audit finding included in the auditor's report for the current year. The corrective action plan must be a document separate from the auditor's findings described in § 200.516. The corrective action plan must also provide the name(s) of the contact person(s) responsible for the corrective action, the corrective action to be taken, and the anticipated completion date. When the auditee does not agree with the audit findings or believes corrective action is not required, the corrective action plan must include a detailed explanation of the reasons.
(a) General.
(1) The audit, the data collection form, and the reporting package must be submitted within 30 calendar days after the auditee receives the auditor's report(s) or nine months after the end of the audit period (whichever is earlier). The cognizant agency for audit or oversight agency for audit (in the absence of a cognizant agency for audit) may authorize an extension when the nine-month timeframe would place an undue burden on the auditee. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
(2) The auditee must make copies available for public inspection unless restricted by Federal statute or regulation. Auditees and auditors must ensure that their respective parts of the reporting package do not include protected personally identifiable information.
(b) Data collection. The FAC is the repository of record for subpart F reporting packages and the data collection form. All Federal agencies, pass-through entities and others interested in a reporting package and data collection form must obtain it by accessing the FAC.
(1) The auditee must submit the required data collection form described in Appendix X of this part. This form provides information about the auditee, its Federal programs, the results of the audit, and whether the audit was completed in accordance with this part. The form must include all information required by this part that is necessary for Federal agencies to use the audit to ensure the integrity of Federal programs. The form includes data elements and a format that OMB must approve, is available from the FAC, and include collections of information from the reporting package described in paragraph (c).
(2) A senior-level representative of the auditee (for example, a State controller, director of finance, chief executive officer, or chief financial officer) must sign a statement to be included as part of the data collection form stating that the auditee complied with the requirements of this part, including that:
(i) The data collection form was prepared in accordance with this part (and the instructions accompanying the form);
(ii) The reporting package does not include protected personally identifiable information;
(iii) The information included in its entirety is accurate and complete; and
(iv) The FAC is authorized to make the reporting package and the form publicly available on a website.
(3) An auditee that is an Indian Tribe or a tribal organization (as defined in the Indian Self-Determination, Education and Assistance Act (ISDEAA), 25 U.S.C. 450b(l)) may opt not to authorize the FAC to make the reporting package publicly available on a website. To opt-out, an Indian Tribe or tribal organization must exclude the authorization described in paragraph (b)(2)(iv) of this section. In these instances, the Indian Tribe is responsible for submitting the reporting package directly to any pass-through entities through which it has received a Federal award and to pass-through entities for which the summary schedule of prior audit findings reported the status of any findings related to those Federal awards that the pass-through entity provided. Unless restricted by Federal statute or regulation, if the Indian Tribe opts not to authorize publication, it must make copies of the reporting package available for public inspection.
(4) The auditor must complete the applicable data elements of the data collection form using the information included in the reporting package described in paragraph (c) of this section. The auditor must sign a statement to be included as part of the data collection form stating:
(i) The source of information included in the data collection form;
(ii) The auditor's responsibility for the information;
(iii) The data collection form is not a substitute for the reporting package described in paragraph (c); and
(iv) The content of the form is limited to the collection of information prescribed by OMB.
(c) Reporting package. The reporting package must include the following:
(1) Financial statements and schedule of expenditures of Federal awards discussed in § 200.510(a) and (b), respectively;
(2) Summary schedule of prior audit findings discussed in § 200.511(b);
(3) Auditor's report(s) discussed in § 200.515; and
(4) Corrective action plan discussed in § 200.511(c).
(d) Submission to FAC. The auditee must electronically submit the data collection form described in paragraph (b) of this section and the reporting package described in paragraph (c) of this section to the FAC.
(e) Requests for management letters issued by the auditor. Auditees must submit, when requested by a Federal agency or pass-through entity, a copy of any management letters issued by the auditor.
(f) Report retention requirements. Auditees must keep a copy of the data collection form described in paragraph (b) of this section and a copy of the reporting package described in paragraph (c) on file for three years from the date of submission to the FAC. Copies of audit records must be maintained in accordance with § 200.336.
(g) FAC responsibilities. The FAC must make available the reporting packages received in accordance with paragraph (c) of this section and § 200.507(c) to the public, except for Indian Tribes exercising the option in paragraph (b)(3) of this section, and maintain a database of completed audits, provide appropriate information to Federal agencies, and follow up with known auditees that have not submitted the required data collection forms and reporting packages.
(h) Electronic filing. Nothing in this part must preclude electronic submissions to the FAC in such a manner as may be approved by OMB.
(a) Cognizant agency for audit responsibilities.
(1) A non-Federal entity expending more than $50 million a year in Federal awards must have a cognizant agency for audit. The cognizant agency for audit must be the Federal agency that provides the largest amount of direct funding (as listed on the non-Federal entity's Schedule of expenditures of Federal awards, see § 200.510(b)) unless OMB designates a specific cognizant agency for audit. When the direct funding represents less than 25 percent of the total expenditures (as direct and subawards) by the non-Federal entity, then the Federal agency with the predominant amount of total funding is the designated cognizant agency for audit.
(2) To provide for continuity of cognizance, the determination of the predominant amount of direct funding must be based upon direct Federal awards expended in the non-Federal entity's fiscal years ending in 2019 and every fifth year after that.
(3) Notwithstanding how audit cognizance is determined, a Federal agency may reassign cognizance to another Federal agency that provides substantial funding to an auditee if it agrees to be the cognizant agency for audit. Within 30 calendar days after any reassignment, both the old and the new cognizant agency for audit must notify the FAC, the auditee, and the auditor (if known) of the change.
(4) The cognizant agency for audit must:
(i) Provide technical audit advice and liaison assistance to auditees and auditors.
(ii) Obtain or conduct quality control reviews on selected audits made by non-Federal auditors and provide the results to other interested organizations.
(iii) Cooperate and support the Federal agency designated by OMB to lead a government-wide analysis to assess the quality of single audits. The government-wide analysis may rely on the current and ongoing quality control review work performed by Federal agencies, State auditors, and professional audit associations. This government-wide audit analysis must be performed at an interval determined by OMB, and the results must be posted publicly. In providing support to the government-wide analysis, a Federal agency must provide the following:
(A) An assessment of the extent to which single audits conform to the requirements, standards, and procedures of this part; and
(B) Recommendations to address audit quality issues, including recommendations for any changes to this part's requirements, standards, and procedures.
(iv) Promptly inform the appropriate Federal law enforcement officials and impacted Federal agencies of any direct reporting by the auditee or its auditor required by GAGAS, Federal statute, or regulation.
(v) Advise the community of independent auditors of any noteworthy or important factual trends related to the quality of audits stemming from quality control reviews. Significant problems or quality issues consistently identified through quality control reviews of audit reports must be referred to appropriate State licensing agencies and professional bodies.
(vi) Advise the auditor, Federal awarding agencies, and, where appropriate, the auditee of any deficiencies found in the audits when the deficiencies require corrective action by the auditor. When advised of deficiencies, the auditee must work with the auditor to take corrective action. If corrective action is not taken, the cognizant agency for audit must notify the auditor, the auditee, and applicable Federal awarding agencies and pass-through entities of the facts and make recommendations for follow-up action. Major inadequacies or repetitive substandard performance by auditors must be referred to appropriate State licensing agencies and professional bodies for disciplinary action.
(vii) Coordinate, to the extent practical, audits or reviews made by or for Federal agencies that are in addition to the audits made pursuant to this part, so that the additional audits or reviews build upon, rather than duplicate, audits performed in accordance with this part.
(viii) Coordinate a management decision for cross-cutting audit findings that affect the Federal programs of more than one agency when requested by any Federal agency whose awards are included in the audit finding of the auditee. Cross-cutting audit finding means an audit finding where the same underlying condition or issue affects all Federal awards (including Federal awards of more than one Federal agency or pass-through entity); for example, a cross-cutting audit finding may include an issue related to the recipient's accounting system.
(ix) Coordinate the audit work and reporting responsibilities among auditors to achieve the most cost-effective audit.
(x) Provide advice to auditees as to how to handle changes in fiscal year.
(b) Oversight agency for audit responsibilities. An auditee who does not have a designated cognizant agency for audit will be under the general oversight of the Federal agency determined in accordance with § 200.1 oversight agency for audit. A Federal agency with oversight for an auditee may reassign oversight to another Federal agency that agrees to be the oversight agency for audit. Within 30 calendar days after any reassignment, both the old and the new oversight agency for audit must provide notice of the change to the FAC, the auditee, and, if known, the auditor. The oversight agency for audit:
(1) Must provide technical advice and assistance to auditees and auditors.
(2) May assume all or some of the responsibilities normally performed by a cognizant agency for audit.
(c) Awarding Federal agency responsibilities. In addition to all other requirements of this part, the awarding Federal agency must:
(1) Ensure that audits are completed, and reports are received in a timely manner in accordance with the requirements of this part.
(2) Provide technical advice and assistance to auditees and auditors.
(3) Follow-up on audit findings to ensure that non-Federal entities take appropriate and timely corrective action. Follow-up includes:
(i) Issuing a management decision in accordance with § 200.521;
(ii) Monitoring the non-Federal entity's progress implementing a corrective action;
(iii) Using a cooperative audit resolution approach to improve Federal program outcomes through better audit resolution, follow-up, and corrective action, which means the use of audit follow-up techniques promoting prompt corrective action by improving communication, fostering collaboration, promoting trust, and developing an understanding between the Federal agency and the non-Federal entity. This approach is based upon:
(A) A strong commitment by Federal agency and non-Federal entity leadership to Federal program integrity;
(B) Federal agencies strengthening partnerships and working cooperatively with non-Federal entities and their auditors; non-Federal entities and their auditors working cooperatively with Federal agencies;
(C) A focus on current conditions and corrective action going forward;
(D) Federal agencies offering appropriate relief for past noncompliance when audits show prompt corrective action has occurred; and
(E) Federal agency leadership sending a clear message that continued failure to correct conditions identified by audits likely to cause improper payments, fraud, waste, or abuse is unacceptable and will result in sanctions.
(iv) Tracking the effectiveness of the Federal agency's follow-up processes, the effectiveness of single audits in improving non-Federal entity accountability, and the use of single audits in making Federal award decisions. The Federal agency should develop a baseline, metrics, and targets to track, over time, the effectiveness of the Federal agency's process to follow up on audit findings.
(4) Provide OMB with annual updates to the compliance supplement. These updates include working with OMB to ensure that the compliance supplement focuses the auditor on testing the compliance requirements most likely to cause improper payments, fraud, waste, abuse, or generate audit findings for which the Federal agency will take action in accordance with § 200.505. Prior to submitting compliance supplement drafts to OMB, Federal agencies should engage with external audit stakeholders, the Federal agency's Office of Inspector General, and the National Single Audit Coordinator (NSAC).
(5) Provide OMB with the name of a single audit accountable official from among the senior policy officials of the Federal agency. The accountable official must be:
(i) Responsible for ensuring that the Federal agency fulfills the requirements of this section and effectively uses the single audit process to reduce improper payments and improve Federal program outcomes.
(ii) Accountable for improving the effectiveness of the Federal agency's single audit processes in accordance with paragraph (c)(3)(iv).
(iii) Responsible for designating the Federal agency's key management single audit liaison.
(6) Provide OMB with the name of a key management single audit liaison. The liaison must:
(i) Serve as the Federal agency's point of contact for the single audit process within and outside the Federal Government.
(ii) Promote interagency coordination, consistency, and information sharing. This includes coordinating audit follow-up, identifying higher risk non-Federal entities, providing input on single audit and follow-up policy, enhancing the utility of the FAC, and identifying ways to use single audit results to improve Federal award accountability and best practices.
(iii) Oversee training for the Federal agency's program management personnel related to the single audit process.
(iv) Promote the Federal agency's use of a cooperative audit resolution approach as described in paragraph (c)(3)(iii) of this section.
(v) Coordinate the Federal agency's audit follow-up processes and ensure non-Federal entities implement corrective actions for audit findings.
(vi) Ensure the Federal agency fulfills its responsibility, as a cognizant agency for audit, to coordinate a management decision for cross-cutting audit findings under (a)(4)(viii) of this section. Cross-cutting audit findings means an audit finding where the same underlying condition or issue affects all Federal awards (including Federal awards of more than one Federal agency or pass-through entity). For example, this may include an issue related to the recipient's accounting system.
(vii) Ensure the Federal agency provides OMB with annual updates to the compliance supplement consistent with the compliance supplement preparation guide.
(viii) Support the mission of the Federal agency's single audit accountable official and coordinate with the Federal agency's Office of Inspector General and National Single Audit Coordinator (NSAC).
(a) General. The audit must be conducted in accordance with GAGAS. The audit must also cover the entire operations of the auditee, or, at the option of the auditee, such audit must include a series of audits that cover departments, agencies, and other organizational units that expended or otherwise administered Federal awards during the audit period. In these instances, the audit must include the financial statements and schedule of expenditures of Federal awards for each such department, agency, and other organizational unit, which must be considered to be a non-Federal entity. The financial statements and schedule of expenditures of Federal awards must be for the same audit period.
(b) Financial statements. The auditor must determine whether the auditee's financial statements are presented fairly in all material respects in accordance with generally accepted accounting principles (or a special purpose framework such as cash, modified cash, or regulatory as required by State law). The auditor must also determine whether the schedule of expenditures of Federal awards is stated fairly in all material respects in relation to the auditee's financial statements as a whole.
(c) Internal control.
(1) The compliance supplement provides guidance on internal controls over Federal programs based upon the guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States and the Internal Control-Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
(2) In addition to the requirements of GAGAS, the auditor must perform procedures to obtain an understanding of internal control over Federal programs sufficient to plan the audit to support a low assessed level of control risk of noncompliance for major programs.
(3) Except as provided in paragraph (c)(4) of this section, the auditor must:
(i) Plan the testing of internal control over compliance for major programs to support a low assessed level of control risk for assertions relevant to the compliance requirements for each major program; and
(ii) Perform testing of internal control as planned in paragraph (c)(3)(i) of this section.
(4) When internal control over some or all of the compliance requirements for a major program are likely to be ineffective in preventing or detecting noncompliance, the planning and performing of testing described in paragraph (c)(3) of this section are not required for those compliance requirements. However, the auditor must report a significant deficiency or material weakness in accordance with § 200.516, assess the related control risk at the maximum, and consider whether additional compliance tests are required because of ineffective internal control.
(d) Compliance.
(1) In addition to the requirements of GAGAS, the auditor must determine whether the auditee has complied with Federal statutes, regulations, and the terms and conditions of Federal awards that may have a direct and material effect on each of its major programs.
(2) The principal compliance requirements applicable to most Federal programs and the compliance requirements of the largest Federal programs are included in the compliance supplement.
(3) For the compliance requirements related to Federal programs contained in the compliance supplement, an audit of these compliance requirements will meet the requirements of this part. Where there have been changes to the compliance requirements, and the changes are not reflected in the compliance supplement, the auditor must determine the current compliance requirements and modify the audit procedures accordingly. For those Federal programs not covered in the compliance supplement, the auditor must follow the compliance supplement's guidance for programs not included.
(4) The compliance testing must include tests of transactions or other auditing procedures necessary to provide the auditor with sufficient appropriate audit evidence to support an opinion on compliance.
(e) Audit follow-up. The auditor must follow up on prior audit findings regardless of whether a prior audit finding is related to a major program in the current year. Audit follow-up includes performing procedures to assess the reasonableness of the summary schedule of prior audit findings prepared by the auditee in accordance with the requirements of § 200.511. When the auditor concludes that the summary schedule of prior audit findings materially misrepresents the status of any prior audit finding, the auditor must report this condition as a current-year audit finding.
(f) Data collection form. As required in § 200.512(b)(4), the auditor must complete and sign specified sections of the data collection form.
The auditor's report(s) may be in the form of either combined or separate reports. It may be organized differently from the manner presented in this section. The auditor's report(s) must state that the audit was conducted in accordance with this part and include the following:
(a) An opinion (or disclaimer of opinion) on whether the financial statement(s) of the auditee is presented fairly in all material respects in accordance with generally accepted accounting principles (or a special purpose framework such as cash, modified cash, or regulatory as required by State law). The auditor must also decide whether the schedule of expenditures of Federal awards is stated fairly in all material respects in relation to the auditee's financial statements as a whole.
(b) A report on internal control over financial reporting and compliance with provisions of laws, regulations, contracts, and award agreements, noncompliance with which could have a material effect on the financial statements. This report must describe the scope of internal control and compliance testing and the results of the tests. Where applicable, the report must refer to the separate schedule of findings and questioned costs described in paragraph (d) of this section.
(c) A report on compliance for each major program and a report on internal control over compliance. This report must describe the scope of testing of internal control over compliance and include an opinion (or disclaimer of opinion) as to whether the auditee complied with Federal statutes, regulations, and the terms and conditions of Federal awards that could have a direct and material effect on each major program and refer to the separate schedule of findings and questioned costs described in paragraph (d) of this section.
(d) A schedule of findings and questioned costs which must include the following three components:
(1) A summary of the auditor's results, which must include:
(i) The type of report the auditor issued (unmodified opinion, qualified opinion, adverse opinion, or disclaimer of opinion) on whether the audited financial statements were prepared in accordance with GAAP;
(ii) A statement about whether significant deficiencies or material weaknesses in internal control were disclosed by the audit of the financial statements;
(iii) A statement as to whether the audit disclosed any noncompliance that is material to the financial statements of the auditee;
(iv) A statement about whether significant deficiencies or material weaknesses in internal control over major programs were disclosed by the audit;
(v) The type of report the auditor issued (unmodified opinion, qualified opinion, adverse opinion, or disclaimer of opinion) on compliance for major programs;
(vi) A statement as to whether the audit disclosed any audit findings that the auditor is required to report under § 200.516(a);
(vii) An identification of major programs by listing each individual major program; however, in the case of a cluster of programs, only the cluster name as shown on the schedule of expenditures of Federal Awards is required;
(viii) The dollar threshold used to distinguish between Type A and Type B programs, as described in § 200.518(b)(1) or (3) when a recalculation of the Type A threshold is required for large loan or loan guarantees; and
(ix) A statement as to whether the auditee qualified as a low-risk auditee under§ 200.520.
(2) Findings relating to the financial statements required to be reported in accordance with GAGAS.
(3) Findings and questioned costs for Federal awards which must include audit findings as defined in § 200.516(a) and be reported in the following manner:
(i) Audit findings (for example, internal control findings, compliance findings, questioned costs, or fraud) that relate to the same issue must be presented as a single audit finding. Where practical, audit findings should be organized by Federal agency or pass-through entity.
(ii) Audit findings that relate to both the financial statements (paragraph (d)(2) of this section) and Federal awards (this paragraph (d)(3)) must be reported in both sections of the schedule. However, the reporting in one section of the schedule may be in summary form and reference a detailed reporting in the other section.
(e) Nothing in this part precludes combining the reporting required by this section with the reporting required by § 200.512(b) when allowed by GAGAS and Appendix X of this part.
(a) Audit findings reported. The auditor must report the following as an audit finding in the schedule of findings and questioned costs:
(1) Significant deficiencies and material weaknesses in internal control over major programs. The auditor's determination of whether a deficiency in internal control is a significant deficiency or a material weakness for the purpose of reporting an audit finding is in relation to a type of compliance requirement for a major program identified in the compliance supplement.
(2) Material noncompliance with the provisions of Federal statutes, regulations, or the terms and conditions of Federal awards related to a major program. The auditor's determination of whether noncompliance with the provisions of Federal statutes, regulations, or the terms and conditions of Federal awards is material for the purpose of reporting an audit finding is in relation to a type of compliance requirement for a major program identified in the compliance supplement.
(3) Known questioned costs when either known or likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program. When reporting questioned costs, the auditor must include information to provide proper perspective for evaluating the prevalence and consequences of the questioned costs.
(4) Known questioned costs greater than $25,000 for a Federal program that is not audited as a major program. Except for audit follow-up, the auditor is not required to perform audit procedures for such a Federal program; therefore, the auditor will normally not find questioned costs for a program that is not audited as a major program. However, if the auditor does become aware of questioned costs for a Federal program that is not audited as a major program (for example, as part of audit follow-up or other audit procedures) and the known questioned costs are greater than $25,000, the auditor must report this as an audit finding.
(5) The circumstances concerning why the auditor's report on compliance for each major program is other than an unmodified opinion. This must be included unless the circumstances are otherwise reported as audit findings in the schedule of findings and questioned costs.
(6) Known or likely fraud affecting a Federal award, unless the fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs. This paragraph does not require the auditor to publicly report information that could compromise investigative or legal proceedings or to make an additional reporting when the auditor confirms that the fraud was reported outside the auditor's reports under the direct reporting requirements of GAGAS.
(7) Instances where the results of audit follow-up procedures disclosed that the summary schedule of prior audit findings prepared by the auditee in accordance with § 200.511(b) materially misrepresents the status of any prior audit finding.
(b) Audit finding detail and clarity. Audit findings must be presented with sufficient detail and clarity for the auditee to prepare a corrective action plan and take corrective action and for Federal agencies or pass-through entities to arrive at a management decision. As applicable, the following information must be included in audit findings:
(1) The Federal program and specific Federal award identification, including the Assistance Listings title and number, Federal award identification number and year, the name of the Federal agency, and name of the applicable pass-through entity. When information, such as the Assistance Listings title and number or Federal award identification number, is unavailable, the auditor must provide the best information available to describe the Federal award.
(2) The criteria or specific requirement for the audit finding (for example, the specific Federal statute, regulation, or term and condition of the Federal award). The criteria or specific requirement provides a context for evaluating evidence and understanding findings. The criteria should generally identify the required or desired state or expectation with respect to the program or operation.
(3) The condition found, including facts that support the deficiency identified in the audit finding.
(4) A statement of cause that identifies the reason or explanation for the condition or the factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective action
(5) The possible asserted effect to provide sufficient information to the auditee and Federal agency or pass-through entity to permit them to determine the cause and effect to facilitate prompt and proper corrective action. A statement of the effect or potential effect should provide a clear, logical link to establish the impact or potential impact of the difference between the condition and the criteria.
(6) The identification of known questioned costs, by applicable Assistance Listing number(s) and Federal award identification number(s), and how these questioned costs were computed.
(7) When there are known questioned costs but the dollar amount is undetermined or not reported, a description of why the dollar amount was undetermined or otherwise could not be reported.
(8) Information to provide proper perspective for evaluating the prevalence and consequences of the audit finding. For example, whether the audit finding represents an isolated instance or a systemic problem. Where appropriate, instances identified must be related to the universe and the number of cases examined and be quantified in terms of dollar value. In addition, the audit finding should indicate whether the sampling was a statistically valid sample.
(9) The identification of whether the audit finding is a repeat of a finding in the immediately prior audit. The audit finding must identify the applicable prior year audit finding reference numbers in these instances.
(10) Recommendations to prevent future occurrences of the deficiency identified in the audit finding.
(11) Views of responsible officials of the auditee.
(c) Reference numbers. Each audit finding in the schedule of findings and questioned costs must include a reference number in the format meeting the requirements of the data collection form submission (see § 200.512(b)).
(a) Retention of audit documentation. The auditor must retain audit documentation and reports for a minimum of three years after the date of issuance of the auditor's report(s) to the auditee. The cognizant agency for audit, oversight agency for audit, cognizant agency for indirect costs, or pass-through entity may extend the retention period by providing written notification to the auditor. When the auditor is aware that the Federal agency, pass-through entity, or auditee is contesting an audit finding, the auditor must contact the parties contesting the audit finding for guidance prior to the destruction of the audit documentation and reports.
(b) Access to audit documentation. Audit documentation must be made available upon request to the cognizant or oversight agency for audit or its designee, cognizant agency for indirect cost, a Federal agency, or GAO at the completion of the audit, as part of a quality review, to resolve audit findings, or to carry out oversight responsibilities consistent with the purposes of this part. Access to audit documentation includes the right of Federal agencies to obtain copies of audit documentation as is reasonable and necessary.
(a) General. The auditor must use a risk-based approach to determine which Federal programs are major programs. This risk-based approach must consider current and prior audit experience, oversight by Federal agencies and pass-through entities, and the inherent risk of the Federal program. The process described in paragraphs (b) through (h) of this section must be followed.
(b) Step one.
(1) The auditor must identify and label the larger Federal programs as Type A programs. Type A programs are defined as Federal programs with Federal awards expended during the audit period exceeding the levels outlined in table 1:
| Total Federal awards expended | Type A threshold |
|---|---|
| Equal to or exceed $1,000,000 but less than or equal to $34 million | $1,000,000. |
| Exceed $34 million but less than or equal to $100 million | Total Federal awards expended times .03. |
| Exceed $100 million but less than or equal to $1 billion | $3 million. |
| Exceed $1 billion but less than or equal to $10 billion | Total Federal awards expended times .003. |
| Exceed $10 billion but less than or equal to $20 billion | $30 million. |
| Exceed $20 billion | Total Federal awards expended times .0015. |
(2) Federal programs not labeled Type A under paragraph (b)(1) of this section must be labeled Type B programs.
(3) Including large loans and loan guarantees (loans) must not result in the exclusion of other programs as Type A programs. A Federal program providing loans is considered a large loan program when it exceeds four times the largest non-loan program. The auditor must identify each large loan program as a Type A program and exclude its values in determining other Type A programs. This recalculation of the Type A program is performed after removing the total of all large loan programs. For this paragraph, a program is only considered a Federal program providing loans if the value of Federal awards expended for loans within the program comprises 50 percent or more of the total Federal awards expended for the program. A cluster of programs is treated as one program, and the value of Federal awards expended under a loan program is determined as described in § 200.502.
(4) For biennial audits (see § 200.504), the determination of Type A and Type B programs must be based on the Federal awards expended during the two-year audit period.
(c) Step two.
(1) The auditor must identify Type A programs that are low-risk. In making this determination, the auditor must consider whether the requirements in § 200.519(c), the results of audit follow-up, or any changes in personnel or systems affecting the program indicate significantly increased risk and preclude the program from being low-risk. For a Type A program to be considered low-risk, it must have been audited as a major program in at least one of the two most recent audit periods (in the most recent audit period in the case of a biennial audit), and, in the most recent audit period, the program must not have had:
(i) Internal control deficiencies that were identified as material weaknesses in the auditor's report on internal control for major programs as required under § 200.515(c);
(ii) A modified opinion on the program in the auditor's report on major programs as required under § 200.515(c); or
(iii) Known or likely questioned costs that exceed five percent of the total Federal awards expended for the program.
(2) Notwithstanding paragraph (c)(1) of this section, OMB may approve a Federal agency request that a Type A program not be considered low-risk for a specific recipient. For example, it may be necessary for a large Type A program to be audited as a major program each year for a particular recipient for the Federal agency to comply with 31 U.S.C. 3515. The Federal agency must notify the auditee and, if known, the auditor of OMB's approval at least 180 calendar days prior to the end of the fiscal year to be audited.
(d) Step three.
(1) The auditor must identify high-risk Type B programs using professional judgment and the criteria in § 200.519. However, the auditor is not required to identify more high-risk Type B programs than at least one-fourth of the number of low-risk Type A programs identified as low-risk under step two. Except for known material weakness in internal control or compliance problems as discussed in § 200.519(b)(1), (2), and (c)(1), a single criterion in risk would rarely cause a Type B program to be considered high-risk. When identifying which Type B programs to assess for risk, the auditor is encouraged to use an approach that provides an opportunity for different high-risk Type B programs to be audited as major programs over a period of time.
(2) The auditor is not expected to perform risk assessments on relatively small Federal programs. Therefore, the auditor is only required to perform risk assessments on Type B programs that exceed 25 percent (0.25) of the Type A threshold determined in step one.
(e) Step four. At a minimum, the auditor must audit all of the following as major programs:
(1) All Type A programs not identified as low-risk under step two.
(2) All Type B programs identified as high-risk under step three.
(3) Additional programs as necessary to comply with the percentage of coverage rule described in paragraph (f). This rule may require the auditor to audit more programs as major programs than the number of Type A programs.
(f) Percentage of coverage rule. When the auditee meets the criteria in § 200.520, the auditor only needs to audit the major programs identified in paragraphs (e)(1) and (2) of this section and such additional Federal programs with Federal awards expended that, in the aggregate, all major programs encompass at least 20 percent (0.20) of total Federal awards expended. Otherwise, the auditor must audit the major programs identified in paragraphs (e)(1) and (2) of this section and such additional Federal programs with Federal awards expended that, in the aggregate, all major programs encompass at least 40 percent (0.40) of total Federal awards expended.
(g) Documentation of risk. The auditor must include in the audit documentation the risk analysis used for determining major programs.
(h) Auditor's judgment. The auditor's judgment in applying the risk-based approach to determine major programs must be presumed correct when the determination was performed and documented in accordance with this part. Challenges by a Federal agency or pass-through entity must only be for clearly improper use of the requirements in this part. However, a Federal agency or pass-through entity may provide auditors guidance about the risk of a particular Federal program. The auditor must consider this guidance in determining major programs in audits not yet completed.
(a) General. The auditor's determination should be based on an overall evaluation of the risk of noncompliance occurring that could be material to the Federal program. The auditor must consider criteria, such as those described in paragraphs (b), (c), and (d) of this section, to identify risk in Federal programs. Also, as part of the risk analysis, the auditor may wish to discuss a particular Federal program with auditee management and the Federal agency or pass-through entity.
(b) Current and prior audit experience.
(1) Weaknesses in internal control over Federal programs would indicate higher risk. Therefore, consideration should be given to the control environment over Federal programs. This includes considering factors such as the expectation of management's adherence to Federal statutes, regulations, and the terms and conditions of Federal awards, and the competence and experience of personnel who administer the Federal programs.
(i) A Federal program administered under multiple internal control structures may have higher risk. When assessing risk in a large single audit, the auditor must consider whether weaknesses are isolated in a single operating unit (for example, one college campus) or pervasive throughout the entity.
(ii) A weak system for monitoring subrecipients would indicate higher risk when significant parts of a Federal program are passed to subrecipients through subawards.
(2) Prior audit findings would indicate higher risk, especially when the situations identified in the audit findings could significantly impact a Federal program or have not been corrected.
(3) Federal programs not recently audited as major programs may be of higher risk than those recently audited as major programs without audit findings.
(c) Oversight exercised by Federal agencies and pass-through entities.
(1) The oversight exercised by Federal agencies or pass-through entities may be used to assess risk. For example, recent monitoring or other reviews performed by an oversight entity that disclosed no significant problems would indicate lower risk, whereas monitoring that disclosed significant problems would indicate higher risk.
(2) With the concurrence of OMB, a Federal agency may identify Federal programs that are higher risk. OMB will identify these Federal programs in the compliance supplement.
(d) Inherent risk of the Federal program.
(1) The nature of a Federal program may indicate risk. Consideration should be given to the complexity of the program and the extent to which the Federal program contracts for goods and services. For example, Federal programs that disburse funds through third-party contracts or have eligibility criteria may be higher risk. Federal programs primarily involving staff payroll costs may be at high risk for noncompliance with the requirements of § 200.430 but otherwise be at low risk.
(2) The phase of a Federal program in its lifecycle at the Federal agency may indicate risk. For example, a new Federal program with new or interim regulations may have higher risk than an established program with time-tested regulations. Also, significant changes in Federal programs, statutes, regulations, or the terms and conditions of Federal awards may increase risk.
(3) The phase of a Federal program in its lifecycle at the auditee may indicate risk. For example, during the first and last years that an auditee participates in a Federal program, the risk may be higher due to the start-up or closeout of program activities and staff.
(4) Type B programs with larger Federal awards expended would be of higher risk than programs with substantially smaller Federal awards expended.
An auditee that meets all of the following conditions for each of the preceding two audit periods must qualify as a low-risk auditee and be eligible for reduced audit coverage in accordance with § 200.518.
(a) Single audits were performed on an annual basis in accordance with the provisions of this subpart, including submitting the data collection form and the reporting package to the FAC within the timeframe specified in § 200.512. A non-Federal entity that has biennial audits does not qualify as a low-risk auditee.
(b) The auditor's opinion on whether the financial statements were prepared in accordance with generally accepted accounting principles (or a special purpose framework such as cash, modified cash, or regulatory as required by State law), and the auditor's in-relation-to opinion on the schedule of expenditures of Federal awards were unmodified.
(c) No internal control deficiencies were identified as material weaknesses under the requirements of GAGAS.
(d) The auditor did not report a substantial doubt about the auditee's ability to continue as a going concern.
(e) None of the Federal programs had audit findings from any of the following in either of the preceding two audit periods in which they were classified as Type A programs:
(1) Internal control deficiencies that were identified as material weaknesses in the auditor's report on internal control for major programs as required under § 200.515(c);
(2) A modified opinion on a major program in the auditor's report on major programs as required under § 200.515(c); or
(3) Known or likely questioned costs that exceeded five percent (.05) of the total Federal awards expended for a Type A program during the audit period.
(a) General. The management decision must clearly state whether or not the audit finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments or take other action. If the auditee has not completed corrective action, a timetable for follow-up should be given. Prior to issuing the management decision, the Federal agency or pass-through entity may request additional information or documentation from the auditee, including a request for auditor assurance related to the documentation, as a way of mitigating disallowed costs. The management decision should describe any appeal process available to the auditee. While not required, the Federal agency or pass-through entity may also issue a management decision on findings relating to the financial statements, which are required to be reported in accordance with GAGAS.
(b) Federal agency. The cognizant agency for audit is responsible for coordinating a management decision for audit findings that affect the programs of more than one Federal agency (see § 200.513(a)(4)(viii)). The awarding Federal agency is responsible for issuing a management decision for audit findings that affect the Federal awards it makes to a non-Federal entity (see § 200.513(c)(3)(i)).
(c) Pass-through entity. The pass-through entity is responsible for issuing a management decision for audit findings that affect subawards it issues to subrecipients under a Federal award (see § 200.332(e)).
(d) Time requirements. The Federal agency or pass-through entity responsible for issuing a management decision must do so within six months of the FAC's acceptance of the audit report. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report.
(e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with § 200.516(c).