Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

§ 200.104 Supersession.

As described in § 200.110 Effective/applicability date, this part supersedes the following OMB guidance documents and regulations under Title 2 of the Code of Federal Regulations:

...

OMB will review this part at least every five years after December 26, 2013.

§ 200.110 Effective/applicability date.

(a) The standards set forth in this part which affect administration of Federal awards issued by Federal agencies become effective once implemented by Federal agencies or when any future amendment to this part becomes final. Federal agencies must implement the policies and procedures applicable to Federal awards by promulgating a regulation to be effective by December 26, 2014 unless different provisions are required by statute or approved by OMB.

...

(b) Single audit. A non-Federal entity that expends $750,000 or more during the non-Federal entity's fiscal year in Federal awards must have a single audit conducted in accordance with § 200.514 Scope of audit except when it elects to have a program-specific audit conducted in accordance with paragraph (c) of this section.

(c) Program-specific audit election. When an auditee expends Federal awards under only one Federal program (excluding R&D) and the Federal program's statutes, regulations, or the terms and conditions of the Federal award do not require a financial statement audit of the auditee, the auditee may elect to have a program-specific audit conducted in accordance with § 200.507 Program-specific audits. A program-specific audit may not be elected for R&D unless all of the Federal awards expended were received from the same Federal agency, or the same Federal agency and the same pass-through entity, and that Federal agency, or pass-through entity in the case of a subrecipient, approves in advance a program-specific audit.

...

(f) Subrecipients and Contractors. An auditee may simultaneously be a recipient, a subrecipient, and a contractor. Federal awards expended as a recipient or a subrecipient are subject to audit under this part. The payments received for goods or services provided as a contractor are not Federal awards. Section § 200.330 Subrecipient and contractor determinations should be considered in determining whether payments constitute a Federal award or a payment for goods or services provided as a contractor.

...

(h) For-profit subrecipient. Since this part does not apply to for-profit subrecipients, the pass-through entity is responsible for establishing requirements, as necessary, to ensure compliance by for-profit subrecipients. The agreement with the for-profit subrecipient should describe applicable compliance requirements and the for-profit subrecipient's compliance responsibility. Methods to ensure compliance for Federal awards made to for-profit subrecipients may include pre-award audits, monitoring during the agreement, and post-award audits. See also § 200.331 Requirements for pass-through entities.

...

(b) Loan and loan guarantees (loans). Since the Federal government is at risk for loans until the debt is repaid, the following guidelines must be used to calculate the value of Federal awards expended under loan programs, except as noted in paragraphs (c) and (d) of this section:

(1) Value of new loans made or received during the audit period; plus

(2) Beginning of the audit period balance of loans from previous years for which the Federal government imposes continuing compliance requirements; plus

(3) Any interest subsidy, cash, or administrative cost allowance received.

(c) Loan and loan guarantees (loans) at IHEs. When loans are made to students of an IHE but the IHE does not make the loans, then only the value of loans made during the audit period must be considered Federal awards expended in that audit period. The balance of loans for previous audit periods is not included as Federal awards expended because the lender accounts for the prior balances.

...

(e) Request for a program to be audited as a major program. A Federal awarding agency may request that an auditee have a particular Federal program audited as a major program in lieu of the Federal awarding agency conducting or arranging for the additional audits. To allow for planning, such requests should be made at least 180 calendar days prior to the end of the fiscal year to be audited. The auditee, after consultation with its auditor, should promptly respond to such a request by informing the Federal awarding agency whether the program would otherwise be audited as a major program using the risk-based audit approach described in § 200.518 Major program determination and, if not, the estimated incremental cost. The Federal awarding agency must then promptly confirm to the auditee whether it wants the program audited as a major program. If the program is to be audited as a major program based upon this Federal awarding agency request, and the Federal awarding agency agrees to pay the full incremental costs, then the auditee must have the program audited as a major program. A pass-through entity may use the provisions of this paragraph for a subrecipient.

...

In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in § 200.338 Remedies for noncompliance.

§ 200.506 Audit costs.

See § 200.425 Audit services.

§ 200.507 Program-specific audits.

...

(b) Program-specific audit guide not available. (1) When a program-specific audit guide is not available, the auditee and auditor must have basically the same responsibilities for the Federal program as they would have for an audit of a major program in a single audit.

(2) The auditee must prepare the financial statement(s) for the Federal program that includes, at a minimum, a schedule of expenditures of Federal awards for the program and notes that describe the significant accounting policies used in preparing the schedule, a summary schedule of prior audit findings consistent with the requirements of § 200.511 Audit findings follow-up, paragraph (b), and a corrective action plan consistent with the requirements of § 200.511 Audit findings follow-up, paragraph (c).

(3) The auditor must:

(i) Perform an audit of the financial statement(s) for the Federal program in accordance with GAGAS;

(ii) Obtain an understanding of internal controls and perform tests of internal controls over the Federal program consistent with the requirements of § 200.514 Scope of audit, paragraph (c) for a major program;

(iii) Perform procedures to determine whether the auditee has complied with Federal statutes, regulations, and the terms and conditions of Federal awards that could have a direct and material effect on the Federal program consistent with the requirements of § 200.514 Scope of audit, paragraph (d) for a major program;

(iv) Follow up on prior audit findings, perform procedures to assess the reasonableness of the summary schedule of prior audit findings prepared by the auditee in accordance with the requirements of § 200.511 Audit findings follow-up, and report, as a current year audit finding, when the auditor concludes that the summary schedule of prior audit findings materially misrepresents the status of any prior audit finding; and

(v) Report any audit findings consistent with the requirements of § 200.516 Audit findings.

(4) The auditor's report(s) may be in the form of either combined or separate reports and may be organized differently from the manner presented in this section. The auditor's report(s) must state that the audit was conducted in accordance with this part and include the following:

(i) An opinion (or disclaimer of opinion) as to whether the financial statement(s) of the Federal program is presented fairly in all material respects in accordance with the stated accounting policies;

(ii) A report on internal control related to the Federal program, which must describe the scope of testing of internal control and the results of the tests;

(iii) A report on compliance which includes an opinion (or disclaimer of opinion) as to whether the auditee complied with laws, regulations, and the terms and conditions of Federal awards which could have a direct and material effect on the Federal program; and

(iv) A schedule of findings and questioned costs for the Federal program that includes a summary of the auditor's results relative to the Federal program in a format consistent with § 200.515 Audit reporting, paragraph (d)(1) and findings and questioned costs consistent with the requirements of § 200.515 Audit reporting, paragraph (d)(3).

(c) Report submission for program-specific audits.

(1) The audit must be completed and the reporting required by paragraph (c)(2) or (c)(3) of this section submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period, unless a different period is specified in a program-specific audit guide. Unless restricted by Federal law or regulation, the auditee must make report copies available for public inspection. Auditees and auditors must ensure that their respective parts of the reporting package do not include protected personally identifiable information.

(2) When a program-specific audit guide is available, the auditee must electronically submit to the FAC the data collection form prepared in accordance with § 200.512 Report submission, paragraph (b), as applicable to a program-specific audit, and the reporting required by the program-specific audit guide.

(3) When a program-specific audit guide is not available, the reporting package for a program-specific audit must consist of the financial statement(s) of the Federal program, a summary schedule of prior audit findings, and a corrective action plan as described in paragraph (b)(2) of this section, and the auditor's report(s) described in paragraph (b)(4) of this section. The data collection form prepared in accordance with § 200.512 Report submission, paragraph (b), as applicable to a program-specific audit, and one copy of this reporting package must be electronically submitted to the FAC.

(d) Other sections of this part may apply. Program-specific audits are subject to:

(1) 200.500 Purpose through 200.503 Relation to other audit requirements, paragraph (d);

(2) 200.504 Frequency of audits through 200.506 Audit costs;

(3) 200.508 Auditee responsibilities through 200.509 Auditor selection;

(4) 200.511 Audit findings follow-up;

(5) 200.512 Report submission, paragraphs (e) through (h);

(6) 200.513 Responsibilities;

(7) 200.516 Audit findings through 200.517 Audit documentation;

(8) 200.521 Management decision, and

(9) Other referenced provisions of this part unless contrary to the provisions of this section, a program-specific audit guide, or program statutes and regulations.

Auditees

§ 200.508 Auditee responsibilities.

The auditee must:

(a) Procure or otherwise arrange for the audit required by this part in accordance with § 200.509 Auditor selection, and ensure it is properly performed and submitted when due in accordance with § 200.512 Report submission.

(b) Prepare appropriate financial statements, including the schedule of expenditures of Federal awards in accordance with § 200.510 Financial statements.

(c) Promptly follow up and take corrective action on audit findings, including preparation of a summary schedule of prior audit findings and a corrective action plan in accordance with § 200.511 Audit findings follow-up, paragraph (b) and § 200.511 Audit findings follow-up, paragraph (c), respectively.

...

(a) Auditor procurement. In procuring audit services, the auditee must follow the procurement standards prescribed by the Procurement Standards in §§ § 200.317 Procurement by states through 20 § 200.326 Contract provisions of Subpart D- Post Federal Award Requirements of this part or the FAR (48 CFR part 42), as applicable. When procuring audit services, the objective is to obtain high-quality audits. In requesting proposals for audit services, the objectives and scope of the audit must be made clear and the non-Federal entity must request a copy of the audit organization's peer review report which the auditor is required to provide under GAGAS. Factors to be considered in evaluating each proposal for audit services include the responsiveness to the request for proposal, relevant experience, availability of staff with professional qualifications and technical abilities, the results of peer and external quality control reviews, and price. Whenever possible, the auditee must make positive efforts to utilize small businesses, minority-owned firms, and women's business enterprises, in procuring audit services as stated in § 200.321 Contracting with small and minority businesses, women's business enterprises, and labor surplus area firms, or the FAR (48 CFR part 42), as applicable.

...

(a) Financial statements. The auditee must prepare financial statements that reflect its financial position, results of operations or changes in net assets, and, where appropriate, cash flows for the fiscal year audited. The financial statements must be for the same organizational unit and fiscal year that is chosen to meet the requirements of this part. However, non-Federal entity-wide financial statements may also include departments, agencies, and other organizational units that have separate audits in accordance with § 200.514 Scope of audit, paragraph (a) and prepare separate financial statements.

(b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of Federal awards for the period covered by the auditee's financial statements which must include the total Federal awards expended as determined in accordance with § 200.502 Basis for determining Federal awards expended. While not required, the auditee may choose to provide information requested by Federal awarding agencies and pass-through entities to make the schedule easier to use. For example, when a Federal program has multiple Federal award years, the auditee may list the amount of Federal awards expended for each Federal award year separately. At a minimum, the schedule must:

(1) List individual Federal programs by Federal agency. For a cluster of programs, provide the cluster name, list individual Federal programs within the cluster of programs, and provide the applicable Federal agency name. For R&D, total Federal awards expended must be shown either by individual Federal award or by Federal agency and major subdivision within the Federal agency. For example, the National Institutes of Health is a major subdivision in the Department of Health and Human Services.

(2) For Federal awards received as a subrecipient, the name of the pass-through entity and identifying number assigned by the pass-through entity must be included.

(3) Provide total Federal awards expended for each individual Federal program and the CFDA number or other identifying number when the CFDA information is not available. For a cluster of programs also provide the total for the cluster.

(4) Include the total amount provided to subrecipients from each Federal program.

(5) For loan or loan guarantee programs described in § 200.502 Basis for determining Federal awards expended, paragraph (b), identify in the notes to the schedule the balances outstanding at the end of the audit period. This is in addition to including the total Federal awards expended for loan or loan guarantee programs in the schedule.

(6) Include notes that describe that significant accounting policies used in preparing the schedule, and note whether or not the non-Federal entity elected to use the 10% de minimis cost rate as covered in § 200.414 Indirect (F&A) costs.

§ 200.511 Audit findings follow-up.

(a) General. The auditee is responsible for follow-up and corrective action on all audit findings. As part of this responsibility, the auditee must prepare a summary schedule of prior audit findings. The auditee must also prepare a corrective action plan for current year audit findings. The summary schedule of prior audit findings and the corrective action plan must include the reference numbers the auditor assigns to audit findings under § 200.516 Audit findings, paragraph (c). Since the summary schedule may include audit findings from multiple years, it must include the fiscal year in which the finding initially occurred. The corrective action plan and summary schedule of prior audit findings must include findings relating to the financial statements which are required to be reported in accordance with GAGAS.

(b) Summary schedule of prior audit findings. The summary schedule of prior audit findings must report the status of all audit findings included in the prior audit's schedule of findings and questioned costs. The summary schedule must also include audit findings reported in the prior audit's summary schedule of prior audit findings except audit findings listed as corrected in accordance with paragraph (b)(1) of this section, or no longer valid or not warranting further action in accordance with paragraph (b)(3) of this section.

(1) When audit findings were fully corrected, the summary schedule need only list the audit findings and state that corrective action was taken.

(2) When audit findings were not corrected or were only partially corrected, the summary schedule must describe the reasons for the finding's recurrence and planned corrective action, and any partial corrective action taken. When corrective action taken is significantly different from corrective action previously reported in a corrective action plan or in the Federal agency's or pass-through entity's management decision, the summary schedule must provide an explanation.

(3) When the auditee believes the audit findings are no longer valid or do not warrant further action, the reasons for this position must be described in the summary schedule. A valid reason for considering an audit finding as not warranting further action is that all of the following have occurred:

(i) Two years have passed since the audit report in which the finding occurred was submitted to the FAC;

(ii) The Federal agency or pass-through entity is not currently following up with the auditee on the audit finding; and

(iii) A management decision was not issued.

(c) Corrective action plan. At the completion of the audit, the auditee must prepare, in a document separate from the auditor's findings described in § 200.516 Audit findings, a corrective action plan to address each audit finding included in the current year auditor's reports. The corrective action plan must provide the name(s) of the contact person(s) responsible for corrective action, the corrective action planned, and the anticipated completion date. If the auditee does not agree with the audit findings or believes corrective action is not required, then the corrective action plan must include an explanation and specific reasons.

§ 200.512 Report submission.

(a) General.

(1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.

(2) Unless restricted by Federal statutes or regulations, the auditee must make copies available for public inspection. Auditees and auditors must ensure that their respective parts of the reporting package do not include protected personally identifiable information.

(b) Data Collection. The FAC is the repository of record for Subpart F—Audit Requirements of this part reporting packages and the data collection form. All Federal agencies, pass-through entities and others interested in a reporting package and data collection form must obtain it by accessing the FAC.

(1) The auditee must submit required data elements described in Appendix X to Part 200—Data Collection Form (Form SF-SAC), which state whether the audit was completed in accordance with this part and provides information about the auditee, its Federal programs, and the results of the audit. The data must include information available from the audit required by this part that is necessary for Federal agencies to use the audit to ensure integrity for Federal programs. The data elements and format must be approved by OMB, available from the FAC, and include collections of information from the reporting package described in paragraph (c) of this section. A senior level representative of the auditee (e.g., state controller, director of finance, chief executive officer, or chief financial officer) must sign a statement to be included as part of the data collection that says that the auditee complied with the requirements of this part, the data were prepared in accordance with this part (and the instructions accompanying the form), the reporting package does not include protected personally identifiable information, the information included in its entirety is accurate and complete, and that the FAC is authorized to make the reporting package and the form publicly available on a Web site.

(2) Exception for Indian Tribes. An auditee that is an Indian tribe may opt not to authorize the FAC to make the reporting package publicly available on a Web site, by excluding the authorization for the FAC publication in the statement described in paragraph (b)(1) of this section. If this option is exercised, the auditee becomes responsible for submitting the reporting package directly to any pass-through entities through which it has received a Federal award and to pass-through entities for which the summary schedule of prior audit findings reported the status of any findings related to Federal awards that the pass-through entity provided. Unless restricted by Federal statute or regulation, if the auditee opts not to authorize publication, it must make copies of the reporting package available for public inspection.

(3) Using the information included in the reporting package described in paragraph (c) of this section, the auditor must complete the applicable data elements of the data collection form. The auditor must sign a statement to be included as part of the data collection form that indicates, at a minimum, the source of the information included in the form, the auditor's responsibility for the information, that the form is not a substitute for the reporting package described in paragraph (c) of this section, and that the content of the form is limited to the collection of information prescribed by OMB.

(c) Reporting package. The reporting package must include the:

(1) Financial statements and schedule of expenditures of Federal awards discussed in § 200.510 Financial statements, paragraphs (a) and (b), respectively;

(2) Summary schedule of prior audit findings discussed in § 200.511 Audit findings follow-up, paragraph (b);

(3) Auditor's report(s) discussed in § 200.515 Audit reporting; and

(4) Corrective action plan discussed in § 200.511 Audit findings follow-up, paragraph (c).

(d) Submission to FAC. The auditee must electronically submit to the FAC the data collection form described in paragraph (b) of this section and the reporting package described in paragraph (c) of this section.

...

(g) FAC responsibilities. The FAC must make available the reporting packages received in accordance with paragraph (c) of this section and § 200.507 Program-specific audits, paragraph (c) to the public, except for Indian tribes exercising the option in (b)(2) of this section, and maintain a data base of completed audits, provide appropriate information to Federal agencies, and follow up with known auditees that have not submitted the required data collection forms and reporting packages.

...

§ 200.513 Responsibilities.

(a)

(1) Cognizant agency for audit responsibilities. A non-Federal entity expending more than $50 million a year in Federal awards must have a cognizant agency for audit. The designated cognizant agency for audit must be the Federal awarding agency that provides the predominant amount of direct funding to a non-Federal entity unless OMB designates a specific cognizant agency for audit.

(2) To provide for continuity of cognizance, the determination of the predominant amount of direct funding must be based upon direct Federal awards expended in the non-Federal entity's fiscal years ending in 2009, 2014, 2019 and every fifth year thereafter. For example, audit cognizance for periods ending in 2011 through 2015 will be determined based on Federal awards expended in 2009.

(3) Notwithstanding the manner in which audit cognizance is determined, a Federal awarding agency with cognizance for an auditee may reassign cognizance to another Federal awarding agency that provides substantial funding and agrees to be the cognizant agency for audit. Within 30 calendar days after any reassignment, both the old and the new cognizant agency for audit must provide notice of the change to the FAC, the auditee, and, if known, the auditor. The cognizant agency for audit must:

(i) Provide technical audit advice and liaison assistance to auditees and auditors.

(ii) Obtain or conduct quality control reviews on selected audits made by non-Federal auditors, and provide the results to other interested organizations. Cooperate and provide support to the Federal agency designated by OMB to lead a governmentwide project to determine the quality of single audits by providing a statistically reliable estimate of the extent that single audits conform to applicable requirements, standards, and procedures; and to make recommendations to address noted audit quality issues, including recommendations for any changes to applicable requirements, standards and procedures indicated by the results of the project. This governmentwide audit quality project must be performed once every 6 years beginning in 2018 or at such other interval as determined by OMB, and the results must be public.

(iii) Promptly inform other affected Federal agencies and appropriate Federal law enforcement officials of any direct reporting by the auditee or its auditor required by GAGAS or statutes and regulations.

(iv) Advise the community of independent auditors of any noteworthy or important factual trends related to the quality of audits stemming from quality control reviews. Significant problems or quality issues consistently identified through quality control reviews of audit reports must be referred to appropriate state licensing agencies and professional bodies.

(v) Advise the auditor, Federal awarding agencies, and, where appropriate, the auditee of any deficiencies found in the audits when the deficiencies require corrective action by the auditor. When advised of deficiencies, the auditee must work with the auditor to take corrective action. If corrective action is not taken, the cognizant agency for audit must notify the auditor, the auditee, and applicable Federal awarding agencies and pass-through entities of the facts and make recommendations for follow-up action. Major inadequacies or repetitive substandard performance by auditors must be referred to appropriate state licensing agencies and professional bodies for disciplinary action.

(vi) Coordinate, to the extent practical, audits or reviews made by or for Federal agencies that are in addition to the audits made pursuant to this part, so that the additional audits or reviews build upon rather than duplicate audits performed in accordance with this part.

(vii) Coordinate a management decision for cross-cutting audit findings (as defined in § 200.30 Cross-cutting audit finding) that affect the Federal programs of more than one agency when requested by any Federal awarding agency whose awards are included in the audit finding of the auditee.

(viii) Coordinate the audit work and reporting responsibilities among auditors to achieve the most cost-effective audit.

(ix) Provide advice to auditees as to how to handle changes in fiscal years.

(b) Oversight agency for audit responsibilities. An auditee who does not have a designated cognizant agency for audit will be under the general oversight of the Federal agency determined in accordance with § 200.73 Oversight agency for audit. A Federal agency with oversight for an auditee may reassign oversight to another Federal agency that agrees to be the oversight agency for audit. Within 30 calendar days after any reassignment, both the old and the new oversight agency for audit must provide notice of the change to the FAC, the auditee, and, if known, the auditor. The oversight agency for audit:

(1) Must provide technical advice to auditees and auditors as requested.

(2) May assume all or some of the responsibilities normally performed by a cognizant agency for audit.

(c) Federal awarding agency responsibilities. The Federal awarding agency must perform the following for the Federal awards it makes (See also the requirements of § 200.210 Information contained in a Federal award):

(1) Ensure that audits are completed and reports are received in a timely manner and in accordance with the requirements of this part.

(2) Provide technical advice and counsel to auditees and auditors as requested.

(3) Follow-up on audit findings to ensure that the recipient takes appropriate and timely corrective action. As part of audit follow-up, the Federal awarding agency must:

(i) Issue a management decision as prescribed in § 200.521 Management decision;

(ii) Monitor the recipient taking appropriate and timely corrective action;

(iii) Use cooperative audit resolution mechanisms (see § 200.25 Cooperative audit resolution) to improve Federal program outcomes through better audit resolution, follow-up, and corrective action; and

(iv) Develop a baseline, metrics, and targets to track, over time, the effectiveness of the Federal agency's process to follow-up on audit findings and on the effectiveness of Single Audits in improving non-Federal entity accountability and their use by Federal awarding agencies in making award decisions.

(4) Provide OMB annual updates to the compliance supplement and work with OMB to ensure that the compliance supplement focuses the auditor to test the compliance requirements most likely to cause improper payments, fraud, waste, abuse or generate audit finding for which the Federal awarding agency will take sanctions.

(5) Provide OMB with the name of a single audit accountable official from among the senior policy officials of the Federal awarding agency who must be:

(i) Responsible for ensuring that the agency fulfills all the requirement of § 200.513 Responsibilities and effectively uses the single audit process to reduce improper payments and improve Federal program outcomes.

(ii) Held accountable to improve the effectiveness of the single audit process based upon metrics as described in paragraph (c)(3)(iv) of this section.

(iii) Responsible for designating the Federal agency's key management single audit liaison.

(6) Provide OMB with the name of a key management single audit liaison who must:

(i) Serve as the Federal awarding agency's management point of contact for the single audit process both within and outside the Federal government.

(ii) Promote interagency coordination, consistency, and sharing in areas such as coordinating audit follow-up; identifying higher-risk non-Federal entities; providing input on single audit and follow-up policy; enhancing the utility of the FAC; and studying ways to use single audit results to improve Federal award accountability and best practices.

(iii) Oversee training for the Federal awarding agency's program management personnel related to the single audit process.

(iv) Promote the Federal awarding agency's use of cooperative audit resolution mechanisms.

(v) Coordinate the Federal awarding agency's activities to ensure appropriate and timely follow-up and corrective action on audit findings.

(vi) Organize the Federal cognizant agency for audit's follow-up on cross-cutting audit findings that affect the Federal programs of more than one Federal awarding agency.

(vii) Ensure the Federal awarding agency provides annual updates of the compliance supplement to OMB.

(viii) Support the Federal awarding agency's single audit accountable official's mission.

Auditors

§ 200.514 Scope of audit.

...

(b) Financial statements. The auditor must determine whether the financial statements of the auditee are presented fairly in all material respects in accordance with generally accepted accounting principles. The auditor must also determine whether the schedule of expenditures of Federal awards is stated fairly in all material respects in relation to the auditee's financial statements as a whole.

(c) Internal control.

(1) The compliance supplement provides guidance on internal controls over Federal programs based upon the guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States and the Internal Control—Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

(2) In addition to the requirements of GAGAS, the auditor must perform procedures to obtain an understanding of internal control over Federal programs sufficient to plan the audit to support a low assessed level of control risk of noncompliance for major programs.

(3) Except as provided in paragraph (c)(4) of this section, the auditor must:

(i) Plan the testing of internal control over compliance for major programs to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program; and

(ii) Perform testing of internal control as planned in paragraph (c)(3)(i) of this section.

(4) When internal control over some or all of the compliance requirements for a major program are likely to be ineffective in preventing or detecting noncompliance, the planning and performing of testing described in paragraph (c)(3) of this section are not required for those compliance requirements. However, the auditor must report a significant deficiency or material weakness in accordance with § 200.516 Audit findings, assess the related control risk at the maximum, and consider whether additional compliance tests are required because of ineffective internal control.

(d) Compliance.

(1) In addition to the requirements of GAGAS, the auditor must determine whether the auditee has complied with Federal statutes, regulations, and the terms and conditions of Federal awards that may have a direct and material effect on each of its major programs.

(2) The principal compliance requirements applicable to most Federal programs and the compliance requirements of the largest Federal programs are included in the compliance supplement.

(3) For the compliance requirements related to Federal programs contained in the compliance supplement, an audit of these compliance requirements will meet the requirements of this part. Where there have been changes to the compliance requirements and the changes are not reflected in the compliance supplement, the auditor must determine the current compliance requirements and modify the audit procedures accordingly. For those Federal programs not covered in the compliance supplement, the auditor should follow the compliance supplement's guidance for programs not included in the supplement.

(4) The compliance testing must include tests of transactions and such other auditing procedures necessary to provide the auditor sufficient appropriate audit evidence to support an opinion on compliance.

(e) Audit follow-up. The auditor must follow-up on prior audit findings, perform procedures to assess the reasonableness of the summary schedule of prior audit findings prepared by the auditee in accordance with § 200.511 Audit findings follow-up paragraph (b), and report, as a current year audit finding, when the auditor concludes that the summary schedule of prior audit findings materially misrepresents the status of any prior audit finding. The auditor must perform audit follow-up procedures regardless of whether a prior audit finding relates to a major program in the current year.

(f) Data Collection Form. As required in § 200.512 Report submission paragraph (b)(3), the auditor must complete and sign specified sections of the data collection form.

...

(d) A schedule of findings and questioned costs which must include the following three components:

(1) A summary of the auditor's results, which must include:

(i) The type of report the auditor issued on whether the financial statements audited were prepared in accordance with GAAP (i.e., unmodified opinion, qualified opinion, adverse opinion, or disclaimer of opinion);

(ii) Where applicable, a statement about whether significant deficiencies or material weaknesses in internal control were disclosed by the audit of the financial statements;

(iii) A statement as to whether the audit disclosed any noncompliance that is material to the financial statements of the auditee;

(iv) Where applicable, a statement about whether significant deficiencies or material weaknesses in internal control over major programs were disclosed by the audit;

(v) The type of report the auditor issued on compliance for major programs (i.e., unmodified opinion, qualified opinion, adverse opinion, or disclaimer of opinion);

(vi) A statement as to whether the audit disclosed any audit findings that the auditor is required to report under § 200.516 Audit findings paragraph (a);

(vii) An identification of major programs by listing each individual major program; however in the case of a cluster of programs only the cluster name as shown on the Schedule of Expenditures of Federal Awards is required;

(viii) The dollar threshold used to distinguish between Type A and Type B programs, as described in § 200.518 Major program determination paragraph (b)(1), or (b)(3) when a recalculation of the Type A threshold is required for large loan or loan guarantees; and

(ix) A statement as to whether the auditee qualified as a low-risk auditee under § 200.520 Criteria for a low-risk auditee.

(2) Findings relating to the financial statements which are required to be reported in accordance with GAGAS.

(3) Findings and questioned costs for Federal awards which must include audit findings as defined in § 200.516 Audit findings, paragraph (a).

(i) Audit findings (e.g., internal control findings, compliance findings, questioned costs, or fraud) that relate to the same issue should be presented as a single audit finding. Where practical, audit findings should be organized by Federal agency or pass-through entity.

(ii) Audit findings that relate to both the financial statements and Federal awards, as reported under paragraphs (d)(2) and (d)(3) of this section, respectively, should be reported in both sections of the schedule. However, the reporting in one section of the schedule may be in summary form with a reference to a detailed reporting in the other section of the schedule.

(e) Nothing in this part precludes combining of the audit reporting required by this section with the reporting required by § 200.512 Report submission, paragraph (b) Data Collection when allowed by GAGAS and Appendix X to Part 200—Data Collection Form (Form SF-SAC).

...

(a) Audit findings reported. The auditor must report the following as audit findings in a schedule of findings and questioned costs:

(1) Significant deficiencies and material weaknesses in internal control over major programs and significant instances of abuse relating to major programs. The auditor's determination of whether a deficiency in internal control is a significant deficiency or material weakness for the purpose of reporting an audit finding is in relation to a type of compliance requirement for a major program identified in the Compliance Supplement.

(2) Material noncompliance with the provisions of Federal statutes, regulations, or the terms and conditions of Federal awards related to a major program. The auditor's determination of whether a noncompliance with the provisions of Federal statutes, regulations, or the terms and conditions of Federal awards is material for the purpose of reporting an audit finding is in relation to a type of compliance requirement for a major program identified in the compliance supplement.

(3) Known questioned costs that are greater than $25,000 for a type of compliance requirement for a major program. Known questioned costs are those specifically identified by the auditor. In evaluating the effect of questioned costs on the opinion on compliance, the auditor considers the best estimate of total costs questioned (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program. In reporting questioned costs, the auditor must include information to provide proper perspective for judging the prevalence and consequences of the questioned costs.

(4) Known questioned costs that are greater than $25,000 for a Federal program which is not audited as a major program. Except for audit follow-up, the auditor is not required under this part to perform audit procedures for such a Federal program; therefore, the auditor will normally not find questioned costs for a program that is not audited as a major program. However, if the auditor does become aware of questioned costs for a Federal program that is not audited as a major program (e.g., as part of audit follow-up or other audit procedures) and the known questioned costs are greater than $25,000, then the auditor must report this as an audit finding.

(5) The circumstances concerning why the auditor's report on compliance for each major program is other than an unmodified opinion, unless such circumstances are otherwise reported as audit findings in the schedule of findings and questioned costs for Federal awards.

(6) Known or likely fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards. This paragraph does not require the auditor to report publicly information which could compromise investigative or legal proceedings or to make an additional reporting when the auditor confirms that the fraud was reported outside the auditor's reports under the direct reporting requirements of GAGAS.

(7) Instances where the results of audit follow-up procedures disclosed that the summary schedule of prior audit findings prepared by the auditee in accordance with § 200.511 Audit findings follow-up, paragraph (b) materially misrepresents the status of any prior audit finding.

(b) Audit finding detail and clarity. Audit findings must be presented in sufficient detail and clarity for the auditee to prepare a corrective action plan and take corrective action, and for Federal agencies and pass-through entities to arrive at a management decision. The following specific information must be included, as applicable, in audit findings:

(1) Federal program and specific Federal award identification including the CFDA title and number, Federal award identification number and year, name of Federal agency, and name of the applicable pass-through entity. When information, such as the CFDA title and number or Federal award identification number, is not available, the auditor must provide the best information available to describe the Federal award.

(2) The criteria or specific requirement upon which the audit finding is based, including the Federal statutes, regulations, or the terms and conditions of the Federal awards. Criteria generally identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding findings.

(3) The condition found, including facts that support the deficiency identified in the audit finding.

(4) A statement of cause that identifies the reason or explanation for the condition or the factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective action.

(5) The possible asserted effect to provide sufficient information to the auditee and Federal agency, or pass-through entity in the case of a subrecipient, to permit them to determine the cause and effect to facilitate prompt and proper corrective action. A statement of the effect or potential effect should provide a clear, logical link to establish the impact or potential impact of the difference between the condition and the criteria.

(6) Identification of questioned costs and how they were computed. Known questioned costs must be identified by applicable CFDA number(s) and applicable Federal award identification number(s).

(7) Information to provide proper perspective for judging the prevalence and consequences of the audit findings, such as whether the audit findings represent an isolated instance or a systemic problem. Where appropriate, instances identified must be related to the universe and the number of cases examined and be quantified in terms of dollar value. The auditor should report whether the sampling was a statistically valid sample.

(8) Identification of whether the audit finding was a repeat of a finding in the immediately prior audit and if so any applicable prior year audit finding numbers.

(9) Recommendations to prevent future occurrences of the deficiency identified in the audit finding.

(10) Views of responsible officials of the auditee.

(c) Reference numbers. Each audit finding in the schedule of findings and questioned costs must include a reference number in the format meeting the requirements of the data collection form submission required by § 200.512 Report submission, paragraph (b) to allow for easy referencing of the audit findings during follow-up.

...

(3) The inclusion of large loan and loan guarantees (loans) should not result in the exclusion of other programs as Type A programs. When a Federal program providing loans exceeds four times the largest non-loan program it is considered a large loan program, and the auditor must consider this Federal program as a Type A program and exclude its values in determining other Type A programs. This recalculation of the Type A program is performed after removing the total of all large loan programs. For the purposes of this paragraph a program is only considered to be a Federal program providing loans if the value of Federal awards expended for loans within the program comprises fifty percent or more of the total Federal awards expended for the program. A cluster of programs is treated as one program and the value of Federal awards expended under a loan program is determined as described in § 200.502 Basis for determining Federal awards expended.

...

(f) Percentage of coverage rule. If the auditee meets the criteria in § 200.520 Criteria for a low-risk auditee, the auditor need only audit the major programs identified in Step 4 (paragraph (e)(1) and (2) of this section) and such additional Federal programs with Federal awards expended that, in aggregate, all major programs encompass at least 20 percent (0.20) of total Federal awards expended. Otherwise, the auditor must audit the major programs identified in Step 4 (paragraphs (e)(1) and (2) of this section) and such additional Federal programs with Federal awards expended that, in aggregate, all major programs encompass at least 40 percent (0.40) of total Federal awards expended.

...

(b) Current and prior audit experience.

(1) Weaknesses in internal control over Federal programs would indicate higher risk. Consideration should be given to the control environment over Federal programs and such factors as the expectation of management's adherence to Federal statutes, regulations, and the terms and conditions of Federal awards and the competence and experience of personnel who administer the Federal programs.

(i) A Federal program administered under multiple internal control structures may have higher risk. When assessing risk in a large single audit, the auditor must consider whether weaknesses are isolated in a single operating unit (e.g., one college campus) or pervasive throughout the entity.

(ii) When significant parts of a Federal program are passed through to subrecipients, a weak system for monitoring subrecipients would indicate higher risk.

(2) Prior audit findings would indicate higher risk, particularly when the situations identified in the audit findings could have a significant impact on a Federal program or have not been corrected.

(3) Federal programs not recently audited as major programs may be of higher risk than Federal programs recently audited as major programs without audit findings.

(c) Oversight exercised by Federal agencies and pass-through entities.

(1) Oversight exercised by Federal agencies or pass-through entities could be used to assess risk. For example, recent monitoring or other reviews performed by an oversight entity that disclosed no significant problems would indicate lower risk, whereas monitoring that disclosed significant problems would indicate higher risk.

(2) Federal agencies, with the concurrence of OMB, may identify Federal programs that are higher risk. OMB will provide this identification in the compliance supplement.

(d) Inherent risk of the Federal program.

(1) The nature of a Federal program may indicate risk. Consideration should be given to the complexity of the program and the extent to which the Federal program contracts for goods and services. For example, Federal programs that disburse funds through third party contracts or have eligibility criteria may be of higher risk. Federal programs primarily involving staff payroll costs may have high risk for noncompliance with requirements of § 200.430 Compensation—personal services, but otherwise be at low risk.

(2) The phase of a Federal program in its life cycle at the Federal agency may indicate risk. For example, a new Federal program with new or interim regulations may have higher risk than an established program with time-tested regulations. Also, significant changes in Federal programs, statutes, regulations, or the terms and conditions of Federal awards may increase risk.

(3) The phase of a Federal program in its life cycle at the auditee may indicate risk. For example, during the first and last years that an auditee participates in a Federal program, the risk may be higher due to start-up or closeout of program activities and staff.

(4) Type B programs with larger Federal awards expended would be of higher risk than programs with substantially smaller Federal awards expended.

§ 200.520 Criteria for a low-risk auditee.

An auditee that meets all of the following conditions for each of the preceding two audit periods must qualify as a low-risk auditee and be eligible for reduced audit coverage in accordance with § 200.518 Major program determination.

(a) Single audits were performed on an annual basis in accordance with the provisions of this Subpart, including submitting the data collection form and the reporting package to the FAC within the timeframe specified in § 200.512 Report submission. A non-Federal entity that has biennial audits does not qualify as a low-risk auditee.

...

(e) None of the Federal programs had audit findings from any of the following in either of the preceding two audit periods in which they were classified as Type A programs:

(1) Internal control deficiencies that were identified as material weaknesses in the auditor's report on internal control for major programs as required under § 200.515 Audit reporting, paragraph (c);

(2) A modified opinion on a major program in the auditor's report on major programs as required under § 200.515 Audit reporting, paragraph (c); or

(3) Known or likely questioned costs that exceeded five percent of the total Federal awards expended for a Type A program during the audit period.

Management Decisions

§ 200.521 Management decision.

...

(b) Federal agency. As provided in § 200.513 Responsibilities, paragraph (a)(7), the cognizant agency for audit must be responsible for coordinating a management decision for audit findings that affect the programs of more than one Federal agency. As provided in § 200.513 Responsibilities, paragraph (c)(3), a Federal awarding agency is responsible for issuing a management decision for findings that relate to Federal awards it makes to non-Federal entities.

(c) Pass-through entity. As provided in § 200.331 Requirements for pass-through entities, paragraph (d), the pass-through entity must be responsible for issuing a management decision for audit findings that relate to Federal awards it makes to subrecipients.

...

(e) Reference numbers. Management decisions must include the reference numbers the auditor assigned to each audit finding in accordance with § 200.516 Audit findings paragraph (c).

...