You are using an unsupported browser. This web site is designed for the current versions of Microsoft Edge, Google Chrome, Mozilla Firefox, or Safari.
The Office of the Federal Register publishes documents on behalf of Federal agencies but does not have any authority over their programs. We recommend you directly contact the agency associated with the content in question.
If you have comments or suggestions on how to improve the www.ecfr.gov website or have questions about using www.ecfr.gov, please choose the 'Website Feedback' button below.
If you would like to comment on the current content, please use the 'Content Feedback' button below for instructions on contacting the issuing agency
Enhanced content is provided to the user to provide additional context.
This content is from the eCFR and is authoritative but unofficial.
Navigate by entering citations or phrases (eg: 1 CFR 1.1 49 CFR 172.101 Organization and Purpose 1/1.1 Regulation Y FAR).
Choosing an item from citations and headings will bring you directly to the content. Choosing an item from full text search results will bring you to those results. Pressing enter in the search box will also bring you to search results.
Background and more details are available in the Search & Navigation guide.
| Auditors | 200.514 – 200.520 | ||||||||||||||||||||||
| |||||||||||||||||||||||
78 FR 78608, Dec. 26, 2013, unless otherwise noted.
Generate PDF (approximately 10+ pages)
This content is from the eCFR and may include recent changes applied to the CFR. The official, published CFR, is updated annually and available below under "Published Edition". You can learn more about the process here.
The eCFR is displayed with paragraphs split and indented to follow the hierarchy of the document. This is an automated process for user convenience only and is not intended to alter agency intent or existing codification.
A separate drafting site is available with paragraph structure matching the official CFR formatting. If you work for a Federal agency, use this drafting site when drafting amendatory language for Federal regulations: switch to eCFR drafting site.
Subscribe to: 2 CFR Part 200 Subpart F - Auditors
View the most recent official publication:
These links go to the official, published CFR, which is updated annually. As a result, it may not include the most recent changes applied to the CFR. Learn more.
This document is available in the following developer friendly formats:
Information and documentation can be found in our developer resources.
The Code of Federal Regulations (CFR) is the official legal print publication containing the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the Federal Government. The Electronic Code of Federal Regulations (eCFR) is a continuously updated online version of the CFR. It is not an official legal edition of the CFR.
Learn more about the eCFR, its status, and the editorial process.
(a) General. The audit must be conducted in accordance with GAGAS. The audit must cover the entire operations of the auditee, or, at the option of the auditee, such audit must include a series of audits that cover departments, agencies, and other organizational units that expended or otherwise administered Federal awards during such audit period, provided that each such audit must encompass the financial statements and schedule of expenditures of Federal awards for each such department, agency, and other organizational unit, which must be considered to be a non-Federal entity. The financial statements and schedule of expenditures of Federal awards must be for the same audit period.
(b) Financial statements. The auditor must determine whether the financial statements of the auditee are presented fairly in all material respects in accordance with generally accepted accounting principles. The auditor must also determine whether the schedule of expenditures of Federal awards is stated fairly in all material respects in relation to the auditee's financial statements as a whole.
(c) Internal control.
(1) The compliance supplement provides guidance on internal controls over Federal programs based upon the guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States and the Internal Control—Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
(2) In addition to the requirements of GAGAS, the auditor must perform procedures to obtain an understanding of internal control over Federal programs sufficient to plan the audit to support a low assessed level of control risk of noncompliance for major programs.
(3) Except as provided in paragraph (c)(4) of this section, the auditor must:
(i) Plan the testing of internal control over compliance for major programs to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program; and
(ii) Perform testing of internal control as planned in paragraph (c)(3)(i) of this section.
(4) When internal control over some or all of the compliance requirements for a major program are likely to be ineffective in preventing or detecting noncompliance, the planning and performing of testing described in paragraph (c)(3) of this section are not required for those compliance requirements. However, the auditor must report a significant deficiency or material weakness in accordance with § 200.516, assess the related control risk at the maximum, and consider whether additional compliance tests are required because of ineffective internal control.
(d) Compliance.
(1) In addition to the requirements of GAGAS, the auditor must determine whether the auditee has complied with Federal statutes, regulations, and the terms and conditions of Federal awards that may have a direct and material effect on each of its major programs.
(2) The principal compliance requirements applicable to most Federal programs and the compliance requirements of the largest Federal programs are included in the compliance supplement.
(3) For the compliance requirements related to Federal programs contained in the compliance supplement, an audit of these compliance requirements will meet the requirements of this part. Where there have been changes to the compliance requirements and the changes are not reflected in the compliance supplement, the auditor must determine the current compliance requirements and modify the audit procedures accordingly. For those Federal programs not covered in the compliance supplement, the auditor must follow the compliance supplement's guidance for programs not included in the supplement.
(4) When internal control over some or all of the compliance requirements for a major program are likely to be ineffective in preventing or detecting noncompliance, the planning and performing of testing described in paragraph (c)(3) of this section are not required for those compliance requirements. However, the auditor must report a significant deficiency or material weakness in accordance with § 200.516, assess the related control risk at the
(e) Audit follow-up. The auditor must follow-up on prior audit findings, perform procedures to assess the reasonableness of the summary schedule of prior audit findings prepared by the auditee in accordance with § 200.511(b), and report, as a current year audit finding, when the auditor concludes that the summary schedule of prior audit findings materially misrepresents the status of any prior audit finding. The auditor must perform audit follow-up procedures regardless of whether a prior audit finding relates to a major program in the current year.
(f) Data collection form. As required in § 200.512(b)(3), the auditor must complete and sign specified sections of the data collection form.
[78 FR 78608, Dec. 26, 2013, as amended at 79 FR 75887, Dec. 19, 2014; 85 FR 49574, Aug. 13, 2020; 86 FR 10440, Feb. 22, 2021]
The auditor's report(s) may be in the form of either combined or separate reports and may be organized differently from the manner presented in this section. The auditor's report(s) must state that the audit was conducted in accordance with this part and include the following:
(a) Financial statements. The auditor must determine and provide an opinion (or disclaimer of opinion) whether the financial statements of the auditee are presented fairly in all materials respects in accordance with generally accepted accounting principles (or a special purpose framework such as cash, modified cash, or regulatory as required by state law). The auditor must also decide whether the schedule of expenditures of Federal awards is stated fairly in all material respects in relation to the auditee's financial statements as a whole.
(b) A report on internal control over financial reporting and compliance with provisions of laws, regulations, contracts, and award agreements, noncompliance with which could have a material effect on the financial statements. This report must describe the scope of testing of internal control and compliance and the results of the tests, and, where applicable, it will refer to the separate schedule of findings and questioned costs described in paragraph (d) of this section.
(c) A report on compliance for each major program and a report on internal control over compliance. This report must describe the scope of testing of internal control over compliance, include an opinion or disclaimer of opinion as to whether the auditee complied with Federal statutes, regulations, and the terms and conditions of Federal awards which could have a direct and material effect on each major program and refer to the separate schedule of findings and questioned costs described in paragraph (d) of this section.
(d) A schedule of findings and questioned costs which must include the following three components:
(1) A summary of the auditor's results, which must include:
(i) The type of report the auditor issued on whether the financial statements audited were prepared in accordance with GAAP (i.e., unmodified opinion, qualified opinion, adverse opinion, or disclaimer of opinion);
(ii) Where applicable, a statement about whether significant deficiencies or material weaknesses in internal control were disclosed by the audit of the financial statements;
(iii) A statement as to whether the audit disclosed any noncompliance that is material to the financial statements of the auditee;
(iv) Where applicable, a statement about whether significant deficiencies or material weaknesses in internal control over major programs were disclosed by the audit;
(v) The type of report the auditor issued on compliance for major programs (i.e., unmodified opinion, qualified opinion, adverse opinion, or disclaimer of opinion);
(vi) A statement as to whether the audit disclosed any audit findings that the auditor is required to report under § 200.516(a);
(vii) An identification of major programs by listing each individual major program; however, in the case of a cluster of programs, only the cluster name as shown on the Schedule of Expenditures of Federal Awards is required;
(viii) The dollar threshold used to distinguish between Type A and Type B programs, as described in § 200.518(b)(1) or (3) when a recalculation of the Type A threshold is required for large loan or loan guarantees; and
(ix) A statement as to whether the auditee qualified as a low-risk auditee under § 200.520.
(2) Findings relating to the financial statements which are required to be reported in accordance with GAGAS.
(3) Findings and questioned costs for Federal awards which must include audit findings as defined in § 200.516(a).
(i) Audit findings (e.g., internal control findings, compliance findings, questioned costs, or fraud) that relate to the same issue must be presented as a single audit finding. Where practical, audit findings should be organized by Federal agency or pass-through entity.
(ii) Audit findings that relate to both the financial statements and Federal awards, as reported under paragraphs (d)(2) and (d)(3) of this section, respectively, must be reported in both sections of the schedule. However, the reporting in one section of the schedule may be in summary form with a reference to a detailed reporting in the other section of the schedule.
(e) Nothing in this part precludes combining of the audit reporting required by this section with the reporting required by § 200.512(b) when allowed by GAGAS and appendix X to this part.
[78 FR 78608, Dec. 26, 2013, as amended at 79 FR 75887, Dec. 19, 2014; 85 FR 49574, Aug. 13, 2020]
(a) Audit findings reported. The auditor must report the following as audit findings in a schedule of findings and questioned costs:
(1) Significant deficiencies and material weaknesses in internal control over major programs and significant instances of abuse relating to major programs. The auditor's determination of whether a deficiency in internal control is a significant deficiency or a material weakness for the purpose of reporting an audit finding is in relation to a type of compliance requirement for a major program identified in the Compliance Supplement.
(2) Material noncompliance with the provisions of Federal statutes, regulations, or the terms and conditions of Federal awards related to a major program. The auditor's determination of whether a noncompliance with the provisions of Federal statutes, regulations, or the terms and conditions of Federal awards is material for the purpose of reporting an audit finding is in relation to a type of compliance requirement for a major program identified in the compliance supplement.
(3) Known questioned costs that are greater than $25,000 for a type of compliance requirement for a major program. Known questioned costs are those specifically identified by the auditor. In evaluating the effect of questioned costs on the opinion on compliance, the auditor considers the best estimate of total costs questioned (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor must also report known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program. In reporting questioned costs, the auditor must include information to provide proper perspective for judging the prevalence and consequences of the questioned costs.
(4) Known questioned costs that are greater than $25,000 for a Federal program which is not audited as a major program. Except for audit follow-up, the auditor is not required under this part to perform audit procedures for such a Federal program; therefore, the auditor will normally not find questioned costs for a program that is not audited as a major program. However, if the auditor does become aware of questioned costs for a Federal program that is not audited as a major program (e.g., as part of audit follow-up or other audit procedures) and the known questioned costs are greater than $25,000, then the auditor must report this as an audit finding.
(5) The circumstances concerning why the auditor's report on compliance for each major program is other than an unmodified opinion, unless such circumstances are otherwise reported as audit findings in the schedule of findings and questioned costs for Federal awards.
(6) Known or likely fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards. This paragraph does not require the auditor to report publicly information which could compromise investigative or legal proceedings or to make an additional reporting when the auditor confirms that the fraud was reported outside the auditor's reports under the direct reporting requirements of GAGAS.
(7) Instances where the results of audit follow-up procedures disclosed that the summary schedule of prior audit findings prepared by the auditee in accordance with § 200.511(b) materially misrepresents the status of any prior audit finding.
(b) Audit finding detail and clarity. Audit findings must be presented in sufficient detail and clarity for the auditee to prepare a corrective action plan and take corrective action, and for Federal agencies and pass-through entities to arrive at a management decision. The following specific information must be included, as applicable, in audit findings:
(1) Federal program and specific Federal award identification including the Assistance Listings title and number, Federal award identification number and year, name of Federal agency, and name of the applicable pass-through entity. When information, such as the Assistance Listings title and number or Federal award identification number, is not available, the auditor must provide the best information available to describe the Federal award.
(2) The criteria or specific requirement upon which the audit finding is based, including the Federal statutes, regulations, or the terms and conditions of the Federal awards. Criteria generally identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding findings.
(3) The condition found, including facts that support the deficiency identified in the audit finding.
(4) A statement of cause that identifies the reason or explanation for the condition or the factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective action.
(5) The possible asserted effect to provide sufficient information to the auditee and Federal agency, or pass-through entity in the case of a subrecipient, to permit them to determine the cause and effect to facilitate prompt and proper corrective action. A statement of the effect or potential effect should provide a clear, logical link to establish the impact or potential impact of the difference between the condition and the criteria.
(6) Identification of questioned costs and how they were computed. Known questioned costs must be identified by applicable Assistance Listings number(s) and applicable Federal award identification number(s).
(7) Information to provide proper perspective for judging the prevalence and consequences of the audit findings, such as whether the audit findings represent an isolated instance or a systemic problem. Where appropriate, instances identified must be related to the universe and the number of cases examined and be quantified in terms of dollar value. The auditor should report whether the sampling was a statistically valid sample.
(8) Identification of whether the audit finding was a repeat of a finding in the immediately prior audit and if so any applicable prior year audit finding numbers.
(9) Recommendations to prevent future occurrences of the deficiency identified in the audit finding.
(10) Views of responsible officials of the auditee.
(c) Reference numbers. Each audit finding in the schedule of findings and questioned costs must include a reference number in the format meeting the requirements of the data collection form submission required by § 200.512(b) to allow for easy referencing of the audit findings during follow-up.
[78 FR 78608, Dec. 26, 2013, as amended at 85 FR 49574, Aug. 13, 2020]
(a) Retention of audit documentation. The auditor must retain audit documentation and reports for a minimum of three years after the date of issuance of the auditor's report(s) to the auditee, unless the auditor is notified in writing by the cognizant agency for audit, oversight agency for audit, cognizant agency for indirect costs, or pass-through entity to extend the retention period. When the auditor is aware that the Federal agency, pass-through entity, or auditee is contesting an audit finding, the auditor must contact the parties contesting the audit finding for guidance prior to destruction of the audit documentation and reports.
(b) Access to audit documentation. Audit documentation must be made available upon request to the cognizant or oversight agency for audit or its designee, cognizant agency for indirect cost, a Federal agency, or GAO at the completion of the audit, as part of a quality review, to resolve audit findings, or to carry out oversight responsibilities consistent with the purposes of this part. Access to audit documentation includes the right of Federal agencies to obtain copies of audit documentation, as is reasonable and necessary.
(a) General. The auditor must use a risk-based approach to determine which Federal programs are major programs. This risk-based approach must include consideration of: current and prior audit experience, oversight by Federal agencies and pass-through entities, and the inherent risk of the Federal program. The process in paragraphs (b) through (h) of this section must be followed.
(b) Step one.
(1) The auditor must identify the larger Federal programs, which must be labeled Type A programs. Type A programs are defined as Federal programs with Federal awards expended during the audit period exceeding the levels outlined in the table in this paragraph (b)(1):
| Total Federal awards expended | Type A/B threshold |
|---|---|
| Equal to or exceed $750,000 but less than or equal to $25 million | $750,000. |
| Exceed $25 million but less than or equal to $100 million | Total Federal awards expended times .03. |
| Exceed $100 million but less than or equal to $1 billion | $3 million. |
| Exceed $1 billion but less than or equal to $10 billion | Total Federal awards expended times .003. |
| Exceed $10 billion but less than or equal to $20 billion | $30 million. |
| Exceed $20 billion | Total Federal awards expended times .0015. |
(2) Federal programs not labeled Type A under paragraph (b)(1) of this section must be labeled Type B programs.
(3) The inclusion of large loan and loan guarantees (loans) must not result in the exclusion of other programs as Type A programs. When a Federal program providing loans exceeds four times the largest non-loan program it is considered a large loan program, and the auditor must consider this Federal program as a Type A program and exclude its values in determining other Type A programs. This recalculation of the Type A program is performed after removing the total of all large loan programs. For the purposes of this paragraph a program is only considered to be a Federal program providing loans if the value of Federal awards expended for loans within the program comprises fifty percent or more of the total Federal awards expended for the program. A cluster of programs is treated as one program and the value of Federal awards expended under a loan program is determined as described in § 200.502.
(4) For biennial audits permitted under § 200.504, the determination of Type A and Type B programs must be based upon the Federal awards expended during the two-year period.
(c) Step two.
(1) The auditor must identify Type A programs which are low-risk. In making this determination, the auditor must consider whether the requirements in § 200.519(c), the results of audit follow-up, or any changes in personnel or systems affecting the program indicate significantly increased risk and preclude the program from being low risk. For a Type A program to be considered low-risk, it must have been audited as a major program in at least one of the two most recent audit periods (in the most recent audit period in the case of a biennial audit), and, in the most recent audit period, the program must have not had:
(i) Internal control deficiencies which were identified as material weaknesses in the auditor's report on internal control for major programs as required under § 200.515(c);
(ii) A modified opinion on the program in the auditor's report on major programs as required under § 200.515(c); or
(iii) Known or likely questioned costs that exceed five percent of the total Federal awards expended for the program.
(2) Notwithstanding paragraph (c)(1) of this section, OMB may approve a Federal awarding agency's request that a Type A program may not be considered low risk for a certain recipient. For example, it may be necessary for a large Type A program to be audited as a major program each year at a particular recipient to allow the Federal awarding agency to comply with 31 U.S.C. 3515. The Federal awarding agency must notify the recipient and, if known, the auditor of OMB's approval at least 180 calendar days prior to the end of the fiscal year to be audited.
(d) Step three.
(1) The auditor must identify Type B programs which are high-risk using professional judgment and the criteria in § 200.519. However, the auditor is not required to identify more high-risk Type B programs than at least one fourth the number of low-risk Type A programs identified as low-risk under Step 2 (paragraph (c) of this section). Except for known material weakness in internal control or compliance problems as discussed in § 200.519(b)(1) and (2) and (c)(1), a single criterion in risk would seldom cause a Type B program to be considered high-risk. When identifying which Type B programs to risk assess, the auditor is encouraged to use an approach which provides an opportunity for different high-risk Type B programs to be audited as major over a period of time.
(2) The auditor is not expected to perform risk assessments on relatively small Federal programs. Therefore, the auditor is only required to perform risk assessments on Type B programs that exceed twenty-five percent (0.25) of the Type A threshold determined in Step 1 (paragraph (b) of this section).
(e) Step four. At a minimum, the auditor must audit all of the following as major programs:
(1) All Type A programs not identified as low risk under step two (paragraph (c)(1) of this section).
(2) All Type B programs identified as high-risk under step three (paragraph (d) of this section).
(3) Such additional programs as may be necessary to comply with the percentage of coverage rule discussed in paragraph (f) of this section. This may require the auditor to audit more programs as major programs than the number of Type A programs.
(f) Percentage of coverage rule. If the auditee meets the criteria in § 200.520, the auditor need only audit the major programs identified in Step 4 (paragraphs (e)(1) and (2) of this section) and such additional Federal programs with Federal awards expended that, in aggregate, all major programs encompass at least 20 percent (0.20) of total Federal awards expended. Otherwise, the auditor must audit the major programs identified in Step 4 (paragraphs (e)(1) and (2) of this section) and such additional Federal programs with Federal awards expended that, in aggregate, all major programs encompass at least 40 percent (0.40) of total Federal awards expended.
(g) Documentation of risk. The auditor must include in the audit documentation the risk analysis process used in determining major programs.
(h) Auditor's judgment. When the major program determination was performed and documented in accordance with this Subpart, the auditor's judgment in applying the risk-based approach to determine major programs must be presumed correct. Challenges by Federal agencies and pass-through entities must only be for clearly improper use of the requirements in this part. However, Federal agencies and pass-through entities may provide auditors guidance about the risk of a particular Federal program and the auditor must consider this guidance in determining major programs in audits not yet completed.
[78 FR 78608, Dec. 26, 2013, as amended at 79 FR 75887, Dec. 19, 2014; 85 FR 49574, Aug. 13, 2020]
(a) General. The auditor's determination should be based on an overall evaluation of the risk of noncompliance occurring that could be material to the Federal program. The auditor must consider criteria, such as described in paragraphs (b), (c), and (d) of this section, to identify risk in Federal programs. Also, as part of the risk analysis, the auditor may wish to discuss a particular Federal program with auditee management and the Federal agency or pass-through entity.
(b) Current and prior audit experience.
(1) Weaknesses in internal control over Federal programs would indicate higher risk. Consideration should be given to the control environment over Federal programs and such factors as the expectation of management's adherence to Federal statutes, regulations, and the terms and conditions of Federal awards and the competence and experience of personnel who administer the Federal programs.
(i) A Federal program administered under multiple internal control structures may have higher risk. When assessing risk in a large single audit, the auditor must consider whether weaknesses are isolated in a single operating unit (e.g., one college campus) or pervasive throughout the entity.
(ii) When significant parts of a Federal program are passed through to subrecipients, a weak system for monitoring subrecipients would indicate higher risk.
(2) Prior audit findings would indicate higher risk, particularly when the situations identified in the audit findings could have a significant impact on a Federal program or have not been corrected.
(3) Federal programs not recently audited as major programs may be of higher risk than Federal programs recently audited as major programs without audit findings.
(c) Oversight exercised by Federal agencies and pass-through entities.
(1) Oversight exercised by Federal agencies or pass-through entities could be used to assess risk. For example, recent monitoring or other reviews performed by an oversight entity that disclosed no significant problems would indicate lower risk, whereas monitoring that disclosed significant problems would indicate higher risk.
(2) Federal agencies, with the concurrence of OMB, may identify Federal programs that are higher risk. OMB will provide this identification in the compliance supplement.
(d) Inherent risk of the Federal program.
(1) The nature of a Federal program may indicate risk. Consideration should be given to the complexity of the program and the extent to which the Federal program contracts for goods and services. For example, Federal programs that disburse funds through third-party contracts or have eligibility criteria may be of higher risk. Federal programs primarily involving staff payroll costs may have high risk for noncompliance with requirements of § 200.430, but otherwise be at low risk.
(2) The phase of a Federal program in its life cycle at the Federal agency may indicate risk. For example, a new Federal program with new or interim regulations may have higher risk than an established program with time-tested regulations. Also, significant changes in Federal programs, statutes, regulations, or the terms and conditions of Federal awards may increase risk.
(3) The phase of a Federal program in its life cycle at the auditee may indicate risk. For example, during the first and last years that an auditee participates in a Federal program, the risk may be higher due to start-up or closeout of program activities and staff.
(4) Type B programs with larger Federal awards expended would be of higher risk than programs with substantially smaller Federal awards expended.
[78 FR 78608, Dec. 26, 2013, as amended at 85 FR 49575, Aug. 13, 2020]
An auditee that meets all of the following conditions for each of the preceding two audit periods must qualify as a low-risk auditee and be eligible for reduced audit coverage in accordance with § 200.518.
(a) Single audits were performed on an annual basis in accordance with the provisions of this Subpart, including submitting the data collection form and the reporting package to the FAC within the timeframe specified in § 200.512. A non-Federal entity that has biennial audits does not qualify as a low-risk auditee.
(b) The auditor's opinion on whether the financial statements were prepared in accordance with GAAP, or a basis of accounting required by state law, and the auditor's in relation to opinion on the schedule of expenditures of Federal awards were unmodified.
(c) There were no deficiencies in internal control which were identified as material weaknesses under the requirements of GAGAS.
(d) The auditor did not report a substantial doubt about the auditee's ability to continue as a going concern.
(e) None of the Federal programs had audit findings from any of the following in either of the preceding two audit periods in which they were classified as Type A programs:
(1) Internal control deficiencies that were identified as material weaknesses in the auditor's report on internal control for major programs as required under § 200.515(c);
(2) A modified opinion on a major program in the auditor's report on major programs as required under § 200.515(c); or
(3) Known or likely questioned costs that exceeded five percent of the total Federal awards expended for a Type A program during the audit period.
[78 FR 78608, Dec. 26, 2013, as amended at 85 FR 49575, Aug. 13, 2020]