Uniform Guidance for Single Audits
When entities receive and expend significant amounts of federal financial assistance, they are subject to heightened accountability requirements. The Uniform Guidance (formally codified in 2 CFR Part 200), issued by the Office of Management and Budget (OMB), provides a comprehensive framework governing the administration, cost principles, and audit requirements for federal awards. Subpart F of the Uniform Guidance specifically addresses audit requirements, including the single audit—a rigorous, organization-wide audit designed to ensure that recipients of federal funds comply with applicable laws, regulations, and program requirements. Understanding single audit concepts is essential for the AUD section of the CPA exam, particularly blueprint topics II.G.4 and III.E.6.
The Single Audit Act Amendments of 1996 established the legal foundation for the single audit. The Uniform Guidance (2 CFR Part 200, Subpart F) implements the Act and replaces the former OMB Circulars A-133, A-87, A-21, and A-122, consolidating audit, cost, and administrative requirements into a single framework.
When Is a Single Audit Required?
The single audit requirement is triggered by the total amount of federal awards expended during an entity's fiscal year, not by the number of programs or grants.
| Federal Awards Expended | Audit Requirement |
|---|---|
| Less than $750,000 | No single audit or program-specific audit required |
| $750,000 or more | Single audit required under 2 CFR Part 200, Subpart F |
Example: Bear Co., a nonprofit community health organization, expended $620,000 in federal awards during its fiscal year. Because this amount is below the $750,000 threshold, Bear Co. is not required to have a single audit performed. However, if Bear Co. also receives a new $200,000 federal grant the following year (bringing total expenditures to $820,000), a single audit would be required for that year.
The $750,000 threshold applies to expenditures, not to the amount of awards received or the award balances. An entity may hold large federal award balances but only trigger the single audit if it actually expends $750,000 or more during the fiscal year.
Relationship to Government Auditing Standards (Yellow Book)
A single audit conducted under the Uniform Guidance must also be performed in accordance with Government Auditing Standards (the Yellow Book / GAGAS) issued by the Government Accountability Office (GAO). This means the auditor must comply with:
- All applicable AICPA auditing standards (GAAS)
- All additional Yellow Book requirements (enhanced independence, CPE, reporting on internal control and compliance over financial reporting)
- All Uniform Guidance requirements (major program determination, compliance testing, SEFA, schedule of findings)
Think of the single audit as a layered set of requirements: GAAS forms the foundation, Yellow Book adds governmental requirements on top, and the Uniform Guidance adds federal award–specific requirements on top of that. All three layers apply simultaneously.
The Schedule of Expenditures of Federal Awards (SEFA)
The SEFA is a critical component of the single audit. It provides a complete listing of all federal awards expended by the auditee during the audit period.
Key SEFA Requirements
| Element | Description |
|---|---|
| Federal agency | Identifies the pass-through entity or direct federal awarding agency |
| Program name | The title of the federal program |
| CFDA/ALN number | The Assistance Listing Number (formerly CFDA number) that uniquely identifies each federal program |
| Award identification | Grant or contract numbers |
| Expenditures | Total federal awards expended during the period for each program |
| Pass-through awards | Separately identifies amounts passed through to subrecipients |
| Loans and loan guarantees | Outstanding balances at year-end for federal loan programs |
Example: Gies Co., a state university, prepares its SEFA listing 14 federal programs totaling $18.5 million in expenditures. The SEFA includes the ALN number, awarding agency, and expenditure amount for each program, and separately identifies $2.1 million passed through to subrecipient research partners.
The auditor must audit the SEFA in relation to the financial statements as a whole. The SEFA must be prepared by the auditee, and the auditor must determine whether it is fairly stated in all material respects in relation to the financial statements taken as a whole.
Identification of Federal Awards and Major Programs
Not every federal program is subject to full compliance testing. The auditor must determine which programs are major programs using a risk-based approach.
Type A and Type B Programs
Programs are first classified based on a dollar threshold:
| Classification | Criteria | Default Treatment |
|---|---|---|
| Type A | Programs exceeding the larger of: (1) $750,000, or (2) a sliding-scale percentage of total federal expenditures | Presumed to be major unless assessed as low risk |
| Type B | All programs below the Type A threshold | Presumed to be non-major unless assessed as high risk |
The Type A threshold uses a sliding scale:
| Total Federal Expenditures | Type A Threshold |
|---|---|
| Up to $25 million | The larger of $750,000 or 3% of total |
| $25 million – $100 million | $1.875 million |
| $100 million – $1 billion | The larger of $3 million or 0.3% of total |
| Over $1 billion | $30 million |
Risk-Based Approach to Determining Major Programs
The auditor performs a four-step process to determine major programs:
- Identify Type A programs using the dollar threshold
- Assess risk for each Type A program — classify as low risk or high risk
- Identify high-risk Type B programs — at least one high-risk Type B must be tested as major for every low-risk Type A excluded from testing (with a cap equal to 25% of the number of low-risk Type A programs)
- Verify coverage — total major programs must cover at least 20% (low-risk auditee) or 40% (non-low-risk auditee) of total federal expenditures
Example: Kingfisher Industries, a large nonprofit, expended $12 million in federal awards across 10 programs. Using the 3% threshold ($360,000 is less than $750,000, so the threshold is $750,000), four programs exceed $750,000 and are classified as Type A. The auditor assesses one Type A program as low risk (clean findings for two consecutive years) and three as high risk. The auditor also identifies one high-risk Type B program with prior-year findings. All four high-risk programs are tested as major, covering 72% of total federal expenditures.
A low-risk auditee is one that has had single audits for the prior two years with: (1) unmodified opinions on the financial statements and SEFA, (2) no material weaknesses in internal control, (3) no known or likely questioned costs exceeding 5% of a major program's expenditures, and (4) timely submission of the reporting package.
Compliance Requirements for Federal Awards
For each major program, the auditor tests the entity's compliance with requirements that could have a direct and material effect on the program. The Uniform Guidance identifies 12 types of compliance requirements:
| Compliance Requirement | Description |
|---|---|
| Activities allowed or unallowed | Funds must be used only for authorized purposes |
| Allowable costs/cost principles | Costs charged must meet federal cost principles (reasonable, allocable, consistent) |
| Cash management | Federal funds must be drawn down on a timely basis to minimize federal cash on hand |
| Eligibility | Only eligible participants or entities may receive benefits |
| Equipment and real property management | Proper tracking, use, and disposition of federally funded assets |
| Matching, level of effort, earmarking | Entity must meet cost-sharing or matching requirements and earmark funds as required |
| Period of performance | Costs must be incurred within the authorized grant period |
| Procurement and suspension/debarment | Purchases must follow federal procurement standards; contractors must not be suspended or debarred |
| Program income | Income generated by the program must be handled according to federal requirements |
| Reporting | Required financial and performance reports must be accurate and timely |
| Subrecipient monitoring | Pass-through entities must monitor subrecipients for compliance |
| Special tests and provisions | Program-specific requirements unique to certain federal programs |
Example: MAS Inc. receives a $1.2 million federal workforce development grant. The auditor tests key compliance requirements: (1) Eligibility — verifying that program participants met income thresholds, (2) Activities allowed — confirming that training expenditures aligned with the grant agreement, (3) Reporting — checking that quarterly performance reports were filed on time, and (4) Period of performance — ensuring no costs were incurred outside the grant period.
Not all 12 compliance requirements apply to every program. The auditor must consult the Compliance Supplement to determine which requirements are applicable to each specific federal program being tested.
The Compliance Supplement
The Compliance Supplement (officially the OMB Compliance Supplement) is an annual publication that provides:
- Program-specific guidance for the largest federal programs, detailing which compliance requirements apply and suggested audit procedures
- A generic section (Part 2) for programs not specifically listed, describing the compliance requirements that may apply
- Internal control guidance describing the controls the auditor should expect over each compliance requirement
- Guidance on audit sampling and testing approaches
The Compliance Supplement is the auditor's primary reference for determining which compliance requirements apply to a specific federal program. It is issued annually by OMB and updated to reflect changes in federal programs and requirements.
Internal Control Over Compliance
In addition to testing compliance, the auditor must understand and test internal controls over compliance for each major program. This includes:
- Planning: Obtain an understanding of internal controls relevant to each direct and material compliance requirement
- Risk assessment: Evaluate the design and implementation of controls
- Testing: Test the operating effectiveness of controls to support a low assessed level of control risk (if planned)
- Deficiency evaluation: Evaluate whether identified deficiencies constitute significant deficiencies or material weaknesses in internal control over compliance
Example: Illini Entertainment operates a federal arts education program. The auditor identifies the following internal controls over compliance: (1) a checklist used to verify participant eligibility before enrollment, (2) supervisory review of quarterly financial reports before submission, and (3) automated system controls that prevent expenditure entries outside the grant period. The auditor tests each control and concludes they are operating effectively.
Internal control over compliance is separate from internal control over financial reporting. An entity may have strong financial reporting controls but weak compliance controls for its federal programs (or vice versa). The auditor must evaluate and report on both.
Reporting Requirements
The single audit produces a comprehensive reporting package consisting of several components.
Auditor's Reports
The auditor issues multiple reports as part of the single audit:
| Report | Purpose |
|---|---|
| Opinion on financial statements | Standard GAAS audit opinion |
| Report on internal control over financial reporting and compliance (GAGAS) | Yellow Book report on controls and compliance related to the financial statement audit |
| Opinion on compliance for each major program | Expresses whether the entity complied, in all material respects, with requirements applicable to each major program |
| Report on internal control over compliance | Describes the scope of testing and any deficiencies in controls over compliance with federal award requirements |
The compliance opinion for major programs can be unmodified, qualified, adverse, or a disclaimer, following the same framework as financial statement opinions.
Schedule of Findings and Questioned Costs
This schedule is a critical deliverable that contains three sections:
- Summary of auditor's results — the type of opinion on the financial statements, whether material weaknesses or significant deficiencies were identified (for both financial reporting and compliance), the type of compliance opinion for major programs, and whether the auditee qualifies as low risk
- Financial statement findings — findings related to the financial statement audit under GAGAS
- Federal award findings and questioned costs — compliance findings for major programs, including the ALN number, program name, federal agency, and the specific compliance requirement involved
Example: BIF Partners, a regional transit authority, receives a qualified opinion on compliance for its Federal Transit Administration grant due to unallowable expenditures totaling $85,000. The schedule of findings and questioned costs reports: (1) the finding number, (2) the federal program and ALN, (3) a description of the condition (unallowable travel expenditures), (4) the criteria (grant agreement and 2 CFR Part 200 cost principles), (5) the questioned cost amount ($85,000), (6) the cause and effect, and (7) a recommendation.
Each finding must include the following elements: condition, criteria, cause, effect, questioned costs (if applicable), and a recommendation. The auditee must also prepare a corrective action plan for each finding and a summary schedule of prior audit findings showing the status of findings from the previous audit.
Data Collection Form and Federal Audit Clearinghouse
Data Collection Form (SF-SAC)
The Data Collection Form (SF-SAC) is a standardized form that summarizes key information from the single audit, including:
- The type of audit report issued
- The list of federal programs and expenditures
- Whether findings or questioned costs were identified
- The auditee's contact information and fiscal year
Federal Audit Clearinghouse (FAC)
The Federal Audit Clearinghouse serves as the central repository for all single audit submissions:
- Operated by the U.S. Census Bureau on behalf of OMB
- The complete reporting package (including the SF-SAC, audited financial statements, SEFA, and all auditor reports) must be submitted electronically
- Submission deadline: the earlier of 30 days after receipt of the auditor's report or 9 months after the end of the audit period
Example: Illini Security, a county government, completes its single audit for the fiscal year ended June 30. The auditor's report is dated October 15. Illini Security must submit the complete reporting package to the Federal Audit Clearinghouse by November 14 (30 days after receipt of the report), since this is earlier than the 9-month deadline of March 31.
Failure to submit the single audit reporting package to the Federal Audit Clearinghouse by the deadline can result in the entity being designated as high risk, potential withholding of federal funds, or other sanctions by federal awarding agencies.
Summary
| Topic | Key Point |
|---|---|
| Single audit threshold | Required when an entity expends $750,000 or more in federal awards during a fiscal year |
| Governing framework | Uniform Guidance — 2 CFR Part 200, Subpart F |
| Relationship to GAGAS | Single audits must also comply with Government Auditing Standards (Yellow Book) and GAAS |
| SEFA | Lists all federal awards expended; audited in relation to the financial statements as a whole |
| Type A programs | Larger programs exceeding a dollar threshold; presumed major unless assessed as low risk |
| Type B programs | Smaller programs below the Type A threshold; presumed non-major unless assessed as high risk |
| Coverage requirement | Major programs must cover at least 20% (low-risk auditee) or 40% of total federal expenditures |
| Compliance requirements | 12 types, including activities allowed, eligibility, cash management, matching, reporting, subrecipient monitoring |
| Compliance Supplement | OMB publication that identifies which compliance requirements apply to each federal program |
| Internal control over compliance | Must be understood, tested, and reported on separately from financial reporting controls |
| Auditor's reports | Financial statement opinion, GAGAS reports, major program compliance opinion, internal control over compliance report |
| Schedule of findings | Includes summary of results, financial statement findings, and federal award findings with questioned costs |
| Data Collection Form | SF-SAC summarizing audit results, submitted to the Federal Audit Clearinghouse |
| Submission deadline | Earlier of 30 days after auditor's report or 9 months after fiscal year-end |