The Single Audit Requirement
Subpart F (§200.500–521) of the Uniform Guidance establishes the audit requirements for non-federal entities that expend federal awards. The cornerstone of Subpart F is the Single Audit — a comprehensive, organization-wide audit that examines both the financial statements and the entity's compliance with federal award requirements. The Single Audit replaced the program-specific audits that were previously required under OMB Circular A-133 and brought all federal audit requirements into a single, unified framework.
For detailed guidance on preparing for and managing a Single Audit, including timeline planning, documentation preparation, and corrective action plan development, see our comprehensive Single Audit compliance hub. This chapter focuses on the regulatory framework that Subpart F establishes.
Audit Threshold (§200.501)
Under the 2024 revisions to the Uniform Guidance, organizations that expend $1,000,000 or more in federal awards during their fiscal year must have a Single Audit performed. The previous threshold was $750,000. This increase is significant for smaller organizations that were previously subject to the Single Audit requirement but now fall below the threshold.
The threshold is based on expenditures, not award amounts. An organization may receive $2 million in federal awards but only expend $800,000 during the fiscal year — in that case, no Single Audit is required for that year. However, expenditures include both direct spending and amounts passed through to subrecipients, so organizations must carefully track total federal expenditures across all awards.
Organizations below the threshold are exempt from Single Audit but are not exempt from audit requirements entirely. They must still maintain records available for review and may still be subject to program-specific audits at the discretion of the federal awarding agency.
The Schedule of Expenditures of Federal Awards (SEFA)
Every organization subject to Single Audit must prepare a Schedule of Expenditures of Federal Awards (SEFA) as part of the audit package (§200.510). The SEFA lists all federal awards expended during the fiscal year, including:
- The name of the federal agency providing the award
- The Assistance Listing (formerly CFDA) number and program name
- The federal award identification number (FAIN)
- Whether the award was received directly from a federal agency or as a subaward through a pass-through entity
- Total federal expenditures for each award
- Amounts passed through to subrecipients
An accurate SEFA is the foundation of the entire Single Audit. Errors in the SEFA — missing programs, incorrect expenditure amounts, or wrong Assistance Listing numbers — can cause the auditor to misidentify major programs and produce an audit that does not meet federal requirements.
Type A and Type B Program Classification (§200.518)
The auditor classifies all federal programs on the SEFA as either Type A or Type B to determine which programs will be tested as major programs. The classification is based on expenditure thresholds:
| Total Federal Expenditures | Type A Threshold |
|---|---|
| Up to $100 million | The larger of $750,000 or 3% of total federal expenditures |
| $100 million to $10 billion | $3 million |
| Over $10 billion | $30 million or 0.3% of total (whichever is less) |
Programs with expenditures at or above the Type A threshold are classified as Type A. All other programs are Type B. Type A programs are the primary candidates for major program testing, though the auditor's risk assessment may also elevate certain Type B programs to major program status.
Major Program Determination (§200.518)
The auditor determines which programs will be audited as “major programs” through a risk-based approach. This is not a random selection — the methodology is designed to focus audit effort on the programs with the highest risk and largest expenditures.
The process follows these steps:
- Step 1: Identify all Type A programs from the SEFA based on the expenditure threshold
- Step 2: Assess each Type A program as low-risk or high-risk based on prior audit results, oversight by the federal agency, and the nature and complexity of the program
- Step 3: All high-risk Type A programs are audited as major programs. Low-risk Type A programs may be excluded from major program testing
- Step 4: For each low-risk Type A program excluded, the auditor must test at least one high-risk Type B program as a major program
- Step 5: The auditor must audit as major programs at least 40% of total federal expenditures (20% if the entity qualifies as low-risk)
The Compliance Supplement
The Compliance Supplement (formally titled the “OMB Compliance Supplement”) is the auditor's primary reference for testing compliance with federal award requirements. Published annually by OMB, it identifies the specific compliance requirements that apply to each major federal program and provides the audit objectives and procedures the auditor should follow.
The Compliance Supplement organizes compliance testing into 12 types of compliance requirements:
| Letter | Compliance Requirement |
|---|---|
| A | Activities Allowed or Unallowed |
| B | Allowable Costs/Cost Principles |
| C | Cash Management |
| E | Eligibility |
| F | Equipment and Real Property Management |
| G | Matching, Level of Effort, Earmarking |
| H | Period of Performance |
| I | Procurement, Suspension, and Debarment |
| J | Program Income |
| L | Reporting |
| M | Subrecipient Monitoring |
| N | Special Tests and Provisions |
Not all 12 compliance requirements apply to every program. The Compliance Supplement specifies which requirements are applicable to each federal program by its Assistance Listing number.
Audit Findings Classification
When the auditor identifies noncompliance or internal control deficiencies, the findings are classified by severity. Understanding these classifications helps organizations prioritize corrective action and communicate effectively with auditors and federal agencies.
Material Weakness
A deficiency, or combination of deficiencies, in internal control over compliance such that there is a reasonable possibility that material noncompliance with a compliance requirement will not be prevented or detected and corrected on a timely basis. A material weakness is the most severe finding classification and indicates a fundamental breakdown in the organization's ability to comply with federal requirements.
Significant Deficiency
A deficiency, or combination of deficiencies, in internal control over compliance that is less severe than a material weakness but important enough to merit the attention of those charged with governance. A significant deficiency indicates that the internal control system has weaknesses that could lead to noncompliance, though the risk is not as high as with a material weakness.
Questioned Costs
Costs identified by the auditor as potentially unallowable. Under §200.516, the auditor must report questioned costs when they find:
- A violation of a provision of a federal statute, regulation, or grant term that results in a cost being charged to the award
- Costs where adequate documentation was not available to support the amount charged
- Costs that appear unreasonable and do not reflect the actions a prudent person would take
Questioned costs are reported when they exceed $25,000 for a type of compliance requirement for a major program. The federal awarding agency makes the final determination on whether questioned costs must be repaid — the auditor identifies them, but the agency decides.
Federal Audit Clearinghouse (FAC) Submission
The complete Single Audit reporting package must be submitted to the Federal Audit Clearinghouse (FAC) within 30 days after receipt of the auditor's report, or no later than 9 months after the end of the audit period, whichever is earlier (§200.512). The FAC is now operated by the General Services Administration (GSA) and the submission is made electronically.
The reporting package includes:
- The financial statements and the auditor's report on those statements
- The Schedule of Expenditures of Federal Awards (SEFA)
- The auditor's report on internal control over financial reporting and on compliance
- The Schedule of Findings and Questioned Costs
- A corrective action plan for each finding
- A summary schedule of prior audit findings and their current status
- The Data Collection Form (SF-SAC)
Auditor Selection and Independence
The Single Audit must be performed by an independent auditor — a licensed certified public accountant (CPA) or a federal, state, local, or tribal government audit organization that meets generally accepted government auditing standards (GAGAS) as published in the Government Accountability Office's (GAO) Yellow Book. The auditor must be independent of the organization being audited and must have adequate professional proficiency and external quality control.
Organizations should evaluate potential auditors based on their experience with federal programs relevant to the organization, their familiarity with the Compliance Supplement, and their capacity to complete the audit within the required timeline. For healthcare organizations, auditors with experience in HRSA, SAMHSA, and CDC programs will be more efficient and effective than generalists.
Corrective Action Plans
For each finding included in the audit report, the auditee must prepare a corrective action plan (§200.511(c)). The plan must include the name of the responsible contact person, the planned corrective action, and the anticipated completion date. If the auditee does not agree with the finding, the plan must include an explanation and specific reasons for disagreement.
Corrective action plans are not paperwork exercises — federal agencies review them and follow up. Repeat findings (the same finding appearing in consecutive audits) are treated more seriously and may trigger additional federal oversight, specific award conditions, or remedies under §200.339. Organizations should implement corrective actions promptly and document implementation so the status can be reported accurately in the following year's summary schedule of prior audit findings.
Low-Risk Auditee Criteria (§200.520)
An organization qualifies as a low-risk auditee if it meets all of the following criteria for each of the two most recent audit periods:
- Single Audits were performed annually in accordance with Subpart F
- The auditor's opinion on the financial statements was unmodified
- There were no material weaknesses identified
- None of the federal programs had audit findings from the most recent audit cycle
Low-risk auditees benefit from reduced audit coverage: the auditor need only test 20% of total federal expenditures as major programs (instead of 40%). This reduces audit scope, cost, and the administrative burden on the organization. Maintaining low-risk status should be a strategic objective for every grants-funded organization.
For a comprehensive guide to Single Audit preparation, timelines, and best practices, visit our Single Audit compliance hub. For information on how audit requirements interact with subrecipient monitoring, see our subrecipient monitoring chapter.