Single Audit major program determination can be challenging. And if this determination is wrong, your Single Audit will be wrong.
So in this article, I explain how you can correctly determine your major programs in four steps.
First, understand that Single Audits focus on major programs. This is how you know which programs to test. So if your auditee has multiple federal programs, it's important to determine which are major and which are not.
Here is a summary of the four steps of Single Audit major program determination:
- Identify Type A programs
- Identify Type A low-risk programs
- Identify Type B high-risk programs
- Determine major programs
(If you desire a deeper dive, watch the following video with a case study.)
Before you do any of these, create a list of all federal programs, similar to the schedule of expenditure of federal awards (the SEFA). The list is comprised of each federal program and the amounts expended.
Next, apply the four steps to this list. We'll start by identifying the type A programs.
1. Identify Type A Programs
The type A threshold is $750,000 when the total federal awards expended are $25 million or less. So if you have a federal program of $750,000 or greater, then it's a type A program. Type B programs are those of less than $750,000.
When total federal awards exceed $25 million, see the table below.
Total federal awards expended
≥$750,000 and ≤ $25 million
>$25 million but ≤ $100 million
total federal awards expended times .03
>$100 million but ≤ $ 1 billion
> $1 billion but ≤ $10 billion
total federal awards expended times .003
>$10 billion but ≤ $20 billion
total federal awards expended times .0015
Remove the Large-Loan Program Distortion
Large loan programs can potentially cause some type A programs to be excluded. In other words, large loan programs can cause some programs to be deemed type B though they should be type A. Therefore, the auditor subtracts any large loan balances from the total federal programs before determining what programs are type A.
And what are large loan balances? They are loan programs that exceed four times the largest non-loan program.
So see what the largest non-loan program is and multiply that amount times four. Then see if any loan programs exceed that amount. If they do, subtract the large loan program from the total federal awards before determining the A/B thresholds. See §200.518 (b)(3) for more information.
Clusters are One Program
Additionally, if the entity has a cluster such as student financial aid, then treat that program as one program. Clusters have multiple CFDA numbers for each grant but are treated as one program when performing a Single Audit. The Compliance Supplement states "a cluster of programs means a grouping of closely related programs that share common compliance requirements." So if you have a cluster, add all the grants together to see if the total cluster exceeds the type A threshold. (See part 5 of the Compliance Supplement for additional information about clusters.)
No Type A Programs
What if there are no type A programs? Then go to step 4 and pick enough programs to satisfy the coverage requirement.
Next, we'll see how to identify low-risk type A programs.
2. Identify Low-Risk Type A Programs
The Uniform Guidance provides the auditor with criteria in §200.518 (c) for determining whether a type A program is low risk. Type A programs that meet these criteria are low-risk. Programs that do not meet these criteria are not low-risk.
The Uniform Guidance says,
For a Type A program to be considered low-risk, it must have been audited as a major program in at least one of the two most recent audit periods.
Consequently, a type A program will be major at least once every three years.
Additionally, the Uniform Guidance goes on to say:
in the most recent audit period, the program must have not had:
(i) Internal control deficiencies which were identified as material weaknesses in the auditor's report on internal control for major programs as required under §200.515 Audit reporting, paragraph (c);
(ii) A modified opinion on the program in the auditor's report on major programs as required under §200.515 Audit reporting, paragraph (c); or
(iii) Known or likely questioned costs that exceed five percent of the total Federal awards expended for the program.
Additionally, federal agencies can request that programs not be considered low-risk for certain recipients. If such a request is made, the program will not be low risk.
But if the factors listed above don't lead to a high-risk classification, can the auditor use inherent risk factors such as size and complexity to move the assessment to high risk? No. The auditor must use the criteria listed above.
And what if there are no low-risk programs?
No Low-Risk Type A Programs
If there are no low-risk type A programs then step 3, identifying high-risk type B programs, is not necessary. Go directly to step 4: Determine major programs.
Now, let's take a look at step 3: Identifying high-risk type B programs.
3. Identifying High-Risk Type B Programs
The auditor identifies the type B programs by using their judgment and criteria such as that listed below. But how many high-risk type B programs should the auditor identify? No more than at least one-fourth the number of low-risk type A programs.
Additionally, the auditor is only required to perform risk assessments of type B programs that exceed 25% of the type A threshold (e.g., 25% of 750,000 is $187,500). If all of the type B programs are less than this amount, then none are assessed. And you skip step 3. But if you have type B programs greater than this 25% amount, perform risk assessments.
In determining whether a type B program is high-risk, the auditor should use factors such as:
- The complexity of the program
- The phase of the program in its life cycle (newer programs may be higher risk)
- The degree of significant changes in the program or related statutes and regulations
- The size of the program (programs with larger expenditures are higher risk)
- Weaknesses in internal controls as related to compliance requirements (e.g., controls to ensure allowability of costs)
- Prior audit findings
- The structure of the internal control system (multiple structures tend to be higher risk)
- Federal programs not recently audited as a major program
- Oversight by a federal agency (if their review noted issues, then the program could be higher risk)
Other than known material control weaknesses in internal controls pertaining to compliance requirements or known compliance problems, a single risk criterion will seldom cause the program to be high risk.
But what if there are no high-risk type B programs?
No High-Risk Type B Programs
If there are no high-risk type B programs, then none are major. This is true even if there are low-risk type A programs. You can't make a type B program high-risk just because a low-risk type A program exists (and you're trying to meet the one-fourth of type A low-risk requirement). So, assess the program in light of the criteria. And let it be what it is, whether high-risk or low-risk.
If, however, there are multiple high-risk type B programs, a potential problem arises: identifying too many high-risk programs.
Identify Only What is Required
Don't make the mistake of identifying more high-risk type B programs than what is necessary. If you do, then you must test them all (those you identified as high-risk). So, once you have identified the requisite number of high-risk type B programs, stop.
If there are multiple potential type B high-risk programs and not all are identified as high-risk, then consider rotating the programs tested each year.
Rotate Programs Tested
The Uniform Guidance (§200.518) encourages providing "an opportunity for different high-risk type B programs to be audited as major over a period of time." So if the auditor only needs one type B high-risk program, for example, and there are multiple potential high-risk type B programs, then it is desirable to identify a different one as major each year. That way, different type B high-risk programs will be audited over time.
We're almost done. Now, let's determine the major programs.
4. Determine Major Programs
At a minimum, the following will be your major programs:
- All type A programs not identified as low risk
- All type B programs identified as high-risk
- Any additional programs needed to comply with the percentage of coverage rule
So what is the percentage of coverage rule? It's 20% for low-risk auditees and 40% for those that are not low-risk auditees. But what does this mean? Well, let's look at an example to clarify.
Suppose the entity is a low-risk auditee. And suppose the entity has type A program that is not low risk (it's a major program). It makes up 17% of the total federal awards. All other programs are type B and none is considered major. What should be done? Pick a type B program and test it. But the program picked must bring the total tested to at least 20% of the total federal awards. Now you've complied with the coverage rule.
The low-risk auditee criteria follows below. Though there are similarities with program risk assessment criteria shown above, there are differences as well.
An auditee must meet all of the following conditions for each of the preceding two audit periods to qualify as a low-risk auditee:
- An annual Single Audit was performed and the reporting package was timely filed with the Federal Audit Clearinghouse
- The auditor issued an unmodified opinion on the financial statements and on the schedule of expenditures of federal awards
- There were no internal control material weaknesses in the Yellow Book report
- The auditor's opinion did not report substantial doubt about the entity's ability to continue as a going concern
- No federal programs had findings from any of the following in the preceding two years:
- No material weaknesses in internal control for a major program
- No modified opinion on a major program
- No known or likely questioned costs that exceeded five percent of the total federal awards expended for a type A program during the audit period
So if the entity meets all of these conditions, it is a low-risk auditee and you can use the 20% threshold. If not, use 40%.
Meeting the percentage of coverage rule does not by itself permit the auditor to skip remaining steps. Suppose in step 2. that one type A program is 50% of the total federal awards and is identified as a major program, can the auditor skip step 3.? Not necessarily. Coverage does not exempt the auditor from following the remaining steps.
Four Steps of Major Program Determination
Now you know how to determine which programs are major. These are the programs you'll test for compliance. You'll also test related compliance internal controls.
Additionally, you now know how to determine whether an entity is a low-risk auditee.
You may want to save this article and keep it handy. Why? Well, the four-step determination is relevant in every Single Audit.
If you're looking for information about whether an entity is required to have a Single Audit, see my article.