Uncategorized

Single Audit Under Uniform Guidance: The $1M Threshold, Major Programs, the SEFA

A single audit under Uniform Guidance is the compliance examination a non-federal entity must obtain once it spends a large amount of federal grant money in one year. The rules sit in 2 CFR Part 200, Subpart F, and they were rewritten in 2024. The most consequential change raised the trigger from $750,000 to $1 million in federal awards expended.

Key takeaways

  • A single audit is required when a non-federal entity expends $1,000,000 or more in federal awards in its fiscal year, per 2 CFR 200.501, a threshold raised from $750,000 by the April 2024 OMB revision and effective for fiscal years beginning on or after October 1, 2024.
  • The auditor performs both a financial statement audit and a compliance audit; the compliance side tests “major programs” selected through a risk-based process defined in 2 CFR 200.518 (the Type A/Type B program split).
  • The entity must prepare a Schedule of Expenditures of Federal Awards (the SEFA) under 2 CFR 200.510, which drives the entire major program determination.
  • Compliance is tested against the OMB Compliance Supplement, which lists the specific requirements (allowable costs, eligibility, reporting, and others) for each federal program.
  • Results are filed on the Data Collection Form (SF-SAC) and the reporting package through the Federal Audit Clearinghouse, now hosted on GSA’s portal, generally within nine months of fiscal year-end (2 CFR 200.512).

What is a single audit under Uniform Guidance?

A single audit is one combined audit that satisfies the audit requirements of every federal program a recipient touches, instead of a separate audit for each grant. Before 1984, each federal agency could demand its own audit, and a university or city with grants from a dozen agencies faced a dozen overlapping reviews. The Single Audit Act of 1984, amended in 1996, replaced that with one organization-wide audit. The operating rules now live in Title 2 of the Code of Federal Regulations, Part 200, Subpart F, commonly called Uniform Guidance.

The single audit has two halves. The first is an audit of the entity’s financial statements under generally accepted auditing standards and the standards in the GAO Yellow Book. The second is the compliance audit: the auditor tests whether the entity followed the rules attached to its federal money. That compliance work is what distinguishes a single audit from an ordinary financial statement audit (and from a review or compilation). The compliance opinion addresses whether the entity complied, in all material respects, with the requirements that could have a direct and material effect on each major program.

The audit is performed by an independent CPA following the Yellow Book, not by a federal agency. Yellow Book independence rules are stricter than the standard AICPA framework, and they govern every single audit. For the full picture of those rules, see our piece on the Yellow Book and government auditing standards.

It helps to be precise about what a single audit is not. It is not a federal program evaluation, and it does not opine on whether a grant achieved its policy goals. It is not a forensic investigation, though it can surface fraud the auditor must report. And it is not optional once the threshold is crossed: a federal awarding agency or pass-through entity can withhold funding, impose special conditions, or recover funds from an entity that fails to obtain a required single audit. The cost of the audit itself is generally an allowable charge to federal awards, allocated across programs, which is why the rules treat it as a shared compliance obligation rather than an overhead expense the entity must absorb alone.

Who must comply

The single audit reaches non-federal entities: states, local governments, Indian tribes, institutions of higher education, and nonprofit organizations. For-profit subrecipients are handled differently and generally fall outside Subpart F, though the pass-through entity must still arrange for monitoring of their federal money.

The trigger is expenditure, not receipt. Under 2 CFR 200.501, an entity that expends $1,000,000 or more in federal awards during its fiscal year must have a single audit. The word “expended” matters: a nonprofit that drew down $900,000 of a $5 million multi-year grant in the current year is measured on the $900,000, not the full award. Federal awards include grants, cost-reimbursement contracts, loan and loan guarantee programs, donated surplus property, food commodities, interest subsidies, and insurance.

An entity that spends federal money from only one program, or one cluster of programs, may elect a “program-specific audit” instead of a full single audit when the program’s laws do not require a financial statement audit. That option is set out in 2 CFR 200.501(c) and is most common for smaller nonprofits with a single grant stream.

An entity below the $1 million threshold is exempt from the single audit requirement for that year, but it remains subject to its grant terms and to records access by federal agencies and the Government Accountability Office (2 CFR 200.503). Crossing the threshold is the moment many organizations first need a Yellow Book auditor. Determining when any entity first needs an external audit is its own question, covered in when a company needs an audit.

How it works: the mechanics

The engine of a single audit is the Schedule of Expenditures of Federal Awards. Under 2 CFR 200.510(b), the entity prepares a SEFA listing federal expenditures by program, organized by federal agency and by the Assistance Listing Number (formerly the CFDA number). The SEFA also discloses the total expended for each cluster of programs and any amounts passed through to subrecipients. The auditor’s first job is to confirm the SEFA is complete and accurate, because everything downstream depends on it.

From the SEFA, the auditor performs the risk-based major program determination in four steps under 2 CFR 200.518:

Step one identifies Type A programs by dollar size. For most entities, a Type A program is one whose federal expenditures meet or exceed $1,000,000 (the floor scales up for larger entities). All other programs are Type B. Step two assesses each Type A program as low-risk or not; a Type A program generally cannot be low-risk if it was not audited as a major program in one of the two most recent years or had audit findings. Step three assesses Type B programs for high risk, but only those above a defined dollar floor. Step four selects the programs to audit: all high-risk Type A programs, plus a number of high-risk Type B programs, until the audit covers the required percentage of total federal expenditures.

That coverage percentage is the “percentage of coverage rule.” A normal-risk entity must audit major programs covering at least 20 percent of total federal expenditures. An entity that does not qualify as low-risk must cover at least 40 percent (2 CFR 200.518(f)). Low-risk auditee status, defined in 2 CFR 200.520, requires clean opinions, timely filings, and no material weaknesses in the prior two years.

For each major program, the auditor tests compliance and tests the internal controls over compliance. The requirements come from the OMB Compliance Supplement, updated annually, which maps the applicable requirements (such as activities allowed, allowable costs, cash management, eligibility, reporting, and subrecipient monitoring) to each program. The auditor then reports findings, including questioned costs of $25,000 or more, in a schedule of findings and questioned costs.

The auditor must also issue a specific set of reports. Beyond the opinion on the entity’s financial statements, the single audit produces a report on internal control over financial reporting and on compliance based on the Yellow Book audit, plus a separate report on compliance for each major program and on internal control over compliance required by Uniform Guidance. The schedule of findings and questioned costs ties them together. It is organized into three sections: a summary of the auditor’s results, findings relating to the financial statements, and findings and questioned costs for federal awards. Each federal award finding must include the program name and number, the criteria, the condition, the cause, the effect, the questioned costs, and the auditor’s recommendation, so the entity and its federal agencies can act on it.

The audited entity does not simply receive the findings; it must respond. Under 2 CFR 200.511, the entity prepares a corrective action plan for each current-year finding and a summary schedule of prior audit findings showing the status of earlier findings. The corrective action plan names the contact responsible, the planned action, and the anticipated completion date. A history of unresolved or repeat findings is one of the factors that pushes an entity out of low-risk auditee status and raises its required coverage percentage in the next cycle.

Thresholds at a glance

Item Rule Citation
Single audit trigger $1,000,000 federal awards expended in the fiscal year (raised from $750,000) 2 CFR 200.501(a)
Effective date of new threshold Fiscal years beginning on or after October 1, 2024 2024 OMB revision (89 FR 30046)
Type A program floor (most entities) $1,000,000 of program expenditures (scales up by entity size) 2 CFR 200.518(b)
Minimum coverage, low-risk auditee 20% of total federal expenditures 2 CFR 200.518(f)
Minimum coverage, not low-risk 40% of total federal expenditures 2 CFR 200.518(f)
Questioned cost reporting floor $25,000 (raised from $10,000 in 2024) 2 CFR 200.516(a)
Reporting deadline Earlier of 30 days after receiving the report or 9 months after fiscal year-end 2 CFR 200.512(a)

Worked example

Assume the Riverside Community Health Coalition, a nonprofit with a June 30 fiscal year-end, expended federal awards in the year beginning July 1, 2025. Because that fiscal year begins after October 1, 2024, the $1,000,000 threshold applies. Its SEFA shows the following:

Program A, a Health Resources and Services Administration grant, $1,400,000. Program B, a Community Development Block Grant pass-through, $620,000. Program C, a USDA nutrition grant, $310,000. Program D, a small AmeriCorps grant, $95,000. Total federal expenditures: $2,425,000.

The total exceeds $1,000,000, so a single audit is required. Next, the Type A floor for an entity this size is $1,000,000. Only Program A clears it, so Program A is the only Type A program; B, C, and D are Type B. The auditor reviews Program A’s history: it was last audited as a major program three years ago and had a prior reporting finding, so it cannot be treated as low-risk and must be audited.

Program A’s $1,400,000 already covers 57.7 percent of the $2,425,000 total, comfortably above both the 20 percent and 40 percent coverage rules. If the entity qualifies as a low-risk auditee, auditing Program A alone satisfies coverage. If it does not qualify, the auditor still meets the 40 percent floor with Program A, though the firm would also assess whether any Type B program is high-risk enough to warrant testing. The auditor tests Program A against the HRSA section of the Compliance Supplement, evaluates controls over those requirements, and reports any questioned costs of $25,000 or more.

Recent changes 2024 to 2026

The April 2024 OMB revision to Uniform Guidance, published in the Federal Register at 89 FR 30046, was the largest rewrite since 2013. It applies to federal awards issued on or after October 1, 2024, and to single audits for fiscal years beginning on or after that date.

The headline change raised the single audit threshold from $750,000 to $1,000,000 (2 CFR 200.501). The Type A program floor rose in step. OMB estimated the change would lift roughly 5,000 entities out of the single audit requirement each year. The questioned cost reporting threshold also rose, from $10,000 to $25,000 (2 CFR 200.516).

Other 2024 changes raised the de minimis indirect cost rate an entity may elect without a negotiated rate from 10 percent to 15 percent of modified total direct costs (2 CFR 200.414), and raised the equipment capitalization threshold and the threshold for supplies. The revision also restructured several definitions and added plain-language drafting throughout Part 200. The Compliance Supplement continues to be reissued each year; auditors must use the supplement that matches the audit period.

The practical consequence of the higher de minimis rate is worth noting for grantees. An organization without a federally negotiated indirect cost rate may now recover 15 percent of modified total direct costs as indirect cost, up from 10 percent, which materially helps smaller nonprofits fund their administrative backbone. The change interacts with the single audit because indirect cost recovery is a frequent area of questioned costs; an entity that applies the rate it actually elected, and documents the election, avoids one of the more common findings.

Auditors and grantees should also track the timing carefully. Because the new threshold and the other changes key to fiscal years beginning on or after October 1, 2024, an entity with a June 30 year-end did not feel the change until its fiscal year beginning July 1, 2025, while an entity with a December 31 year-end felt it for the year beginning January 1, 2025. Two otherwise similar organizations can therefore sit on opposite sides of the $750,000-versus-$1,000,000 line in the same calendar period purely because of their fiscal year-ends, and applying the wrong threshold to either is a scoping error.

Common pitfalls

Frequently asked questions

What is the single audit threshold for 2026?
A single audit is required when an entity expends $1,000,000 or more in federal awards in its fiscal year, under 2 CFR 200.501. The threshold rose from $750,000 in the April 2024 OMB revision and applies to fiscal years beginning on or after October 1, 2024.
Is the threshold based on money received or money spent?
Money spent. The rule measures federal awards expended during the fiscal year, not cash received and not the total award amount, per 2 CFR 200.501(a).
What is the SEFA?
The Schedule of Expenditures of Federal Awards. The entity prepares it under 2 CFR 200.510, listing federal expenditures by program and Assistance Listing Number. It drives the major program determination and the audit’s scope.
How are major programs selected?
Through the four-step risk-based process in 2 CFR 200.518: identify Type A programs by dollar size, assess Type A risk, assess Type B risk, then select programs until coverage reaches at least 20 percent (low-risk auditee) or 40 percent (not low-risk) of total federal expenditures.
What standards govern a single audit?
Generally accepted auditing standards, the GAO Yellow Book (Government Auditing Standards), and Subpart F of 2 CFR Part 200. The Compliance Supplement supplies the program-specific requirements to be tested.
When is the report due?
The earlier of 30 days after the entity receives the auditor’s report or nine months after the end of the audit period, filed through the Federal Audit Clearinghouse, per 2 CFR 200.512(a).
Can a small entity avoid a full single audit?
If it expends federal money under only one program (and that program’s law does not require a financial statement audit), it may elect a program-specific audit under 2 CFR 200.501(c) instead.
What is a low-risk auditee?
An entity that met the criteria in 2 CFR 200.520 for the prior two years, including clean opinions, timely filings, and no material weaknesses. Low-risk auditees need only 20 percent program coverage rather than 40 percent.

Bottom line

The single audit converts a recipient’s grant compliance into one organization-wide examination, triggered at $1,000,000 of federal awards expended since the 2024 OMB revision. The SEFA and the risk-based major program determination drive the whole engagement, and the work must follow the Yellow Book, the Compliance Supplement, and Subpart F of 2 CFR Part 200.

Sources and methodology

This article relies on primary sources: 2 CFR Part 200, Subpart F (Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards), specifically sections 200.501, 200.502, 200.503, 200.510, 200.512, 200.516, 200.518, and 200.520; the Single Audit Act Amendments of 1996; the April 2024 OMB revision published at 89 FR 30046; the annual OMB Compliance Supplement; and GAO Government Auditing Standards. Filing mechanics reflect the Federal Audit Clearinghouse procedures hosted by GSA. Dollar thresholds and effective dates were verified against the 2024 final rule.