programs not covered in the compliance supplement, the auditor should use the types of compliance requirements contained in the compliance supplement as guidance for identifying the types of compliance requirements to test, and determine the requirements governing the Federal program by reviewing the provisions of contracts and grant agreements and the laws and regulations referred to in such contracts and grant agreements.

(4) The compliance testing shall include tests of transactions and such other auditing procedures necessary to provide the auditor sufficient evidence to support an opinion on compliance.

(e) Audit follow-up. The auditor shall follow-up on prior audit findings, perform procedures to assess the reasonableness of the summary schedule of prior audit findings prepared by the auditee in accordance with § 3052.315(b), and report, as a current year audit finding, when the auditor concludes that the summary schedule of prior audit findings materially misrepresents the status of any prior audit finding. The auditor shall perform audit follow-up procedures regardless of whether a prior audit finding relates to a major program in the current year.

(f) Data collection form. As required in § 3052.320(b)(3), the auditor shall complete and sign specified sections of the data collection form.

§ 3052.505 Audit reporting.

The auditor's report(s) may be in the form of either combined or separate reports and may be organized differently from the manner presented in this section. The auditor's report(s) shall state that the audit was conducted in accordance with this part and include the following:

(a) An opinion (or disclaimer of opinion) as to whether the financial statements are presented fairly in all material respects in conformity with generally accepted accounting principles and an opinion (or disclaimer of opinion) as to whether the schedule of expenditures of Federal awards is presented fairly in all material respects in relation to the financial statements taken as a whole.

(b) A report on internal control related to the financial statements and

major programs. This report shall describe the scope of testing of internal control and the results of the tests, and, where applicable, refer to the separate schedule of findings and questioned costs described in paragraph (d) of this section.

(c) A report on compliance with laws, regulations, and the provisions of contracts or grant agreements, noncompliance with which could have a material effect on the financial statements. This report shall also include an opinion (or disclaimer of opinion) as to whether the auditee complied with laws, regulations, and the provisions of contracts or grant agreements which could have a direct and material effect on each major program, and, where applicable, refer to the separate schedule of findings and questioned costs described in paragraph (d) of this section.

(d) A schedule of findings and questioned costs which shall include the following three components:

(1) A summary of the auditor's results which shall include:

(i) The type of report the auditor issued on the financial statements of the auditee (i.e., unqualified opinion, qualified opinion, adverse opinion, or disclaimer of opinion);

(ii) Where applicable, a statement that reportable conditions in internal control were disclosed by the audit of the financial statements and whether any such conditions were material weaknesses;

(iii) A statement as to whether the audit disclosed any noncompliance which is material to the financial statements of the auditee;

(iv) Where applicable, a statement that reportable conditions in internal control over major programs were disclosed by the audit and whether any such conditions were material weaknesses;

(v) The type of report the auditor issued on compliance for major programs (i.e., unqualified opinion, qualified opinion, adverse opinion, or disclaimer of opinion);

(vi) A statement as to whether the audit disclosed any audit findings which the auditor is required to report under § 3052.510(a);

(vii) An identification of major programs;

(viii) The dollar threshold used to distinguish between Type A and Type B programs, as described in §3052.520(b); and

(ix) A statement as to whether the auditee qualified as a low-risk auditee under § 3052.530.

(2) Findings relating to the financial statements which are required to be reported in accordance with GAGAS.

(3) Findings and questioned costs for Federal awards which shall include audit findings as defined in §3052.510(a).

(i) Audit findings (e.g., internal control findings, compliance findings, questioned costs, or fraud) which relate to the same issue should be presented as a single audit finding. Where practical, audit findings should be organized by Federal agency or passthrough entity.

(ii) Audit findings which relate to both the financial statements and Federal awards, as reported under paragraphs (d)(2) and (d)(3) of this section, respectively, should be reported in both sections of the schedule. However, the reporting in one section of the schedule may be in summary form with a reference to a detailed reporting in the other section of the schedule.

§ 3052.510 Audit findings.

(a) Audit findings reported. The auditor shall report the following as audit findings in a schedule of findings and questioned costs:

(1) Reportable conditions in internal control over major programs. The auditor's determination of whether a deficiency in internal control is a reportable condition for the purpose of reporting an audit finding is in relation to a type of compliance requirement for a major program or an audit objective identified in the compliance supplement. The auditor shall identify reportable conditions which are individually or cumulatively material weak

nesses.

(2) Material noncompliance with the provisions of laws, regulations, contracts, or grant agreements related to a major program. The auditor's determination of whether a noncompliance with the provisions of laws, regulations, contracts, or grant agreements is material for the purpose of reporting an audit finding is in relation to a type

of compliance requirement for a major program or an audit objective identified in the compliance supplement.

(3) Known questioned costs which are greater than $10,000 for a type of compliance requirement for a major program. Known questioned costs are those specifically identified by the auditor. In evaluating the effect of questioned costs on the opinion on compliance, the auditor considers the best estimate of total costs questioned (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). The auditor shall also report known questioned costs when likely questioned costs are greater than $10,000 for a type of compliance requirement for a major program. In reporting questioned costs, the auditor shall include information to provide proper perspective for judging the prevalence and consequences of the questioned costs.

(4) Known questioned costs which are greater than $10,000 for a Federal program which is not audited as a major program. Except for audit follow-up, the auditor is not required under this part to perform audit procedures for such a Federal program; therefore, the auditor will normally not find questioned costs for a program which is not audited as a major program. However, if the auditor does become aware of questioned costs for a Federal program which is not audited as a major program (e.g., as part of audit follow-up or other audit procedures) and the known questioned costs are greater than $10,000, then the auditor shall report this as an audit finding.

(5) The circumstances concerning why the auditor's report on compliance for major programs is other than an unqualified opinion, unless such circumstances are otherwise reported as audit findings in the schedule of findings and questioned costs for Federal awards.

(6) Known fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards. This paragraph does not require the auditor to make an additional reporting when the auditor confirms that the fraud was reported outside of the auditor's reports

under the direct reporting requirements of GAGAS.

(7) Instances where the results of audit follow-up procedures disclosed that the summary schedule of prior audit findings prepared by the auditee in accordance with §3052.315(b) materially misrepresents the status of any prior audit finding.

(b) Audit finding detail. Audit findings shall be presented in sufficient detail for the auditee to prepare a corrective action plan and take corrective action and for Federal agencies and passthrough entities to arrive at a management decision. The following specific information shall be included, as applicable, in audit findings:

(1) Federal program and specific Federal award identification including the CFDA title and number, Federal award number and year, name of Federal agency, and name of the applicable pass-through entity. When information, such as the CFDA title and number or Federal award number, is not available, the auditor shall provide the best information available to describe the Federal award.

(2) The criteria or specific requirement upon which the audit finding is based, including statutory, regulatory, or other citation.

(3) The condition found, including facts that support the deficiency identified in the audit finding.

(4) Identification of questioned costs and how they were computed.

(5) Information to provide proper perspective for judging the prevalence and consequences of the audit findings, such as whether the audit findings represent an isolated instance or a systemic problem. Where appropriate, instances identified shall be related to the universe and the number of cases examined and be quantified in terms of dollar value.

(6) The possible asserted effect to provide sufficient information to the auditee and Federal agency, or passthrough entity in the case of a subrecipient, to permit them to determine the cause and effect to facilitate prompt and proper corrective action.

(7) Recommendations to prevent future occurrences of the deficiency identified in the audit finding.

(8) Views of responsible officials of the auditee when there is disagreement with the audit findings, to the extent practical.

(c) Reference numbers. Each audit finding in the schedule of findings and questioned costs shall include a reference number to allow for easy referencing of the audit findings during follow-up.

§ 3052.515 Audit working papers.

(a) Retention of working papers. The auditor shall retain working papers and reports for a minimum of three years after the date of issuance of the auditor's report(s) to the auditee, unless the auditor is notified in writing by the cognizant agency for audit, oversight agency for audit, or passthrough entity to extend the retention period. When the auditor is aware that the Federal awarding agency, passthrough entity, or auditee is contesting an audit finding, the auditor shall contact the parties contesting the audit finding for guidance prior to destruction of the working papers and reports.

(b) Access to working papers. Audit working papers shall be made available upon request to the cognizant or oversight agency for audit or its designee, a Federal agency providing direct or indirect funding, or GAO at the completion of the audit, as part of a quality review, to resolve audit findings, or to carry out oversight responsibilities consistent with the purposes of this part. Access to working papers includes the right of Federal agencies to obtain copies of working papers, as is reasonable and necessary.

§ 3052.520 Major program determination.

(a) General. The auditor shall use a risk-based approach to determine which Federal programs are major programs. This risk-based approach shall include consideration of: Current and prior audit experience, oversight by Federal agencies and pass-through entities, and the inherent risk of the Federal program. The process in paragraphs (b) through (I) of this section shall be followed.

(b) Step 1. (1) The auditor shall identify the larger Federal programs, which

shall be labeled Type A programs. Type A programs are defined as Federal programs with Federal awards expended during the audit period exceeding the larger of:

(i) $300,000 or three percent (.03) of total Federal awards expended in the case of an auditee for which total Federal awards expended equal or exceed $300,000 but are less than or equal to $100 million.

(ii) $3 million or three-tenths of one percent (.003) of total Federal awards expended in the case of an auditee for which total Federal awards expended exceed $100 million but are less than or equal to $10 billion.

(iii) $30 million or 15 hundredths of one percent (.0015) of total Federal awards expended in the case of an auditee for which total Federal awards expended exceed $10 billion.

(2) Federal programs not labeled Type A under paragraph (b)(1) of this section shall be labeled Type B programs.

(3) The inclusion of large loan and loan guarantees (loans) should not result in the exclusion of other programs as Type A programs. When a Federal program providing loans significantly affects the number or size of Type A programs, the auditor shall consider this Federal program as a Type A program and exclude its values in determining other Type A programs.

(4) For biennial audits permitted under $3052.220, the determination of Type A and Type B programs shall be based upon the Federal awards expended during the two-year period.

(c) Step 2. (1) The auditor shall identify Type A programs which are lowrisk. For a Type A program to be considered low-risk, it shall have been audited as a major program in at least one of the two most recent audit periods (in the most recent audit period in the case of a biennial audit), and, in the most recent audit period, it shall have had no audit findings under §3052.510(a). However, the auditor may use judgment and consider that audit findings from questioned costs under § 3052.510(a)(3) and §3052.510(a)(4), fraud under §3052.510(a)(6), and audit followup for the summary schedule of prior audit findings under §3052.510(a)(7) do not preclude the Type A program from

being low-risk. The auditor shall consider: the criteria in § 3052.525(c), § 3052.525(d)(1), § 3052.525(d)(2), and § 3052.525(d)(3); the results of audit follow-up; whether any changes in personnel or systems affecting a Type A program have significantly increased risk; and apply professional judgment in determining whether a Type A program is low-risk.

(2) Notwithstanding paragraph (c)(1) of this section, OMB may approve a Federal awarding agency's request that a Type A program at certain recipients may not be considered low-risk. For example, it may be necessary for a large Type A program to be audited as major each year at particular recipients to allow the Federal agency to comply with the Government Management Reform Act of 1994 (31 U.S.C. 3515). The Federal agency shall notify the recipient and, if known, the auditor at least 180 days prior to the end of the fiscal year to be audited of OMB's approval.

(d) Step 3. (1) The auditor shall identify Type B programs which are highrisk using professional judgment and the criteria in §3052.525. However, should the auditor select Option 2 under Step 4 (paragraph (e)(2)(i)(B) of this section), the auditor is not required to identify more high-risk Type B programs than the number of lowrisk Type A programs. Except for known reportable conditions in internal control or compliance problems as discussed §3052.525(b)(1),

in

§ 3052.525(b)(2), and §3052.525(c)(1), a single criteria in §3052.525 would seldom cause a Type B program to be considered high-risk.

(2) The auditor is not expected to perform risk assessments on relatively small Federal programs. Therefore, the auditor is only required to perform risk assessments on Type B programs that exceed the larger of:

(i) $100,000 or three-tenths of one percent (.003) of total Federal awards expended when the auditee has less than or equal to $100 million in total Federal awards expended.

(ii) $300,000 or three-hundredths of one percent (.0003) of total Federal awards expended when the auditee has more than $100 million in total Federal awards expended.

(e) Step 4. At a minimum, the auditor shall audit all of the following as major programs:

(1) All Type A programs, except the auditor may exclude any Type A programs identified as low-risk under Step 2 (paragraph (c)(1) of this section).

(2)(i) High-risk Type B programs as identified under either of the following two options:

(A) Option 1. At least one half of the Type B programs identified as highrisk under Step 3 (paragraph (d) of this section), except this paragraph (e)(2)(1)(A) does not require the auditor to audit more high-risk Type B programs than the number of low-risk Type A programs identified as low-risk under Step 2.

(B) Option 2. One high-risk Type B program for each Type A program identified as low-risk under Step 2.

(ii) When identifying which high-risk Type B programs to audit as major under either Option 1 or 2 in paragraph (e)(2)(i) (A) or (B), the auditor is encouraged to use an approach which provides an opportunity for different highrisk Type B programs to be audited as major over a period of time.

(3) Such additional programs as may be necessary to comply with the percentage of coverage rule discussed in paragraph (f) of this section. This paragraph (e)(3) may require the auditor to audit more programs as major than the number of Type A programs.

(f) Percentage of coverage rule. The auditor shall audit as major programs Federal programs with Federal awards expended that, in the aggregate, encompass at least 50 percent of total Federal awards expended. If the auditee meets the criteria in §3052.530 for a low-risk auditee, the auditor need only audit as major programs Federal programs with Federal awards expended that, in the aggregate, encompass at least 25 percent of total Federal awards expended.

(g) Documentation of risk. The auditor shall document in the working papers the risk analysis process used in determining major programs.

(h) Auditor's judgment. When the major program determination was performed and documented in accordance with this part, the auditor's judgment in applying the risk-based approach to

determine major programs shall be presumed correct. Challenges by Federal agencies and pass-through entities shall only be for clearly improper use of the guidance in this part. However, Federal agencies and pass-through entities may provide auditors guidance about the risk of a particular Federal program and the auditor shall consider this guidance in determining major programs in audits not yet completed.

(i) Deviation from use of risk criteria. For first-year audits, the auditor may elect to determine major programs as all Type A programs plus any Type B programs as necessary to meet the percentage of coverage rule discussed in paragraph (f) of this section. Under this option, the auditor would not be required to perform the procedures discussed in paragraphs (c), (d), and (e) of this section.

(1) A first-year audit is the first year the entity is audited under this part or the first year of a change of auditors.

(2) To ensure that a frequent change of auditors would not preclude audit of high-risk Type B programs, this election for first-year audits may not be used by an auditee more than once in every three years.

§ 3052.525 Criteria for Federal program risk.

(a) General. The auditor's determination should be based on an overall evaluation of the risk of noncompliance occurring which could be material to the Federal program. The auditor shall use auditor judgment and consider criteria, such as described in paragraphs (b), (c), and (d) of this section, to identify risk in Federal programs. Also, as part of the risk analysis, the auditor may wish to discuss a particular Federal program with auditee management and the Federal agency or pass-through entity.

(b) Current and prior audit experience. (1) Weaknesses in internal control over Federal programs would indicate higher risk. Consideration should be given to the control environment over Federal programs and such factors as the expectation of management's adherence to applicable laws and regulations and the provisions of contracts and grant agreements and the competence and experience of personnel who administer the Federal programs.