(a) General. The auditor must use a risk-based approach to determine which Federal programs are major programs. This risk-based approach must include consideration of: Current and prior audit experience, oversight by Federal agencies and pass-through entities, and the inherent risk of the Federal this program. The process in paragraphs (b) through (h) of this section must be followed.
(b) Step one.
(1) The auditor must identify the larger Federal programs, which must be labeled Type A programs. Type A programs are defined as Federal programs with Federal awards expended during the audit period exceeding the levels outlined in the table in this paragraph (b)(1):
Total Federal awards expended | Type A/B threshold |
---|---|
(i) Equal to or exceed $750,000 but less than or equal to $25 million | $750,000. |
(ii) Exceed $25 million but less than or equal to $100 million | Total Federal awards expended times .03. |
(iii) Exceed $100 million but less than or equal to $1 billion | $3 million. |
(iv) Exceed $1 billion but less than or equal to $10 billion | Total Federal awards expended times .003. |
(v) Exceed $10 billion but less than or equal to $20 billion | $30 million. |
(vi) Exceed $20 billion | Total Federal awards expended times .0015. |
(2) Federal programs not labeled Type A under paragraph (b)(1) of this section must be labeled Type B programs.
(3) The inclusion of large loan and loan guarantees (loans) must not result in the exclusion of other programs as Type A programs. When a Federal program providing loans exceeds four times the largest non-loan program it is considered a large loan program, and the auditor must consider this Federal program as a Type A program and exclude its values in determining other Type A programs. This recalculation of the Type A program is performed after removing the total of all large loan programs. For the purposes of this paragraph a program is only considered to be a Federal program providing loans if the value of Federal awards expended for loans within the program comprises fifty percent or more of the total Federal awards expended for the program. A cluster of programs is treated as one program and the value of Federal awards expended under a loan program is determined as described in § 75.502.
(4) For biennial audits permitted under § 75.504, the determination of Type A and Type B programs must be based upon the Federal awards expended during the two-year period.
(c) Step two.
(1) The auditor must identify Type A programs which are low-risk. In making this determination, the auditor must consider whether the requirements in § 75.519(c), the results of audit follow-up, or any changes in personnel or systems affecting the program indicate significantly increased risk and preclude the program from being low risk. For a Type A program to be considered low-risk, it must have been audited as a major program in at least one of the two most recent audit periods (in the most recent audit period in the case of a biennial audit), and, in the most recent audit period, the program must have not had:
(i) Internal control deficiencies which were identified as material weaknesses in the auditor's report on internal control for major programs as required under § 75.515(c);
(ii) A modified opinion on the program in the auditor's report on major programs as required under § 75.515(c); or
(iii) Known or likely questioned costs that exceed five percent of the total Federal awards expended for the program.
(2) Notwithstanding paragraph (c)(1) of this section, OMB may approve an HHS awarding agency's request that a Type A program may not be considered low risk for a certain recipient. For example, it may be necessary for a large Type A program to be audited as a major program each year at a particular recipient to allow the HHS awarding agency to comply with 31 U.S.C. 3515. The HHS awarding agency must notify the recipient and, if known, the auditor of OMB's approval at least 180 calendar days prior to the end of the fiscal year to be audited.
(d) Step three.
(1) The auditor must identify Type B programs which are high-risk using professional judgment and the criteria in § 75.519. However, the auditor is not required to identify more high-risk Type B programs than at least one fourth the number of low-risk Type A programs identified as low-risk under Step 2 (paragraph (c) of this section). Except for known material weakness in internal control or compliance problems as discussed in § 75.519(b)(1), (b)(2), and (c)(1), a single criteria in risk would seldom cause a Type B program to be considered high-risk. When identifying which Type B programs to risk assess, the auditor is encouraged to use an approach which provides an opportunity for different high-risk Type B programs to be audited as major over a period of time.
(2) The auditor is not expected to perform risk assessments on relatively small Federal programs. Therefore, the auditor is only required to perform risk assessments on Type B programs that exceed twenty-five percent (0.25) of the Type A threshold determined in Step 1 (paragraph (b) of this section).
(e) Step four. At a minimum, the auditor must audit all of the following as major programs:
(1) All Type A programs not identified as low risk under step two (paragraph (c)(1) of this section).
(2) All Type B programs identified as high-risk under step three (paragraph (d) of this section).
(3) Such additional programs as may be necessary to comply with the percentage of coverage rule discussed in paragraph (f) of this section. This may require the auditor to audit more programs as major programs than the number of Type A programs.
(f) Percentage of coverage rule. If the auditee meets the criteria in § 75.520, the auditor need only audit the major programs identified in Step 4 (paragraph (e)(1) and (2) of this section) and such additional Federal programs with Federal awards expended that, in aggregate, all major programs encompass at least 20 percent (0.20) of total Federal awards expended. Otherwise, the auditor must audit the major programs identified in Step 4 (paragraphs (e)(1) and (2) of this section) and such additional Federal programs with Federal awards expended that, in aggregate, all major programs encompass at least 40 percent (0.40) of total Federal awards expended.
(g) Documentation of risk. The auditor must include in the audit documentation the risk analysis process used in determining major programs.
(h) Auditor's judgment. When the major program determination was performed and documented in accordance with this subpart, the auditor's judgment in applying the risk-based approach to determine major programs must be presumed correct. Challenges by Federal agencies and pass-through entities must only be for clearly improper use of the requirements in this part. However, Federal agencies and pass-through entities may provide auditors guidance about the risk of a particular Federal program and the auditor must consider this guidance in determining major programs in audits not yet completed.