Imagine your community health clinic just had a record year. A pandemic-era HRSA grant, a USDA nutrition program, and a HUD Continuum of Care award pushed your total federal spending past $1.2 million for the first time. Your board is celebrating—and then your auditor mentions, almost casually, that next year's audit will cost three times as much, take twice as long, and require you to prepare a document most of your staff has never heard of.
Welcome to the Single Audit.
For most organizations, crossing the federal funding threshold is invisible until the audit shows up. By then it's too late to redesign your chart of accounts, build out a Schedule of Expenditures of Federal Awards, or train staff on the dozen compliance areas an auditor is about to test. This guide walks through exactly what triggers a Single Audit, what auditors look at, and how to avoid the findings that have a habit of multiplying year over year.
What Is the Single Audit Act, and Why Does It Exist?
The federal government distributes hundreds of billions of dollars each year to state and local governments, tribal entities, universities, and nonprofits. Most of that money flows out the door as grants and cooperative agreements with strings attached: cost principles, eligibility rules, reporting deadlines, and procurement requirements.
Before 1984, each federal agency audited its own grants individually. A single university might be audited fifteen separate times by fifteen different agencies in a year—each audit looking at a different program, none of them looking at the entity as a whole. The Single Audit Act consolidated all that into one organization-wide audit that satisfies every federal funder at once.
Today, the rules live in Title 2 of the Code of Federal Regulations, Part 200—commonly called the "Uniform Guidance." Subpart F sets the audit requirements, and the Office of Management and Budget (OMB) publishes an annual Compliance Supplement that tells auditors what to test for each federal program.
The $1 Million Threshold: A Major 2024 Change Most Organizations Missed
The threshold that triggers a Single Audit just changed. For decades, any non-federal entity that expended $750,000 or more in federal awards during its fiscal year was required to have a Single Audit. OMB raised that threshold to $1,000,000 for audits covering fiscal years beginning on or after October 1, 2024.
If your fiscal year ends June 30, your first audit under the new threshold covers the year ending June 30, 2026. Calendar-year organizations got there a year earlier.
A few clarifications that trip up organizations every year:
- The threshold counts expenditures, not receipts. If you received a $2 million federal grant in March but spent only $400,000 by your fiscal year-end, you have $400,000 in federal expenditures. The unspent $1.6 million carries forward and counts when you spend it.
- Aggregate across all federal sources. Two $600,000 grants from two different agencies put you over the threshold even though no single award reaches $1 million.
- Pass-through funds count. Money you receive from a state agency that originally came from a federal source counts as federal expenditures for you. The state is the pass-through entity; you are the subrecipient.
- Loan programs are tricky. Federally guaranteed loans and outstanding loan balances often count toward the threshold, and the rules vary by program.
If you're under $1 million in federal expenditures, you may still be subject to a financial statement audit, a state-imposed audit, or a contract-specific audit. But you are not subject to a Single Audit under 2 CFR Part 200.
Single Audit vs. Program-Specific Audit
When an organization expends federal funds under only one program, the Uniform Guidance allows a program-specific audit instead of a full Single Audit. The auditor examines just that one program's compliance and the related schedule of expenditures, rather than the entity's full financial statements and every federal program.
Most organizations don't qualify. As soon as you have grants from two or more federal programs—even from the same agency—you need a Single Audit. The program-specific option is mostly useful for very small organizations with a single grant.
The Schedule of Expenditures of Federal Awards (SEFA): The Audit's Foundation
Every Single Audit starts with the SEFA. This is a schedule, prepared by the auditee (not the auditor), that lists every federal award the organization expended money under during the fiscal year. Auditors test the SEFA against the underlying accounting records and use it to determine which programs to audit in depth.
A complete SEFA includes:
- Federal grantor agency — the cabinet department or independent agency that originally awarded the funds (HHS, USDA, HUD, DOJ, etc.).
- Pass-through entity — if you received the funds through a state, county, or another nonprofit, identify that intermediary.
- Assistance Listing Number (ALN) — the five-digit identifier formerly known as the CFDA number, written as XX.XXX, that categorizes the program (e.g., 14.218 for CDBG).
- Federal award identification number — the grant or contract number.
- Pass-through identifying number — the number the pass-through entity assigned to you.
- Total federal expenditures — for the fiscal year, by program.
- Amounts passed through to subrecipients — if you re-granted funds to other organizations.
- Notes to the schedule — including the basis of accounting, whether you elected the 10% de minimis indirect cost rate, and any noncash assistance like food commodities or vaccines.
Two SEFA pitfalls cause more findings than anything else.
First, recognition timing. SEFA reports federal expenditures, not federal revenue received. If your books recognize revenue when cash arrives but you charged expenses to a federal program on accrual, the SEFA needs to match expenses, not cash receipts. Reconciling SEFA to the general ledger is non-negotiable.
Second, completeness. Federal funds sometimes arrive disguised as state pass-throughs. A state Department of Education grant labeled "Title I" is federal money. A state Medicaid managed-care payment can include federal pass-through dollars. Subrecipients who don't recognize the federal origin of a payment routinely omit it from the SEFA, then get caught when the pass-through entity's audit confirmation arrives.
The auditor isn't supposed to prepare your SEFA. They can review it, suggest corrections, and confirm it ties to your accounting records, but the responsibility for accuracy sits with management. If your auditor builds the SEFA from scratch, that's an independence problem that can disqualify the audit.
How Auditors Decide Which Programs to Audit: The Risk-Based Approach
A Single Audit doesn't test every federal program in depth. With dozens of federal awards, that would be impossibly expensive. Instead, auditors use a four-step risk-based approach to select "major programs" that get full compliance testing.
Step 1: Identify Type A and Type B Programs
Programs are sorted by size. For entities with total federal expenditures under $34 million, Type A programs are those with expenditures above the greater of $1,000,000 or 5% of total federal awards (the floor scales up for larger entities). Everything smaller is Type B.
Step 2: Identify Low-Risk Type A Programs
A Type A program may be considered low-risk only if both of the following are true:
- It was audited as a major program in at least one of the two most recent audit periods.
- In the most recent audit, it had no internal control material weaknesses, no modified opinions on compliance, and no questioned costs material to the program.
Low-risk Type A programs can be skipped this year. High-risk Type A programs must be audited as major programs.
Step 3: Identify High-Risk Type B Programs
For smaller Type B programs, the auditor performs risk assessments and identifies any with elevated risk. The auditor must audit high-risk Type B programs as major programs, in a number at least equal to one-fourth of the number of low-risk Type A programs.
Step 4: Apply the Coverage Rule
Auditors must audit enough major programs that the major programs collectively account for at least:
- 20% of total federal expenditures for low-risk auditees, or
- 40% of total federal expenditures for everyone else.
If steps 1–3 don't get you to the coverage percentage, the auditor adds more programs until they do.
What It Takes to Become a Low-Risk Auditee
The 20% vs. 40% gap is enormous. Doubling the audit's scope doubles your audit fees, your staff burden during fieldwork, and your exposure to findings. Achieving low-risk auditee status is the single biggest cost lever in a Single Audit.
To qualify, all of the following must be true for each of the preceding two audit periods:
- A Single Audit (not a program-specific audit) was performed.
- The reporting package was submitted to the Federal Audit Clearinghouse on time.
- The auditor issued an unmodified opinion on the financial statements.
- The auditor issued an unmodified opinion on the SEFA.
- No Yellow Book material weaknesses were reported.
- No going-concern doubt was raised.
- No Type A programs had material weaknesses, modified opinions, or material questioned costs.
A single late FAC submission or one material weakness disqualifies you for two years. That's why audit-ready organizations treat compliance like a continuous process, not an annual scramble.
The 12 Compliance Areas Auditors Test
For each major program, auditors test compliance with up to 12 categories of requirements. The exact mix depends on which categories are flagged for the program in the OMB Compliance Supplement. The 12 are:
- Activities Allowed or Unallowed — Did you use the funds for the program's authorized purpose?
- Allowable Costs / Cost Principles — Were the costs reasonable, allocable, and consistent with Subpart E of 2 CFR 200?
- Cash Management — If you drew federal cash in advance, did you minimize time between draw and disbursement?
- Eligibility — Did the participants, beneficiaries, or subrecipients meet program eligibility rules?
- Equipment and Real Property Management — Are federally funded assets tracked, insured, and used per program rules?
- Matching, Level of Effort, Earmarking — Did you contribute required non-federal match and hit any earmarked spending floors?
- Period of Performance — Were costs incurred within the grant's start and end dates?
- Procurement, Suspension and Debarment — Did you follow federal procurement standards and check vendors against the SAM exclusions list?
- Program Income — Did you account for and use income generated by the program correctly?
- Reporting — Were financial and performance reports submitted accurately and on time?
- Subrecipient Monitoring — Did you risk-assess, monitor, and follow up on subrecipients?
- Special Tests and Provisions — Program-specific requirements unique to the grant.
Each tested requirement involves walkthroughs of your internal controls, sample testing of transactions, and verification that policies exist and are followed.
The Most Common Single Audit Findings
Across thousands of Single Audits filed annually, the same findings show up year after year:
- Procurement violations. Splitting a purchase to stay under a bidding threshold, failing to document sole-source justification, or not checking SAM.gov before contracting with a vendor.
- Subrecipient monitoring gaps. Many organizations re-grant federal funds to other nonprofits without performing risk assessments, requiring single audits from subrecipients above the threshold, or following up on findings.
- Missing or weak documentation. Time-and-effort certifications for personnel split across funding sources are a perennial problem. So is signed approval of journal entries that move costs between grants.
- Eligibility errors. Wrong income calculation for a low-income housing tenant; incorrect citizenship verification for a workforce program; participation files missing required documentation.
- Late or inaccurate reporting. Federal Financial Reports (SF-425) filed past the due date, or reporting that doesn't tie to the general ledger.
- Cash management failures. Drawing federal funds days or weeks before disbursing them, generating interest the organization should have remitted.
- Cost allocations using oversized cost pools. When you bury small unallowable items inside a large cost pool, the auditor samples one bad item and the entire pool gets questioned.
Most of these failures share a root cause: federal funds were treated like any other revenue source, with no special tracking, no segregated accounts, and no documentation discipline. The cost of catching up at audit time vastly exceeds the cost of doing it right from grant award onward.
Solid Bookkeeping Is the Foundation
Behind every clean Single Audit is a chart of accounts that segregates federal funds by award, by funding source, and by allowable cost category. When an auditor asks for "all expenditures charged to Award No. 2024-XYZ during the period of performance," you should be able to pull that list in minutes—with supporting documentation linked to each line.
The organizations that struggle the most are the ones that commingle federal and non-federal money in a single program code, then try to reconstruct grant-specific expenditures after the fact. The ones that pass cleanly built tracking discipline into their accounting from day one.
Reporting Package and Federal Audit Clearinghouse Submission
Once fieldwork is complete, the auditor produces a reporting package that includes:
- Financial statements and the auditor's opinion on them.
- The SEFA and the auditor's opinion on it.
- A summary schedule of prior audit findings.
- The Yellow Book report on internal control over financial reporting and compliance.
- The Uniform Guidance report on compliance with major program requirements.
- A schedule of findings and questioned costs.
- A corrective action plan prepared by management.
The complete package must be electronically submitted to the Federal Audit Clearinghouse (FAC), now operated by GSA, within the earlier of:
- 30 calendar days after the auditor's report is issued, or
- 9 months after the end of the audited fiscal year.
A calendar-year auditee has until September 30 of the following year. A June 30 fiscal year-end auditee has until March 31. Federal cognizant agencies can grant extensions, but missing the deadline without an extension is grounds for designation as a high-risk auditee, future-year additional testing, and reputational damage with federal funders.
What Happens When Findings Hit the Reporting Package
Every audit finding requires management to prepare a corrective action plan with a specific responsible person, an implementation date, and a description of what changed. Federal awarding agencies review findings and decide whether to:
- Accept the corrective action and close the finding.
- Demand repayment of questioned costs—any unallowable cost exceeding $25,000 must be reported as a questioned cost.
- Impose special conditions on future awards (additional reporting, reimbursement-only funding, pre-approval requirements).
- In severe cases, suspend or debar the organization from future federal funding.
Findings don't disappear after one year. They show up in the next audit's "summary schedule of prior audit findings," and the auditor checks whether your corrective actions worked. Recurring findings are red flags that often lead to special agency monitoring.
Practical Steps to Prepare Before You Cross the Threshold
If you're approaching the $1 million expenditure threshold, the time to prepare is before you cross it, not after.
- Set up grant-specific accounting. Use class tracking, project codes, or restricted fund accounting so every federal dollar is traceable from award to expenditure.
- Document your indirect cost methodology. Either negotiate a federally approved indirect cost rate, elect the 10% de minimis rate, or maintain a clear allocation plan that ties to actual costs.
- Build written policies. Procurement, cash management, conflict of interest, allowable costs, subrecipient monitoring, equipment tracking, travel—federal regulations expect written policies, not just informal practices.
- Train program staff. Federal compliance can't live entirely in finance. Program managers approve expenditures, oversee subrecipients, and certify time and effort.
- Schedule mock audits. Many CPA firms offer compliance readiness reviews before your first Single Audit. The findings are private; the prep time is gold.
- Confirm your auditor's qualifications. Single Audits must be performed by independent auditors qualified under Government Auditing Standards (the "Yellow Book"). Not every CPA firm is qualified.
Keep Your Financial Records Audit-Ready Year-Round
Whether you're a 501(c)(3) approaching the Single Audit threshold or a municipal government with decades of federal awards on the books, the underlying discipline is the same: every federal dollar needs a clear paper trail from award to expenditure, from invoice to general ledger, from journal entry to authorized approver. Beancount.io provides plain-text accounting that makes that trail explicit—every transaction is a line of text, every change is version-controlled, and every report can be reproduced from source data. For organizations that need to prove every entry to a federal auditor, that transparency is exactly the property that turns audit week from a fire drill into a routine.