The first time a development director realizes their organization has crossed into single audit territory, it usually isn't a regulator who delivers the news. It's the CFO, sitting in a board meeting in October, doing back-of-the-envelope math on a federally-funded contract that came in larger than expected, plus a pass-through state grant nobody flagged as originating from a federal source, plus a year-end FEMA reimbursement nobody planned around. Suddenly the entity has expended just over $1 million in federal awards in a single fiscal year, and the standard financial statement audit they've always had isn't enough anymore.
A single audit—formally known as a Subpart F audit under Title 2 of the Code of Federal Regulations Part 200—is a different animal from the routine financial statement audit a nonprofit or local government typically files. It's a compliance audit that tests whether federal money was spent the way Congress and the awarding agencies required, and it can be triggered without anyone signing up for it. Crossing the threshold is involuntary. Failing to comply is expensive.
This is the practical guide every controller, executive director, and finance committee chair should read before fiscal year end.
What a Single Audit Actually Is
A single audit combines two things into one engagement:
- An audit of the entity's financial statements in accordance with Generally Accepted Government Auditing Standards (GAGAS, the "Yellow Book").
- An audit of compliance with the requirements applicable to each federal program the entity participated in during the year.
It exists because before the Single Audit Act of 1984, every federal agency could demand its own audit of every program it funded. A nonprofit drawing from four federal agencies might face four separate audits, each duplicating work. The single audit consolidated that into one efficient engagement, designed to satisfy every federal funder simultaneously. The Uniform Guidance under 2 CFR Part 200 governs how it works today, including the audit requirements in Subpart F.
The output is a reporting package containing:
- Audited financial statements and the Schedule of Expenditures of Federal Awards (SEFA)
- The independent auditor's opinion on the financial statements and on internal control over financial reporting
- The auditor's report on compliance for each major program
- The schedule of findings and questioned costs
- A summary schedule of prior audit findings showing the status of corrective actions
- A corrective action plan signed by management
All of this gets submitted electronically to the Federal Audit Clearinghouse (FAC), where it becomes a public record that every federal awarding agency, pass-through entity, and grantmaker reviewing future applications can pull up.
The New $1 Million Threshold and Why It Matters
The single audit threshold sat at $750,000 of federal expenditures for years. On October 1, 2024, the Office of Management and Budget revised 2 CFR Part 200 and raised it to $1,000,000 in federal awards expended in a single fiscal year. The change applies to audits for periods beginning on or after October 1, 2024, so most non-federal entities are first feeling its effects in audits of fiscal years ending September 30, 2025, and later. Calendar-year entities saw the first impact with their 2025 audit, and fiscal years ending June 30, 2026, are now within scope.
A few mechanics that trip people up:
- "Expended," not "received." The threshold is based on what your organization spent during the fiscal year, not what was awarded, drawn down, or accrued for cash purposes. Loan programs, loan guarantees, and noncash assistance like donated commodities have their own rules under 2 CFR 200.502 for how to compute expenditures.
- Federal pass-through dollars still count. A state department of education grant to a school district may be funded entirely by federal money. The school district reports those expenditures under the federal award number, not the state's. This is one of the most common SEFA errors in single audits.
- Multiple programs aggregate. The threshold is the total of all federal awards expended, summed across every program from every federal source.
- Same threshold, same rules, regardless of entity type. Nonprofits, state and local governments, tribal governments, institutions of higher education, and for-profit subrecipients (where applicable) are all subject to the same $1 million bright line.
If you're under $1 million but over a smaller program-specific threshold, you may still face a program-specific audit instead of a full single audit, but the principle is the same: federal money triggers federal compliance testing.
SEFA: The Document Everything Else Hangs On
The Schedule of Expenditures of Federal Awards is the single most important deliverable in a single audit. The auditor uses it to determine which programs to test, the federal government uses it to monitor compliance, and errors in it are themselves among the most common audit findings.
A complete SEFA includes, for every federal program:
- The federal awarding agency name
- The pass-through entity name, if applicable
- The federal Assistance Listing Number (ALN, formerly the CFDA number)
- The federal award identification number and year
- The total federal awards expended during the period
- The amount passed through to subrecipients
- Any clusters of programs aggregated under a single cluster name (research and development, student financial assistance, etc.)
- A required notes section disclosing the basis of accounting, indirect cost rates used, and de minimis rate elections
A SEFA that omits federal pass-through dollars is the most frequent material weakness. Programs originating from a federal agency but received from a state, county, or other pass-through entity must appear under the original federal program. The pass-through entity is required by 2 CFR 200.332 to identify the federal source and ALN when it issues a subaward, but in practice the subrecipient often has to chase that information down. Don't rely on the grant award letter alone—if the dollars touch federal hands at any point, dig until you confirm the ALN.
How the Auditor Picks Which Programs to Audit
You will not be tested on every federal program in your SEFA. The auditor uses a four-step risk-based major program determination under 2 CFR 200.518 to decide which programs receive detailed compliance testing. Understanding this process is the difference between bracing for one focused review and bracing for the wrong one.
Step 1: Identify Type A Programs
A Type A program is a large program by dollar amount. For entities with total federal expenditures between $1 million and roughly $34 million, the Type A threshold is generally the greater of $1,000,000 or three percent of total federal awards expended, but the exact cutoffs scale up with total expenditures and are set in the regulation. Anything below the threshold is a Type B program.
Step 2: Assess Type A Programs for Low Risk
The auditor evaluates each Type A program against specific criteria. A Type A program is considered high-risk and must be audited if, in the most recent audit period, it was:
- Identified with a material weakness in internal control over compliance
- Reported with a modified opinion on compliance
- Found with known or likely questioned costs exceeding 5 percent of the federal expenditures for that program
A Type A program that doesn't trip any of those wires can be assessed as low-risk and skipped this cycle—but no Type A program can be considered low-risk if it hasn't been audited as a major program in at least one of the two most recent audit periods.
Step 3: Identify High-Risk Type B Programs
The auditor performs risk assessments on Type B programs, but only those that exceed 25 percent of the Type A threshold. If all Type B programs sit below that floor, none get assessed. For those above, the auditor weighs current and prior experience, complexity, federal monitoring, prior findings, and inherent program risk.
Step 4: Audit Until the Coverage Rule Is Met
The auditor must audit enough programs to cover a percentage of total federal awards expended:
- 40 percent of total federal expenditures for non-low-risk auditees
- 20 percent of total federal expenditures for low-risk auditees
To qualify as a low-risk auditee, the entity must have filed single audits on time for the prior two years with unmodified opinions, no material weaknesses, and questioned costs below specific thresholds. Low-risk status cuts the scope of compliance testing roughly in half. It's worth pursuing.
The Compliance Supplement: Your Audit Playbook
Every year, OMB issues the Compliance Supplement, a several-thousand-page document that tells auditors exactly what to test for each federal program. It identifies up to twelve compliance requirements that may apply, the most consequential being:
- Activities Allowed or Unallowed — Did the spending fit the program's purpose?
- Allowable Costs / Cost Principles — Did expenditures comply with the cost principles in 2 CFR 200 Subpart E?
- Cash Management — Was the time between draw-down and disbursement minimized?
- Eligibility — Were beneficiaries eligible for the program?
- Equipment and Real Property Management — Were federally-funded assets properly tracked, used, and disposed of?
- Matching, Level of Effort, Earmarking — Were cost-share requirements met?
- Period of Performance — Were costs incurred only within the allowable period?
- Procurement and Suspension/Debarment — Were vendors competitively selected and screened against the federal exclusion list?
- Program Income — Was income earned from the program properly accounted for?
- Reporting — Were required financial and performance reports filed accurately and on time?
- Subrecipient Monitoring — Did the primary recipient monitor pass-through awards?
- Special Tests and Provisions — Program-specific requirements unique to the award.
The Compliance Supplement specifies which of these apply to each program by ALN. Reading the relevant section before the audit—not during—is one of the highest-leverage things finance teams can do. It tells you exactly what evidence the auditor will request.
Where Single Audits Most Often Go Wrong
After years of FAC data and practitioner observation, the same handful of findings recur:
Procurement documentation. A vendor contract above the entity's procurement threshold was awarded without evidence of competition, or without checking SAM.gov to confirm the vendor isn't suspended or debarred. The fix is a centralized procurement function, written thresholds and procedures, mandatory SAM.gov screening for any vendor receiving federal dollars, and documentation retained for the entire period required.
Time and effort certification. Employees splitting time across multiple federal awards (or between federal and non-federal funds) without a methodology that allocates payroll based on actual time worked. 2 CFR 200.430 sets out the requirements; the typical fix is monthly personnel activity reports certified by the employee and a supervisor.
Subrecipient monitoring. Funds were passed through to a subaward, and the primary recipient never conducted a risk assessment, never reviewed the subrecipient's single audit (or confirmed they were under the threshold), and never followed up on findings. The remedy is a formal subrecipient monitoring policy with risk-tiered procedures, an annual risk assessment for each active subrecipient, and documented review of each subrecipient audit report.
SEFA completeness. Federal pass-through dollars omitted entirely, or reported under the state grant identifier instead of the federal ALN. This is typically a material weakness because the SEFA is the foundation of the audit.
Late or inaccurate reporting. Federal Financial Reports (SF-425), performance reports, or other deliverables filed late, with inconsistencies between the reports and the general ledger, or without supervisory review.
Cash management. Cash drawn down well before disbursement, leaving large federal cash balances earning interest that should have been returned. The fix is to draw down only as funds are needed for immediate disbursement and to remit any excess interest annually.
A single finding usually comes with a questioned cost—an amount of expenditure the auditor identifies as potentially unallowable. Questioned costs above $25,000 must be reported to the federal awarding agency, which may then sustain the disallowance and demand the money back.
The Reporting Package and the Nine-Month Clock
Once the audit is complete, you have a deadline that is not negotiable in most cases. Under 2 CFR 200.512, the audit reporting package must be submitted to the Federal Audit Clearinghouse by the earlier of:
- 30 calendar days after receipt of the auditor's report, or
- Nine months after the end of the audit period.
For a June 30 fiscal year, that means a March 31 hard deadline. For a September 30 fiscal year, June 30. Missing it has consequences: the entity loses its low-risk auditee status, which inflates the scope of next year's audit; federal awarding agencies may withhold reimbursements or place the entity on a high-risk monitoring list; and pass-through entities may suspend payments.
Submission is fully electronic through the GSA-administered Federal Audit Clearinghouse (the FAC moved from the Census Bureau to GSA in October 2023). The reporting package and a data collection form, signed by both the auditor and a designated representative of the auditee, must both be submitted. The package becomes a public record.
A federal cognizant or oversight agency may grant an extension under revised 2 CFR § 200.512(a)(2) where the nine-month deadline would create an undue burden, but the bar is high and extensions are not granted retroactively. Plan as if the deadline is firm.
Becoming a Low-Risk Auditee: The Payoff for Discipline
Qualifying as a low-risk auditee cuts the percentage of federal expenditures the auditor must cover from 40 percent down to 20 percent, materially reducing audit hours and fees. To qualify, the entity must have, in each of the preceding two audit periods:
- Filed the single audit and submitted the package on time
- Received unmodified opinions on both the financial statements and on the SEFA
- No material weaknesses in internal control over financial reporting
- No material weaknesses or significant deficiencies in internal control over compliance for any major program
- No going concern doubt
- Questioned costs below 5 percent of total federal expenditures
The discipline required is essentially the discipline of any well-run nonprofit or local government: clean books, well-documented procurement, written policies, and timely reporting. The reward is roughly half the audit scope every year you maintain it. The penalty for losing it is more than just one bad year—it takes two clean cycles to win it back.
A Twelve-Month Calendar to Land the Audit Cleanly
For organizations new to the single audit, or those who scraped through last year and don't want to repeat the experience, here's the cadence that works.
Three months before fiscal year end. Project total federal expenditures. If you're approaching or have crossed $1 million, alert the audit committee and the auditor. Confirm your auditor is independent (Yellow Book independence rules are stricter than AICPA standards) and that they have single audit experience. Smaller firms sometimes don't, and the wrong choice creates findings.
Fiscal year end. Draft the SEFA in parallel with closing the books. Reconcile federal expenditures to the general ledger by ALN. Identify every federal pass-through and confirm the ALN with the pass-through entity in writing.
Two months after fiscal year end. Pull the Compliance Supplement sections for each program likely to be a major program. Build a binder—physical or digital—of the evidence the auditor will request: procurement files, time and effort documentation, subrecipient agreements and monitoring reports, drawdown reconciliations, federal financial reports.
Audit fieldwork (typically four to six months after year end). The audit team will test the major programs they selected using the risk-based determination above. Be responsive. Document corrective actions for any prior-year findings before fieldwork begins so the prior-year finding can be reported as resolved.
Reporting package and FAC submission. Sign the data collection form, finalize the corrective action plan, and submit within the nine-month window. Calendar the deadline twice: at six months and at eight months.
The full year between audits. Treat compliance as a continuous control, not an annual scramble. Review procurement, subrecipient files, and time and effort each quarter. If something will be a finding, it's better to identify and fix it before the auditor arrives.
Keep Your Federal Award Books Clean from Day One
Single audits live and die on the quality of your bookkeeping. Every federal expenditure has to be traceable from the SEFA back to the source document—the invoice, the timesheet, the receiving report—and an auditor can ask for that trail for any transaction. Organizations that treat their accounting records as a defensible, version-controlled archive go into single audits with confidence; those that treat them as a black box pay for it in findings, questioned costs, and lost low-risk status.
Beancount.io offers plain-text accounting that gives nonprofits, governments, and federal contractors complete transparency and control over their financial data—every transaction is human-readable, every change is versioned, and nothing is locked away in a vendor's proprietary database. When a federal auditor or pass-through entity asks for documentation, you can produce it in seconds. Get started for free and build a federal award record that makes your next single audit a routine event instead of a fire drill. Pair it with the Fava dashboard to surface SEFA-ready balances by program and ALN throughout the year.