(a) General. The auditor shall use a risk-based approach to determine which Federal programs are major programs. This risk-based approach shall include consideration of: Current and prior audit experience, oversight by Federal agencies and pass-through entities, and the inherent risk of the Federal program. The process in paragraphs (b) through (i) of this section shall be followed.
(b) Step 1. (1) The auditor shall identify the larger Federal programs, which shall be labeled Type A programs. Type A programs are defined as Federal programs with Federal awards expended during the audit period exceeding the larger of:
(i) $300,000 (or $500,000 for fiscal years ending after December 31, 2003) or three percent (.03) of total Federal awards expended in the case of an auditee for which total Federal awards expended equal or exceed $300,000 but are less than or equal to $100 million.
(ii) $3 million or three-tenths of one percent (.003) of total Federal awards expended in the case of an auditee for which total Federal awards expended exceed $100 million but are less than or equal to $10 billion.
(iii) $30 million or 15 hundredths of one percent (.0015) of total Federal awards expended in the case of an auditee for which total Federal awards expended exceed $10 billion.
(2) Federal programs not labeled Type A under paragraph (b)(1) of this section shall be labeled Type B programs.
(3) The inclusion of large loan and loan guarantees (loans) should not result in the exclusion of other programs as Type A programs. When a Federal program providing loans significantly affects the number or size of Type A programs, the auditor shall consider this Federal program as a Type A program and exclude its values in determining other Type A programs.
(4) For biennial audits permitted under § 99.220, the determination of Type A and Type B programs shall be based upon the Federal awards expended during the two-year period.
(c) Step 2. (1) The auditor shall identify Type A programs which are low-risk. For a Type A program to be considered low-risk, it shall have been audited as a major program in at least one of the two most recent audit periods (in the most recent audit period in the case of a biennial audit), and, in the most recent audit period, it shall have had no audit findings under § 99.510(a). However, the auditor may use judgment and consider that audit findings from questioned costs under § 99.510(a)(3) and § 99.510(a)(4), fraud under § 99.510(a)(6), and audit follow-up for the summary schedule of prior audit findings under § 99.510(a)(7) do not preclude the Type A program from being low-risk. The auditor shall consider: the criteria in § 99.525(c), § 99.525(d)(1), § 99.525(d)(2), and § 99.525(d)(3); the results of audit follow-up; whether any changes in personnel or systems affecting a Type A program have significantly increased risk; and apply professional judgment in determining whether a Type A program is low-risk.
(2) Notwithstanding paragraph (c)(1) of this section, OMB may approve a Federal awarding agency's request that a Type A program at certain recipients may not be considered low-risk. For example, it may be necessary for a large Type A program to be audited as major each year at particular recipients to allow the Federal agency to comply with the Government Management Reform Act of 1994 (31 U.S.C. 3515). The Federal agency shall notify the recipient and, if known, the auditor at least 180 days prior to the end of the fiscal year to be audited of OMB's approval.
(d) Step 3. (1) The auditor shall identify Type B programs which are high-risk using professional judgment and the criteria in § 99.525. However, should the auditor select Option 2 under Step 4 (paragraph (e)(2)(i)(B) of this section), the auditor is not required to identify more high-risk Type B programs than the number of low-risk Type A programs. Except for known reportable conditions in internal control or compliance problems as discussed in § 99.525(b)(1), § 99.525(b)(2), and § 99.525(c)(1), a single criteria in § 99.525 would seldom cause a Type B program to be considered high-risk.
(2) The auditor is not expected to perform risk assessments on relatively small Federal programs. Therefore, the auditor is only required to perform risk assessments on Type B programs that exceed the larger of:
(i) $100,000 or three-tenths of one percent (.003) of total Federal awards expended when the auditee has less than or equal to $100 million in total Federal awards expended.
(ii) $300,000 (or $500,000 for fiscal years ending after December 31, 2003) or three-hundredths of one percent (.0003) of total Federal awards expended when the auditee has more than $100 million in total Federal awards expended.
(e) Step 4. At a minimum, the auditor shall audit all of the following as major programs:
(1) All Type A programs, except the auditor may exclude any Type A programs identified as low-risk under Step 2 (paragraph (c)(1) of this section).
(2)(i) High-risk Type B programs as identified under either of the following two options:
(A) Option 1. At least one half of the Type B programs identified as high-risk under Step 3 (paragraph (d) of this section), except this paragraph (e)(2)(i)(A) does not require the auditor to audit more high-risk Type B programs than the number of low-risk Type A programs identified as low-risk under Step 2.
(B) Option 2. One high-risk Type B program for each Type A program identified as low-risk under Step 2.
(ii) When identifying which high-risk Type B programs to audit as major under either Option 1 or 2 in paragraph (e)(2)(i)(A) or (B), the auditor is encouraged to use an approach which provides an opportunity for different high-risk Type B programs to be audited as major over a period of time.
(3) Such additional programs as may be necessary to comply with the percentage of coverage rule discussed in paragraph (f) of this section. This paragraph (e)(3) may require the auditor to audit more programs as major than the number of Type A programs.
(f) Percentage of coverage rule. The auditor shall audit as major programs Federal programs with Federal awards expended that, in the aggregate, encompass at least 50 percent of total Federal awards expended. If the auditee meets the criteria in § 99.530 for a low-risk auditee, the auditor need only audit as major programs Federal programs with Federal awards expended that, in the aggregate, encompass at least 25 percent of total Federal awards expended.
(g) Documentation of risk. The auditor shall document in the working papers the risk analysis process used in determining major programs.
(h) Auditor's judgment. When the major program determination was performed and documented in accordance with this part, the auditor's judgment in applying the risk-based approach to determine major programs shall be presumed correct. Challenges by Federal agencies and pass-through entities shall only be for clearly improper use of the guidance in this part. However, Federal agencies and pass-through entities may provide auditors guidance about the risk of a particular Federal program and the auditor shall consider this guidance in determining major programs in audits not yet completed.
(i) Deviation from use of risk criteria. For first-year audits, the auditor may elect to determine major programs as all Type A programs plus any Type B programs as necessary to meet the percentage of coverage rule discussed in paragraph (f) of this section. Under this option, the auditor would not be required to perform the procedures discussed in paragraphs (c), (d), and (e) of this section.
(1) A first-year audit is the first year the entity is audited under this part or the first year of a change of auditors.
(2) To ensure that a frequent change of auditors would not preclude audit of high-risk Type B programs, this election for first-year audits may not be used by an auditee more than once in every three years.
[64 FR 14541, Mar. 25, 1999, as amended at 72 FR 37105, July 9, 2007]