(a) General. The auditor's determination should be based on an overall evaluation of the risk of noncompliance occurring which could be material to the Federal program. The auditor shall use auditor judgment and consider criteria, such as described in paragraphs (b), (c), and (d) of this section, to identify risk in Federal programs. Also, as part of the risk analysis, the auditor may wish to discuss a particular Federal program with auditee management and the Federal agency or pass-through entity.
(b) Current and prior audit experience. (1) Weaknesses in internal control over Federal programs would indicate higher risk. Consideration should be given to the control environment over Federal programs and such factors as the expectation of management's adherence to applicable laws and regulations and the provisions of contracts and grant agreements and the competence and experience of personnel who administer the Federal programs.
(i) A Federal program administered under multiple internal control structures may have higher risk. When assessing risk in a large single audit, the auditor shall consider whether weaknesses are isolated in a single operating unit (e.g., one college campus) or pervasive throughout the entity.
(ii) When significant parts of a Federal program are passed through to subrecipients, a weak system for monitoring subrecipients would indicate higher risk.
(iii) The extent to which computer processing is used to administer Federal programs, as well as the complexity of that processing, should be considered by the auditor in assessing risk. New and recently modified computer systems may also indicate risk.
(2) Prior audit findings would indicate higher risk, particularly when the situations identified in the audit findings could have a significant impact on a Federal program or have not been corrected.
(3) Federal programs not recently audited as major programs may be of higher risk than Federal programs recently audited as major programs without audit findings.
(c) Oversight exercised by Federal agencies and pass-through entities. (1) Oversight exercised by Federal agencies or pass-through entities could indicate risk. For example, recent monitoring or other reviews performed by an oversight entity which disclosed no significant problems would indicate lower risk. However, monitoring which disclosed significant problems would indicate higher risk.
(2) Federal agencies, with the concurrence of OMB, may identify Federal programs which are higher risk. The OMB plans to provide this identification in the compliance supplement.
(d) Inherent risk of the Federal program. (1) The nature of a Federal program may indicate risk. Consideration should be given to the complexity of the program and the extent to which the Federal program contracts for goods and services. For example, Federal programs that disburse funds through third party contracts or have eligibility criteria may be of higher risk. Federal programs primarily involving staff payroll costs may have a high-risk for time and effort reporting, but otherwise be at low-risk.
(2) The phase of a Federal program in its life cycle at the Federal agency may indicate risk. For example, a new Federal program with new or interim regulations may have higher risk than an established program with time-tested regulations. Also, significant changes in Federal programs, laws, regulations, or the provisions of contracts or grant agreements may increase risk.
(3) The phase of a Federal program in its life cycle at the auditee may indicate risk. For example, during the first and last years that an auditee participates in a Federal program, the risk may be higher due to start-up or closeout of program activities and staff.
(4) Type B programs with larger Federal awards expended would be of higher risk than programs with substantially smaller Federal awards expended.