(a) General. The audit must be conducted in accordance with GAGAS. The audit must cover the entire operations of the auditee, or, at the option of the auditee, such audit must include a series of audits that cover departments, agencies, and other organizational units that expended or otherwise administered Federal awards during such audit period, provided that each such audit must encompass the financial statements and schedule of expenditures of Federal awards for each such department, agency, and other organizational unit, which must be considered to be a non-Federal entity. The financial statements and schedule of expenditures of Federal awards must be for the same audit period.
(b) Financial statements. The auditor must determine whether the financial statements of the auditee are presented fairly in all material respects in accordance with generally accepted accounting principles. The auditor must also determine whether the schedule of expenditures of Federal awards is stated fairly in all material respects in relation to the auditee's financial statements as a whole.
(c) Internal control.
(1) The compliance supplement provides guidance on internal controls over Federal programs based upon the guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States and the Internal Control - Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
(2) In addition to the requirements of GAGAS, the auditor must perform procedures to obtain an understanding of internal control over Federal programs sufficient to plan the audit to support a low assessed level of control risk of noncompliance for major programs.
(3) Except as provided in paragraph (c)(4) of this section, the auditor must:
(i) Plan the testing of internal control over compliance for major programs to support a low assessed level of control risk for the assertions relevant to the compliance requirements for each major program; and
(ii) Perform testing of internal control as planned in paragraph (c)(3)(i) of this section.
(4) When internal control over some or all of the compliance requirements for a major program are likely to be ineffective in preventing or detecting noncompliance, the planning and performing of testing described in paragraph (c)(3) of this section are not required for those compliance requirements. However, the auditor must report a significant deficiency or material weakness in accordance with § 200.516, assess the related control risk at the maximum, and consider whether additional compliance tests are required because of ineffective internal control.
(1) In addition to the requirements of GAGAS, the auditor must determine whether the auditee has complied with Federal statutes, regulations, and the terms and conditions of Federal awards that may have a direct and material effect on each of its major programs.
(2) The principal compliance requirements applicable to most Federal programs and the compliance requirements of the largest Federal programs are included in the compliance supplement.
(3) For the compliance requirements related to Federal programs contained in the compliance supplement, an audit of these compliance requirements will meet the requirements of this part. Where there have been changes to the compliance requirements and the changes are not reflected in the compliance supplement, the auditor must determine the current compliance requirements and modify the audit procedures accordingly. For those Federal programs not covered in the compliance supplement, the auditor must follow the compliance supplement's guidance for programs not included in the supplement.
(4) When internal control over some or all of the compliance requirements for a major program are likely to be ineffective in preventing or detecting noncompliance, the planning and performing of testing described in paragraph (c)(3) of this section are not required for those compliance requirements. However, the auditor must report a significant deficiency or material weakness in accordance with § 200.516, assess the related control risk at the
(e) Audit follow-up. The auditor must follow-up on prior audit findings, perform procedures to assess the reasonableness of the summary schedule of prior audit findings prepared by the auditee in accordance with § 200.511(b), and report, as a current year audit finding, when the auditor concludes that the summary schedule of prior audit findings materially misrepresents the status of any prior audit finding. The auditor must perform audit follow-up procedures regardless of whether a prior audit finding relates to a major program in the current year.
(f) Data collection form. As required in § 200.512(b)(3), the auditor must complete and sign specified sections of the data collection form.