(a) General. The auditor's determination should be based on an overall evaluation of the risk of noncompliance occurring that could be material to the Federal program. The auditor must consider criteria, such as described in paragraphs (b), (c), and (d) of this section, to identify risk in Federal programs. Also, as part of the risk analysis, the auditor may wish to discuss a particular Federal program with auditee management and the Federal agency or pass-through entity.
(b) Current and prior audit experience.
(1) Weaknesses in internal control over Federal programs would indicate higher risk. Consideration should be given to the control environment over Federal programs and such factors as the expectation of management's adherence to Federal statutes, regulations, and the terms and conditions of Federal awards and the competence and experience of personnel who administer the Federal programs.
(i) A Federal program administered under multiple internal control structures may have higher risk. When assessing risk in a large single audit, the auditor must consider whether weaknesses are isolated in a single operating unit (e.g., one college campus) or pervasive throughout the entity.
(ii) When significant parts of a Federal program are passed through to subrecipients, a weak system for monitoring subrecipients would indicate higher risk.
(2) Prior audit findings would indicate higher risk, particularly when the situations identified in the audit findings could have a significant impact on a Federal program or have not been corrected.
(3) Federal programs not recently audited as major programs may be of higher risk than Federal programs recently audited as major programs without audit findings.
(c) Oversight exercised by Federal agencies and pass-through entities.
(1) Oversight exercised by Federal agencies or pass-through entities could be used to assess risk. For example, recent monitoring or other reviews performed by an oversight entity that disclosed no significant problems would indicate lower risk, whereas monitoring that disclosed significant problems would indicate higher risk.
(2) Federal agencies, with the concurrence of OMB, may identify Federal programs that are higher risk. OMB will provide this identification in the compliance supplement.
(d) Inherent risk of the Federal program.
(1) The nature of a Federal program may indicate risk. Consideration should be given to the complexity of the program and the extent to which the Federal program contracts for goods and services. For example, Federal programs that disburse funds through third-party contracts or have eligibility criteria may be of higher risk. Federal programs primarily involving staff payroll costs may have high risk for noncompliance with requirements of § 200.430, but otherwise be at low risk.
(2) The phase of a Federal program in its life cycle at the Federal agency may indicate risk. For example, a new Federal program with new or interim regulations may have higher risk than an established program with time-tested regulations. Also, significant changes in Federal programs, statutes, regulations, or the terms and conditions of Federal awards may increase risk.
(3) The phase of a Federal program in its life cycle at the auditee may indicate risk. For example, during the first and last years that an auditee participates in a Federal program, the risk may be higher due to start-up or closeout of program activities and staff.
(4) Type B programs with larger Federal awards expended would be of higher risk than programs with substantially smaller Federal awards expended.