Section 200.519 - [Effective 10/1/2024] Criteria for Federal program risk(a)General. The auditor's determination should be based on an overall evaluation of the risk of noncompliance occurring that could be material to the Federal program. The auditor must consider criteria, such as those described in paragraphs (b), (c), and (d) of this section, to identify risk in Federal programs. Also, as part of the risk analysis, the auditor may wish to discuss a particular Federal program with auditee management and the Federal agency or pass-through entity.(b)Current and prior audit experience.(1) Weaknesses in internal control over Federal programs would indicate higher risk. Therefore, consideration should be given to the control environment over Federal programs. This includes considering factors such as the expectation of management's adherence to Federal statutes, regulations, and the terms and conditions of Federal awards, and the competence and experience of personnel who administer the Federal programs.(i) A Federal program administered under multiple internal control structures may have higher risk. When assessing risk in a large single audit, the auditor must consider whether weaknesses are isolated in a single operating unit (for example, one college campus) or pervasive throughout the entity.(ii) A weak system for monitoring subrecipients would indicate higher risk when significant parts of a Federal program are passed to subrecipients through subawards.(2) Prior audit findings would indicate higher risk, especially when the situations identified in the audit findings could significantly impact a Federal program or have not been corrected.(3) Federal programs not recently audited as major programs may be of higher risk than those recently audited as major programs without audit findings.(c)Oversight exercised by Federal agencies and pass-through entities.(1) The oversight exercised by Federal agencies or pass-through entities may be used to assess risk. For example, recent monitoring or other reviews performed by an oversight entity that disclosed no significant problems would indicate lower risk, whereas monitoring that disclosed significant problems would indicate higher risk.(2) With the concurrence of OMB, a Federal agency may identify Federal programs that are higher risk. OMB will identify these Federal programs in the compliance supplement.(d)Inherent risk of the Federal program.(1) The nature of a Federal program may indicate risk. Consideration should be given to the complexity of the program and the extent to which the Federal program contracts for goods and services. For example, Federal programs that disburse funds through third-party contracts or have eligibility criteria may be higher risk. Federal programs primarily involving staff payroll costs may be at high risk for noncompliance with the requirements of § 200.430 but otherwise be at low risk.(2) The phase of a Federal program in its lifecycle at the Federal agency may indicate risk. For example, a new Federal program with new or interim regulations may have higher risk than an established program with time-tested regulations. Also, significant changes in Federal programs, statutes, regulations, or the terms and conditions of Federal awards may increase risk.(3) The phase of a Federal program in its lifecycle at the auditee may indicate risk. For example, during the first and last years that an auditee participates in a Federal program, the risk may be higher due to the start-up or closeout of program activities and staff.(4) Type B programs with larger Federal awards expended would be of higher risk than programs with substantially smaller Federal awards expended.85 FR 49575, 11/12/2020; 89 FR 30136, 10/1/2024