Any organization that spends $1,000,000 or more in federal funds during a single fiscal year must undergo a Single Audit.1 That audit does not simply confirm whether money was spent on the right things. It examines whether adequate internal controls were in place while the spending occurred. The distinction matters: you can spend every dollar correctly and still receive audit findings if your control environment was weak.
The Government Accountability Office and the Federal Audit Clearinghouse publish data on Single Audit findings every year, and the patterns are remarkably stable.2 The same five control gaps appear over and over. They are not obscure technicalities buried in regulatory appendices. They are foundational requirements that federal awarding agencies assume you already have in place before you receive a single dollar. When auditors find them missing, the consequences are concrete: questioned costs, mandatory corrective action plans, and restrictions on future funding that can take years to lift.3
This post breaks down each of the five gaps, explains what creates the risk, and offers a starting point for closing it.
1. Failure to Segregate Duties
The Uniform Guidance requires that organizations maintain internal controls providing reasonable assurance that federal awards are managed in compliance with applicable requirements.4 Segregation of duties is the most basic of those controls. The principle is straightforward: no single person should control an entire financial transaction from initiation through approval, processing, and reconciliation.
When one staff member can authorize a payment, process it, and reconcile the bank statement afterward, auditors cannot verify that errors or misuse would have been caught. In small organizations with two- or three-person finance teams, this gap is almost universal. That does not make it acceptable to auditors. It makes it predictable.
The fix does not require hiring additional staff. Map every step where a single person has end-to-end control and assign a second individual to approve or review at a critical point. A board treasurer reviewing monthly bank reconciliations, for example, functions as a compensating control that satisfies the segregation requirement even in a lean organization.5
2. Missing Time-and-Effort Documentation
Personnel costs typically represent the single largest line item in a federal grant budget. The Uniform Guidance requires that charges for salaries and wages be based on records that accurately reflect the work performed, and those records must be supported by a system of internal controls that provides reasonable assurance of accuracy.6 In practical terms, this means contemporaneous timesheets or personnel activity reports showing how each employee’s time was distributed across funding sources.
The word “contemporaneous” is critical. Records created at the time the work was performed satisfy the requirement. Records reconstructed weeks or months later, often in response to an auditor’s request, do not. When an organization cannot produce adequate time documentation, every dollar of personnel costs charged to that award becomes a questioned cost. Questioned costs can trigger repayment obligations to the federal government, and they create a documented history that follows the organization into future award applications.7
A compliant system can be as simple as a spreadsheet, provided employees record their time by funding source at least semi-monthly and a supervisor reviews and signs off on each submission. The mechanism matters less than the consistency and the contemporaneous nature of the records.
3. Procurement Threshold Violations
The Uniform Guidance establishes specific procurement standards that govern how organizations solicit and document purchases made with federal funds.8 These standards are threshold-based: micro-purchases below $10,000 require minimal documentation, small purchases between $10,000 and $250,000 require price or rate quotations from an adequate number of sources, and purchases above $250,000 require full competitive procurement procedures.9
Auditors sample procurement transactions and verify that the process matched the dollar threshold in effect at the time of purchase. Common findings include sole-source purchases that should have been competitively bid and missing documentation for vendor selection rationale. Even a single undocumented purchase can trigger broader scrutiny, because procurement violations signal that costs may not have been necessary, reasonable, or allocable, the three-part test that applies to every federal expenditure.10
Publish a written procurement policy that explicitly references current federal thresholds and maps each threshold to its required documentation. Make sure every staff member who approves purchases has read the policy. Review it annually, since threshold amounts are periodically updated by federal regulation.
4. Inadequate Subrecipient Monitoring
When an organization passes federal funds through to another entity (a subrecipient), it takes on pass-through entity responsibilities that are among the most heavily scrutinized areas in a Single Audit.11 The pass-through entity must conduct a risk assessment before awarding funds, include all required terms in the subaward agreement, review financial and programmatic reports, and verify the subrecipient’s audit results through the Federal Audit Clearinghouse.
The critical point that many organizations miss: accountability does not transfer with the funds. If a subrecipient misuses federal dollars and the pass-through entity cannot demonstrate that it monitored the subrecipient’s use of those funds, the liability flows back upstream. The pass-through entity bears the corrective action burden and the potential repayment obligation, regardless of who actually misspent the money.12
Build a subrecipient monitoring checklist covering pre-award risk assessment, subaward agreement terms, periodic financial and programmatic reporting, and Federal Audit Clearinghouse verification. Complete and retain a checklist for every active subaward. If you manage multiple subrecipients, risk-stratify them and allocate monitoring effort proportionally.
5. Absent or Outdated Written Policies
The Uniform Guidance assumes that grant-receiving organizations have written policies governing financial management, procurement, conflict of interest, cash management, and allowable costs.13 When those policies do not exist, or when they reference superseded regulations, auditors treat the gap as a finding even if nothing went wrong during the period under review. The logic is sound: an organization without written policies is operating on institutional knowledge that cannot be verified, tested, or transferred to new staff.
This gap compounds over time. Staff turnover erodes unwritten practices. New hires inherit responsibilities without documentation. By the time an auditor requests the policy manual, the organization discovers it either does not exist or describes processes the organization stopped following years ago. Both outcomes produce findings.
Inventory your current policies and compare them against the areas where the Uniform Guidance requires written documentation. Identify gaps and assign ownership for drafting or updating each one. A clear, one-page policy with a review date is more defensible than a lengthy manual that no one has opened in five years.
Why These Gaps Persist
These five gaps recur because their consequences are deferred. A missing timesheet does not cause an immediate problem. An undocumented procurement decision does not trigger an alert. The problem surfaces during an audit covering a period one to two years in the past, and by then the gap has been compounding quietly. That time lag makes it rational, in the short term, to deprioritize controls in favor of program delivery. It also makes the eventual audit findings more severe, because the gap has been in place longer and affects more transactions.
The cost of audit findings is not abstract. A 2024 GAO analysis of federal grant oversight found that questioned costs across Single Audits routinely range from tens of thousands to hundreds of thousands of dollars per finding.14 Corrective action plans consume staff time and organizational attention for months. Restrictions placed on future funding can limit an organization’s ability to compete for new awards precisely when it needs them most.
Closing these gaps does not require a large compliance department or expensive software. It requires documented processes, assigned ownership, and periodic review. Most organizations can address all five with existing staff and organizational commitment, not additional budget.
Assess Your Own Control Environment
Our Grant Readiness Assessment evaluates your organization against these gaps and more across five compliance domains. It takes about 10 minutes, requires no signup, and produces a scored report identifying your highest-risk areas with specific findings rather than generic recommendations.
Take the Grant Readiness Assessment
Notes
1 The Single Audit threshold was raised from $750,000 to $1,000,000 effective for fiscal years beginning on or after October 1, 2024, per the 2024 OMB Guidance revision. See 2 CFR 200.501(a). Organizations that meet or exceed this threshold in federal expenditures during their fiscal year must have a Single Audit conducted in accordance with generally accepted government auditing standards (GAGAS).
2 The Federal Audit Clearinghouse (FAC), maintained by the U.S. Census Bureau on behalf of OMB, collects and publishes Single Audit data submissions. Audit finding types and frequencies are available at https://facweb.census.gov/.
3 Consequences for audit findings are outlined in 2 CFR 200.339 (remedies for noncompliance), including suspension, withholding of payments, and disallowance of costs.
4 2 CFR 200.303 requires non-Federal entities to establish and maintain effective internal controls over Federal awards, providing reasonable assurance that awards are managed in compliance with applicable statutes, regulations, and award terms.
5 Compensating controls for small organizations are recognized in the COSO Internal Control framework and referenced in the GAO Standards for Internal Control in the Federal Government (the “Green Book”), GAO-14-704G.
6 2 CFR 200.430(i) establishes the standards for documentation of personnel expenses, requiring that charges to Federal awards be based on records that accurately reflect the work performed and be supported by a system of internal control.
7 Questioned costs are defined in 2 CFR 200.84. The resolution process for audit findings involving questioned costs is described in 2 CFR 200.521.
8 Procurement standards for non-Federal entities are codified in 2 CFR 200.317 through 200.327.
9 The micro-purchase threshold ($10,000) and simplified acquisition threshold ($250,000) are established in 2 CFR 200.320. These thresholds are periodically adjusted; verify current amounts at acquisition.gov.
10 The “necessary, reasonable, and allocable” standard for cost allowability is established in 2 CFR 200.403 (factors affecting allowability) and further defined in 2 CFR 200.404 (reasonable costs) and 2 CFR 200.405 (allocable costs).
11 Pass-through entity responsibilities are defined in 2 CFR 200.332, which details requirements for pre-award risk assessment, subaward terms, monitoring activities, and verification of subrecipient audit results.
12 2 CFR 200.332(d) through (g) establish the pass-through entity’s ongoing monitoring obligations. The OMB Compliance Supplement (annually updated) provides additional guidance on subrecipient monitoring as a compliance requirement subject to audit.
13 Written policy requirements appear throughout 2 CFR Part 200, including financial management (200.302), procurement (200.318), conflict of interest (200.318(c)(1)), and cash management (200.305).
14 GAO reports on federal grant oversight, including GAO-24-106510 and related work, document recurring patterns in Single Audit findings. Per-finding cost data is derived from Federal Audit Clearinghouse submissions and OMB’s annual summaries of Single Audit results.
Leave a Reply