Audit Readiness

A Continuous State, Not a Preparation Activity

The Single Audit arrives every year, on schedule. There is nothing unpredictable about it. Non-federal entities that expend $750,000 or more in federal awards during their fiscal year must undergo an audit conducted in accordance with 2 CFR 200 Subpart F and the Government Accountability Office’s Generally Accepted Government Auditing Standards (GAGAS), commonly known as the Yellow Book. For healthcare organizations operating HRSA, SAMHSA, or CMS-funded programs, crossing the $750,000 threshold is not an edge case — a single CCBHC demonstration grant, a Health Center Cluster award, or a combination of two modest discretionary grants will trigger the requirement. The question is not whether the audit will happen. The question is whether the organization will experience it as a routine verification or a crisis reconstruction.

The distinction between these two experiences is not auditor temperament, grant complexity, or organizational size. It is infrastructure. Organizations that maintain continuous audit readiness — current reconciliations, contemporaneous documentation, functioning internal controls, real-time compliance monitoring — experience audits as confirmation of work already done. Organizations that defer compliance maintenance until audit notification experience audits as forensic projects: reconstructing records, locating missing documentation, and discovering violations months or years after they occurred. The first approach costs modestly and continuously. The second costs enormously and episodically — and produces findings that the first approach prevents.

This is not a preference. It is an empirical pattern visible in every federal OIG semiannual report, in AICPA audit quality data, and in the Federal Audit Clearinghouse database where Single Audit results are publicly filed. The organizations with the fewest findings are not the ones with the best auditors or the luckiest grant portfolios. They are the ones whose compliance infrastructure operates continuously, making audit preparation indistinguishable from normal operations.


The Single Audit: Structure and Stakes

The Single Audit is codified in 2 CFR 200 Subpart F (sections 200.500-200.521) and implements the Single Audit Act Amendments of 1996. Its purpose is to provide a uniform, organization-wide audit of federal award expenditures, replacing the prior system of individual grant-by-grant audits that created duplicative effort for both grantees and auditors. The audit has three components, each governed by distinct standards.

Financial statement audit. The auditor examines the organization’s financial statements for material misstatement, following GAGAS (the Yellow Book) and AICPA auditing standards. This component tests whether the organization’s financial reporting is reliable — not whether it spent grant money correctly, but whether its overall financial picture is fairly presented. For healthcare organizations, this means the balance sheet, income statement, and cash flow statement must reflect actual financial position, with disclosures adequate for a reasonable user.

Compliance audit of major programs. The auditor identifies “major programs” based on a risk-based approach defined in 200.518, tests the organization’s compliance with federal requirements applicable to those programs, and reports findings. The compliance requirements tested are organized into twelve types in the OMB Compliance Supplement (now the OMB Compliance Supplement for Single Audits): activities allowed or unallowed, allowable costs, cash management, eligibility, equipment and real property management, matching and level of effort, period of performance, procurement and suspension and debarment, program income, reporting, subrecipient monitoring, and special tests. Each major program is tested against the applicable compliance types.

Internal controls over compliance. The auditor evaluates whether the organization has controls in place that provide reasonable assurance of compliance with federal requirements. This is not a binary pass/fail. The auditor assesses control design (are the right controls in place?) and control operation (are the controls functioning as designed?). A control that exists on paper but is not executed — a procurement checklist that no one completes, an effort certification process that is always backdated — is a control deficiency even if no compliance violation has yet resulted.

The stakes of findings are tiered. A material weakness in internal controls indicates that a control deficiency, or combination of deficiencies, creates a reasonable possibility that a material noncompliance will not be prevented or detected. A significant deficiency is less severe but still noteworthy. A qualified or adverse opinion on compliance for a major program indicates that the organization did not comply with federal requirements in a way that is material. Questioned costs are expenditures where documentation is insufficient, the cost appears unallowable, or the compliance requirement was not met. Under 200.516(a)(3), the auditor must report known questioned costs greater than $25,000 for each compliance type, and known or likely questioned costs greater than $25,000 in total for a major program.

For healthcare organizations, the downstream consequences extend beyond the immediate audit. Findings are reported to the Federal Audit Clearinghouse, where they become part of the organization’s public compliance record. Federal awarding agencies review this record when making future award decisions. An organization with repeated findings — particularly material weaknesses or unresolved corrective action plans — faces heightened scrutiny, additional monitoring requirements, and potentially restrictive award conditions under 2 CFR 200.208. For FQHCs, findings can trigger enhanced oversight from HRSA’s Bureau of Primary Health Care. For behavioral health providers dependent on SAMHSA funding, findings can jeopardize continuation awards during competitive renewal cycles.


Common Audit Findings in Healthcare Grants

The HHS Office of Inspector General, HRSA-specific audits, and the AICPA’s Government Auditing Standards and Single Audits reference materials reveal a consistent pattern. The same finding types appear repeatedly, across organizations of different sizes and in different geographies. These are not exotic failures. They are ordinary operational gaps in ordinary organizations.

Inadequate time-and-effort documentation. This is the single most frequent finding in healthcare grant audits. Under 2 CFR 200.430, charges for salaries and wages must be supported by records that accurately reflect the work performed. When an employee works on multiple activities — which is the norm at FQHCs, rural hospitals, and community behavioral health centers where a single clinician may serve grant-funded patients, Medicaid patients, and sliding-scale patients in the same day — the organization must maintain records that distribute effort across funding sources based on actual activity. The finding occurs when these records do not exist, are completed retroactively without contemporaneous support, show static allocations that never change regardless of actual work patterns, or contradict other evidence (e.g., calendar records showing the employee at a non-grant clinic on days when full effort was charged to the grant).

Missing procurement documentation. Federal procurement standards under 2 CFR 200.318-200.327 require documented procurement procedures, competition, cost or price analysis, and specific methods depending on dollar thresholds — micro-purchase (below $10,000), small purchase (below $250,000), and formal competitive methods above that. The finding occurs when purchases lack documentation of the competitive process, when sole source procurements lack the justification required by 200.320(c), or when the organization’s procurement policies do not meet the minimum standards in 200.318. Healthcare organizations frequently trip on technology purchases, consulting engagements, and subcontracted clinical services where the procurement was handled informally — a phone call to a known vendor, a verbal agreement, a contract signed without documented competition.

Budget overruns without prior approval. Under 2 CFR 200.308, transfers of funds between direct cost categories require prior written approval from the federal awarding agency when the cumulative amount exceeds 10% of the total budget. The finding occurs when budget categories exceed the approved amount without a modification request, or when the modification was requested after the overspend rather than before. Healthcare programs are particularly vulnerable to personnel cost overruns when key positions take longer to fill than planned and the organization hires at a higher salary than budgeted, or when turnover forces the use of temporary staff at premium rates.

Subrecipient monitoring gaps. Under 2 CFR 200.332, pass-through entities must evaluate subrecipient risk at the time of the subaward, monitor the subrecipient’s use of federal funds through reporting and site visits, verify that the subrecipient obtains required audits, and issue management decisions on audit findings within six months. The finding occurs when any of these steps is missing. Healthcare grant programs frequently involve subrecipient relationships — a lead FQHC passing funds to partner clinics, a hospital subaward to a community behavioral health organization, a health department distributing funds to local providers. Each relationship carries monitoring obligations. Each gap is a finding.

Cost allocation errors. When an organization receives multiple federal awards and has shared costs — administrative staff, facilities, IT systems — those costs must be allocated using a methodology that is documented, reasonable, and consistently applied, per 2 CFR 200.405. The finding occurs when allocation methodologies are undocumented, inconsistent (different bases used for the same type of cost in different periods), or unsupported by the data they claim to use. Healthcare organizations with multiple grants from different agencies are particularly exposed because each grant’s share of shared costs must be defensible not only to the primary auditor but potentially to each federal awarding agency.


The Always Audit-Ready Principle

The economics of audit readiness are asymmetric. Maintaining continuous readiness costs a predictable, moderate amount — mostly the incremental effort of doing compliance work at the right time rather than deferring it. Preparing for an audit from a standing start costs dramatically more, produces worse outcomes, and diverts staff from program delivery precisely when they should be focused on patients and services.

The principle rests on a structural observation: every compliance requirement tested in a Single Audit is a requirement that applies continuously during the performance period, not just during the audit. Effort documentation is required every pay period. Procurement documentation is required at the time of purchase. Financial reconciliations should be performed monthly. Subrecipient monitoring should occur per the monitoring plan established at subaward. If these activities are current, an audit is a verification exercise — the auditor reviews evidence that already exists in organized, accessible form. If these activities are deferred, an audit is a reconstruction project — the staff must create, locate, or assemble evidence that should have been generated months or years earlier.

The cost differential is not marginal. Based on patterns reported across OIG audits and practitioner literature, reconstruction-mode audit preparation typically consumes 3-5 times the staff hours that maintenance-mode preparation requires. The additional cost comes from three sources: the inherent inefficiency of reconstructing records after the fact (memories fade, staff turn over, source documents are harder to locate), the discovery of problems that could have been corrected in real time but are now audit findings, and the corrective action plan effort that findings generate. An organization in maintenance mode detects a procurement documentation gap in the month it occurs and corrects it. An organization in reconstruction mode discovers the same gap during audit fieldwork, when it becomes a finding that requires formal corrective action, management response, and follow-up verification.


Healthcare Example: Two FQHCs, Same Grant Size, Different Outcomes

Consider two Federally Qualified Health Centers, each operating approximately $3M in federal awards — a combination of Health Center Cluster funding and a SAMHSA discretionary behavioral health grant. Both organizations cross the $750,000 threshold and are subject to Single Audit. Both engage independent audit firms following GAGAS and the AICPA Audit Guide for Government Auditing Standards and Single Audits. The differences are entirely in compliance infrastructure.

FQHC A: Continuous readiness. This organization has built audit readiness into its operational rhythm. Monthly bank reconciliations are completed within 15 business days of month-end. Effort certifications are completed semi-annually and reviewed against payroll data — discrepancies are investigated and resolved before the next certification cycle. A procurement checklist is completed for every purchase above $3,000, documenting the competition method, vendor selection rationale, and cost analysis. The grants administrator performs quarterly subrecipient desk reviews and an annual site visit for each subaward above $25,000. Cost allocation is performed monthly using a documented methodology approved by the CFO and reviewed annually. The grants management team maintains a compliance binder for each award — organized by the twelve compliance types in the OMB Compliance Supplement — that is updated continuously as documentation is generated.

When the audit firm arrives, fieldwork takes three weeks. The auditor requests samples of transactions, effort certifications, procurement files, and subrecipient monitoring records. Each request is fulfilled from existing, organized files. The audit produces a clean opinion on financial statements, an unmodified opinion on compliance for both major programs, and zero findings. The total incremental staff time for audit support — responding to auditor requests, pulling samples, answering questions — is approximately 120 hours across the grants and finance teams.

FQHC B: Scramble mode. This organization treats compliance as a periodic event. Monthly reconciliations are sporadic — some months are current, others are three to four months behind. Effort documentation consists of budgeted percentages applied uniformly to payroll, with no after-the-fact confirmation that charges reflect actual work. Procurement files are incomplete: some purchases have quotes on file, others have only an invoice. The subaward with a partner clinic has no documented risk assessment, no monitoring visits, and no verification of the subrecipient’s audit status. Cost allocation is performed at year-end using a methodology that the controller reconstructs each time because last year’s approach was not documented.

When the audit notification arrives, the CFO declares a compliance emergency. The controller and grants manager spend six weeks reconstructing records: locating missing procurement documentation, creating retroactive effort certifications (which the auditor will note as non-contemporaneous), performing a belated subrecipient risk assessment, and documenting the cost allocation methodology for the first time. Fieldwork extends to five weeks because the auditor encounters missing documentation and must expand sample sizes per AICPA AU-C 530 when initial samples reveal exceptions.

The audit produces three material findings. First: effort documentation does not meet the standards of 200.430 — charges are based on budget rather than actual effort, with no system to confirm accuracy. Questioned costs: $87,000, representing the unsupported portion of personnel charges for employees working across multiple activities. Second: subrecipient monitoring requirements under 200.332 were not met — no risk assessment, no monitoring plan, no verification of subrecipient audit. Third: procurement for a $45,000 EHR consulting engagement lacks evidence of competition or sole source justification, producing $33,000 in questioned costs (the portion charged to the federal award). Total questioned costs: $120,000. A corrective action plan is required within 30 days. The federal awarding agency will impose additional monitoring conditions on the organization’s next award cycle.

The total staff time consumed: approximately 480 hours of reconstruction effort, plus 200 hours of audit support during extended fieldwork, plus the corrective action plan development and implementation. The opportunity cost — what those staff would have done if they were not reconstructing compliance records — is substantial but unmeasured. It is measured only in the programs that did not improve, the patients who waited, and the sustainability planning that did not happen.

Same grant size. Same audit requirements. Different compliance infrastructure investment. The difference is not talent, luck, or audit firm. It is whether compliance operates as a continuous function or a periodic event.


When Findings Occur: The Corrective Action Plan

Findings are not the end. The response to findings determines whether the organization emerges stronger or enters a cycle of repeated deficiencies. Under 2 CFR 200.511(c), the auditee must prepare a corrective action plan that addresses each finding, identifies the responsible official, specifies the planned corrective action, and provides an anticipated completion date. The federal awarding agency must issue a management decision on each finding within six months of the audit report (200.521).

The constructive response follows a four-step pattern.

Acknowledge the finding without deflection. Accept the factual basis. If effort documentation was inadequate, say so. Disputing factual findings that are well-supported by audit evidence consumes credibility that is better spent on demonstrating the quality of the corrective response. The management response in the corrective action plan should state clearly: “The organization concurs with this finding.”

Fix the root cause systemically. A finding about missing procurement documentation is not fixed by locating the missing documents. It is fixed by redesigning the procurement workflow so that documentation is required before the purchase is approved — a structural control, not a behavioral commitment. A finding about effort documentation is not fixed by promising to do better. It is fixed by implementing a time reporting system tied to payroll, with supervisory review, that produces the records required by 200.430 as a byproduct of normal operations. The corrective action must change the system, not exhort the people.

Document the fix with evidence. The corrective action plan must be specific enough that a follow-up auditor can verify implementation. “We have improved our procurement procedures” is not verifiable. “We have implemented a procurement checklist required for all purchases above $3,000, routed through the grants administrator for federal-fund purchases, with completed checklists filed in the award compliance binder. See attached checklist template, workflow diagram, and samples from three procurements completed since implementation” is verifiable. The documentation standard for the fix should be at least as rigorous as the documentation standard that was originally deficient.

Verify the fix is working before the next audit. Internal monitoring — a self-audit of the corrected process three to six months after implementation — demonstrates that the corrective action is operational, not theoretical. An organization that can show a follow-up auditor six months of clean procurement files, contemporaneous effort certifications, and documented subrecipient monitoring has not merely fixed the finding. It has demonstrated that its compliance infrastructure is now functional. This is the difference between a resolved finding and a repeat finding. Repeat findings — the same deficiency appearing in consecutive audit cycles — escalate consequences rapidly, potentially triggering the federal awarding agency’s enforcement options under 200.339, including withholding disbursements, disallowing costs, or suspending the award.

The defensive response — minimizing the finding, disputing the auditor’s interpretation, making cosmetic changes that address the appearance without changing the underlying control — is recognizable to every experienced auditor and federal program officer. It signals that the organization does not understand the finding, does not take compliance seriously, or both. The consequence is heightened scrutiny in the next audit cycle, expanded sample sizes, and a federal program officer who is now paying attention to an organization that previously received routine oversight.


Documentation Standards: The Four Cs

Audit-ready documentation meets four criteria that auditors assess even when they do not name them explicitly. These criteria distinguish evidence that supports a clean opinion from evidence that generates findings.

Contemporaneous. Created at the time of the activity, not reconstructed later. An effort certification completed within 30 days of the reporting period is contemporaneous. An effort certification completed 11 months later during audit preparation is not — and the auditor will note the date, reducing its evidentiary value. Contemporaneous documentation is more reliable because it is closer to the event, less susceptible to recall bias, and consistent with the internal control standards in GAGAS Chapter 4 that require controls to operate on a timely basis.

Complete. All required elements are present. A procurement file for a federal-funds purchase above the small purchase threshold must contain the solicitation, the evaluation criteria, the responses received, the evaluation, the selection rationale, the cost or price analysis, and the contract or purchase order. A file with only the contract and the invoice is incomplete — and “incomplete” in audit terms means “unsupported,” which means “questioned cost.”

Consistent. Standard formats applied uniformly across transactions, awards, and periods. When every procurement file follows the same checklist, every effort certification uses the same template, and every subrecipient monitoring visit uses the same protocol, the auditor gains confidence that the controls are systematic rather than ad hoc. Inconsistency — different documentation standards for different grants, different procurement procedures in different quarters — signals that the control environment is person-dependent rather than system-dependent, which is itself a control deficiency.

Connected. Every expenditure must be traceable from the transaction through the accounting records to the award budget, the award terms, and the program purpose. This is the audit trail — the chain of evidence that connects a dollar spent to the public purpose it was intended to serve. A travel expenditure is connected when the file contains the travel authorization (showing the trip’s relevance to the grant), the receipts (showing the amount), the reimbursement form (showing the per diem calculation), the general ledger posting (showing the correct award and cost category), and the progress report (showing the activity the trip supported). Breaking any link in this chain creates a gap that auditors are trained to identify and required to report.


Warning Signs

These indicators suggest that an organization is not audit-ready and will experience the next Single Audit as a reconstruction project rather than a verification exercise:

  • Monthly bank reconciliations are more than 45 days behind — if the books are not reconciled, the financial statement audit will identify discrepancies that should have been caught in real time
  • Effort certifications are completed only when auditors request them, or are completed in batch at year-end rather than at regular intervals during the period
  • Procurement files are maintained by the purchasing department with no grants compliance review — the file contains purchasing documentation but not the federal compliance documentation
  • Subrecipient monitoring consists of receiving invoices and paying them — no risk assessment, no programmatic monitoring, no audit verification
  • The organization cannot produce a list of its federal awards, their major program status, and their compliance requirements within 24 hours of a request
  • Cost allocation is performed as an annual year-end exercise rather than applied monthly to transactions as they are recorded
  • Last year’s corrective action plan is not implemented, or implementation cannot be demonstrated with evidence
  • The grants administrator and the controller do not have a regular (at least monthly) reconciliation meeting

Integration Points

PF Module 1: Cost Principles (01-cost-principles.md). Cost principles define what must be documented; audit readiness determines whether that documentation exists when the auditor asks for it. The four-part allowability test — necessary and reasonable, allocable, consistent, conforming — establishes the substantive standard. Audit readiness is the operational capacity to demonstrate, on demand, that every charged cost meets that standard. An organization that understands cost principles but lacks audit readiness infrastructure will have well-intentioned spending and no evidence. The cost principles page defines the rules; this page addresses whether the organization can prove it followed them.

PF Module 6: Budget Management (06-budget-management.md). Budget management produces the financial data that audits verify. Monthly budget-to-actual variance reports, burn rate tracking, and budget modification requests are both operational finance tools and audit evidence. When budget management is current — variances identified monthly, modifications requested when cumulative transfers approach the 10% threshold under 200.308, burn rate projections updated quarterly — the financial data that auditors test is accurate, current, and internally consistent. When budget management is deferred or performed only at reporting deadlines, the financial data contains the same gaps and inconsistencies that auditors are trained to detect. Budget management and audit readiness are not separate functions. They are the same function viewed from different angles — one prospective (managing the budget), one retrospective (proving the budget was managed).


Product Owner Lens

What is the funding/compliance/execution problem? Organizations treat audit readiness as a preparation activity triggered by audit notification rather than as a continuous compliance function, resulting in expensive reconstruction efforts, avoidable findings, questioned costs, and corrective action obligations that consume capacity better spent on program delivery.

What mechanism explains the operational bottleneck? Compliance documentation and controls require continuous, small-increment effort distributed across the performance period. When that effort is deferred, it accumulates as a compliance debt that compounds — records become harder to reconstruct, gaps become harder to close, and the probability of findings increases with every month of deferral. The mechanism is identical to technical debt in software: small ongoing investment prevents large remediation costs, but the ongoing investment is invisible while the remediation cost is dramatic.

What controls or workflows improve it? A compliance calendar that schedules every recurring compliance activity — monthly reconciliations, semi-annual effort certifications, quarterly subrecipient desk reviews, annual cost allocation methodology review — with automated reminders and completion tracking. A compliance-ready documentation workflow where procurement checklists, effort templates, and monitoring protocols are integrated into the operational systems that staff already use, rather than maintained as separate compliance files. An annual internal audit or self-assessment against the twelve compliance types in the OMB Compliance Supplement, performed at least six months before the expected external audit.

What should software surface? A compliance readiness score by award, updated continuously, that reflects the current status of each compliance requirement: effort documentation currency (are certifications current within one period?), procurement file completeness (do all purchases above threshold have complete documentation?), subrecipient monitoring status (are all monitoring activities current per the monitoring plan?), reconciliation currency (are bank and general ledger reconciliations within 30 days?), and cost allocation status (has the monthly allocation been performed?). The score should degrade visibly as items become overdue, creating a leading indicator of audit risk that is observable months before the auditor arrives.

What metric reveals risk earliest? Compliance documentation currency — the percentage of required compliance activities (effort certifications, reconciliations, procurement reviews, subrecipient monitoring actions) that are current versus overdue. When this metric drops below 80%, the organization is accumulating compliance debt at a rate that will produce reconstruction effort at audit time. The metric is calculable from operational data (completion dates of scheduled activities versus their due dates) and requires no audit-specific data collection. It is the compliance equivalent of the budget burn rate: a velocity measure that predicts whether the organization will arrive at the audit in a state of readiness or a state of emergency.
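The documentation currency metric described above, computed per award from scheduled due dates and completion dates, as an added example (not code from the original page). The award labels, activity records and as-of date are constructed; counting an item completed after its due date as current while flagging it late is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CURRENCY_FLOOR = 0.80  # threshold stated on the page: below 80% signals compliance debt


@dataclass(frozen=True)
class Activity:
    award: str                        # placeholder award label (constructed)
    kind: str                         # e.g. "bank reconciliation"
    due: date                         # date the compliance calendar requires it by
    completed: Optional[date] = None  # None while the item is still open


def currency_by_award(activities, as_of):
    """Score each award as of close of business on `as_of`.

    Only items due on or before `as_of` are in scope, so work completed
    early for a future deadline cannot inflate the score. A completion
    dated after `as_of` is ignored, which lets the score be recomputed
    for a past date. Items completed after their due date count as
    current but are tallied as late (assumption of this example).
    """
    report = {}
    for act in activities:
        if act.due > as_of:
            continue  # not yet required
        row = report.setdefault(act.award, {"current": 0, "late": 0, "overdue": []})
        done = act.completed is not None and act.completed <= as_of
        if done:
            row["current"] += 1
            if act.completed > act.due:
                row["late"] += 1
        else:
            row["overdue"].append((act.kind, (as_of - act.due).days))
    for row in report.values():
        # Oldest open item first: that is where reconstruction effort accumulates.
        row["overdue"].sort(key=lambda item: item[1], reverse=True)
        in_scope = row["current"] + len(row["overdue"])
        row["currency"] = row["current"] / in_scope
        row["at_risk"] = row["currency"] < CURRENCY_FLOOR
    return report


# Constructed sample data: two awards tracked on the same compliance calendar.
AS_OF = date(2024, 7, 15)
SAMPLE = [
    Activity("AWARD-A", "bank reconciliation", date(2024, 5, 31), date(2024, 5, 20)),
    Activity("AWARD-A", "bank reconciliation", date(2024, 6, 30), date(2024, 6, 25)),
    Activity("AWARD-A", "subrecipient desk review", date(2024, 6, 30), date(2024, 6, 28)),
    Activity("AWARD-A", "cost allocation", date(2024, 6, 30), date(2024, 7, 5)),
    Activity("AWARD-A", "procurement review", date(2024, 6, 15), date(2024, 6, 10)),
    Activity("AWARD-A", "effort certification", date(2024, 7, 31)),  # not yet due
    Activity("AWARD-B", "bank reconciliation", date(2024, 4, 30)),
    Activity("AWARD-B", "bank reconciliation", date(2024, 5, 31), date(2024, 7, 10)),
    Activity("AWARD-B", "bank reconciliation", date(2024, 6, 30)),
    Activity("AWARD-B", "effort certification", date(2024, 6, 30)),
    Activity("AWARD-B", "subrecipient desk review", date(2024, 6, 30), date(2024, 6, 30)),
    Activity("AWARD-B", "cost allocation", date(2024, 6, 30)),
]

if __name__ == "__main__":
    for award, row in sorted(currency_by_award(SAMPLE, AS_OF).items()):
        flag = "AT RISK" if row["at_risk"] else "ok"
        print(f"{award}: {row['currency']:.0%} current, {row['late']} late, {flag}")
        for kind, days in row["overdue"]:
            print(f"  overdue {days:>3}d  {kind}")
```

Recomputing the report with earlier `as_of` dates shows the trend, which is what makes the metric a leading indicator rather than a snapshot.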