U.S. Code of Federal Regulations
Regulations most recently checked for updates: Jan 30, 2023
(a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor's report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day.
(2) Unless restricted by Federal statutes or regulations, the auditee must make copies available for public inspection. Auditees and auditors must ensure that their respective parts of the reporting package do not include protected personally identifiable information.
(b) Data collection. The FAC is the repository of record for subpart F of this part reporting packages and the data collection form. All Federal agencies, pass-through entities and others interested in a reporting package and data collection form must obtain it by accessing the FAC.
(1) The auditee must submit required data elements described in Appendix X to Part 200, which state whether the audit was completed in accordance with this part and provides information about the auditee, its Federal programs, and the results of the audit. The data must include information available from the audit required by this part that is necessary for Federal agencies to use the audit to ensure integrity for Federal programs. The data elements and format must be approved by OMB, available from the FAC, and include collections of information from the reporting package described in paragraph (c) of this section. A senior level representative of the auditee (e.g., state controller, director of finance, chief executive officer, or chief financial officer) must sign a statement to be included as part of the data collection that says that the auditee complied with the requirements of this part, the data were prepared in accordance with this part (and the instructions accompanying the form), the reporting package does not include protected personally identifiable information, the information included in its entirety is accurate and complete, and that the FAC is authorized to make the reporting package and the form publicly available on a website.
(2) Exception for Indian Tribes and Tribal Organizations. An auditee that is an Indian tribe or a tribal organization (as defined in the Indian Self-Determination, Education and Assistance Act (ISDEAA), 25 U.S.C. 450b(l)) may opt not to authorize the FAC to make the reporting package publicly available on a Web site, by excluding the authorization for the FAC publication in the statement described in paragraph (b)(1) of this section. If this option is exercised, the auditee becomes responsible for submitting the reporting package directly to any pass-through entities through which it has received a Federal award and to pass-through entities for which the summary schedule of prior audit findings reported the status of any findings related to Federal awards that the pass-through entity provided. Unless restricted by Federal statute or regulation, if the auditee opts not to authorize publication, it must make copies of the reporting package available for public inspection.
(3) Using the information included in the reporting package described in paragraph (c) of this section, the auditor must complete the applicable data elements of the data collection form. The auditor must sign a statement to be included as part of the data collection form that indicates, at a minimum, the source of the information included in the form, the auditor's responsibility for the information, that the form is not a substitute for the reporting package described in paragraph (c) of this section, and that the content of the form is limited to the collection of information prescribed by OMB.
(c) Reporting package. The reporting package must include the:
(1) Financial statements and schedule of expenditures of Federal awards discussed in § 200.510(a) and (b), respectively;
(2) Summary schedule of prior audit findings discussed in § 200.511(b);
(3) Auditor's report(s) discussed in § 200.515; and
(4) Corrective action plan discussed in § 200.511(c).
(d) Submission to FAC. The auditee must electronically submit to the FAC the data collection form described in paragraph (b) of this section and the reporting package described in paragraph (c) of this section.
(e) Requests for management letters issued by the auditor. In response to requests by a Federal agency or pass-through entity, auditees must submit a copy of any management letters issued by the auditor.
(f) Report retention requirements. Auditees must keep one copy of the data collection form described in paragraph (b) of this section and one copy of the reporting package described in paragraph (c) of this section on file for three years from the date of submission to the FAC.
(g) FAC responsibilities. The FAC must make available the reporting packages received in accordance with paragraph (c) of this section and § 200.507(c) to the public, except for Indian tribes exercising the option in (b)(2) of this section, and maintain a data base of completed audits, provide appropriate information to Federal agencies, and follow up with known auditees that have not submitted the required data collection forms and reporting packages.
(h) Electronic filing. Nothing in this part must preclude electronic submissions to the FAC in such manner as may be approved by OMB.