TLDR
Nonprofit audit requirements come from three sources simultaneously — your state's registration requirements, your federal funding thresholds, and your funders' grant agreements — and the most expensive surprise is discovering mid-year that all three apply and you aren't prepared for any of them. The federal single audit threshold is $1,000,000 in federal expenditures in a fiscal year (raised from $750,000 for fiscal years ending September 30, 2025 or later); state thresholds start as low as $750,000 in New York and reach $2 million in California.
The single audit threshold was raised from $500,000 to $750,000 in December 2014 under the Uniform Guidance revision, effective for fiscal years beginning after December 26, 2014. Organizations that crossed the old threshold and got relieved of single audit requirements at the new one sometimes maintained the compliance infrastructure they had built. Those that did not tend to discover the threshold again — on the wrong side — years later. Understanding the full landscape of audit requirements before you are in the middle of one is the only way to prepare properly.
Three Types of Nonprofit Financial Review
Not all financial reviews are equal. The three categories — compilation, review, and audit — provide different levels of assurance and carry different costs and obligations.
Compilation is the lowest level. The accountant prepares financial statements from information provided by management without verifying or testing the underlying data. Compilations provide no assurance that the statements are accurate — the accountant is simply formatting data in conformity with an applicable financial reporting framework. Some smaller funders accept compiled financial statements; most foundations require at minimum a reviewed statement.
Review involves the accountant applying analytical procedures and making inquiries to provide limited assurance that the financial statements are free from material misstatement. A review is substantially less comprehensive than an audit — the accountant does not verify internal controls, test transactions, or confirm account balances with third parties. Many foundations with revenue thresholds of $250,000–$750,000 accept reviewed statements.
Audit is the highest level of assurance. The auditor obtains sufficient, appropriate audit evidence to provide a reasonable basis for expressing an opinion on whether the financial statements present fairly, in all material respects, the organization’s financial position and results of activities in conformity with GAAP. Audits involve internal control testing, substantive testing of transactions, third-party confirmations (bank accounts, investment accounts, legal counsel), and analytical review procedures.
The distinction matters for planning purposes. An organization that needs a full audit but has only prepared for a review is months of documentation preparation behind schedule.
What Triggers Audit Requirements
Federal expenditure threshold. A single audit is required when you expend $1,000,000 or more in federal awards (raised from $750,000 for fiscal years ending September 30, 2025 or later) in a fiscal year. “Expend” means spend — the measurement is based on when you use the funds, not when you receive the award or when the grant period ends. Subawards from a pass-through entity (a state agency that receives federal funds and re-grants them) count toward this threshold. If you are uncertain whether a state grant is federally sourced, the award document should identify the Assistance Listing (formerly CFDA) number.
State registration requirements. Most states that require charitable solicitation registration also set revenue thresholds for financial reviews or audits. California requires an audit when gross revenue exceeds $2,000,000. New York requires an audit when gross revenue exceeds $750,000. Florida requires an audit at $1,000,000. Texas has no state audit requirement. Thresholds apply based on where you solicit donations — organizations that fundraise across multiple states may face multiple state requirements.
Funder requirements in grant agreements. Many foundations require an audited financial statement as a grant condition, typically at thresholds of $250,000–$500,000 in annual revenue. These requirements are contractual — failing to provide an audited statement when required is a grant condition violation.
If your state threshold, your federal threshold, and a funder requirement all trigger in the same year, you have one audit engagement that satisfies all three — provided your auditor’s scope and the engagement letter cover all applicable requirements.
What Auditors Actually Test — Beyond the Financials
A GAAP financial audit involves more than reviewing your financial statements. Auditors test the systems and controls that produce those statements.
Internal controls testing. Auditors assess whether your internal controls over financial reporting are adequate to prevent or detect material misstatements. For small nonprofits with limited staff, the common internal control weakness is inadequate segregation of duties — the same person who approves payments also records transactions and reconciles bank accounts. This is a structural weakness that auditors will flag in the management letter or, if severe, as a significant deficiency.
Restricted fund testing. For every significant restricted fund, auditors will request the grant agreement, confirm the restriction terms, test expenditures against those terms, and verify that releases from restriction were properly documented and recorded. This is typically the most time-intensive section of a nonprofit audit.
Revenue recognition testing. For grants treated as contributions under FASB ASU 2018-08, auditors will test whether conditional grants were recognized when qualifying conditions were met (not when cash was received) and whether unconditional grants were recognized appropriately.
Related party transactions. Transactions involving board members, executive leadership, or their related organizations receive heightened scrutiny under auditing standards. These transactions must be disclosed in the financial statement notes.
Single audit program compliance testing. For organizations subject to single audit, auditors identify your “major programs” (typically the largest federal programs by expenditure amount) and test compliance with the specific program requirements defined in the Compliance Supplement published by the Office of Management and Budget. Compliance requirements tested include allowable activities, allowable costs, cash management, reporting, procurement, and program-specific requirements.
The PBC List: What It Is and How to Build It
The Prepared by Client list is the auditor’s document request. It typically includes: trial balance and chart of accounts, prior year audited statements, bank reconciliations for all accounts, investment account statements, grant agreements for all significant restricted funds, schedule of expenditures of federal awards (for single audit), board meeting minutes for the full fiscal year, fixed asset schedule with additions and disposals, accounts payable aging, accounts receivable aging, insurance certificates, and executed contracts for any significant obligations.
An efficient PBC response is organized to match the auditor’s list exactly, with each item labeled to correspond to the request number. Providing an organized, complete PBC response at the start of fieldwork reduces audit hours and therefore fees. An incomplete or disorganized PBC response that requires follow-up requests extends the fieldwork timeline.
Build your PBC response capability before you receive the auditor’s list. If your financial system cannot produce a fund-level trial balance for each restricted grant, that gap will become visible during auditor onboarding — and it will extend the timeline.
Single Audit vs. GAAP Audit: The Difference
The GAAP financial audit examines whether your financial statements are fairly presented. The single audit adds a second examination: whether your federal award programs were administered in compliance with program requirements.
The single audit produces three reports: the auditor’s report on financial statements (same as a GAAP audit), the auditor’s report on internal control over financial reporting and on compliance and other matters, and the auditor’s report on compliance for each major program and on internal control over compliance. Findings from the compliance audit go into a Schedule of Findings and Questioned Costs, which must identify the federal program, the criteria violated, the condition, the cause, and the effect.
The Schedule of Findings and Questioned Costs is submitted to the Federal Audit Clearinghouse and is publicly accessible. A finding that includes questioned costs — expenditures the auditor cannot confirm were allowable — requires a corrective action plan and may result in a repayment demand from the awarding agency.
How to Choose an Auditor
Nonprofit audits require an auditor with specific sector expertise. The auditing standards for nonprofits — FASB ASC 958, Uniform Guidance compliance testing, Government Auditing Standards (Yellow Book) for single audits — are specialized knowledge that not every CPA firm has.
Four criteria: First, verify that the firm has active nonprofit clients of comparable size and funding mix to your organization. Second, if you are subject to single audit, confirm that the firm is enrolled in peer review and has received a pass rating — this is a Yellow Book requirement. Third, ask specifically about experience with your major federal programs — Head Start, CDBG, USDA nutrition programs, and others have program-specific compliance requirements that require experience to audit effectively. Fourth, request a reference from a nonprofit client that received a finding in the prior year — how the auditor communicated findings and worked through the corrective action process is as important as their technical competence.
Typical Cost by Organization Size
Organizations under $1M in annual revenue with no federal awards: $5,000–$10,000. Organizations $1M–$5M with limited grant complexity: $10,000–$18,000. Organizations $5M–$10M with significant restricted fund activity: $18,000–$28,000. Organizations subject to single audit add $8,000–$20,000 to the base audit cost depending on the number of major programs tested. Single audit fees are allowable as an indirect cost on federal grants and may be charged to awards as a direct cost with funder approval.
Audit fees increase significantly — often 20–40% — when the auditor encounters disorganized records, inadequate PBC preparation, or significant prior-year adjustments. The most reliable way to control audit cost is to maintain organized, reconciled grant files throughout the year rather than constructing them before the audit.
The Management Letter and What It Means
The management letter is separate from the audit report. It contains the auditor’s observations about internal control weaknesses, operational inefficiencies, and compliance gaps that did not rise to the level of a formal finding in the audit report but that the auditor believes management should address.
A management letter comment is not a finding — it does not get reported to federal agencies or posted to the Federal Audit Clearinghouse. But it is a written record of a weakness that your auditor identified. If the same comment appears in two consecutive years, it signals to the auditor that management has not prioritized the issue — which increases the risk of the comment being elevated to a significant deficiency or material weakness in the third year.
Common management letter comments at nonprofits: inadequate segregation of duties for cash handling and accounting, undocumented functional expense allocation methodology, restricted fund releases recorded without supporting documentation, and incomplete or late board meeting minutes.
For a practical audit preparation checklist, see Nonprofit Audit Readiness. For a glossary definition of single audit including how findings are reported, see Single Audit. For a catalog of the most frequently cited single audit findings and how to prevent them, see Common Single Audit Findings.
Free resource
Get the Nonprofit Grant Compliance Checklist
A practical checklist for post-award grant compliance: restricted funds, reporting cadence, audit prep, and common failure points. Delivered by email.
- Single audit
- A compliance audit required under 2 CFR Part 200 (Uniform Guidance) when a nonprofit expends $1,000,000 or more in federal awards (raised from $750,000 for fiscal years ending September 30, 2025 or later) in a fiscal year. Includes a GAAP financial statement audit and a separate compliance examination of major federal award programs. Results are submitted to the Federal Audit Clearinghouse and are publicly accessible.
DEFINITION
- Prepared by Client (PBC) list
- The list of documents, schedules, and reports that the auditor requests the nonprofit to prepare before the audit fieldwork begins. A well-organized PBC response — providing exactly what is requested in a logically organized format — reduces audit hours and therefore audit fees.
DEFINITION
- Management letter
- A written communication from the auditor to management (separate from the audit report) identifying internal control deficiencies, inefficiencies, or compliance weaknesses that did not rise to the level of a material weakness or significant deficiency but that the auditor believes warrant management's attention.
DEFINITION
Q&A
Do nonprofits have to be audited?
It depends on three factors: your state's registration requirements (California requires audits above $2M in gross revenue; New York above $750K; many states have lower thresholds or no requirement), your federal funding level (single audit required at $1,000,000 in federal expenditures, raised from $750,000 for fiscal years ending September 30, 2025 or later), and your grant agreements (many foundations require an audited financial statement as a condition of grant funding, often at thresholds lower than state requirements). Most nonprofits with revenues over $500,000 will be subject to at least one of these requirements.
Frequently asked