As an Audit Director, I’ve seen firsthand how quickly the regulatory ground beneath federal grants can shift—and how important it is for organizations that depend on public funding to shift with it. The new uniform guidance brings several significant changes: the single audit threshold has been raised to one million dollars, the de minimis indirect cost rate has been lifted to fifteen percent, and the equipment capitalization threshold has doubled to ten thousand dollars. These adjustments were designed to cut friction, reduce administrative burden, and direct more funds toward mission. But they also create a new compliance map that leaders must navigate carefully. Programs that once triggered a single audit may now fall out, major program selection will tilt with the new Type A threshold, and internal control expectations now explicitly include cybersecurity.

One of the biggest misunderstandings I encounter after any rule change is the assumption that “less audit” means “less control.” The opposite is true. Even entities under the single audit threshold must still prove allowability, track time and effort, reconcile their Schedule of Expenditures of Federal Awards (SEFA) to the general ledger, and follow program rules. The de minimis rate at fifteen percent is not a windfall unless it is calculated correctly, applied only to the proper base, and reflected in budgets and billings. Likewise, the higher equipment threshold simplifies capitalization, but only if policies are updated so procurement, accounting, and program leads follow the same rules. Subrecipient monitoring remains a core duty for pass-through entities, including checking suspension and debarment status and documenting risk assessments and oversight.

Audit readiness today looks less like a binder pulled together at year end and more like a living system. I recommend starting with a complete, running SEFA that ties directly to the general ledger and grant files. Map OMB compliance requirements to specific controls, owners, and evidence. Test key controls over eligibility, reporting, and procurement so issues surface early. Document subrecipient risk, monitoring steps, and results. Build approval chains that show who reviews costs, time charges, and draws. Train staff who code expenses so they understand allowability and match grant conditions. Above all, layer cybersecurity into internal controls with policies for access, incident response, data protection, and vendor risk wherever federal information is touched.

From my perspective as an auditor, scrutiny increases where risk is highest. You should expect deeper review of internal control design and implementation, not just the presence of a policy. Expect verification that subrecipients are eligible to receive federal funds and that monitoring fits their risk profile. Expect questions about how the fifteen percent de minimis was set, budgeted, and applied. Expect to see updated procurement thresholds, adequate competition documentation, and capital asset policies aligned to ten thousand dollars. And expect focus on how financial data reconciles: grants ledgers to general ledger, draws to support, and SEFA totals to trial balances.

Strong collaboration between finance and grants teams is the fastest way to lower audit risk. Joint policies eliminate gray areas, while segregation of duties keeps oversight intact. Shared dashboards can track spend, match, milestones, and reporting deadlines by grant. Monthly SEFA reconciliations prevent variances from piling up. Where possible, adopt grant management software that separates funding streams, enforces cost categories, and flags overbilling. Standardize templates for time and effort, procurement documentation, subrecipient reviews, and draw requests. Schedule training across teams when thresholds change to prevent old rules from lingering in daily work.

The practical takeaway is straightforward: update your policies and your habits. Raise the equipment threshold in writing, reset procurement standards, and document how the de minimis rate is applied. Refresh subrecipient procedures and embed cybersecurity into control narratives. Confirm your SEFA ties out every month, not just at year end. By turning these updates into routine practice, organizations can comply with the new guidance, reduce surprises, and keep more attention on mission and outcomes.

—Sharon Blazejowski, Audit Director