Preparing for the Future of Single Audits: Navigating the Latest AICPA Guidance

by Brittney Williams, CPA, CGFM, Audit Partner

Posted on June 8, 2026

The AICPA’s 2025 edition of the Government Auditing Standards and Single Audits Guide (the Guide) introduces some of the most significant updates to single audit methodology in recent years. While the core compliance requirements remain unchanged, the new guidance enhances audit quality, improves consistency, and better aligns single audit procedures with modern risk assessment and sampling practices.

For firms performing Uniform Guidance audits, these changes deserve immediate attention. Although the most significant revisions currently appear in Appendix B of the 2025 Guide, they will become authoritative Part II guidance in the 2026 edition. Now is the ideal time to prepare.

Why the Guide Was Updated

The revisions were developed over multiple years by the AICPA Governmental Audit Quality Center Executive Committee, with extensive input from practitioners, federal agencies, the GAO, and the Auditing Standards Board. An academic statistician was also engaged to refine the sampling methodology and related sample size tables.

The result is a more robust, risk-focused framework that reflects current auditing standards, recent Uniform Guidance revisions, and the 2024 Government Auditing Standards update.

Understanding the Transition Timeline

The AICPA has adopted a phased implementation approach:

  • October 2025: The updated guidance is introduced in Appendix B.
  • October 2026: Appendix B content becomes the official Part II of the Guide.

This approach gives auditors a full year to familiarize themselves with the new concepts, update methodologies, and train engagement teams before mandatory implementation.

Key Enhancements Auditors Will Focus On

Expanded Entity-Wide Risk Assessment

The new guidance formalizes the concept of entity-wide procedures. Auditors are now expected to perform risk assessment procedures collectively across multiple major programs within the same organizational unit.

This includes gaining a deeper understanding of:

  • The entity and its environment
  • All five components of internal control
  • Information technology systems and general IT controls
  • Fraud considerations
  • Prior audit results and monitoring activities

Importantly, the Guide distinguishes between direct and indirect controls, emphasizing how entity-level controls support compliance across multiple programs.

A More Granular Risk Assessment Process

Risk identification now follows a six-step framework designed to improve precision and responsiveness:

  1. Understand the major program.
  2. Determine program-level materiality.
  3. Identify applicable compliance requirements.
  4. Determine which requirements are direct and material (D&M).
  5. Identify risks of material noncompliance (RMNCs).
  6. Assess inherent and control risk.

This structured approach encourages auditors to identify risks at a disaggregated level rather than assessing risk broadly at the compliance requirement level. That distinction leads to more targeted testing and stronger audit evidence.

Clarified Direct and Material Determinations

The Guide provides expanded guidance on determining whether compliance requirements are direct and material.

For monetary compliance requirements, a useful indicator is whether expenditures in a particular cost category exceed program materiality. However, qualitative considerations remain essential, particularly for non-monetary compliance requirements.

Auditors must also separately evaluate individual compliance categories within certain compliance requirements, such as:

  • Equipment and real property management
  • Matching, level of effort, and earmarking
  • Procurement and suspension and debarment
  • Each individual special test and provision

If a compliance requirement is determined not to be direct and material, that conclusion must be documented.

New Focus on Risks of Material Noncompliance

The revised Guide emphasizes identifying specific RMNCs for each direct and material compliance requirement.

Rather than simply assessing “allowable costs” as a whole, auditors should identify distinct risks related to payroll, fringe benefits, contractual costs, subrecipient expenditures, and other significant transaction streams.

This disaggregated approach better connects risk assessment, control testing, and substantive procedures.

Modernized Internal Control Testing

Chapter 13 of the Guide introduces substantial enhancements to testing internal control over compliance. Highlights include:

  • A formal four-step process for understanding control activities
  • Guidance on evaluating the relevance and reliability of information used in controls
  • Introduction of a new concept: Risk Associated With the Control (RAWTC)

RAWTC helps auditors determine how much evidence is necessary when relying on controls. It directly affects recommended sample sizes and should never be assessed below the inherent risk of the related RMNC.

Updated Sampling Methodology

Sampling guidance has been significantly refined for both control testing and substantive compliance testing. Notable changes include:

  • New sample size tables based on RAWTC for controls
  • Separate compliance sample size tables depending on whether controls are effective
  • Simplified tables for small and large populations
  • Enhanced guidance for evaluating deviations and exceptions

These changes are intended to improve consistency and better align sample sizes with assessed risk.

Individually Important Items

A new concept introduced in Chapter 14 of the Guide is the identification of individually important items. These are items that, by themselves, are significantly different from the rest of the population. Testing these items separately can substantially reduce detection risk.

For example, if a single expenditure represents 30% of a population, an auditor may test it individually and exclude it from the remaining sample population. This can lead to more efficient and effective substantive testing.

Responding to Identified Noncompliance

The revised Guide provides a clearer roadmap when instances of noncompliance are discovered.

Auditors should:

  • Stop attribute sampling when exceptions are identified.
  • Investigate the nature and cause of the exception.
  • Request management to assess the extent of noncompliance.
  • Obtain additional audit evidence.

Importantly, attribute sampling should not be used to quantify the financial impact of noncompliance across the population.

Changes to Evaluation and Reporting

The new guidance sharpens the distinction between evaluating control deficiencies and evaluating compliance findings. Auditors must assess control deficiencies at multiple levels:

  • Individual compliance requirement
  • Major program
  • Schedule of Expenditures of Federal Awards (SEFA)

The Guide also clarifies reporting thresholds for noncompliance, including the continued requirement to report:

  • Material noncompliance for major programs
  • Known or likely questioned costs exceeding $25,000 for major programs
  • Known questioned costs exceeding $25,000 for non-major programs

Materiality for reporting findings will often be lower than materiality used during planning and performance.

What Firms Should Do Now

Although the most significant changes are not yet mandatory, firms should begin to address changes now by:

  • Updating single audit methodologies
  • Revising sampling templates
  • Training engagement teams
  • Evaluating software and documentation tools
  • Performing pilot testing during 2025 and 2026 engagements

Early adoption will help ensure a smooth transition and reduce implementation challenges.

What These Changes Mean for Audit Clients

While the updated Guide is directed at auditors, clients will also feel the impact. Organizations subject to Single Audit requirements should expect more focused inquiries, expanded documentation requests, and increased attention to internal controls and compliance processes.

Auditors will likely spend more time understanding program operations, information systems, and entity-wide controls before substantive testing begins. This may require earlier engagement with management and greater involvement from program personnel, finance teams, and IT staff. Clients that are well-prepared can help streamline the audit process and minimize disruption.

In particular, entities should anticipate:

  • More detailed discussions about their compliance processes and internal control structure.
  • Greater scrutiny over how management identifies and monitors compliance risks.
  • Additional requests for documentation supporting direct and material compliance requirements.
  • More targeted testing of significant transaction streams and individually important items.
  • Increased focus on the completeness and reliability of reports used in internal controls and compliance monitoring.

Organizations may also notice auditors asking more questions when exceptions are identified. The revised guidance places greater emphasis on understanding the cause, extent, and potential impact of noncompliance. Management may be asked to perform additional analysis or quantify questioned costs more promptly than in prior years.

The good news is that these changes should ultimately lead to a more efficient and effective audit. Clients with strong documentation, well-designed controls, and clear compliance processes are likely to benefit from a smoother engagement. Proactive preparation-particularly in areas such as internal controls, system-generated reports, and subrecipient monitoring-can help organizations navigate the transition successfully.

For entities that receive federal funding, now is an excellent time to discuss these upcoming changes with your auditors and evaluate whether your current compliance framework is ready for the enhanced expectations.

Final Thoughts

The 2025 GAS-SA Guide represents a meaningful evolution in single audit practice. Its enhanced focus on risk assessment, internal controls, sampling, and audit evidence should lead to higher-quality audits and more consistent execution across the profession.

For auditors, the key takeaway is simple: Appendix B of the Guide is not optional reading. It is the roadmap for the future of Uniform Guidance compliance auditing.

Now is the time to get ready.

Print-ready version: Click here