Why this matters now
On May 21, 2026, the U.S. Department of Health and Human Services announced the Audit Enforcement and Risk Oversight (AERO) program — a federal initiative that uses artificial intelligence to re-score at least five years of Single Audit data for every entity receiving more than $1 million annually in federal awards (HHS press release; Feldesman LLP client alert).
If you are a nonprofit executive, a CFO, a board chair, or a finance committee member at any organization with federal awards — directly or as a subrecipient — this announcement should change what is on your next board agenda. Not in six months. In the next thirty days.
Twenty years inside this sector tells me three things about how this will land:
- Most organizations are not ready. The compliance issues AERO is designed to surface — late submissions, recurring findings, weak corrective action plans, inexperienced audit firms — are exactly the issues that have been quietly tolerated for years because no one had the bandwidth to flag them.
- AI enforcement does not forget. Unlike a human reviewer who looks at the current year, AERO is built to find patterns across five years of audit history and watch every future submission (HHS).
- The sanctions are not theoretical. Withholding of payments, cost disallowances, award termination, and suspension or debarment under 2 CFR Part 180 are all on the table.
This insight is for the executives and boards who need to make a decision this quarter, not next year.
TL;DR — what AERO does and why it is different
- Launched May 21, 2026 by HHS to track grantee compliance with federal audit requirements under the Single Audit Act and Subpart F of 2 CFR Part 200.
- Reviews at least five years of historical Single Audit data across all 50 states using advanced AI analytical tools (Polsinelli).
- Triggers include repeatedly delinquent submissions, recurring or unresolved findings, missing or weak corrective action plans, and use of audit firms lacking meaningful Single Audit experience (Feldesman).
- Sanctions available include payment withholding, cost disallowance, award suspension or termination, suspension and debarment, and withholding of future federal funding (HHS).
- Threshold is $1 million in annual federal expenditures, applying to states, local governments, nonprofits, institutions of higher education, and other grantees (OMB / 2 CFR 200).
- Subrecipients are also exposed, because AERO findings against a pass-through entity (a state Medicaid agency, for example) can flow downstream to the nonprofits receiving subawards (Polsinelli).
The shift is not philosophical. The shift is operational: federal audit compliance is moving from human, episodic review to algorithmic, continuous review.
What is the AERO program?
AERO — Audit Enforcement and Risk Oversight — is an HHS initiative announced on May 21, 2026 to use AI analytical tools to identify federal grantees with persistent noncompliance in their Single Audits (HHS press release).
Three design choices make AERO meaningfully different from prior federal oversight:
1. Lookback is mandatory, not discretionary. AERO will examine audit histories spanning at least the past five years. HHS has stated that a recent review of audit data shows “hundreds” of grantees have submitted audits with considerable delay, some delinquent over multiple years, and that some have failed to remediate serious internal control deficiencies (Feldesman).
2. Monitoring is continuous, not episodic. AERO is also designed to monitor future Single Audit submissions on an ongoing basis. The implication: a single year of weak compliance now creates a five-year exposure window.
3. AI is the screening layer. Funding agencies have always had the authority to review Single Audits. What is new is that an AI system will surface patterns of concern before a human reviewer engages — which dramatically increases the throughput of enforcement and reduces the practical likelihood that a problem stays quiet.
Key insight: Federal compliance has effectively shifted from “submit and hope” to “submit and be scored.” If your last five Single Audits include unresolved findings, late submissions, or weak corrective action plans, you are already in AERO’s review window.
Who is covered by AERO?
Any non-federal entity that expends $1 million or more in federal awards during its fiscal year is subject to Single Audit requirements under 2 CFR Part 200, Subpart F. That threshold rose from $750,000 effective for fiscal years beginning on or after October 1, 2024 (BPM; Federal Audit Clearinghouse).
Covered entities include:
- Nonprofit organizations receiving federal grants directly or as subrecipients
- Institutions of higher education including community colleges
- State and local governments and their agencies
- Hospitals and health systems receiving Medicaid DSH, GME, NIH, or HRSA funding (Polsinelli)
- Tribal organizations and other non-federal recipients of federal awards
A nonprofit that has never been audited under a federal Single Audit before — but that crossed the $1 million expenditure threshold in FY 2025 — is now in the AERO universe whether or not the executive team has internalized it.
Key insight: Subrecipient status does not protect you. If your pass-through entity (a state agency, a prime contractor, a federally qualified intermediary) fails AERO scrutiny, the enforcement consequences flow downstream to your organization.
What triggers AERO scrutiny?
HHS has identified six categories of grantee behavior likely to attract scrutiny (Feldesman):
Most of these are operationally invisible to a board that does not have audit findings as a standing agenda item. Most are easy to address — if they are surfaced before AERO surfaces them.
What are the actual consequences of an AERO finding?
This is where the conversation tends to shift from compliance theater to genuine fiduciary risk. The available sanctions under Subpart F of 2 CFR 200 and 2 CFR Part 180 include:
- Temporarily withholding federal payments until compliance is restored
- Disallowing costs for all or part of the noncompliant activity — meaning your organization must repay funds already spent
- Suspending or terminating a grant award in whole or in part
- Initiating suspension or debarment proceedings — effectively excluding the organization from future federal funding for a defined period
- Withholding future federal funds, including both new awards and continuation funding for the project or program
For a nonprofit operating with thin reserves and a federal-heavy revenue base — the operating profile of much of the sector today — even a temporary withholding of payments is an existential cash-flow event.
Strategic value: AERO is not designed to be a learning conversation. It is designed to identify patterns that justify enforcement. The time to address compliance gaps is before the algorithm flags them, not after.
What should boards and executive teams do in the next 90 days?
Here are five operational moves I am recommending to every Cynotex client with federal awards. None require external counsel to begin. All can be initiated in a single board meeting.
1. Pull your last five years of Single Audits and Schedules of Findings. Read them. Identify every finding, every corrective action, and every “no current year findings” claim. If a finding repeats, that is a flag. If a corrective action was promised but not documented as completed, that is a flag. If you cannot locate all five years, that is itself a flag.
2. Audit your audit firm. When was the last competitive procurement for audit services? Does the firm have a substantive Single Audit practice — not just an annual financial statement practice? Have they ever been peer reviewed on a Single Audit engagement? Inexperienced audit firms are specifically called out as an AERO trigger (Feldesman).
3. Make corrective action plans executable, not aspirational. A CAP that says “management will strengthen controls” is not a CAP. A CAP that names the responsible officer, the implementation date, the documentation that will prove completion, and the board committee that will receive the verification — that is a CAP. Re-draft yours accordingly.
4. Put Single Audit status on every quarterly finance committee agenda. Three line items: (a) status of the current-year audit, (b) status of corrective actions from prior years, (c) any pass-through-entity audit issues that could affect us as a subrecipient. This is fifteen minutes of standing time. It is the single highest-leverage governance move in the AERO era.
5. Map your subrecipient exposure — both directions. If you receive funds as a subrecipient, get your prime’s most recent Single Audit. If you pass funds to subrecipients, document that you are monitoring them under 2 CFR 200.332. AERO will not distinguish between deficiencies you created and deficiencies you inherited.
Key insight: Compliance infrastructure that scales independently of grant volume is no longer a “nice to have.” Under AERO, it is the fixed cost of being eligible to receive federal awards at all.
How does AERO connect to the broader 2025 structural shift?
AERO did not appear in a vacuum. It is consistent with the larger pattern I wrote about earlier this year in The Structural Shift: a federal funding environment that is simultaneously contracting, consolidating, and tightening enforcement.
Three reinforcing currents to recognize:
- The pie is smaller. With foreign aid contracted by roughly 88 percent and one in three U.S. nonprofits losing government funding in early 2025, federal funders are under pressure to demonstrate that remaining dollars are well-stewarded (Council on Foreign Relations; Urban Institute).
- The bar is higher. Increased enforcement intensity through AI-driven oversight programs like AERO is a logical extension of that pressure.
- The downside is asymmetric. Sixty-six percent of nonprofits report increased demand even as funding contracts (CEP). In that environment, losing a federal award to a compliance issue is harder to absorb than at any point in the last twenty years.
The organizations that will weather this period are not the ones with the most awards. They are the ones with the most disciplined compliance infrastructure relative to their award volume.
FAQ: AERO, Single Audit compliance, and what to do now
Q: We are under the $1 million threshold. Does AERO apply to us?
The Single Audit requirement does not apply, but two cautions: (1) if your awards are growing, the threshold can be crossed mid-cycle, and (2) state and pass-through-entity audit requirements may still apply. State audit requirements vary; the National Council of Nonprofits maintains a state-by-state guide.
Q: How soon will AERO start producing enforcement actions?
HHS has not published a specific enforcement calendar, but the program is operational now, and HHS has stated it will analyze audit histories spanning at least the past five years (HHS). Counsel familiar with the program is recommending that grantees be prepared to respond to inquiries in the second half of 2026 (Polsinelli).
Q: What if we have a recurring finding we have been working on for years?
Document the work. A finding that recurs but is paired with a substantive, dated, documented corrective action with measurable progress is materially different from a finding that simply reappears. Bring this to your auditor and to your board now, not after AERO flags it.
Q: Should we file a FOIA request before responding to any AERO inquiry?
Some legal counsel is recommending exactly that — seeking the AI methodology, validation studies, and federal approval records before substantively responding to an AERO finding (Polsinelli). This is a decision to make with qualified federal grants counsel, but it should be on the table from the moment any AERO correspondence arrives.
Q: We use the de minimis 15 percent indirect cost rate. Does AERO change that?
No. The de minimis rate under 2 CFR 200.414(f) — recently raised from 10 percent to 15 percent of MTDC — remains available. AERO is about audit compliance, not rate negotiation. That said, organizations using de minimis often have less mature compliance infrastructure overall, which is precisely the profile AERO is designed to surface.
Q: Our audit firm is local and inexpensive but does not specialize in Single Audits. Is that a problem?
Under AERO, yes. Use of audit firms lacking meaningful Single Audit experience is explicitly listed as a trigger for scrutiny (Feldesman). Plan to issue a competitive RFP for audit services for the next fiscal year, with Single Audit experience as a scored criterion.
Case in point: how a small university got ahead of AERO before it was announced
In a recent engagement I wrote about in From Chaos to Compliance, a small university with a roughly $7 million federal portfolio rebuilt its 2 CFR 200 compliance infrastructure in less than nine months. The work included:
- A negotiated indirect cost rate moving from 32 percent to 37 percent MTDC
- A 40 percent reduction in late report submissions
- Zero audit findings in the next Single Audit cycle
- A 20 percent increase in successful grant applications
None of that work was done with AERO in mind, because AERO did not exist yet. It was done because compliance infrastructure that scales — and scales independently of any one grant — is the fixed cost of being a credible federal grantee.
Under AERO, that work is no longer an enhancement. It is the price of admission.
How Cynotex Strategy Partners helps
At Cynotex, we work with executive teams and boards navigating exactly this terrain. In the AERO era, our engagements typically include:
- Strategy development and implementation — translating AERO exposure into a board-level compliance roadmap with named owners, dates, and verification triggers.
- Organizational development and leadership coaching — preparing executives and boards for the difficult conversations that follow a five-year audit lookback.
- Nonprofit risk management — designing systemic-risk frameworks, corrective-action templates, subrecipient monitoring tools, and board oversight rhythms aligned to 2 CFR 200, Subpart F.
- Grant writing and funder research — focusing limited capacity on the federal opportunities your compliance infrastructure can actually win and sustain.
- AI tools for operational efficiency — including grant document management, deadline tracking, and program-cost modeling that reduce the unit cost of compliance.
Protect your mission. Strengthen your organization. Federal audit compliance has just moved from episodic to continuous. So has the work.