By Mark Tessar, CPA, CIA | Nonprofit Audit Supervisor
By their nature, tax-exempt entities are under extraordinary scrutiny. With the IRS, external auditors, donors, watchdogs and stakeholders all analyzing their finances, nonprofit organizations must implement effective internal controls that decrease the likelihood of fraud, accounting mistakes or other inappropriate accounting practices that could impact the organization’s finances and reputation. Many organizations who have established an internal audit function benefit not only from process improvements (including strengthened internal controls), but also an enhanced ability to respond to internal and external risk. Robust internal audit programs offer the added benefit of helping the organization’s leadership to develop and implement effective strategic plans. Who wouldn’t want a crystal ball? Internal audits are no longer the exclusive domain of large nonprofit organizations. Nonprofits of all sizes are establishing internal audit functions to protect the future of their organizations.
Internal Audit vs. External Financial Statement Audit
The primary objective of an internal audit is to provide leadership (including the board of directors and the organization’s executive team) with the highest level of independent assurance and recommendations related to the effectiveness of internal controls, governance and risk management processes. The primary differences between internal audit and an external financial statement audit is the concept of materiality and scope. External audit focuses on providing assurance that financial statements are free from material misstatement. This means that external financial statement auditors focus primarily on financial reporting risks. Internal auditors use a broader risk assessment process which places less weight on the financial materiality of an audit area and focuses more on the holistic impact a risk event could have on the organization.
One similarity between internal and external audit is the concept of independence. It is crucial that an internal auditor not only be independent of the entity under review, but also report directly to the organization’s board or audit committee. This means some organizations would benefit from an outsourced internal audit function in cases where independence cannot be assured internally.
While beneficial to all organizations, those that receive federal funding (subject to Uniform Guidance) or organizations that must comply with other specific program guidelines or requirements due to their funding sources gain the most from an internal audit. Among them, international organizations with local field offices are particularly good candidates. International Non-Governmental Organizations (INGOs) with an internal audit function perform field audits and report back to their headquarters regarding any control deficiencies with recommendations for mitigating action plans. This assurance gives the organization’s leadership and donors greater confidence in field office operations, which is one the highest risk areas for any INGO.
Where to Start
The first step of an effective internal audit process is to evaluate enterprise wide risks with the potential to impact the organization. After the risks are identified, the next step is to develop an audit plan to review the processes and controls already in place around those high risk areas, and then various levels of procedures are performed (agreed upon procedures, review and audit) to identify any deficiencies. For organizations new to internal audit, the process does not have to be “all or nothing”. From an auditor’s perspective it is perfectly acceptable to prioritize risk areas from the beginning and focus attention where it is needed most. Top priority should always be given to those areas that keep the organization’s audit committee and leadership up at night.
The internal audit function is an important investment in a nonprofit’s commitment to their mission and maintaining the public’s trust. If your organization is exploring the benefits of an internal audit, a great first step is to consult an auditor specializing in nonprofit organizations. Watch our recorded webinar, Enterprise Risk Management for Nonprofits & Associations: Where Strategy Meets Risk to learn more about mitigating risk to your organization. For more information or to discuss an internal audit for your organization, contact Mark Tessar, CPA, CIA, Nonprofit Audit Supervisor at firstname.lastname@example.org or 301-951-9090.