For personal job security, of course I will say, ‘Yes!’ a nonprofit organization needs an internal audit function. Now isn’t that a thoroughly independent opinion?
First of all, the kinds of intentional and unintentional errors and mistakes that happen in any organization can and does happen at nonprofit organizations. The extent to which errors happen can negatively impact an organization if it is relevant to a key process, and if that process is a driver to an organization’s success and contributes to the accomplishment of mission.
There are many different kinds of nonprofit organizations and many have similar processes to a for-profit or commercial organization. All organizations handle and process cash, pay vendors, track and manage revenue and expenses, and manage financial reporting consistent with the standards acceptable in their jurisdiction of operation (i.e. Generally Accepted Accounting Principles in the U.S.). The uniqueness of nonprofits (at least those that are supported by donations) is that they are stewards of the public’s trust and are held to a high standard of integrity that the organization will use donations as promised. The public does not have the opportunity they would have in an exchange transaction when they are purchasing a product or service whereby they can return the product or ask for a refund for poor service. Additionally, there are unique compliance requirements for nonprofits especially for those that are considered tax-exempt (exempt from federal income taxes) and for those charitable organizations that have the added benefit of tax-deductible contributions.
In any organization, internal controls are set up to give the key processes the best chance of functioning as designed and ultimately for meeting the objectives of the organization. The role of internal auditors in most organizations is to provide independent assurance through the review and testing internal controls to assess if they are designed and functioning appropriately. Additionally, they help to assess if there is a deficiency of internal controls or possibly an abundance of internal controls in areas where the inherent risks are low. Internal auditors also assist the organization in improving risk management and governance processes.
Auditors typically begin with an overall risk assessment of the organization to understand overall strategy and objectives, and then within the framework of strategy, understand the key processes that drive and support accomplishment of strategy and the inherent risks to the accomplishment of objectives. Once the areas of high risk (areas susceptible to error or fraud in an uncontrolled environment) have been identified, different types of procedures (agreed upon procedures, reviews, audits) are performed to identify the strength of controls in the high risk areas.
The internal audit function is typically the function within an organization that can provide independent assurance on internal controls. However, in smaller organizations, Management and the Board of Trustees can oversee and monitor the internal control framework. The Board and management should proactively periodically review a selection of internal controls over noted high risk areas. As a start, it is important for the Board to work with management to have a sound methodology to assess risks. At the point where an organization is too large for the Board and management to review all key controls, and if there are risks that are significant to accomplishment of the organization’s mission, then it would be a good time to assess if an internal audit function should be established, or if internal audit functions should be outsourced for those key risks.
In the last decade, there has been increased scrutiny on nonprofit organizations in terms of ensuring adequate governance, accountability and transparency. It would be prudent for all nonprofit organizations to assess their risks both for the sake of organizational success as well as to preserve the public’s trust.
This is an excellent article that provides a good overview of how to establish, maintain and structure an effective internal audit function.
Some resources and links:
Institute of Internal Auditors
Association of Certified Fraud Examiners
Information Systems Audit and Control Association
bderosia
brwillia
cam0511
ejwcpa
Hannah
Jennifer Brenner
Jonathan Ferguson
Uma Maheswaran
Eline Nelson
NFP Audit and Accounting 