In recent years, nonprofits have been the target of increased scrutiny over governance, accountability and compliance. Despite this, many organizations dismiss the importance of their internal audit function. This isn’t a wise move. All nonprofits face heightened expectations from regulators and the public, as well as an ever-expanding field of risks. Even though your budget may be tight, you can’t afford mistakes or fraud incidents as a result of a weak or nonexistent internal audit function.
What Role Does Internal Audit Serve?
On its most basic level, the internal audit function provides independent assurance of a not-for-profit’s compliance with its internal controls and their effectiveness in the areas of financial and operational risk. Potential risks include fraud, insufficient funds to support programming, and reputational damage. Such risks are, of course, of concern to all types of organizations, but they’re particularly critical for nonprofits, which are often held to a higher standard of integrity by the public. Moreover, noncompliance with regulations could cost a nonprofit its tax-exempt status.
Internal audit is typically charged with:
- identifying risks and prioritizing them from high to low;
- assessing the effectiveness of internal controls through testing and other methods;
- evaluating compliance with laws, regulations and contracts;
- mitigating risks with targeted audit plans that give greater attention to high-risk areas and producing reports with recommendations for improvement;
- following up on its own recommendations and management’s remediation actions to eliminate identified risks; and
- assisting external auditors.
The overall objective is to help the not-for-profit accomplish its goals through proactive risk management and informed governance.
How Do Internal Auditors Work?
Internal auditors typically begin with an overall risk assessment of the nonprofit. Their wide-ranging review will consider everything involved in accomplishing the organization’s objectives, including financial procedures and processes (from cash and banking practices to financial reporting).
When high-risk areas are identified, auditors use various methods, such as testing of transactions, interviews of staff, or electronic data extraction techniques, to assess the strength of internal controls.
Smaller organizations aren’t exempt from the internal audit imperative. Their board and management can oversee internal controls with the assistance of a qualified third party.
What Ensures Success?
The effectiveness of the internal audit function hinges on several factors, including:
- Independence. Internal auditors should be independent from management and other functions they review to avoid bias or a conflict of interest. They should report directly to the board of directors or its audit committee.
- Executive support. The board and executive management must provide clear support for the internal audit function and its activities to convey their importance to the full organization. Leadership must indicate its support both verbally and by its actions. For example, the board must meet regularly with internal auditors to discuss their findings and should visibly act on their recommendations.
- Resources. Not surprisingly, the quality of the internal audit function’s work is directly related to its capacity, yet one of the major handicaps suffered by many internal audit functions is insufficient resources. Even where the function is manned by individuals with extensive audit expertise, it might lack employees with the requisite knowledge of relevant program areas. For peak performance, internal audit should engage internal or outsourced staff with experience in compliance and controls, program areas, operations, and specialized areas (such as IT), especially those identified as high-risk.
- Quality assurance review (QAR). A QAR assesses the overall effectiveness of an internal audit function by applying three criteria: 1) compliance with professional standards; 2) effectiveness and efficiency of function activities, organization, resources and skill capabilities; and 3) evaluation and fulfillment of stakeholder needs. A resulting report includes recommendations for improving and enhancing the internal audit function’s role. The Institute of Internal Auditors suggests that internal auditors conduct QAR self-assessments periodically, with third-party QARs done every five years.
An Indispensable Function
With proper independence and support, the internal audit function can prove invaluable for nonprofits of all sizes. Proper assessment of risk — whether by an in-house or outsourced internal audit function — is crucial for nonprofits that want to thrive in today’s rigorous environment.
Beyond Compliance: Internal Audit as a Strategic Partner
Although the internal audit function is often viewed mainly through the prism of compliance and internal controls, it has a lot to offer beyond risk assessments and audit plans. Savvy organizations have begun to tap internal audit for strategic purposes.
For these organizations, the internal audit function serves almost as an internal consultant, providing critical insights gathered in the course of compliance and assessment work on issues such as operational efficiencies. For example, in the course of reviewing invoices, internal audit may discover a way to streamline invoice processing.
The internal audit function’s familiarity with the organization’s inner workings also affords it an unusual perspective for evaluating strategic opportunities and investments. For instance, does your not-for-profit have an operational or financial weakness that could undermine plans for a new program? Your internal auditor should know the answer.
Contact MFA's Nonprofit Team to discuss whether it makes sense for your organization to establish its own internal audit function or if outsourcing or co-sourcing the internal audit function is a more appropriate solution for you.