The internal audit function has evolved in recent years. The key role of a nonprofit’s internal auditors was once limited largely to testing financial and compliance controls and reporting their findings to the organization’s leadership. But today, with its cross-departmental perspective, the internal audit staff (whether employees or outsourced help) can help anticipate and mitigate a variety of risks, improve financial and operational processes — and even help evaluate the nonprofit’s strategies.
An independent function
On its most basic level, the internal audit function provides independent assurance of a not-for-profit’s compliance with its internal controls and their effectiveness in the areas of financial and operational risk. Potential risks include fraud, insufficient funds to support programming, and reputational damage.
Such risks are, of course, of concern to all types of organizations. But they’re particularly critical for nonprofits, which are often held to a higher public standard of integrity. Moreover, noncompliance with regulations could cost your nonprofit its tax-exempt status.
Internal auditors are typically charged with some of the most central — and critical — duties in an organization. These individuals, for example, should identify your nonprofit’s risks and prioritize them from high to low. They also must, through testing and other methods, assess the effectiveness of your internal controls. Further, your internal auditors should focus on the threats they’ve identified with targeted audit plans that give the greatest attention to high-risk areas. Their results should include reports with recommended improvements.
The internal audit function also typically includes evaluating compliance with laws, regulations and contracts; following up on management’s remediation actions to eliminate identified risks; and assisting external auditors, when applicable.
Internal audit’s overall objective is to help your not-for-profit accomplish its goals through proactive risk management and informed governance.
A wide-ranging review
The internal auditors’ wide-ranging review will consider everything involved in accomplishing the organization’s objectives, including financial procedures and processes (from cash and banking practices to financial reporting).
When high-risk areas are identified, auditors use various methods, such as the testing of transactions, interviews of staff and extraction of electronic data, to assess the strength of internal controls.
Smaller organizations aren’t exempt from the internal audit imperative. Their board and management can oversee internal controls with the assistance of a qualified third party.
What it takes to be effective
The effectiveness of the internal audit function hinges on several factors, and independence tops the list. Internal auditors should be independent from management and all areas they review to avoid bias or a conflict of interest. They should report directly to the board of directors or its audit committee.
Your board of directors and executive management should provide clear support for the internal audit function’s activities, and convey their importance to the full organization. Leadership must indicate its support both verbally and by its actions. For example, the board must meet regularly with internal auditors to discuss their findings and should visibly act on their recommendations.
Not surprisingly, the quality of the internal audit function’s work is directly related to its capacity, yet one of the major handicaps suffered by many internal audit departments is insufficient resources. Even where the function is manned by individuals with extensive audit expertise, it might lack employees with the requisite knowledge of relevant program areas. For peak performance, internal audit should engage internal or outsourced staff with experience in compliance and controls, program areas, operations, and specialized areas (such as IT), especially those identified as high-risk.
Quality assurance reviews
A quality assurance review (QAR), required to be completed once every five years, evaluates the internal audit activity’s conformance with The Institute of Internal Auditors’ Definition of Internal Auditing, Code of Ethics, and Standards, and focuses on opportunities for improvement. The QAR can be in the form of a full external assessment or a self-assessment with independent external validation.
The final report will include recommendations for improving and enhancing the internal audit function’s role.
Although the internal audit function is often viewed mainly through the prism of compliance and internal controls, it has a lot to offer beyond risk assessments and audit plans. Savvy organizations have begun to tap internal audit for strategic purposes.
For those not-for-profits, the internal audit function serves almost as an internal consultant, providing critical insights gathered in the course of compliance and assessment work on issues such as operational efficiencies. For example, while reviewing invoices, internal auditors may discover a way to streamline invoice processing.
The internal audit function’s familiarity with the organization’s inner workings also affords it an unusual perspective for evaluating strategic opportunities. For instance, does your not-for-profit have an operational or financial weakness that could undermine plans for continuing your current programs or launching a new one? Your internal auditor should know the answer.
Bump up oversight
Internal auditors add an important layer of oversight to your organization. And in today’s environment, with increased public scrutiny of how nonprofits are governed and held accountable, this makes an effective internal audit function a must.