Not-for-profit leaders and staff often regard the word “audit” with dread. After all, audits can be disruptive and cumbersome processes that eat up time and resources. But different types of audits come with other obligations and benefits. Here is what you need to know before you engage a financial professional to conduct an audit.

Independent financial engagements

An independent — or external — financial audit is probably what comes to mind when most people think of audits. In this type, an independent auditor reviews financial statements, transactions, accounts, records, internal controls, and accounting and financial processes and procedures.

Following such examinations, auditors issue an opinion on whether financial statements:

• Fairly present the organization’s financial position as of the year-end date;
• Fairly present the organization’s changes in net assets and its cash flows for the year under audit; and
• Comply with U.S. generally accepted accounting principles.

Auditors may also provide recommendations and a letter to the not-for-profit’s audit committee, discussing the audit process and results. (See sidebar, “The case for audit committees.”)

Internal reviews

Internal audits, on the other hand, are performed by members of the not-for-profit’s staff. At a minimum, your team should scrutinize the adequacy of your internal controls and the accuracy of your records and reports, and their findings should be reported to your board of directors. They may go further by verifying proper authorization of activities and expenditures and confirming the physical existence of assets.

An internal audit can help you prepare for an independent audit. If you unearth and remedy shortcomings before the independent auditors arrive, you can streamline the overall process and potentially reduce audit-related costs. Even if you do not find any issues during an internal audit, you’ll have much of the information auditors require already collected and readily available.

Forensic examinations

A forensic audit of an organization’s financial operations is typically triggered by some type of lapse (for example, a data breach) or suspicion of employee wrongdoing. These audits can focus on specific transactions or areas where concerns about fraud have arisen.

Forensic audits should be conducted by an independent forensic auditor or certified fraud examiner who’s capable of thoroughly investigating red flags. The auditor you engage will approach the process with an eye toward collecting evidence that could be used in court (if necessary) and by quantifying any losses.

Focus on operations

As for operational audits, they can help your organization improve its processes and controls. This type of review evaluates systems, productivity, and efficiency (or lack thereof), and auditors may decide to observe and interview staff members to gather information. An operational audit report provides a comprehensive overview of how your organization operates on a daily basis.

The audit’s focus can be narrow — for example, homing in on HR or IT — or it can be broad. Either way, such audits can help your organization refine or significantly improve its practices. Although it may seem like a drain on limited resources during a time of financial uncertainty, an operational audit can help you achieve more with what you have.

Cybersecurity assessments

Increasingly, not-for-profits keep vast amounts of data about donors, clients, staffers and others. Your organization may also be subject to data privacy laws, such as the European Union’s General Data Protection Requirements or various state statutes. It’s essential to determine whether your safeguards are sufficient in protecting such data.

A cybersecurity audit can help determine the risks confronting your organization. These could range from employees using weak passwords or falling victim to phishing schemes to outsiders gaining unauthorized access to personally identifiable information. In addition to determining the effectiveness of your safeguards, these audits propose solutions to address any weaknesses.

Keep in mind that cyber risks are constantly evolving. So cybersecurity audits must be conducted periodically — ideally, at least once a year.

Doing your part

Regardless of the type of audit conducted, you and your staff can ease the process for audit professionals. For example, if you maintain accurate records and everyone in your organization closely adheres to internal controls, you can reduce the time and burden of audits.

Sidebar:   The case for audit committees

Among other things, your not-for-profit’s board of directors is charged with fiduciary oversight. One of the most effective ways of fulfilling this duty is to delegate it to an audit committee. A proactive audit committee can both enhance the benefits of an independent financial audit and reduce fraud.

Audit committees are separate from finance committees (which primarily monitor budgets, investments and financial statements). Your audit committee should oversee the conduct and integrity of your organization’s financial practices and reporting, including risk management, internal controls and, of course, the audit function.

The committee must work closely with external auditors, meeting with them before the audit to discuss the work plan. The committee should also review the auditors’ findings before they’re presented to the board and ensure the board responds appropriately to any recommendations. Finally, this committee plays a critical role in combating fraud. It’s responsible for reviewing whistleblower and antifraud policies, overseeing procedures for uncovering errors or illegal acts, and conducting fraud risk assessments.

For more information, contact Jurgita Kalina at 312.670.7444 or [email protected]. Visit ORBA.com to learn more about our Not-For-Profit Group. Sign up here to receive our blogs, newsletters and Client Alerts.