Preparing for Your School or Nonprofit Financial Audit: Identifying Risks and Establishing Strong Internal Controls
An unidentified risk is like that unmarked container in the back of the office fridge. No one is quite sure what’s in there or how bad the smell will be. And until someone is brave enough to take a close look at what’s inside, it will continue to grow.
But once the risk is identified, it can be measured and planned for. Until you are willing to peek under the lid, you don’t know if you are dealing with a forgotten bologna sandwich, or something much, much worse.
The annual financial audit is a great time to review your statements through a risk lens and search the corners of your financial statements for long-forgotten issues that could contaminate an entire balance sheet. When you are preparing for your annual nonprofit financial audit, you need to understand and identify the risks that could affect your organization so you can address and mitigate potential problems.
Identifying—and Mitigating—Risks as Part of your School or Nonprofit Financial Audit
While the financial team might have the most experience recognizing risk, the conversation should include all parts of your organization. An open dialogue about risks helps us move together as an organization to prioritize our time and resources so that you’re taking care of mundane responsibilities as well as our mission work.
As part of your regular discussion with your auditor, preferably at the start of your fiscal year, review your internal controls. Your auditor can help you identify any potential holes and opportunities for improvement. With those risk areas clarified, you can work with your internal control committee to prioritize the probability those potential problems might happen and what their impact might be. This will help you prioritize solutions.
Once risks are identified and prioritized, set procedures and processes to address them, and document those processes. This is where you need to pay close attention to “who” and “how.” Bring together a combination of individuals who have expertise, independence, and impact throughout the organization in order to make those adjustments to your controls.
The Importance of Organizational Culture in Risk Management
As you update your internal controls to address any new risks, take into account your organizational culture. If there is a general appreciation for internal controls and a standard practice of following them—from all levels of the organization—your risk management efforts will be easier than if your internal controls are seen as more of guidelines.
Once risks are agreed upon and prioritized, it’s important to have members of your senior management act as sponsors to provide guidance and resources during check-ins. Not only does this provide authority to the process—no matter what your organizational culture is—but it also enables the individuals who are close to the risks to do research and recommend appropriate procedures to plan for the identified risks.
If there is a gap between what the organization is currently doing and what it needs to do, commit to making the time to research best practices as well as invest in the technology and personnel to move forward.
As you develop your procedures, check in regularly with your auditors to make sure that you are on the right track. Your auditors can ensure you are using best practices and are effective and efficient with your resources. Remember, if it is too hard, no one will do it—not because they have a bad attitude, but when your staff is stretched thin, they must be selective as to what they can accomplish. And compliance usually gets the short end of the stick.
Procedures and processes that serve multiple purposes, such as compliance and information-related processes, have a much better chance of success than doing something just because it must be done. See if your new procedures for these prioritized risks can help other parts of your organization, such as program delivery. See if you can find a way to make a part of the process easier or remove a time-consuming task or incorporate it seamlessly into a task the team is already doing to make it easier to comply.
Preparing for the Annual Audit – Identifying Risks
Risk management is a larger process for a nonprofit than it is for a for-profit business. Nonprofit organizations often allocate fewer resources, yet have more risks, and the consequences of not managing those risks, frankly, may be bigger. All nonprofits serve the public good, and if you fail to meet outcomes, that failure can have a long shadow.
A Review of a Standard Risk: Failure to Meet Program Outcomes
The repercussions for nonprofits that fail to meet expected outcomes are not just larger, but they are also different. For a for-profit entity, the result may be missing a revenue target or spending too much to generate revenue. Nonprofits have that same risk, but you also have the risk of delivering the service but failing to document the service properly or the service recipient’s eligibility.
Insufficient data may have obscured the problem until it was too late. Too often it is Finance or an auditor who uncovers these problems during the audit. Often, the issue is not one of competence but of systems. You work hard and create complex processes, but it is just too manual and too laborious to get in front of issues.
Strategies to manage these risks include:
- Establishing standard, digitized processes to capture data and supporting documentation—financial and non-financial
- Use dashboards to communicate results in real-time
- Investing in systems that maintain records of whatever it is that you have committed to achieve and that provide sufficient information for you to take timely corrective actions
Your risks have wrinkles that are as unique as your nonprofit. Because you have agreed on the information that is shared and the information is accessible, you can work collaboratively with your Program delivery team to allow your data to inform you on how effectively you are meeting our mission and respond to any red or yellow flags that present themselves.
Taking Corrective Action Before Your School or Nonprofit Financial Audit
After creating procedures that maintain internal controls and manage risks, it is important that the cross-functional team has space in their work day to analyze and verify periodically. The last step is to follow through and turn corrective action into habit.
Corrective action should be punitive only as a last result. When a compliance failure occurs, look for the root cause. Do not leave the offender to fix it on their own. The cross-functional team must lean in with retraining and tools, along with the individual program manager to ensure success.
Retest areas that show weakness. It will allow you to know whether you solved the core issue, but it also shows that your plan has teeth to it.
Making Audit Processes a Part of Your Daily Workflow
Now your audit field work is a piece of cake. Why? Because the procedures have value beyond the audit. These documented processes help you deliver your mission more effectively. Plus, you have already performed and monitored the work. You only need to provide our auditors with a written standardized business process, a guide to stored reports, and view-only access to the system.
You may have to introduce them to the system, run a few reports and queries. This is a perfect job for a talented junior staff person. This same junior staff person can also schedule interviews for the auditors and prepare confirmations. The whole team no longer needs to stop the presses and work on the audit, because the work for the audit was part of your daily processes.
You do need to meet with auditors to plan and discuss issues and changing requirements, but you aren’t starting from scratch. You aren’t taking paper documents out of files for the auditors to review only to turn around and refile them. Planning efforts are largely forward-looking.
You may think you don’t have the resources to implement processes like these. Chances are you don’t if you aren’t using modern tools. The tools aren’t as expensive as they use to be. Yes, it costs money, but with the investment in time, education, and tools that fit your nonprofit, you will likely find that you have created the space for this critical work by spending less time sorting pencils—doing work that does not add value—and more time deploying your resources where they count.
Want to learn more about preparing for a successful audit? Check out our webinar with Paul Preziotti, CPA, nonprofit audit expert, and partner with Johnson Lambert, for tips on preparing for and running a successful audit.
Fund Accounting Software that Drives Impact
Find out how Blackbaud’s Financial Edge NXT® fits your organization.