Preparing for the Annual Audit—Identifying Risks and Establishing Strong Internal Controls

In my last blog, I talked about how the audit is often viewed as a chore. I introduced the idea of taking a step back—way back—and starting with a partnership with Program in which Finance brings our expertise in targeting risks and measuring performance and compliance.
An open dialogue about risks helps us move together as an organization to prioritize our time and resources so that we’re taking care of mundane responsibilities as well as our mission work. To start, risk areas should be identified and prioritized by probability of occurrence and potential impact.
Once risks are identified and prioritized, the work of setting procedures and processes is the next step; this is where we need to pay close attention to “who” and “how.” A combination of individuals who have expertise, independence, and impact makes a great team.
Careful consideration of the organization’s culture is important. Once risks are agreed upon and prioritized, if it fits within the organization’s culture and size, senior management may act as sponsors that provide guidance and resources during check-ins, leaving the individuals who are close to the risks and have the ability to alter their course to research and recommend procedures and processes.
If there is a gap between what the organization is currently doing and what it needs to do, the organization must commit to providing the time to research best practices and invest in the technology and personnel to move forward. As we develop our procedures, regular check-ins with our auditors will help ensure that we are on the right track and that we are using best practices to make sure we are effective and efficient with our resources. Remember, if it is too hard, no one will do it—not because they have a bad attitude, but because when we overload our staff, they must be selective as to what they can accomplish. And compliance usually gets the short end of the stick.
Procedures and processes that serve multiple purposes (e.g., compliance and information) have a much better chance of success than doing something just because it must be done. Program is a great resource because they know what information is missing today or is time-consuming to access. The right question is always, “What else is this information telling us?”
Preparing for the Annual Audit – Identifying Risks
A Review of a Standard Risk: Failure to Meet Program Outcomes
Risk management is a larger process for a nonprofit than it is for a for-profit business. For-profit entities were the first to develop systemic policies, procedures, and practices to identify, analyze, and assess risks as well as to communicate the context and outcomes of risk management. Nonprofit organizations often allocate fewer resources, yet we have more risks, and the consequences of not managing our risks, frankly, may be bigger. All nonprofits serve the public good, and if we fail to meet outcomes, that failure has a long shadow.
The repercussions for nonprofits that fail to meet expected outcomes are not just larger, but they are also different. For a for-profit entity, the result may be missing a revenue target or spending too much to generate revenue. Nonprofits have that same risk, but we also have the risk of delivering the service but failing to document the service properly or the service recipient’s eligibility.
Insufficient data may have obscured the problem until it was too late. Too often it is Finance or an auditor who uncovers these problems during the audit. In my experience, the issue is not one of competence but of systems. We work hard and create complex processes, but it is just too manual and too laborious to get in front of issues.
Strategies to manage these risks include:
- Establishing standard, digitized processes to capture data and supporting documentation—financial and non-financial
- Utilizing dashboards to communicate results in real-time
- Investing in systems that maintain records of whatever it is that we have committed to achieve and that provide sufficient information for us to take timely corrective actions
In summary, our risks have wrinkles that are as unique as the nonprofits themselves. Because we have agreed on the information that is shared and the information is accessible, we can work collaboratively with Program to allow our data to inform us on how effectively we are meeting our mission and respond to any red or yellow flags that present themselves.
The Big 7: Internal Controls that Don’t Control You
Internal control procedures in nonprofit accounting can be broken into seven categories, each designed to prevent fraud and identify errors before they become problems:
- Separation of Duties
- Access Controls
- Physical Audits
- Documentation
- Trial Balances
- Reconciliations
- Approval Authority
The list hasn’t changed since I was in college, and now I have a son in college. However, the tools to manage internal controls have evolved. I find I get the biggest bang for my buck by utilizing three simple system-based features: role-based security; workflow; and a multi-dimensional system that allows for attributes and flexible fields to build in smart queries.
For the tags or custom fields to be effective, the system needs to have business rules that ensure the data is always captured. Data errors can be corrected, but omission is difficult to detect.
4 examples of how software can facilitate strong internal controls.
Organizations that receive governmental funds must check certain vendors against the federal and state debarment database. Of course, we test the vendor when the vendor is approved in the organization, but we also need to make sure vendors maintain their status.
- A simple way to create a periodic test is to tag vendors in your accounting software that are due for the next test. Download the list and match it against the debarment database. Import the results and the date of the test into the vendor record. Should a vendor fail the test, take appropriate corrective action and inactivate the vendor, preventing any future payments. During the audit, run a query showing the date of the test and the results.
- Ultimately every transaction will end in the general ledger. Using your journal codes, you can create a system where it’s easy to analytically test for supporting documentation. For example, using the “PA” for payroll accruals will allow you to run a query on all “PA” journal entries. You can test whether each “PA” has an attachment and then selectively sample whether the supporting documentation works. The auditors can perform the same test during field work. This same logic can be used for each type of transaction.
- Queries can also be run from your software to analyze payments, journal entries with large amounts, etc.
- You can build digitized records for employees or service recipients that capture the required compliance documentation and provide valuable insight into the demographics of the individuals you serve. This allows for easy analytic review and for the auditors to test documents.
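The “PA” attachment test from the list above, as an added example that is not part of the original post: one query lists payroll-accrual entries with no supporting document, and a seeded sample selects documented entries for review so the auditors can reproduce the same selection during field work. The table, column names, and ledger rows are constructed assumptions, not any particular accounting product's schema.

```python
import hashlib
import sqlite3

# Constructed sample ledger rows: (entry_id, journal_code, posted_on, amount, attachment)
ROWS = [
    ("JE-1001", "PA", "2024-01-31", 18250.00, "pa_jan.pdf"),
    ("JE-1002", "PA", "2024-02-29", 17980.00, None),   # attachment omitted
    ("JE-1003", "AP", "2024-02-29", 420.00, "inv_88.pdf"),
    ("JE-1004", "PA", "2024-03-31", 19010.00, ""),     # blank attachment field
    ("JE-1005", "PA", "2024-04-30", 18700.00, "pa_apr.pdf"),
    ("JE-1006", "PA", "2024-05-31", 18820.00, "pa_may.pdf"),
]


def load_ledger(rows=ROWS):
    """Load the constructed rows into an in-memory table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE journal_entry (entry_id TEXT PRIMARY KEY, "
        "journal_code TEXT NOT NULL, posted_on TEXT NOT NULL, "
        "amount REAL NOT NULL, attachment TEXT)"
    )
    db.executemany("INSERT INTO journal_entry VALUES (?, ?, ?, ?, ?)", rows)
    return db


def missing_attachments(db, code):
    """Completeness test: entries of one journal code whose attachment is NULL or blank."""
    query = (
        "SELECT entry_id FROM journal_entry WHERE journal_code = ? "
        "AND (attachment IS NULL OR TRIM(attachment) = '') ORDER BY entry_id"
    )
    return [row[0] for row in db.execute(query, (code,))]


def review_sample(db, code, size, seed):
    """Reproducible sample of documented entries, ranked by SHA-256 of seed and entry id."""
    query = (
        "SELECT entry_id FROM journal_entry WHERE journal_code = ? "
        "AND TRIM(COALESCE(attachment, '')) <> ''"
    )
    ids = [row[0] for row in db.execute(query, (code,))]
    ids.sort(key=lambda e: hashlib.sha256(f"{seed}:{e}".encode()).hexdigest())
    return sorted(ids[:size])


if __name__ == "__main__":
    ledger = load_ledger()
    print("PA entries missing support:", missing_attachments(ledger, "PA"))
    print("PA entries to review:", review_sample(ledger, "PA", 2, "FY2024-audit"))
```

Recording the seed alongside the results lets anyone with view-only access rerun the selection and get the same entries.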
After creating procedures that maintain internal controls and manage risks, it is important that the cross-functional team has space in their work day to analyze and verify periodically. The last step is to follow through and turn corrective action into habit.
Corrective action should be punitive only as a last resort. When a compliance failure occurs, look for the root cause. Do not leave the offender to fix it on their own. The cross-functional team must lean in with retraining, tools, etc., along with the individual program manager to ensure success. We win together.
Retest areas that show weakness. Retesting lets you know whether you solved the core issue, and it also shows that your plan has teeth to it.
Now that we lead with Program first, our audit field work is a piece of cake. Why? Because the procedures have value beyond the audit. They help us deliver our mission more effectively. Plus, we have already performed and monitored the work. We only need to provide our auditors with a written standardized business process, a guide to stored reports, and view-only access to the system. Folks—let them test.
Yes, you may have to introduce them to the system, run a few reports and queries. This is a perfect job for a talented junior staff person. This same junior staff person can also schedule interviews for the auditors, prepare confirmations, etc. The whole team no longer needs to stop the presses and work on the audit, because the work for the audit was part of your daily processes.
Yes, we do need to meet with auditors for planning and discussing issues and changing requirements, but we aren’t starting from scratch, and we aren’t taking paper documents out of files for the auditors to review only to turn around and refile them. Planning efforts are largely forward looking.
You may think you don’t have the resources to implement processes like these. Chances are you don’t if you aren’t using modern tools. The tools aren’t as expensive as they used to be. Yes, it costs money, but with the investment in time, education, and tools that fit your nonprofit, you will likely find that you have created the space for this critical work by spending less time sorting pencils (i.e., doing work that does not add value) and more time deploying your resources where they count.