The internal audit (IA) function is vital to the health of any nonprofit, regardless of mission or scope. The audit committee and its individual members are crucial partners in safeguarding the integrity, purpose and, ultimately, the success of organizations. They often face challenges navigating a strained regulatory environment, all while trying to do more with less. Here’s a list of the top 10 challenges keeping internal auditors up at night, and possible remedies to help continue the critical work.
1. CHANGES TO OPERATIONS OR STRATEGY: Change is inevitable. As the needs of communities, internal dynamics, priorities and leadership transform, nonprofit managers adjust their mission and strategies. While this dynamism is essential to further the work, change can create strain for internal auditors. Whether it’s expanding operations to a new location, working with new donors or rolling out a new organizational structure, internal auditors are often left scrambling to ensure compliance.
THE REMEDY: Compliance headaches don’t have to be unavoidable. Managers should be proactive about integrating internal audit into large-scale organizational changes. This means allocating IA resources to evaluate emerging compliance and legal requirements, incorporating IA into the strategic decision-making process at the outset, revising policies and procedures in line with the new compliance environment, and developing succession plans to facilitate smooth personnel changes. IA should not just be involved in the change process. Managers should allow internal auditors to conduct post-implementation assessments to ensure ongoing compliance.
2. ORGANIZATIONAL CULTURE: A nonprofit’s organizational culture usually centers on a mission about which employees are passionate. This passion attracts staff personally motivated to help the overall organization succeed, but can come at the cost of internal controls. “The cause” can often be promoted at any cost. Mid-level management professionals can be highly skilled in technical areas, but might lack knowledge in compliance, financial accountability and oversight. A lack of interactive communication between key administrative and program units within the organization can result in insufficient internal controls.
THE REMEDY: Communication is essential to balance maintaining organizational culture with proper operational management. Nonprofits should develop a sound communication strategy that brings the internal audit and compliance functions in regular contact with the rest of the staff. During these interactions, IA professionals should be sure to communicate how risk management practices align with overall organizational strategy and mission objectives. Bringing people together in this way helps make IA an integral part of an organization, rather than an afterthought. Communications breakdowns are sometimes inevitable. Managers should conduct regular assessments of business processes to determine where breakdowns in communication between business units occur. These assessments should help identify gaps that could pose significant risks to the organization. Based on the results of these assessments, organizations should design and implement remediation plans, including scheduling necessary trainings for all employees and rolling out new process flows and accountability points to close any gaps.
3. NEW TECHNOLOGY: Technological advances help staff members store and share data, but new technology is often implemented without the knowledge or involvement of the internal audit function, to potentially disastrous and costly results. Ideally, internal auditors should assess new technology well before it’s utilized to review issues such as control over sensitive data, continuity of the technologies between offices, and adherence to compliance and regulatory requirements. Without this review, managers leave the organization open to a number of risky consequences, as well as operational inefficiencies.
THE REMEDY: Technology can be a huge boon to nonprofits, but only when it’s used wisely. IA should work with nonprofit leaders to first assess technology currently being used organization-wide, and then identify what still needs to be addressed. Internal auditors can assist with researching and proposing approved technologies for organization-wide usage, to facilitate cohesion and compliance and to help management improve system efficiencies. Managers also need to implement proper internal controls to ensure they’re mitigating technology risk. IA can conduct a risk assessment of each technology used and implement policies to restrict or prevent the use of high-risk programs or devices. Organizations should also require similar checks and risk assessments for all new technology prior to usage.
4. CYBERSECURITY: Cybersecurity risks abound with new technologies exploding in popularity. Nonprofit managers often mistakenly believe they aren’t of interest to cyber criminals, but the amount of personal data they store from donors and employees, and the tendency to underinvest in cybersecurity measures, make them an ideal target. It can be difficult to maintain up-to-date technology and hardware, keep pace with technological changes and navigate the shifting regulatory landscape with limited funding. Nonprofits also frequently are partnered with technology suppliers and other contractors that leave them open to third-party cyber risks.
THE REMEDY: The first step is to conduct an organization-wide cybersecurity risk assessment that includes partner, contractor and technology supplier cybersecurity as part of the due diligence process. This assessment should shed light on where internal and external gaps exist. Following the assessment, managers should implement additional controls by updating policies, procedures and internal controls to address identified gaps. A startling number of cyber incidents arise from employees unknowingly exposing the organization to bad actors. Training staff to recognize these exposures is fundamental to their prevention.
Leaders need to regularly communicate risks to employees and vendors to ensure everyone is adhering to established policies. Monitoring cyber risk needs to be an ongoing effort. A risk assessment schedule should be developed to examine internal partner, contractor and technology supplier cybersecurity on a quarterly or annual basis. Internal audit can assist with implementing these assessments.
5. COMPLIANCE WITH FUNDER REQUIREMENTS: Nonprofits often have the unique challenge of negotiating compliance requirements across multiple funding sources including government entities, individuals, private foundations or other organizations. This challenge is only growing as budget cuts force organizations to focus on diversifying revenue streams and expanding donor pools, and with a recent increase in donor audits of specific grant activity at the materiality level. Further complicating the matter is a growing emphasis on international accounting standards (as opposed to relying on U.S. Generally Accepted Accounting Principles).
THE REMEDY: To clarify exactly what funding requirements an organization faces, a compliance assessment should be conducted, comparing requirements across all donor agreements to determine areas of overlap and areas of discontinuity. These agreements should then be compared against written policies and current practices to identify gaps. Remediation plans can amend policies and procedures, and staff trainings should be conducted to ensure all levels and functions understand their role in maintaining compliance with funding requirements. Staying current is critical. Leaders should develop a compliance assessment schedule, and IA and compliance departments need to stay on top of new funding streams and emerging trends so they can pivot when necessary.
6. FINANCIAL CONTROLS: Even though most nonprofit leaders and staff are motivated by making an impact rather than money, there remain a host of hurdles when it comes to financial management. Many international nonprofits operate in countries with cash-based economies, making it tough to maintain adequate control of funds and sufficient supporting documentation. And new payment technologies, while enabling new and widespread operational tools, are often accompanied by verification and other control challenges. Nonprofits also face resource constraints and might have a limited number of finance staff to oversee financial management processes, which can be manual and prone to human error. For organizations with several offices, branches often operate with little to no centralized oversight of accounting and cash management procedures.
THE REMEDY: Managers should review cash management procedures and evaluate typical expenditure cycles to identify potential risk areas across the entirety of an organization. Internal audit is central in assisting management in testing cash management controls. Additional controls in keeping with best practices can be implemented, such as limiting cash handling or volume of cash transactions where possible. Nonprofit managers should consider investing in technologies and resources that limit high risk processes. Standardizing procedures will help cut down on variance of practices between offices. All branches should centralize accounting and reporting procedures. At a minimum, each location should maintain copies of supporting documentation of all expenditures and financial reporting and should regularly review them with staff.
7. RELIANCE ON THIRD PARTIES: Vendor actions can create extremely adverse consequences for nonprofits. Concerns range from reputation damage to the vendor’s illegal acts being attributed to the nonprofit. This risk applies to all types of organizational relationships with vendors and nonprofits, especially those administering federal grant programs given increased sub-recipient monitoring and due diligence requirements. Despite the risks, most nonprofits rely on partners or contractors for critical program functions. This makes it difficult to conduct due diligence reviews and monitoring activities, particularly when the partners/contractors are numerous, geographically dispersed or operating overseas. Partners are normally tasked with self-reporting, meaning frauds like ghost employee payments are easily hidden. Contractors also usually have access to organizational networks and information, creating an additional layer of risk.
THE REMEDY: Leaders should review current policies and procedures to ensure robust due diligence and monitoring processes are in place for all third-party relationships. This should include an assessment of partner/contractor access to project data, systems and networks, and the limitation of access where possible. Managers need to implement additional monitoring and verification processes, including:
* Conducting regular spot reviews or investigations of reported data;
* Requiring partners and contractors to certify financial and programmatic assertions;
* Verifying number of partner/contractor staff and salary payment amounts;
* Conducting unannounced site visits; and,
* Considering third-party verification systems.
These processes should be re-evaluated on a regular basis to ensure their effectiveness.
8. PROCUREMENT PROCEDURES: Nonprofit organizations rely heavily on non-competitive procurement processes for several reasons. Procurement procedures, selection criteria and selection decisions are often inadequately documented, leaving organizations unable to show that there was no bias in the selection process. Preferred vendor lists are rarely updated, and control of vendor solicitation, selection and site visits is often left with just a few individuals.
THE REMEDY: IA should review current procurement procedures against industry standards and donor requirements. They should also be transparent about their procurement policies including:
* Publicly announcing tenders as much as possible;
* Updating vendor lists through open competition as frequently as possible;
* Verifying vendors and prices through in-person or third-party checks;
* Comparing bids against market prices;
* Documenting criteria and selection procedures to bid samples with procurement files; and,
* Ensuring procurement/selection committees are rotated on a regular basis.
9. TRANSPORTATION AND DISTRIBUTION: For organizations that distribute goods, inventory management and oversight can prove to be major sources of stress for internal auditors. Managers often have difficulties verifying receipt of goods or services by their intended beneficiary, and confirming the goods provided are in the same quality and quantity as what was purchased. Diversion, theft and product substitution are especially difficult to identify. Despite resource and capacity issues, recent increased scrutiny of internal controls and supply chain management means that organizations need to address these issues sooner rather than later.
THE REMEDY: To help combat issues in the distribution chain, managers need to shore up monitoring procedures by:
* Establishing monitoring teams for critical points along the supply chain;
* Implementing two-step or three-step verification procedures at each critical stage;
* Hiring a third party to conduct site visits and monitor transportation and distribution;
* Using technology to assist in tracking and monitoring, including unique identifiers on products for inventory and tracking purposes and requiring distributors to take time-stamped photos/videos of deliveries; and,
Another effective risk mitigation strategy is to communicate directly with beneficiaries. Leaders can hold pre-distribution meetings with communities to review any past issues or concerns.
Detailed packing lists and/or photographs of parcel contents should be inside packages. Nonprofits can include clauses in contracts with distributors to withhold payments until delivery is confirmed. This further ensures the distributor is holding up its end of the agreement.
10. FRAUD AND CORRUPTION: It’s the job of the internal audit function to uncover fraud, waste and abuse in nonprofit organizations, but often they are set up for failure. Due to a lack of communication between functional and program units within organizations, increased use of third parties, outdated systems, increased regulations (and the list goes on), the opportunity to exploit a nonprofit’s controls is growing at a time when IA resources are shrinking and reputational risk for organizations is at an all-time high.
THE REMEDY: Preventing fraud starts within an organization. Stakeholders should evaluate current fraud prevention, detection and investigation measures against regulatory requirements and develop a plan to remediate any identified gaps. They should also be sure to provide accessible fraud reporting mechanisms for all employees, partners, grantees/beneficiaries and stakeholders.
Despite resource constraints, organizations need to ensure IA has the appropriate level of resources to detect and investigate potential cases of fraud. Funds should also be set aside for visits to third parties and office locations and the establishment of a fraud hotline. Put a process in place to notify any impacted funders in a timely manner and in line with donor requirements to prevent exacerbating the impact when fraud does occur.
It’s also key to establish a fraud prevention and detection assessment schedule so practices can stay up-to-date and make sure nothing falls through the cracks. Internal auditors at nonprofits have a tough, but essential job that’s key to keeping the organization focused on mission fulfillment. By assessing current practices, developing action plans and regularly monitoring activities, organizations can mitigate risk and serve their beneficiaries more effectively.
Ken Eye is a director in the Nonprofit & Education Advisory Services practice at BDO. His email is firstname.lastname@example.org. Andrea Wilson is a partner and the leader of BDO’s Nonprofit & Education Advisory Services practice. Her email is email@example.com.