Audit committees face many challenges, especially when the members are volunteers with other “day jobs,” as is true in most nonprofits. And when it comes to accounting, other than one plus one generally equally two, there are constant changes in standards and processes.
While this article focuses on tools that a nonprofit audit committee might use to improve performance, evidence that nonprofit governance is improving, in general, can be found in the Grant Thornton Governance Survey:
- 83 percent of the respondents had an audit committee in place; and,
- 35 percent said their audit committee met in executive session once a year and 30 percent said it met two to three times. Surprisingly, more than one-quarter (26 percent) never met in executive session.
There has been a clear increase in the percentage of audit committees that include certified public accountants (CPA). Nearly three-quarters (74 percent) of responding organization include a CPA, which is up from two-thirds in 2008 and about one-quarter in 2006.
According to the Grant Thornton survey, more than half (52 percent) of audit committees met with their auditor either two or three times, which is up from 44 percent in 2008 and 35 percent in 2004. Conversely, the number of single meetings with the auditor is shrinking.
The AICPA (American Institute of Certified Public Accountants) Audit Committee Toolkit: Not-for-Profit Organizations (Toolkit) was created in 2005 to help committees, auditors and management in fulfilling the critical governance responsibilities of the committee. It can be used by all nonprofits regardless of size.
The task group members were very intentional in including language on applicability of each of the resources so they could be used by organizations with various budget sizes and staffing configurations. Just because a nonprofit is small doesn’t mean it isn’t required to be compliant or aware of best practices.
The Toolkit includes many customizable tools and guidance on how to handle certain issues specific to nonprofits. It is also a good resource for nonprofit board and audit committee members, so they are clear on what the governance expectations are in this area.
If a nonprofit does not have a separate audit committee, the duties referenced in the charter will need to be taken on by the finance committee and/or board of directors as discussed as part of the organization’s risk management. This resource can also be valuable to the C-Suite/C-Level staff within a nonprofit. Knowing the recommended practices and compliance issues can help staff change systems and record retention practices, as well as provide support to the board and committees in carrying out their responsibilities.
Finally, both internal and external auditors can benefit from the Toolkit. External auditors can share this information and provide guidance to their clients. Internal auditors can use it as a personal roadmap and to educate other organizational staff.
The original Toolkit was developed using the Toolkit for public companies as a model. Tools were restructured taking into account intricacies of nonprofits. Some tools were added, such as the tool for unique transactions, to ensure the toolkit was as complete as possible for all nonprofits.
The Second Edition was reorganized to better align the tools into natural categories. Details of each section are discussed below. In addition, the task group refined the tools, adding more details and clarifications, with particular emphasis on enterprise risk management (ERM). Finally, the tools have always been provided free of charge in Word format, to enable nonprofits to download and customize them for their specific organizations and situations.
The tools from the Second Edition are also provided free, but they are now housed in a different section of the AICPA’s website. Links to the tools for download, as well as the hard copy for purchase are listed below.
New Structure, Tools and Resources
The revised Toolkit has a new structure, which is broken down into five sections:
- General considerations;
- Management and the organization;
- Internal controls and internal audit;
- External auditors and resources; and,
Part I of the Toolkit, Audit Committee General Considerations, has six resources. A full review and updates were made to four of them, which include:
- Charter Matrix — This tool provides general considerations, a checklist, deliverables, timeframe and space to add the date when completed. Besides updating language the matrix was re-ordered and references to the tools in the toolkit were made.
- Financial Expertise Considerations — This is a favorite resource in the Toolkit, since it looks at how an audit committee can collectively get the required financial expertise it needs.
- Conducting An Executive Session — This tool helps the audit committee ask the right questions of various positions in the organization. Besides updating language, common questions for all positions were placed in the beginning instead of duplicating under each position.
- Conducting A Self-Evaluation — This tool helps the committee ask questions of themselves to evaluate performance and effectiveness. The questions were re-ordered and things to consider were included in the same area as the question.
In addition, two new resources were added:
- Audit Committee Member Roles and Responsibilities — The tool provides guidance on how to structure the committee and basic responsibilities needed. In addition, it offers a great distinction between an audit committee and finance committee, which was adapted from a Nonprofit Risk Institute resource.
- Enterprise Risk Management — The COSO Framework — The Toolkit needed to be strengthened with regard to the risk management responsibilities of the audit committee and this tool gives an overview of ERM, its opportunities and limitations, relationship between ERM and internal control, and risk management roles.
Part II of the Toolkit, Audit Committee – Management and the Organization, has four resources.
A full review and updates were made to three of them, Management’s Report to the Audit Committee, Independence and Related Topics and Unique Transactions and Financial Relationships.
The Management’s Report to the Audit Committee tool is more interactive and useful in how to go about identifying issues versus just defining and reporting them. Independence and Related Topics resource provides an overview of issues of independence, as well as a sample conflict of interest policy. Unique Transactions and Financial Relationships describes the types of transactions and relationships unique to nonprofits, as well provides sample questions that can be asked of management understanding this unique arrangement.
One new resource was added, a Sample Document Retention and Destruction Policy, which provides sample language, minimum requirements for documents, and specific resources on the topic.
Part III of the Toolkit, Internal Controls and Internal Audit, has five resources and did not see many changes. The tools were reviewed and tweaked slightly to include focus on ERM. These tools include:
- Internal Control: A Tool for the Audit Committee — This resource is intended to give audit committees basic information about internal control to understand what it is, what it is not, how it can be used most effectively in the organization, and the requirements of management with respect to the system of internal control over financial reporting.
- Fraud and the Responsibilities of the Audit Committee: An Overview – Audit committees are responsible for taking an active role on the prevention and detection of fraud, and should ensure appropriate action is taken when fraud is detected. This resource is intended to make audit committee members aware of their responsibilities as they undertake this role, and highlights areas of activity that may require additional scrutiny by the audit committee.
- Sample Whistle-Blower Tracking Report – This resource can be used by the audit committee and management to implement an appropriate whistle-blower policy and process, to review any complaints received regarding internal accounting controls or auditing matters, and to track complaints received to an appropriate resolution.
- Guidelines for Hiring the Chief Audit Executive (CAE) – While many nonprofits cannot justify the expense of an internal audit department, this resource is aimed at those that can, and it can be used to ensure when hiring a CAE that the person matches the nonprofit’s needs and technical expertise.
- Evaluating the Internal Audit Team: Guidelines and Questions – This resource includes sample questions for an nonprofit to use in evaluating the performance and effectiveness of the internal audit team.
Part IV of the Toolkit, External Auditors and Resources, has seven resources. No new resources were added, but the tool developed to assist nonprofits in searching for CPA services was updated to include an initial request for qualifications. This was intended to make the process more efficient for both the nonprofit and any potential service provider, allowing initial and basic qualifications of the service provider to be examined before requesting a full proposal. This tool is now entitled Sample Request for Qualifications and Request for Proposal Letter for CPA Services.
The remaining tools are:
- Evaluating the Auditor’s Engagement Letter: Questions to Consider – This resource is intended to assist management and the audit committee in ensuring the terms of the letter are consistent with the proposal originally submitted to the nonprofit.
- Required Communications with the External Auditors: What to Expect – This tool details and helps explain auditing standards issued by the AICPA regarding required communications with the audit committee and board of directors.
- Evaluating the External Auditors: Questions to Consider – This resources provides sample questions that may be used to evaluate the performance of external auditors, and includes questions that could be asked of the auditors as well as management.
- Single Audits— Office of Management and Budget Circular No. A-133: Audits of States, Local Governments, and Non-Profit Organizations – This resource is intended to assist nonprofits in complying with the requirements and expectations of the Single Audit Act.
- Peer Review of CPA Firms: An Overview – This resource is intended to inform the audit committee about the practice-monitoring programs over CPA firms, and to help committees understand the obligations under these programs.
Points to Consider When Engaging External Experts and Advisors – This resource is intended to assist the audit committee in understanding the process of engaging external experts and advisors.
Additional resources are included in the appendices, Part V of the Toolkit, and information added here, such as Analytical Procedures for Not-for-Profit Organizations and the Sample Not-for-Profit Audit Committee Charter is indicative of the task group’s desire to provide as much guidance as possible for audit committee members.
Audit committees should remain informed of sector trends. Over the past several years there has been much focus at the federal level on appropriate nonprofit governance and accountability. The first legislative reform of the nonprofit sector since 1969 occurred in the Pension Protection Act of 2006, with major provisions of the Act focusing on nonprofit oversight and accountability. In 2009, the Internal Revenue Service (IRS) introduced a revised Form 990, adding questions regarding governance and accountability. These revisions were clearly intended to add another level of transparency regarding an organization’s governance and oversight.
In addition to remaining informed of these types of issues at the federal level, committees should be aware of state legislation and regulations that may apply to their organizations. For instance, the State of California, mirroring the federal Sarbanes/Oxley legislation, enacted the California Nonprofit Integrity Act of 2004. While this legislation was enacted in California, it applies to organizations based in California and those that do business or raise funds in California, even if they are not based there or have no nexus in the state.
This act not only specifies which organizations are required to conduct an external audit, it also dictates audit committee composition.
Audit committees must also be aware of accounting pronouncements and statements pertaining to governance. According to Statement on Auditing Standards (SAS) 115 issued by the AICPA, meetings and communications between the audit committee and external auditors are now required and must be documented. While some have interpreted that meetings are only required post-audit, it’s always a good idea for the committee to meet pre-audit to discuss the audit plan and execution with the external auditors.
Finally, executive sessions provide the opportunity to ask open-ended questions in a safe environment. A good practice for audit committees is to hold executive sessions with various members of management, the financial management team, internal audit if applicable, and external auditor. Regardless, executive sessions should be held at every audit committee meeting involving external auditors and anyone who is not a member of the audit committee should be asked to leave the meeting.
Ellen Hobby is chief operating officer and chief financial officer of the National Academy for State Health Policy (NASHP), a nonprofit with offices in Portland, Maine, and Washington, D.C. Her email is firstname.lastname@example.org. Cheryl R. Olson, CPA, is the director, council financial consulting, for Girl Scouts of the USA, headquartered in New York City. Her email is email@example.com.