The internal audit (IA) function is vital to the health of any nonprofit, regardless of mission or scope. The audit committee and its individual members are crucial partners in safeguarding the integrity, purpose and, ultimately, the success of organizations.
Internal auditors often face challenges navigating a strained regulatory environment, all while trying to do more with less. Adjusting to these new realities means that proper management is more important than ever. This article outlines the top 10 challenges keeping internal auditors up at night, and providing remedies to help them continue their critical work.
- CHANGES TO OPERATIONS OR STRATEGY
For most nonprofit organizations, change is inevitable. As the needs of communities, internal dynamics, priorities and leadership transform, nonprofits adjust their missions and strategies. While this dynamism is essential for organizations to further their work, change can create strain for internal auditors. Whether its expanding operations to a new location, working with new donors or rolling out a new organizational structure, internal auditors are often left scrambling to ensure compliance.
THE REMEDY: Change is unavoidable, but compliance headaches don’t have to be. Nonprofits should be proactive about integrating internal audit into large scale organizational changes. This means allocating IA resources to evaluate emerging compliance and legal requirements, incorporating IA into the strategic decision-making process at the outset, revising policies and procedures with the new compliance environment, and developing succession plans to facilitate smooth personnel changes. IA should not just be involved in the change process—organizations should allow internal auditors to conduct post-implementation assessments to ensure ongoing compliance.
- ORGANIZATIONAL CULTURE
The organizational culture of nonprofit organizations usually centers on a mission that employees are passionate about. This passion attracts staff who are personally motivated to help the overall organization succeed, but can come at the cost of internal controls. For nonprofits, “the cause” can often be promoted at any cost. Mid-level management professionals can be highly skilled in technical areas, but may lack knowledge in compliance, financial accountability and oversight. A lack of interactive communication between key administrative and program units within the organization can result in insufficient internal controls.
THE REMEDY: To balance maintaining organizational culture with proper operational management, communication is essential. Nonprofits should develop a sound communication strategy that brings the internal audit and compliance functions in regular contact with the rest of the staff. During these interactions, IA professionals should be sure to communicate how risk management practices align with overall organizational strategy and mission objectives. Bringing people together in this way helps make IA an integral part of an organization, rather than an afterthought.
Even when strong communications are in place, breakdowns are sometimes inevitable. Organizations should conduct regular assessments of business processes to determine where breakdowns in communication between business units occur. These assessments should help identify gaps that could pose significant risks to the organization.
Based on the results of these assessments, organizations should design and implement remediation plans, including scheduling necessary trainings for all employees and rolling out new process flows and accountability points to close any gaps.
- NEW TECHNOLOGY
Technological advances help organizations store and share data, but new technology is often implemented without the knowledge or involvement of the internal audit function, to potentially disastrous and costly results. Ideally, internal auditors should assess new technology well before it’s utilized to review issues like control over sensitive data, continuity of the technologies between offices and adherence to compliance and regulatory requirements. Without this review, nonprofits leave themselves open to a number of risky consequences, as well as operational inefficiencies.
THE REMEDY: Technology can be a huge boon to nonprofit organizations, but only when it’s used wisely. IA should work with nonprofit leaders to first assess technology currently being used organization-wide, and then identify what the organization still needs to address. Internal auditors can assist with researching and proposing approved technologies for organization-wide usage, to facilitate cohesion and compliance and to help management improve system efficiencies.
Organizations also need to implement proper internal controls to ensure they’re mitigating technology risk as much as possible. IA can conduct a risk assessment of each technology used and implement policies to restrict or prevent the use of high-risk programs or devices. Organizations should also require similar checks and risk assessments for all new technology prior to usage.
With new technologies exploding in popularity, cybersecurity risks abound. Nonprofit organizations often mistakenly believe they aren’t of interest to cyber criminals, but the amount of personal data they store from donors and employees, and the tendency to underinvest in cybersecurity measures, make them an ideal target. It can be difficult for nonprofits to maintain up-to-date technology and hardware, keep pace with technological changes and navigate the shifting regulatory landscape with their limited funding. Nonprofits also frequently partner with technology suppliers and other contractors that leave them open to third-party cyber risks.
THE REMEDY: The first step to mitigating cyber risk is to conduct an organization-wide cybersecurity risk assessment that includes partner, contractor and technology supplier cybersecurity as part of the due diligence process. This assessment should shed light on where internal and external gaps exist. Following the assessment, organizations should implement additional controls by updating policies, procedures and internal controls to address identified gaps.
A startling number of cyber incidents arise from employees unknowingly exposing the organization to bad actors. Training staff to recognize these exposures is fundamental to their prevention. Nonprofits need to regularly communicate risks to employees and vendors to ensure everyone is adhering to established policies.
Monitoring cyber risk needs to be an ongoing effort. Nonprofits should develop a risk assessment schedule to examine internal partner, contractor and technology supplier cybersecurity on a quarterly or annual basis. Internal audit can assist with implementing these assessments.
- COMPLIANCE WITH FUNDER REQUIREMENTS
Nonprofit organizations often have the unique challenge of negotiating compliance requirements across multiple funding sources including government entities, individuals, private foundations or other organizations. This challenge is only growing as budget cuts force organizations to focus on diversifying revenue streams and expanding donor pools, and with a recent increase in donor audits of specific grant activity at the materiality level. Further complicating the matter is a growing emphasis on international accounting standards (as opposed to relying on U.S. generally accepted accounting principles).
THE REMEDY: To clarify exactly what funding requirements an organization faces, it should conduct a compliance assessment, comparing requirements across all donor agreements to determine areas of overlap and areas of discontinuity. These agreements should then be compared against written policies and current practices to identify gaps.
Remediation plans can amend policies and procedures, and staff trainings should be conducted to ensure all levels and functions understand their role in maintaining compliance with funding requirements.
Staying current is critical. Nonprofits should develop a compliance assessment schedule, and IA and compliance departments need to stay on top of new funding streams and emerging trends so they can pivot when necessary.
- FINANCIAL CONTROLS
Even though nonprofits are motivated by making an impact rather than money, organizations still face a host of hurdles when it comes to financial management. Many international nonprofits operate in countries with cash-based economies, making it tough to maintain adequate control of funds and sufficient supporting documentation. New payment technologies, while enabling new and widespread operational tools, are often accompanied by verification and other control challenges. Nonprofits also face resource constraints and may have a limited number of finance staff to oversee financial management processes, which can be manual and prone to human error. For organizations with several offices, branches often operate with little to no centralized oversight over their accounting and cash management procedures.
THE REMEDY: Nonprofits should review cash management procedures and evaluate typical expenditure cycles to identify potential risk areas across the entirety of an organization. Internal audit is central in assisting management in testing cash management controls.
- Organizations can then implement additional controls in keeping with best practices, like limiting cash handling or volume of cash transactions where possible. Nonprofit managers should consider investing in technologies and resources that limit high risk processes.
- Standardizing procedures will help cut down on variance of practices between offices. All branches should centralize accounting and reporting procedures. At a minimum, each location should maintain copies of supporting documentation of all expenditures and financial reporting and should regularly review them with staff.
- RELIANCE ON THIRD PARTIES
Vendor actions can create extremely adverse consequences for nonprofit organizations. Concerns range from reputation damage to the vendor’s illegal acts being attributed to the nonprofit organization. This risk applies to all types of organizational relationships with vendors and nonprofits, especially those administering federal grant programs given increased subrecipient monitoring and due diligence requirements.
Despite the risks, most nonprofits rely on partners or contractors for critical program functions. This makes it difficult to conduct due diligence reviews and monitoring activities, particularly when the partners/contractors are numerous, geographically dispersed or operating overseas. Partners are normally tasked with self-reporting, meaning frauds like ghost employee payments are easily hidden. Contractors also usually have access to organizational networks and information, creating an additional layer of risk.
THE REMEDY: Organizations should review current policies and procedures to ensure robust due diligence and monitoring processes are in place for all third-party relationships. This should include an assessment of partner/contractor access to project data, systems and networks and the limitation of access where possible.
Nonprofits need to implement additional monitoring and verification processes, including:
- Conducting regular spot reviews or investigations of reported data
- Requiring partners and contractors to certify financial and programmatic assertions
- Verifying number of partner/contractor staff and salary payment amounts
- Conducting unannounced site visits
- Considering third-party verification systems
- These processes should be re-evaluated on a regular basis to ensure their effectiveness.
- PROCUREMENT PROCEDURES
Nonprofit organizations rely heavily on non-competitive procurement processes due to several reasons. Often, procurement procedures, selection criteria and selection decisions are inadequately documented, leaving organizations unable to show that there was no bias in the selection process. Preferred vendor lists are rarely updated, and control of vendor solicitation, selection and site visits is often left with just a few individuals.
THE REMEDY: IA should review current procurement procedures against industry standards and donor requirements. They should also be transparent about their procurement policies including:
- Publicly announcing tenders as much as possible
- Updating vendor lists through open competition as frequently as possible
- Verifying vendors and prices through in-person or third-party checks
- Comparing bids against market prices
- Documenting criteria and selection procedures to bid samples with procurement files
- Ensuring procurement/selection committees are rotated on a regular basis
- TRANSPORTATION AND DISTRIBUTION
For organizations that distribute goods, inventory management and oversight can prove to be major sources of stress for internal auditors. Often, nonprofits have difficulties verifying receipt of goods or services by their intended beneficiary, and confirming the goods provided are in the same quality and quantity as what was purchased. Diversion, theft and product substitution are especially difficult to identify. Despite resource and capacity issues, recent increased scrutiny of internal controls and supply chain management means that organizations need to address these issues sooner rather than later.
THE REMEDY: To help combat issues in the distribution chain, organizations need to shore up monitoring procedures by:
- Establishing monitoring teams for critical points along the supply chain
- Implementing two-step or three-step verification procedures at each critical stage
- Hiring a third-party to conduct site visits and monitor transportation and distribution
- Using technology to assist in tracking and monitoring, including unique identifiers on products for inventory and tracking purposes and requiring distributors to take time-stamped photos/videos of deliveries
Another effective risk mitigation strategy is to communicate directly with beneficiaries. Organizations can hold pre-distribution meetings with communities to review any past issues or concerns. Detailed packing lists and/or photographs of parcel contents should be inside packages. Nonprofits can include in the contract clauses with distributors to withhold payments to distributors until delivery is confirmed. This further ensures the distributor is holding up its end of the agreement.
- FRAUD AND CORRUPTION
It’s the job of the internal audit function to uncover fraud, waste and abuse in nonprofit organizations, but often they are set up for failure. Due to a lack of communication between functional and program units within organizations, increased use of third parties, outdated systems, increased regulations (and the list goes on…), the opportunity to exploit a nonprofit’s controls is growing at a time when IA resources are shrinking and reputational risk for organizations is at an all-time high.
THE REMEDY: Preventing fraud starts within an organization itself. Stakeholders should evaluate current fraud prevention, detection and investigation measures against regulatory requirements and develop a plan to remediate any identified gaps. They should also be sure to provide accessible fraud reporting mechanisms for all employees, partners, grantees/beneficiaries and stakeholders.
It’s also key to establish a fraud prevention and detection assessment schedule so practices can stay up-to-date and make sure nothing falls through the cracks.
Despite resource constraints, organizations need to ensure IA has the appropriate level of resources to detect and investigate potential cases of fraud. Funds should also be set aside for visits to third parties and office locations and the establishment of a fraud hotline. Put a process in place to notify any impacted funders in a timely manner and in line with donor requirements to prevent exacerbating the impact when fraud does occur. Internal auditors at nonprofits have a tough, but essential job that’s key to keeping the organization focused on mission fulfillment. By assessing current practices, developing action plans and regularly monitoring activities, organizations can mitigate risk and serve their beneficiaries more effectively.
Warren Averett is an independent member of the BDO Alliance USA. This article was borrowed with permission from BDO USA, LLP.