THE EXTERNAL AUDIT
Part 1— The Who, How, and Why of the Nonprofit Audit
The Regulatory Environment
A newcomer to a nonprofit executive or board position will surely have questions about external rules and regulations. The passion for the mission brings people to the nonprofit table, but the external environment may seem a bit bewildering at first. Managers and board members worry about fraud and mismanagement as does the IRS, government funders, donors, and other private funders.
The Nonprofit Tax Return
The IRS does indeed want to keep tabs on the organizations to which it has granted tax-exempt status. A full 990 return is required for all nonprofits with revenues over $200,000, and a two-line “postcard” is filed by nonprofits with revenues under $50,000, with the 990EZ in the middle range. The detailed requirements can be found here:
Here are some questions you might have about the nonprofit audit.
1) Does my nonprofit need an independent financial statement audit?
Many people assume that all nonprofits must have an audit each year, but this is not the case. There is no IRS requirement to submit an audit report with the 990, and, absent federal funding, there is no federal agency (including the IRS) that requires nonprofits to file an annual audit report. But the picture changes drastically if the nonprofit receives federal funds. Most federal grant contracts have specific financial management and reporting requirements. Also, specific audit requirements apply when the funding dollars exceed $1 million. (This threshold increased from $750,000 on October 1, 2024.)
Other potential sources of an audit requirement are states, lending institutions, and private, public, and community foundations. Nonprofits usually have to register with their state and file an annual report, sometimes accompanied by an audit report. A bank may require an audit report when a loan is applied for and every year thereafter if the loan is given.
So the answer to the question is: sometimes—but I recommend consulting with a lawyer, CPA, and/or your funders to be sure. Audits are expensive. If you need financial statements prepared professionally but have no requirement for a full-blown audit, you could consider a review or compilation. Both are less expensive and involve less CPA involvement.
An excellent resource for all of these topics can be found here.
2) What does an independent financial statement audit accomplish?
A financial statement audit is conducted by a licensed CPA (and their staff) who is independent from the nonprofit. The content of the audit report is a set of financial statements and footnotes that adhere to Generally Accepted Accounting Principles (GAAP) along with the CPA’s opinion as to the reliability of the information presented in the statements.
For newcomers to nonprofit financial management: The source of the GAAP rules is not a governmental entity but rather a private, independent body called the Financial Statement Accounting Standards Board (FASB), which follows elaborate procedures for creating and updating the standards.
The required elements of the audit report are:
- An opinion—usually unqualified— by the independent CPA as to the reliability of the financial statements and their adherence to GAAP
- Statement of Activities (the GAAP term for income statement or profit and loss statement)
- Statement of Financial Position (the GAAP term for balance sheet)
- Statement of Cash Flows
- Functional Expense Statement
- Footnotes
An unqualified opinion is the gold standard which states that the CPA expresses “reasonable assurance” that the financial statements “fairly present” the financial position of the organization. This is the final result of the audit that the organization strives for. The other opinions, which I will not go into here, are “qualified,” “adverse,” and “disclaimer of opinion.”
To achieve an unqualified opinion, the financial statements must adhere to GAAP in every respect. Many CFOs do not have a CPA’s up-to-date knowledge of the standards. Your internal financial statements may not follow every GAAP rule. In fact, some of the features of GAAP are less than helpful to management and board for governance and decision-making. Chances are, therefore, that you will rely on the CPA and their team to advise you as to how to bring your statements into compliance with GAAP. This does not, however, remove the requirement for you to take full responsibility for the final product. Before the report is issued you and your ED will sign the “management representation letter” which states that you both take full responsibility for every number on every statement.
3) Do financial statement audits expose fraud?
Again, there is no definitive answer here. Theoretically, fraud could be turned up during a routine audit but it is not the primary focus. The language of the unqualified opinion is carefully crafted to state that the audit team’s procedures gave the CPA “reasonable assurance” that the financial statements are free from “material misstatement.” This means that the auditors can render an unqualified opinion without examining every transaction for fraud.
Materiality is a crucial concept in auditing. A first step in performing the audit is to calculate the materiality threshold based on the size of the organization’s revenues and perhaps some other qualitative considerations. For example, for a $20 million nonprofit, the auditor might determine the threshold to be $50,000. So, if all errors found in the organization’s financial data add up to less than that figure and all other criteria are met, the auditors will give an unqualified opinion.
Internal Controls Testing
Materiality aside, however, the auditors cannot begin their work in earnest until they have assessed the risk that fraud exists. Internal controls testing is foundational to the audit. By internal controls I mean: a set of policies and procedures designed to assure the accuracy of financial data and the prevention of fraud.
To assess the adequacy of the nonprofit’s internal controls, the audit team will interview finance department management and staff to understand their processes. They will also conduct interviews with a sample of other managers and sometimes board members to get a sense of the board’s and employees’ respect for internal controls.
Testing involves examining a statistical sample of payments to verify that the stated procedures are being followed. The team will check to see that each of the selected payments is accompanied by a valid invoice approved by the authorized person; that the expense was charged to the proper cost center; receipt of the items was confirmed; and that the expense was correctly recorded in the year under audit. The size of the sample depends on the size of the organization and is often somewhere between twenty and fifty disbursements.
While internal control testing in a nonprofit financial statement audit is far from exhaustive, it is an indispensable audit tool. The scope of the planned audit work is guided by the team’s confidence in the internal control systems. If the results of the testing show less than 100% compliance with policies the team will determine if “significant deficiencies” have been found and if it is necessary to adjust the audit program to include more testing or other additional procedures.
Any significant deficiencies will be reported to the board in the SAS 115 letter (see below). In a worst-case scenario where the team deems the risk of fraud to be too high the auditing firm may consider withdrawing from the job altogether.
4) What can I expect when the audit is performed?
At some period—usually two to four months—following the close of the fiscal year a team of accountants will set up shop in your conference room with their laptops for days or weeks at a time and request full access to your records. This is the fieldwork phase. To the extent that your financial operations are paperless they may be able to do a lot of their fieldwork remotely.
During fieldwork, the auditors will work through multiple checklists, their purpose being to build confidence in the accuracy of your revenue, expense, asset, and liability balances. They will confirm balances with external parties whenever possible and do analytic review procedures such as comparing revenue and expense balances to the budget and to the prior year.
When fieldwork is complete, they will create the drafts of your financial statements unless you prefer to do this yourself. Either way they must verify that your statements conform to GAAP.
The Audit Report Presentation
The audit report is presented by the CPA to the nonprofit’s board of directors. Along with the report, the CPA presents two letters addressed to the board:
- Statement of Auditing Standards (SAS) 114 Letter: a lengthy description of the scope and purpose of the audit and significant findings.
- SAS 115 Letter: reports the outcome of procedures they performed to assess the adequacy of the nonprofit’s internal controls. Note that the letter will only point out significant deficiencies that were found. As we have discussed, their testing is an assessment of fraud risk that guides their fieldwork. The purpose is not to express an opinion on the internal controls as a whole.
During the presentation the board should be given the opportunity to temporarily excuse all staff present so as to question the CPA about the financial operations of the organization. Your board members will draw comfort from hearing directly from the CPA that the books and records are well-managed and the reports coming from the GL (general ledger) system were found to be reliable.
5) How do I find a CPA to perform my audit?
Nonprofits contract directly with a CPA firm for their audits. As is the case for the creation and maintenance of the GAAP accounting rules, the audit function takes place in the private sector. Yes, every state has a board of accountancy that licenses and provides oversight of the CPA profession, but the American Institute of Certified Public Accountants (AICPA)—a nonprofit professional organization—sets the auditing standards that CPAs follow.
You can request bids for an audit from the firms in your area that have the capacity and a good reputation. It is important to understand that the nonprofit hires the CPA and thus becomes a paying client of the firm. Maintaining objectivity is a challenge that all auditors are aware of, especially with audit clients they have served for many years—decades sometimes. Nonprofits will sometimes change CPA firms regularly, say every five to ten years, to lower the risk of a decline in objectivity. There is no such requirement in the auditing standards and there is a trade-off in starting from scratch with a firm that has no knowledge or expertise in your operations.
As you might expect, the nonprofit’s board of directors will most likely focus on the objectivity of the CPA firm, while management’s priority is often the store of knowledge that the CPA firm has built up over years of working with the nonprofit. And management will argue that the firm is honor-bound to perform their services with integrity. Larger CPA firms can rotate partners and fieldwork staff to prevent long-standing relationships from forming. The AICPA and most state boards of accountancy provide an additional safety net by requiring that all CPA attestation services undergo periodic peer review.
In Sum: Auditors Make a Positive Contribution to the Nonprofit Environment
The nonprofit audit serves as a “report card” for the CFO in the eyes of the ED, and for the ED in the eyes of the board, and is often a factor in the ED’s annual compensation review. The audit keeps the finance department on its toes throughout the year and provides a relationship with trusted experts who will keep you informed of new standards and best practices.
The audit provides the transparency that funders, managers, and board members seek. The CPA community works hard to develop and maintain standards for reporting and auditing not primarily for the purpose of rooting out fraud and malfeasance but to inspire the public’s trust in the quality of the work that nonprofits do to fulfill their missions.