Not-for-profit organizations should take a page from the public company playbook when it comes to their governance. The Sarbanes-Oxley Act of 2002 (SOX) makes it a requirement for public companies to have an audit committee that follows several key mandates for reporting annual financial statements. Regardless of size, all not-for-profit organizations can also benefit from having an audit committee that can help with governance strategies and, ultimately, provide the best chance to ensure the organization's success.
Beyond the task of selecting an external auditor, an audit committee provides additional key functions to an organization that are of immense value. The committee is tasked with overseeing management as it executes the not-for-profit's strategic plans, in particular focusing efforts on areas that involve managing risks (e.g., operational, business interruption, cybersecurity, financial reporting, fraud, regulatory, etc.), ensuring compliance, establishing effective internal controls, and dealing with change management — all in an effort to create an organization that is sustainable for the long-term. The significance of these functions makes choosing the right composition of audit committee members and creating a well-defined and documented operational charter extremely important.
Who Should Serve on My Not-for-Profit's Audit Committee?
The right people with the right mindset and relevant expertise make an audit committee successful. While there is not a set size for an audit committee, it is typically made up of at least three people who should all, ideally, be independent from the not-for-profit. The ability to approach responsibilities with a questioning mind and healthy sense of professional skepticism is invaluable to an audit committee member. Audit committees may need to occasionally challenge the management team and hold them accountable, which can create uncomfortable situations, particularly if the committee is not made up of independent parties.
Maintaining independent audit committee members is also crucial to ensuring effectiveness. Members must be able to exercise their own judgement and not be unduly influenced by management or personal financial incentives that could cloud their ability to exercise their responsibilities. The communication of the financial reporting function to internal and external users of that information needs to be fair, transparent, and complete, so it's important that your organization's committee does not include employees or individuals that have a close relationship with the organization and/or its employees.
Public companies are required, under SOX, to have at least one audit committee member who is considered a financial expert, defined by certain qualifications related to his or her education and background. Applying those concepts in a not-for-profit environment is vital. Choosing audit committee members who have backgrounds and work experience in not-for-profits could provide even further benefit; however, it is not critical. Value can also be derived from having audit committee members who have experience in different industries that may experience similar challenges as the nonprofit sector.
Audit committees can also be a good training ground for future board members. Audit committees do not require the same commitment of time and resources as a not-for-profit's board, which may make them more appealing to a professional who is at an earlier stage in his or her career. Not-for-profit organizations may want to incorporate younger professionals into their audit committee pool to build relationships that could one day turn into great candidates to serve on their board.
Creating a Charter
Once your audit committee is chosen, the group should be tasked with developing a smart and responsible charter that outlines its roles, responsibilities and how it will function. As your organization grows and its risks and opportunities change, the audit committee's role will also expand. With that, audit committees should periodically review the audit committee charter for compliance with emerging best practices.
Monitor Financial Reporting
Perhaps the most common task audit committees will oversee is reviewing and approving your organization's financial statements to ensure they are complete, accurate, transparent, and fairly stated in accordance with the applicable standards of the reporting jurisdiction. They will also work directly with the external auditor (selected and vetted by the committee) to review findings.
Committee members should be able to understand and comprehend the external auditor's results and recommendations so they can effectively communicate them back to the organization and its board and monitor the implementation of any remediation or changes made. This role is one of the reasons why including a person with a financial background in your audit committee is so important. The more information members understand, the easier it is for them to make their own recommendations for how to improve your organization's financial reporting.
Provide Risk Management Oversight
On top of its essential financial reporting duties, the audit committee will work to identify your organization's major risks, as well as review the existing internal controls that are in place to protect your organization from those risks. This is particularly true for smaller not-for-profit organizations. Audit committees for smaller not-for-profit organizations may be reviewing executive expense reports and unusual findings from internal audit reports, such as cash disbursement listings. An independent audit committee can be vital to a robust internal control function.
Increasingly, audit committees are identifying risks related to cybersecurity and lack of protections in information technology that are created by the suppliers and service providers that the organization uses.
Committee members should meet regularly with management to help notify them of potential risks, as well as ensure that those risks are being monitored and proactive efforts are in place to mitigate future risks to an acceptable level. Management should involve the audit committee in developing its enterprise risk management plan so members have an intimate knowledge of the plan and can be sure the organization is taking a holistic view of potential risks. The frequency of meetings will depend on the organization and its particular issues. Not-for-profit audit committee members are unpaid volunteers, so organizations should be cognizant of requests for their time.
Protect Your Company from Fraud
Lastly, as an independent entity, the audit committee helps ensure there are checks and balances in place to protect your organization from fraud. The committee should perform an assessment of your company's risks to determine what type of fraud would most likely affect you and provide effective monitoring of these identified risks.
Many not-for-profit organizations operate without a fraud tips hotline. An audit committee should establish separate mechanisms to promote the timely reporting of potential fraud directly to the committee so that any concerns can be promptly, thoroughly and completely investigated. They should review organizational policies for handling internal tips, ensuring there are no retaliatory measures being taken by the organization against an employee for reporting potential fraud or other possible violations of laws and regulations. The committee must act as a conduit between employees and executives so that issues do not go unreported and complaints are properly investigated.
For More Information
Not-for-profit organizations wanting to revamp their audit committees may want to look into the resources that the AICPA provides. For any other comments, questions or concerns about forming an audit committee, please contact us.
Published on September 25, 2018