The Nonprofit Audit Committee’s Evolving Role

By Joseph J. Kanjamala  |  February 2, 2018

The Audit Committee is an indispensable part of any nonprofit organization’s governance structure. The roles and responsibilities of an audit committee vary from organization to organization. However, as the financial, operational and regulatory complexities of the environment in which nonprofits operate evolve, so must the roles and responsibilities of the Audit Committee. Traditionally, these responsibilities have included oversight of audit, compliance, financial reporting and internal controls, as well as reporting on these functions to the Board. Let’s examine how these responsibilities have recently started to take a new shape.

Compliance Oversight

One of the foremost risks faced by a nonprofit organization is its compliance with legal and regulatory requirements. Traditionally, the Audit Committee’s compliance oversight function entails ensuring compliance with regulations and requirements imposed by federal, state and local and other funding sources. These include:

• Medicaid rules
• Contractual compliance
• Donor-imposed restrictions and requirements
• State Attorney General mandates, etc.

Recently, Nonprofit Audit Committees have also been entrusted with overseeing adoption, implementation and compliance with an organization’s conflict of interest and whistleblower polices. As the governance body entrusted with the administration of conflicts of interest, the Audit Committee should review the annual conflict of interest sign off by the Board of Trustees/Directors and other key employees, document this review in its minutes and then report back to the Board of Trustees/Directors. In the process of reviewing conflicts, related-party transactions might be identified, and in such a situation, the Audit Committee should ensure that such conflicts and transactions are disclosed in the organization’s audited financial statements and IRS Form 990. To ensure compliance with contractual funder requirements, the Audit Committee should solicit counsel from the organization’s compliance officer or internal auditor. The administration of whistleblower policies is best enforced by reporting directly to the Audit Committee chair or an outside independent body.

In either case, the Audit Committee must ensure that activities reported back to them are not illegal, fraudulent, in violation of the organization’s policies and not resulting in retaliation or adverse actions against a whistleblowing employee. The Audit Committee’s final decision should be documented in the Audit Committee minutes and subsequently reported to the Board of Directors/Trustees.

An Audit Committee should take an active role in the prevention and deterrence of fraud. The Audit Committee should constantly challenge management to ensure that the organization has the appropriate antifraud programs and controls in place to identify potential fraud and ensuring that investigations are undertaken if fraud is detected. The Audit Committee should take an interest in ensuring that appropriate action is taken against known perpetrators of fraud. See also Recognizing the Symptoms of Fraud, the article, herein.

Audit Oversight

Optimal audit oversight is achieved through accuracy and transparency in financial reporting and internal/ external audit processes – and a nonprofit organization’s reputation among its funders depends largely on the integrity of its financial reporting. The Audit Committee is charged with hiring a new audit firm or annually retaining the organization’s existing auditor. The audit oversight process also includes discussing the planned scope of the audit, risk assessment and audit timing, as well as reviewing audited financial statements and management letter, with the auditor. The New York Nonprofit Revitalization Act also requires Audit Committees to annually evaluate auditor performance and document such evaluation in the Audit Committee’s minutes. The Audit Committee should also meet with its internal auditors to review the internal auditors’ reports and any corrective action plan required to be taken by management as a result of any management team comments.

Oversight of Financial Reporting Process and Internal Controls

Traditionally, the role of the Audit Committee includes ensuring that the organization’s accounting policies comply with Generally Accepted Accounting Principles, in the United States (“U.S. GAAP”) and that the organization has sound internal controls to ensure transactional checks and balances.

The New Enhanced Role of the Audit Committee within this Area Includes:

• Oversight of Technology
• Cybersecurity
• Data privacy
• Enterprise-wide risk management

This level of oversight involves increased interaction with the organization’s Chief Information Officer (CIO) to gain a deeper understanding as to whether the organization has an effective technology policy in place that addresses polices on passwords, data backup, firewall, disaster recovery, data security for storage, handling and transmittal, etc. Periodically, the Audit Committee should request that the CIO provide reports on incidents or suspected incidents indicating data breaches or other cybersecurity-related matters. The Audit Committee should ensure that the organization has adequate cyber insurance to cover risk associated with its cybersecurity.

Enterprise risk management (ERM) is gaining much attention in the nonprofit industry and, generally, Audit Committees are responsible for implementing ERM. The Audit Committee has always been responsible for organizational risk management. However, their involvement was limited to an organization’s tangible assets. ERM covers risk management for tangible assets and intangible assets – including customers, employees, third parties and technology infrastructure among other organizational assets. The Audit Committee should spearhead the assessment of potential risk and opportunities available to the organization – and assist with prioritizing and addressing them. The nonprofit audit committee still functions as a fundamental body across a number of key areas – including those covered in this article. However, due to the ever-changing corporate governance polices, legal requirements and other complexities, the Audit Committee now must be entrusted with additional organizational responsibilities – namely the detection, prevention and remediation of fraud; administration of conflict of interest and whistleblower policies; review of related-party transactions; the gamut of technology, cybersecurity and data security policies; as well as general enterprise risk management.

About Joseph J. Kanjamala