10 Things Keeping Internal Audit Up at Night – Part 1

The internal audit (IA) function is vital to the health of any nonprofit, regardless of mission or scope. The audit committee and its individual members are crucial partners in safeguarding the integrity, purpose, and ultimately, the success of organizations.

But, they often face challenges navigating a strained regulatory environment, all while trying to do more with less. Adjusting to these new realities means that proper management is more important than ever. This is the first in a two-part series outlining the top 10 challenges keeping internal auditors up at night, and providing remedies to help them continue their critical work.

1) CHANGES TO OPERATIONS OR STRATEGY
For most nonprofit organizations, change is inevitable. As the needs of communities, internal dynamics, priorities, and leadership transform, nonprofits adjust their mission and strategies. While this dynamism is essential for organizations to further their work, change can create strain for internal auditors. Whether it’s expanding operations to a new location, working with new donors, or rolling out a new organizational structure, internal auditors are often left scrambling to ensure compliance.

THE REMEDY: Change is unavoidable, but compliance headaches don’t have to be. Nonprofits should be proactive about integrating internal audit into large scale organizational changes. This means allocating IA resources to evaluate emerging compliance and legal requirements, incorporating IA into the strategic decision-making process at the outset, revising policies and procedures with the new compliance environment, and developing succession plans to have facilitate smooth personnel changes. And, IA should not just be involved in the change process—organizations should allow internal auditors to conduct post-implementation assessments to ensure ongoing compliance.

2) ORGANIZATIONAL CULTURE
The organizational culture of nonprofit organizations usually centers on a mission that employees are passionate about. This passion attracts staff personally motivated to help the overall organization succeed, but can come at the cost of internal controls. For nonprofits, “the cause” can often be promoted at any cost. Mid-level management professionals can be highly skilled in technical areas, but may lack knowledge in compliance, financial accountability, and oversight. A lack of interactive communication between key administrative and program units within the organization can result in insufficient internal controls.

THE REMEDY: To balance maintaining organizational culture with proper operational management, communication is essential. Nonprofits should develop a sound communication strategy that brings the internal audit and compliance functions in regular contact with the rest of the staff. During these interactions, IA professionals should be sure to communicate how risk management practices align with overall organizational strategy, and mission objectives. Bringing people together in this way helps make IA an integral part of an organization, rather than an afterthought.

Even when strong communications are in place, breakdowns are sometimes inevitable. Organizations should conduct regular assessments of business processes to determine where breakdowns in communication between business units occur. These assessments should help identify gaps that could pose significant risks to the organization.  

Based on the results of these assessments, organizations should design and implement remediation plans, including scheduling necessary trainings for all employees and rolling out new process flows and accountability points to close any gaps.

3) NEW TECHNOLOGY
Technological advances help organizations store and share data, but new technology is often implemented without the knowledge or involvement of the internal audit function, to potentially disastrous and costly results. Ideally, internal auditors should assess new technology well before it’s utilized to review issues like control over sensitive data, continuity of the technologies between offices, and adherence to compliance and regulatory requirements. Without this review, nonprofits leave themselves open to a number of risky consequences, as well as operational inefficiencies.

THE REMEDY: Technology can be a huge boon to nonprofit organizations, but only when it’s used smartly. IA should work with nonprofit leaders to first assess technology currently being used organization-wide, and then identify what the organization still needs to address. Internal auditors can assist with researching and proposing approved technologies for organization-wide usage, to facilitate cohesion and compliance and to help management improve system efficiencies.

Organizations also need to implement proper internal controls to ensure they’re mitigating tech risk as much as possible. IA can conduct a risk assessment of each technology used and implement policies to restrict to prevent the use of high-risk programs or devices. Organizations should also require a similar checks and risk assessments for all new technology prior to usage.

4) CYBERSECURITY
With new technologies exploding in popularity, cybersecurity risks abound. Nonprofit organizations often mistakenly believe they aren’t of interest to cyber-criminals, but the amount of personal data they store from donors and employees, and the tendency to underinvest in cybersecurity measures makes them an ideal target. It can be difficult for nonprofits to maintain up-to-date technology and hardware, keep pace with technological changes, and navigate the shifting regulatory landscape with their limited funding. Nonprofits also frequently partner with technology suppliers and other contractors that leave them open to third-party cyber risks.  

THE REMEDY:The first step to mitigating cyber risk is to conduct an organization-wide cybersecurity risk assessment that includes partner, contractor, and technology supplier cybersecurity as part of the due diligence process. This assessment should shed light on where internal and external gaps exist. Following the assessment, organizations should implement additional controls by updating policies, procedures, and internal controls to address identified gaps.

A startling number of cyber incidents arise from employees unknowingly exposing the organization to bad actors. Training staff to recognize these exposures is fundamental to their prevention. Nonprofits need to regularly communicate risks to employees and vendors to ensure everyone is adhering to established policies.  

Monitoring cyber risk needs to be an ongoing effort. Nonprofits should develop a risk assessment schedule to examine internal partner, contractor, and technology supplier cybersecurity on a quarterly or annual basis. Internal audit can assist with implementing these assessments.  

5) COMPLIANCE WITH FUNDER REQUIREMENTS
Nonprofit organizations often have the unique challenge of negotiating compliance requirements across multiple funding sources including government entities, individuals, private foundations or other organizations. This challenge is only growing as budget cuts force organizations to focus on diversifying revenue streams and expanding donor pools, and with a recent increase in donor audits of specific grant activity at the materiality level. Further complicating the matter is a growing emphasis on international accounting standards (as opposed to relying on U.S. Generally Accepted Accounting Principles).

THE REMEDY: To clarify exactly what funding requirements an organization faces, it should conduct a compliance assessment, comparing requirements across all donor agreements to determine areas of overlap and areas of discontinuity. These agreements should then be compared against written policies and current practices to identify gaps.

Remediation plans can amend policies and procedures, and staff trainings should be conducted to ensure all levels and functions understand their role in maintaining compliance with funding requirements.

Staying current is critical. Nonprofits should develop a compliance assessment schedule, and IA and compliance departments need to stay on top of new funding streams and emerging trends so they can pivot when necessary.

This isn’t the whole story, however. To find out the other 5 issues facing internal auditors, be sure to subscribe to our blog and follow us on Twitter @BDONonprofit.