10 Things Keeping Internal Audit Up at Night – Part 2

In part one of this series, we discussed how funders, strategy, culture, and more create obstacles for nonprofit internal auditors, but that’s not the whole story. Now, we’re looking at how things like third-party vendors and potential fraud pose challenges to nonprofit organizations, and what steps they can take to mitigate risk.  
Even though nonprofits are motivated by making an impact rather than money, organizations still face a host of hurdles when it comes to financial management. Many international nonprofits operate in countries with cash-based economies, making it tough to maintain adequate control of funds and sufficient supporting documentation. And, new payment technologies, while enabling new and widespread operational tools, are often accompanied by verification and other control challenges. Nonprofits also face resource constraints and may have a limited number of finance staff to oversee financial management processes, which can be manual and prone to human error. For organizations with several offices, branches often operate with little to no centralized oversight over their accounting and cash management procedures.

THE REMEDY: Nonprofits should review cash management procedures and evaluate typical expenditure cycles to identify potential risk areas across the entirety of an organization. Internal audit is central in assisting management in testing cash management controls.

  • Organizations can then implement additional controls in keeping with best practices, like limiting cash handling or volume of cash transactions where possible. Nonprofit managers should consider investing in technologies and resources that limit high risk processes. 

  • Standardizing procedures will help cut down on variance of practices between offices. All branches should centralize accounting and reporting procedures. At a minimum, each location should maintain copies of supporting documentation of all expenditures and financial reporting and should regularly review them with staff.


Vendor actions can create extremely adverse consequences for nonprofit organizations. Concerns range from reputation damage to the vendor's illegal acts being attributed to the nonprofit organization. This risk applies to all types of organizational relationships with vendors and nonprofits especially those administering federal grant programs given increased subrecipient monitoring and due diligence requirements.

Despite the risks, most nonprofits rely on partners or contractors for critical program functions. This makes it difficult to conduct due diligence reviews and monitoring activities, particularly when the partners/contractors are numerous, geographically dispersed, or operating overseas. Partners are normally tasked with self-reporting, meaning frauds like ghost employee payments are easily hidden. Contractors also usually have access to organizational networks and information, creating an additional layer of risk.

THE REMEDY: Organizations should review current policies and procedures to ensure robust due diligence and monitoring processes are in place for all third-party relationships. This should include an assessment of partner/contractor access to project data, systems, and networks, and the limitation of access where possible.

Nonprofits need to implement additional monitoring and verification processes, including:

  • Conducting regular spot reviews or investigations of reported data

  • Requiring partners and contractors to certify financial and programmatic assertions

  • Verifying number of partner/contractor staff and salary payment amounts

  • Conducting unannounced site visits

  • Considering third-party verification systems

These processes should be reevaluated on a regular basis to ensure their effectiveness.

Nonprofit organization rely heavily on non-competitive procurement processes due to several reasons. Often, procurement procedures, selection criteria, and selection decisions are inadequately documented, leaving organizations unable to show that there was no bias in the selection process. Preferred vendor lists are rarely updated, and control of vendor solicitation, selection, and site visits is often left with just a few individuals.

THE REMEDY:IA should review current procurement procedures against industry standards and donor requirements. They should also be transparent about their procurement policies including:

  • Publicly announcing tenders as much as possible

  • Updating vendor lists through open competition as frequently as possible

  • Verifying vendors and prices through in-person or third-party checks

  • Comparing bids against market prices

  • Documenting criteria and selection procedures to bid samples with procurement files

  • Ensuring procurement/selection committees are rotated on a regular basis

For organizations that distribute goods, inventory management and oversight can prove to be a major source of stress for internal auditors. Often, nonprofits have difficulties verifying receipt of goods or services by their intended beneficiary, and confirming the goods provided to are in the same quality and quantity as what was purchased. Diversion, theft, and product substitution are especially difficult to identify. Despite resource and capacity issues, recent increased scrutiny on internal controls and supply chain management means that organizations need to address these issues sooner rather than later.

THE REMEDY:To help combat issues in the distribution chain, organizations need to shore up monitoring procedures by:

  • Establishing monitoring teams for critical points along the supply chain

  • Implementing two-step or three-step verification procedures at each critical stage

  • Hiring a third party to conduct site visits and monitor transportation and distribution

  • Using technology to assist in tracking and monitoring, including unique identifiers on products for inventory and tracking purposes and requiring distributors to take timestamped photos/videos of deliveries

  • Another effective risk mitigation strategy is to communicate directly with beneficiaries. Organizations can hold pre-distribution meetings with communities to review any past issues or concerns. Detailed packing lists and/or photographs of parcel contents should be inside packages. Nonprofits can include in the contract clauses with distributors to withhold payments to distributors until delivery is confirmed. This further ensures the distributor is holding up their end of the agreement.

It’s the job of the internal audit function to uncover fraud, waste, and abuse in nonprofit organizations, but often they are set up for failure. Due to a lack of communications between functional and program units within organizations, increased used of third parties, outdated systems, increased regulations, (and the list goes on…) the opportunity to exploit a nonprofit’s controls is growing at a time when IA resources are shrinking and reputational risk for organizations is at an all-time high. 

THE REMEDY:Preventing fraud starts within an organization itself. Stakeholders should evaluate current fraud prevention, detection, and investigation measures against regulatory requirements and develop a plan to remediate any identified gaps. They should also be sure to provide accessible fraud reporting mechanisms for all employees, partners, grantees/beneficiaries, and stakeholders.

  • Despite resource constraints, organizations need to ensure IA has the appropriate level of resources to detect and investigate potential cases of fraud. Funds should also be set aside for visits to third parties and office locations and the establishment of a fraud hotline. Put a process in place to notify any impacted funders in a timely manner and in line with donor requirements to prevent exacerbating the impact when fraud does occur.

  • It’s also key to establish a fraud prevention and detection assessment schedule so practices can stay up to date and make sure nothing falls through the cracks.

Internal auditors at nonprofits have a tough, but essential job that’s key to keeping the organization focused on mission fulfillment. By assessing current practices, developing action plans, and regularly monitoring activities, organizations can mitigate risk and serve their beneficiaries more effectively.

Be sure to keep up with the latest happenings in the nonprofit industry by subscribing to our blog and following us on Twitter @BDONonprofit.