One needs only to look at the changes in the AICPA’s not-for-profit audit committee toolkit to understand the evolving responsibilities of the audit committee. The AICPA had previously recommended that not-for-profit audit committees monitor the financial reporting process and external auditors, perform internal audit functions and meet legal and/or regulatory requirements. The AICPA toolkit for 2015, the third edition, recommends roles and responsibilities beyond just hiring and communicating with the outside auditor. It suggests not-for-profit audit committees assess their internal audit function’s qualifications (if there is one), independence and performance and assist with their organization’s risk management and governance functions. The toolkit comes with Microsoft Word files of all the tools so you can modify and customize them to fit your committee’s needs.
Audit committees should play a crucial role in helping the organization manage its risk and meet its compliance requirements. Three of the key risk areas audit committees should be aware of are conflicts of interest and related party transactions, fraud, and enterprise-wide risk assessments. By examining how your organization and its internal audit team address these areas, your audit committee can assist your organization in mitigating its risks and meeting its compliance requirements.
Conflicts of Interest and Related Party Transactions
A related party transaction occurs when an entity, one of its affiliates, a board member or a relative of a key employee of the entity or entity affiliate has a financial interest in the exchange taking place. Your organization’s risk management policy should include a protocol for monitoring and reporting related party transactions, as they come with disclosure requirements and present a potential source of fraud.
Increasingly, not-for-profits are being asked to develop written policies and procedures to minimize conflicts of interest and related party transactions. The New York Nonprofit Revitalization Act of 2013 requires not-for-profits to adopt procedures and policies that include a written definition of conflict of interest, procedures for disclosing conflicts of interest to the audit committee and board of directors, and procedures for handling related party transactions. The Nonprofit Revitalization Act asks that not-for-profits in New York consider and document alternative transactions to avoid the related party transaction. The Act also asks that organizations only go through with the related party transaction if it was approved by a majority vote of directors or other committee members.
Though the Nonprofit Revitalization Act is not applicable broadly, it holds best practices for effective management of related party transactions and conflicts of interest. Your audit committee should consider how well your organization’s policy aligns with the requirements of the Act and whether additional steps need to be taken to minimize the risk of conflicts of interest and related party transactions.
Fraud often occurs long before the organization notices it. In its 2014 Report to the Nations, the Association for Certified Fraud Examiners found that fraudulent activity occurs for an average of 18 months before being detected. Organizations also reported losing up to 5% of their revenue to fraud each year.
Your audit committee should be reviewing how the organization collects and responds to internal tips about potential fraudulent activity. The committee should help monitor any personnel who have the authority to override controls in the financial reporting process. Employees with control, as well as staff with known financial difficulty or close relationships with vendors or subcontractors, can be sources of fraud risk. The AICPA’s not-for-profit audit committee toolkit contains detailed information on complaint reporting, anti-retaliation procedures and a tracking report, all of which are generally covered in a whistleblowing policy.
Enterprise Risk Management
The modern risk environment necessitates an organization-wide, continuous approach to risk assessment and management. If it hasn’t already, your not-for-profit should develop an enterprise risk management (ERM) approach that aligns decision-making with your organization’s appetite for risk. An ERM approach includes identified board-level and operational-level risks, metrics and tolerances for those risks, and risk reporting. Again, the AICPA’s not-for-profit audit committee toolkit provides tools for assessing organizational risks.
ERM works best when multiple parties get involved, from the board of directors to internal auditors. The board of directors can help direct the shape of the approach while internal auditors can assist with the monitoring of the controls in the environment. Your audit committee can help ensure that risks are being monitored continuously and effectively and that the activity reflects the organization’s risk tolerance.
Audit committee responsibilities cannot be static. As your organization grows and its risks and opportunities change, the audit committee’s role will expand, too.
David Brown, Jr. is a Director at CBIZ and a member of the Not-for-Profit & Education Practice. He is based in the Minneapolis office and can be reached at 612.376.1205 or firstname.lastname@example.org.