Audit committees for not-for-profit organizations do much more than what their name suggests. In addition to their primary focus of overseeing all aspects of the audit process, they are increasingly tasked with oversight of the not-for-profit’s enterprise risk management process and other risk mitigation activities.
Audit committees are responsible for the appointment, compensation, oversight and evaluation of the performance of the independent auditors performing the organization’s financial statement and employee benefit plan audits. Audit committees also discuss audit findings with the management team, and help address any issues that may arise in governance, risk management or internal controls that the auditors identify. Given this critical role, it’s considered a best practice for audit committees to be part of the risk management conversation.
Charters define the role and responsibilities of the audit committee and may not reflect the full range of responsibilities an audit committee should, or does, assume. Audit committees should evaluate and update their charters to ensure they include best practices, not only for managing the audit process but also for helping their organizations mitigate their key risks.
Best Practices for Audit Responsibilities
Audit committees work closely with the external auditor performing the financial statement and employee benefit plan audits. The preliminary audit meeting is a key responsibility of the committee, and if conducted properly, can result in a more effective and efficient audit plan. Committee members should work with the auditor to understand the nature and timing of certain audit tests and procedures. They should also identify potential steps the organization can take to reduce overall engagement hours and increase the auditor’s efficiency. This may include sharing internal audit results, ensuring key processes are documented or gathering information and records for their audit team.
Exit conferences are also vital to the audit committee’s role in the audit. Members should leave the exit conference with an understanding of the results of the audit and whether the auditor encountered any difficulties in completing the audit. In addition, the committee should ask for the auditor’s opinion of the organization’s financial management practices, including whether accounting practices used by management are overly aggressive or conservative and what management’s attitude is toward establishing internal controls.
If committee members comprehend not only the audit results but also the auditor’s impressions of how their not-for-profit accomplishes its reporting requirements, they may be able to improve their communications with management about fine-tuning current practices.
Best Practices for Managing Tax Obligations
Many audit committees also meet with management and the accounting firm regarding the IRS Form 990. They often go over the information presented in the Form 990 prior to filing and may review their organization’s IRS Form 990-T, which reports unrelated business income produced by the not-for-profit organization. Unrelated business income can pose a significant risk for a not-for-profit organization if the amount of unrelated business income is too high relative to the size of the organization. Committee members should also inquire as to whether there are strategies available to minimize the tax due for unrelated business income activities.
Increasingly, audit committees are approving policies suggested by management for items such as when to file in a particular jurisdiction, especially when activities may be minimal. Most states have additional compliance requirements to meet, which may be triggered by certain activities. Audit committees can help ensure that organizations are minimizing their state and local tax exposure risk.
Best Practices for Risk Management
Audit committees also take on enterprise risk management (ERM) responsibilities. Audit results may reveal weaknesses in a not-for-profit organization’s internal control environment and the audit committee should collaborate with management to address any deficiencies noted.
More and more, information technology and cybersecurity are becoming part of the ERM discussion. Committee members should work together with internal information technology teams to understand how the organization utilizes technology and what controls are in place to safeguard the organization’s sensitive information. They may also consider meeting with external consultants who can independently assess IT security by performing penetration testing and mimicking social engineering schemes to provide the organization with a “heat map” of its key IT threats. Audit committees should also inquire about cyber-risk insurance and related programs with their insurance provider.
The audit committee may be tasked with monitoring and overseeing legal risks. Some audit committee members may serve as the ombudsperson for complaints about financial mismanagement. Committees with these responsibilities should be familiar with the organization’s whistleblower policy. Regardless of whether the audit committee is tasked with legal concerns, it should periodically meet with the organization’s internal corporate counsel or seek reports from external counsel on litigation, claims and assessments.
Making Changes to Your Audit Charter
Audit committees should review their audit charter for compliance with emerging best practices that may provide value to their organization. As part of the evaluation, audit committees should consider whether other committees of the board (such as the finance or performance committee) are already undertaking some of these responsibilities. Committees may also want to ask for input on their charter from their auditor.
Once the committee has identified any modifications it wishes to make to its charter, it should circulate the new draft to the members of the executive committee and members of the governance board to ensure all parties are in agreement with the changes. The revised audit charter must then be brought before the full board for approval.
For questions or concerns about your organization’s audit committee charter, please contact us.
Tracey McDonald is a Managing Director at CBIZ MHM in the Tampa Bay office. She can be reached at 813.594.1400 or Tracey.McDonald@cbiz.com.