A financial audit is one of the most important accountability mechanisms a nonprofit has. It provides an independent assessment of whether the organization's financial statements are accurate, whether internal controls are functioning, and whether funds are being managed properly. For donors, funders, and regulators, a clean audit opinion is a signal that the organization is trustworthy. For the board, the audit is a critical tool for fulfilling its fiduciary duty of care over the organization's finances.
Yet many nonprofit boards treat the audit as a formality, delegating it entirely to staff or the external auditor and never engaging meaningfully with the process or its findings. This approach misses the point. The audit is for the board. The auditor reports to the board, not to management. And the board is ultimately responsible for ensuring that the organization's financial house is in order.
This guide covers why audits matter, when they are required, how boards should oversee the audit process, and how to address findings that emerge.
When Is an Audit Required
Legal Requirements
Whether a nonprofit is legally required to obtain an independent audit depends on several factors:
State law. Many states require nonprofits to obtain an annual audit if their revenue exceeds a specified threshold. These thresholds vary widely by state. Some states set the threshold at $250,000; others set it higher. Organizations operating in multiple states may be subject to different audit requirements in different jurisdictions. For a broader discussion, see our guide to state-by-state nonprofit compliance.
Federal grants. Organizations that expend $750,000 or more in federal awards in a fiscal year are required to obtain a Single Audit under the Uniform Guidance (2 CFR Part 200). A Single Audit is more extensive than a standard financial statement audit and includes testing of compliance with the terms and conditions of federal awards.
Funder requirements. Many private foundations and government agencies require grantees to submit audited financial statements, regardless of whether an audit is legally required. These requirements are typically specified in the grant agreement.
Best Practice
Even when an audit is not legally required, most governance experts recommend that any nonprofit with annual revenue exceeding $500,000 obtain an annual audit. The cost of an audit is modest relative to the protection it provides against fraud, financial mismanagement, and reputational damage.
Organizations below the audit threshold should consider obtaining a financial review, which is less extensive and less expensive than an audit but still provides some independent verification of financial statements.
The Board's Role in the Audit Process
Audit Committee
Many nonprofits establish a standing audit committee of the board. An audit committee provides focused oversight of the audit process and financial controls, freeing the full board to focus on other matters while ensuring that financial oversight receives adequate attention.
The audit committee should:
- Be composed of at least three board members, none of whom are employees of the organization.
- Include at least one member with financial literacy, ideally someone with accounting or audit experience.
- Operate under a written charter that defines its authority and responsibilities.
- Report to the full board on its activities.
Organizations that are too small for a formal audit committee can assign audit oversight responsibilities to the finance committee or the full board, but someone must own this function.
Selecting the Auditor
The board, not management, should select the external auditor. This is a critical governance principle because the auditor's independence depends on being accountable to the board rather than to the people whose work they are examining.
Selection criteria:
- Experience with nonprofits. Nonprofit accounting has unique features, including fund accounting, restrictions on contributions, and Form 990 preparation. An auditor who primarily serves for-profit businesses may not be familiar with these nuances.
- Independence. The auditor must be independent of the organization and its management. An accounting firm that also provides bookkeeping or consulting services to the organization may have a conflict of interest.
- Reputation and references. Check references from other nonprofit clients of similar size and complexity.
- Fees. Audit fees should be reasonable for the scope of work. However, the cheapest auditor is not necessarily the best. Quality and experience matter.
- Communication. The auditor should be willing and able to communicate clearly with the board, not just with the finance team.
Auditor rotation. While few states require auditor rotation for nonprofits, it is considered a governance best practice to periodically change auditors, typically every five to seven years. Fresh eyes can identify issues that a long-tenured auditor might miss due to familiarity. At a minimum, the audit committee should regularly evaluate whether the current auditor relationship continues to serve the organization well.
Setting the Audit Scope
The board or audit committee should discuss the scope of the audit with the auditor before fieldwork begins. Key questions to address:
- What financial statements will be audited?
- Will the audit include testing of internal controls?
- Are there specific areas of concern that the board wants the auditor to examine more closely?
- Will the auditor prepare the Form 990, or will the organization prepare it separately?
- If the organization is subject to a Single Audit, what federal programs will be tested?
This discussion should be documented. Include the audit engagement scope in the board pack for the meeting at which the audit is discussed.
Pre-Audit Planning
Before the auditor begins fieldwork, the organization needs to prepare. The board's role in pre-audit planning is to ensure that management is ready and that the process will proceed on schedule.
- Timeline. Establish a clear timeline for the audit, including the start of fieldwork, the expected completion date, and the date by which the auditor will present findings to the board.
- Staff readiness. Ensure that the finance team has the resources and time to support the audit. If the organization is understaffed, consider whether temporary help is needed.
- Document access. Ensure the auditor will have access to all necessary records, including board minutes, financial records, and grant agreements.
During the Audit
The board or audit committee chair should maintain contact with the auditor during fieldwork. This serves several purposes:
- It reinforces the board's role as the auditor's client.
- It provides an opportunity for the auditor to raise concerns in real time rather than waiting for the final report.
- It allows the board to address any access or cooperation issues that may arise.
The auditor may also request to meet with the audit committee without management present. This is standard practice and gives the auditor an opportunity to raise concerns about management's cooperation or financial practices without management in the room. The board should always agree to these meetings.
Reviewing Audit Results
When the audit is complete, the auditor should present the results to the board or audit committee in person (or by video conference). This presentation should cover:
The audit opinion. The auditor's report includes an opinion on whether the financial statements are presented fairly in accordance with generally accepted accounting principles (GAAP). The possible opinions are:
- Unmodified (clean) opinion. The financial statements are fairly presented. This is the standard and expected result.
- Modified opinion. The auditor has identified issues that affect the accuracy of the financial statements or limitations on the scope of the audit. A modified opinion is a red flag that requires immediate board attention.
- Adverse opinion. The financial statements are materially misstated. This is rare and extremely serious.
- Disclaimer of opinion. The auditor was unable to complete the audit. This is also rare and serious.
The management letter. In addition to the audit opinion, the auditor typically issues a management letter (sometimes called a communication to those charged with governance) that describes any internal control weaknesses, operational issues, or recommendations for improvement identified during the audit. The management letter does not affect the audit opinion, but its findings are important and should be taken seriously.
Material weaknesses and significant deficiencies. These are formal findings about the organization's internal controls. A material weakness means there is a reasonable possibility that a material misstatement of the financial statements would not be prevented or detected by the organization's internal controls. A significant deficiency is less severe but still warrants attention.
Management's response. For each finding in the management letter, the board should ask management to provide a written response that includes a corrective action plan and a timeline for implementation.
Following Up on Findings
The most important part of the audit process is what happens after the auditor leaves. Audit findings that are acknowledged but never addressed represent a governance failure.
The board or audit committee should:
- Ensure that management develops a corrective action plan for each finding.
- Track the implementation of corrective actions through the board's action tracking system.
- Review progress at subsequent board meetings.
- Confirm in the following year's audit that prior-year findings have been resolved.
If the same finding appears in consecutive audits, the board should escalate its response. A recurring finding indicates that management has not taken corrective action or that the underlying problem is more serious than initially understood.
Key Areas of Audit Oversight for Nonprofit Boards
Revenue Recognition
Nonprofit revenue recognition can be complex, particularly for contributions with donor-imposed restrictions, multi-year pledges, and in-kind donations. The board should understand how the organization recognizes revenue and whether the auditor has identified any concerns about the organization's revenue recognition practices.
Restricted Funds
Donors who give money for a specific purpose create a legal obligation for the organization to use those funds as directed. The board should confirm that the organization tracks restricted funds separately and that restricted funds have been spent in accordance with donor intent. Misuse of restricted funds can result in legal action by donors and loss of public trust.
Related-Party Transactions
The auditor will typically identify and examine transactions between the organization and insiders, including board members, officers, key employees, and their family members. The board should review these transactions and ensure they were properly disclosed, approved, and documented in accordance with the organization's conflict of interest policy.
Executive Compensation
The audit may provide information relevant to the board's oversight of executive compensation. The board should ensure that compensation levels are reasonable, that the process for setting compensation follows the rebuttable presumption of reasonableness, and that compensation is properly disclosed on the Form 990.
Internal Controls
The audit provides the board with an independent assessment of the organization's internal controls. Common internal control weaknesses in nonprofits include:
- Insufficient separation of duties (one person controls too many aspects of financial transactions).
- Lack of board review of financial statements.
- Inadequate controls over cash receipts or expenditures.
- Missing or incomplete supporting documentation for transactions.
The board should take internal control findings seriously and ensure that management addresses them. Weak internal controls increase the risk of fraud and financial mismanagement.
Compliance with Grant Requirements
If the organization receives government or foundation grants, the audit may include testing of compliance with grant terms. Non-compliance can result in required repayment of grant funds, disqualification from future funding, and reputational damage.
Common Mistakes in Audit Oversight
Delegating Entirely to Staff
The audit is a board function, not a staff function. Management prepares the organization for the audit and works with the auditor during fieldwork, but the board selects the auditor, sets the scope, receives the findings, and ensures follow-up. A board that delegates the entire audit process to the executive director or finance director is not fulfilling its oversight role.
Not Reading the Management Letter
The management letter contains the auditor's most practical observations about the organization's operations and controls. Board members who read only the audit opinion and skip the management letter miss critical information about areas that need improvement.
Ignoring Recurring Findings
When the same finding appears year after year, it indicates a systemic problem. The board should ask why the finding has not been resolved, whether management needs additional resources to address it, and whether the finding reflects a more fundamental governance or management issue.
Not Meeting with the Auditor Privately
The board or audit committee should meet with the auditor at least once during the audit cycle without management present. This gives the auditor an opportunity to share concerns about management's cooperation, financial practices, or tone at the top without fear of reprisal. If the auditor does not request this meeting, the board should.
Treating the Audit as a Substitute for Ongoing Financial Oversight
An annual audit provides a snapshot of the organization's financial condition at a point in time. It does not substitute for ongoing financial oversight throughout the year. The board should review financial statements at every meeting, monitor cash flow, compare actual results to the budget, and ask questions when something does not look right.
Connecting Audit Oversight to Board Governance
Audit oversight does not exist in isolation. It connects to several other governance functions:
- Meeting agenda. Audit-related items, including engagement approval, progress updates, findings review, and follow-up on prior findings, should appear on the board's agenda at the appropriate times throughout the year.
- Board packs. The audit report, management letter, and management's corrective action plan should be included in the board pack for the meeting at which audit results are discussed.
- Meeting minutes. The board's discussion of audit findings, including questions asked and decisions made, should be documented in the meeting minutes. This documentation demonstrates that the board exercised its oversight responsibility.
- Action tracking. Corrective actions arising from audit findings should be tracked in the board's action tracking system with assigned owners and deadlines.
- Compliance calendar. The audit timeline, from engagement to fieldwork to presentation of findings, should be included in the board's annual compliance calendar.
Conclusion
Financial audits are a cornerstone of nonprofit accountability. They provide the board with independent assurance that the organization's financial statements are accurate, that internal controls are functioning, and that funds are being managed properly. But the audit only fulfills its purpose if the board is actively engaged in the process.
Select your auditor with care. Set the scope thoughtfully. Review the findings carefully. Follow up on recommendations diligently. And treat the audit not as a compliance burden but as a governance tool that strengthens your organization and protects the people it serves.
If your board does not currently have an audit committee or a structured process for audit oversight, now is the time to establish one. For the broader compliance picture, see our essential guide to nonprofit board compliance. To explore tools that support financial oversight and governance, visit NFPHub.