You are on the board of a not-for-profit organization (NFP) and charged with making wise decisions for the good of the organization and its donors. When is the best time to perform an audit of its financials?

The NFP doesn’t have any outside requirements to have an audit. It does not need to provide one to a lender to fulfill debt covenants, nor does it need to file one with the state because its revenue is over the threshold. None of your big donors have asked for your financial statements in years because they look at your IRS Form 990. But isn’t it a best practice to have an annual audit performed by an independent auditor? Before you send out a request for proposal, let’s look at what a financial statement audit really means, and what other service offerings may be a better fit.

First, establish what result your organization is looking for. Is it a set of financial statements with an accountant’s report? Is it a deeper dive into your operations and internal controls, resulting in actionable recommendations for improvement? Perhaps it’s an analysis of the general ledger, looking for signs of fraudulent activity?

If you are focusing on financial statement reporting, it’s helpful to know the three main services: audits, reviews, and compilations. Each of these results in a set of financial statements, typically including some form of balance sheet, income statement, statement of cash flows, and statement of functional expenses. These also include footnote disclosures. For all three of these services, the financial statements and footnotes are identical. The difference is in the report from the CPA firm that is attached to the front of the financials.

The first two services below are attestation engagements. This means that the independent accountant provides a level of assurance that the financial statements are reported in accordance with generally accepted accounting principles (GAAP).

What is a Financial Statement Audit:

Financial statement audits are the highest level of assurance that can be obtained for an organization’s financial statements. The auditor issues an opinion that provides reasonable assurance that the financial statements, including footnotes, are presented fairly, in all material respects, in accordance with a relevant reporting framework like GAAP. As independent auditors, CPAs are bound by generally accepted auditing standards (GAAS) that structure how an audit must be performed. In return, the audit report “enhances the degree of confidence that intended users can place in the financial statements.” (AICPA AU-C 200.04)

Required elements of an audit include the following:

  • Risk assessments to determine where the financial statements and footnotes are at higher risk of material misstatement. In the auditing standards, revenue recognition is presumed to be a higher risk area for all organizations.
  • An assessment of internal controls, including obtaining an understanding of the internal control structure as it impacts financial reporting, and performing limited procedures to gain comfort that the controls have been implemented as described.
  • Reporting of qualitative and quantitative audit results to those charged with governance. For NFPs, this is often the board of directors, or an audit/finance committee if such a group has been authorized by the board to act on its behalf.

From a practical standpoint, a financial statement audit includes detailed testing of activity from the fiscal year and of year-end balances. For your first audit, this also includes testing beginning balances. Third-party documents, such as invoices and contract agreements, are requested by the auditor and confirmations are sent to outside parties to verify certain transactions and balances. Analytical procedures are also performed on populations of data, such as assessing the change in compensation expense from the prior year by comparing to the change in staffing levels and approved pay increases.

As a part of the audit, most CPA firms will also assist with pulling together the financial statements and footnotes from the organization’s trial balance and audit workpapers. Keep in mind though, the audited financial statements and footnotes are the responsibility of the organization. The NFP can’t rely on its external auditors to be the GAAP experts if the auditors are to remain independent. If your organization doesn’t have the knowledge, skills, and expertise to oversee the preparation of GAAP-basis financials, that’s an indicator of an internal control deficiency the auditors will likely write up as a finding.

An internal control letter, or a letter of comments, is a byproduct of a financial statement audit. It should be noted that the purpose of an audit is not to seek out internal control deficiencies. However, if the auditors identify any weaknesses as part of their audit procedures, they are required to put them in writing to those charged with governance. If you receive an internal control letter, donors and lenders will often ask to see it in conjunction with your audited financials.

What a financial statement audit does not include is an auditor’s opinion over internal controls or a full assessment of operations and workflows. Depending on what the auditor observed during audit testing, the auditee may receive some suggestions about these items. These are not the purpose of a financial statement audit, but the auditors have a good idea of what the best practices are in your industry and can provide some feedback.

What is a Financial Statement Review:

A financial statement review is narrower in scope than an audit. The independent accountant does not issue an opinion; rather, a review report indicates that the accountant did not note any material modifications that would need to be made to the financials in order for them to be in accordance with GAAP.

Reviews consist primarily of inquiries of the NFP’s management, plus some analytical procedures on the balances and activity. Reviews do not include an assessment of internal controls or vouching to third-party documents.

If your organization’s goal is to obtain a set of financials that have more assurance than management-prepared statements, and there isn’t a desire for the internal controls assessment or higher level of assurance that an audit provides, a review is a good option. A review is also lower in cost than an audit.

What is a Financial Statement Compilation:

A financial statement compilation provides no assurance from the independent accountant. The accountant simply takes the financial data and puts it into the form of financial statements. If you have a CPA on staff, you probably don’t want to spend the money to have a compilation performed. If you don’t have a robust accounting staff, a compilation is the lowest-cost option for a set of financial statements and footnotes from an independent accountant.

Other Engagements:

What about services that aren’t focused on providing a complete GAAP-basis set of financials? One benefit of the following two types of engagements is that they can be right-sized to fit any budget by simply expanding or limiting the scope of work.

Agreed-Upon Procedures (AUPs):

This attest service is very flexible as to what it can provide. Management and the external accountant work together to come up with a list of procedures for the accountant to perform, and the accountant reports back on the results. The benefit is the procedures can be structured to get at the specific areas of interest of the organization.

Examples of agreed-upon procedures include tests of a sample of cash disbursements to see evidence of the internal control procedures occurring, or tests of a sample of payroll transactions to see if signed timesheets were kept on file. Analytical procedures can also be performed, such as running data analytics over a population of disbursements to identify all checks cut on the weekend, for example, with the results provided to management.

There is no audit opinion with an AUP. Unless it’s written into the engagement letter, there is no application of materiality by the accountant, and no judgment as to which errors or exceptions are included in the report. The independent accountant simply reports the results. Management and the board can determine what follow-up they want to implement internally.


Finally, consulting is the most flexible type of service that you can obtain from a CPA firm. The NFP and CPA firm can discuss what the NFP’s needs are and can structure the best solution to the problem. Many CPA firms have ready-to-go consulting projects that they offer to organizations. For example, Clark Nuber has consulted with NFPs that receive federal funding to assist them with their implementation of the Uniform Guidance requirements. We also offer a Business Health Checkup service, which looks at compliance and reporting matters. We can lead Enterprise Risk Management discussions to help identify and prioritize areas of risk for your organization. Our IT audit team can do a deep dive into your IT internal controls, including performing penetration testing to see where the weaknesses in your system are. We have accounting software experts to do a functional needs assessment for your software packages. These may be more useful than an engagement that is focused on financial statement reporting.

In conclusion, a financial statement audit may be just what your organization wants and needs. But before diving into your first audit, take a step back and figure out what would be the best service for your needs (and your budget!).

© Clark Nuber PS, 2018. All Rights Reserved

This article contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.