Q&A #39 – How should a small-staffed nonprofit address audit findings on segregation of duties?
Question: I run a small-staffed nonprofit organization, and our annual financial statement audit generally has gone very well. However, we have received repeated segregation of duties findings each year. Our audit committee gets bogged-down on this single issue. How can we better address this issue for our next audit?
Answer: Addressing segregation of duties findings in an audit is a common challenge for small-staffed nonprofits, and this issue can best be mitigated by proactive front-end outreach and communications with your independent auditors and audit committee, and by submitting a formal written Management Response to be included in the auditor’s Management Letter before the final draft is issued.
Segregation of duties is a core principle aimed at mitigating occurrences of errors and fraud by separating shared responsibilities and processes in order to strengthen checks and balances built into internal accounting control systems (“IACS”). Small-staffed organizations are naturally constrained in their ability to spread critical accounting functions among different individuals, since there are fewer employees to take on these responsibilities.
Consider the following three tactics for addressing IACS challenges related to segregation of duties:
Meet with your auditors well before the current year ends and discuss audit findings from the prior year audit. Specifically, ask the auditors for their interpretation of industry guidance related to segregation of duties. And ask them about alternative low-cost solutions that could be implemented, such as using volunteer leadership oversight or using third party outsourced services (e.g., online banking, accounts payable/bill paying services, payroll services, or bookkeeping services).
At the front-end of the audit engagement, inform your auditors that, for any future audit findings, you want to submit a formal written Management Response to be included in the auditor’s Management Letter before the final draft is issued to the audit committee. Knowing that a Management Response will follow each finding will impact the selection and timing of related communications for the findings the auditors choose to include. More importantly, any finding ultimately listed in the Management Letter will appear in a better light if followed by a thoughtfully written Management Response.
Meet with your audit committee before the audit formally begins and review the Management Letter findings from the prior year audit. Explain the facts and circumstances behind the findings, any changes to these facts and circumstances, and any steps management is planning to take or has taken to alleviate the perceived weakness in IACS caused by limited options related to segregation duties. This is the best time to engage your audit committee on the challenges of a small-staffed organization and get their input on how to best manage segregation of duties in the future.
Planning Tip – Make better use of the risk assessment meeting with the auditors and other inquiries that occur before fieldwork starts. As part of auditors risk assessment procedures, request that a separate formal live meeting with the auditors and the audit committee be scheduled. At this meeting, have the auditors explain their perspective related to past audit findings (including findings related to segregation of duties) and whether they believe the findings are naturally recurring or if there is an opportunity to efficiently correct IACS weaknesses identified.
These three proactive tactics will go a long way towards improving audit committee confidence and trust by giving them a better understanding of the natural challenges faced by a small-staffed organization. Also, these front-end steps will help sensitize your auditors to the optics of listing segregation of duties findings and prompt them to be more proactive with identifying potential alternative solutions.
If you have a question you would like to submit to SE4N, send it to us using the contact form and we will consider answering it in a future post. Please do not send confidential information.