Nonprofit Audit Committee: Roles, Responsibilities, and Best Practices


For nonprofit leaders, protecting your organization’s mission means more than strong programming – it requires strong governance. One of the most important governance structures a nonprofit can have is an effective audit committee. Many organizations delegate the responsibilities of audit oversight to a subcommittee. However, committee members often don’t receive proper training or clarity on their roles, which can cause a disconnect between board members and staff, inefficiencies in process, and a weakened ability to identify and respond to risk.

Audit Committees are not symbolic. Their role goes beyond satisfying regulatory requirements or meeting a compliance checklist. An effective committee can be one of the most powerful tools a nonprofit has to protect its mission and its assets.

What Is an Audit Committee (and Why It Matters)

An Audit Committee is a small group — separate from full board deliberations — charged with independent oversight of your organization’s financial health, internal controls, and compliance. A nonprofit Audit Committee’s responsibility can vary from organization to organization, but traditionally, the committee focuses on the annual audit process, internal controls, and financial oversight.

For nonprofits specifically, the stakes are high. Your organization’s tax-exempt status, reputation with funders, and public trust all depend on sound financial management. Unlike for-profit companies, nonprofits are accountable not just to shareholders but to donors, grant-makers, regulators, and the communities they serve. An Audit Committee provides the independent oversight structure that gives all of those stakeholders confidence that the organization is managing its resources responsibly.

Because of this oversight role, Audit Committees need to have objective members. Some state regulators have specific requirements on membership.

Example: State Audit Committee Requirements

New York requires that Audit Committees include at least three members of the Board and that all members are independent (generally meaning that members and their relatives are not paid by the organization).

Nonprofit stakeholders and funders have increasingly high expectations of standards of governance. For this reason, the committee should sit at the top of the control hierarchy at an organization. Committee members should not be involved in either the day-to-day processing of transactions or the performance of management functions.

The committee’s task is to oversee those functions, which serves as an important part of demonstrating the organization’s commitment to responsible and transparent financial management. Understanding what an effective committee looks like — and what it actually does — is the first step toward building one.

Core Responsibilities of a Nonprofit Audit Committee

In practice, an audit committee’s role focuses on practical oversight rather than just theoretical governance. Here’s what the committee actively does during the year.

Oversight of the Audit Process

Independent auditors spend most of their engagement working with management, but the auditors work for the Board. The Audit Committee is responsible for selecting the audit firm, receiving a report from the auditors on the results of the audit, and evaluating the auditors’ performance.

When selecting an auditor, the committee should consider:

  • The reputation and quality of both the CPA firm and the individuals assigned to the engagement
  • The cost and fee structure
  • Timeline of service delivery
  • Composition of the audit team

The committee should also ensure that the firm is independent and should ask for a copy of the firm’s most recent peer review report.

Professional standards require auditors to communicate with the audit committee both before and after the completion of the audit.

Pre-audit communication

The pre-audit communication will include information on the scope and timing of the engagement as well as information on the auditors’ preliminary risk assessment on the engagement. Meeting before the audit also gives the committee the opportunity to flag any concerns that they have for the audit team so that the auditors can effectively design their audit plan.

Post-audit communication

Communications at the end of the audit will include information on the execution of the audit. This can reveal valuable insights for the Board that might not otherwise be apparent, particularly if the audit team identified misstatements in financial reporting or deficiencies in internal control. The auditors can typically provide needed context for these items as well as other operating processes and procedures.

In practice, both committees and auditors should ensure that there is effective two-way communication.

Monitoring Internal Controls

The reporting on internal controls mentioned above is often the most useful component of the auditors’ report to the committee.

“Internal control” refers to internal policies and procedures that an organization implements to ensure financial and compliance objectives are met.

Example: Internal Control in Practice

An organization may have multiple individuals review expenses before they are paid to ensure that the disbursement is for an approved business purpose and paid to a valid vendor.

The auditors should report deficiencies in internal control that they identify to the committee. Even when there aren’t deficiencies listed in the report, the committee can still ask the audit team about any recommended best practices.

These types of recommendations should not necessarily be interpreted as a problem – even high-functioning organizations have areas where they can improve and part of the value of an audit is having an independent viewpoint on these areas. But follow-up matters. The Audit Committee should oversee management’s progress towards addressing audit findings so that they don’t recur in future audits.

Compliance and Risk Oversight

Nonprofit organizations are subject to reputational risk that can impact funding from both the private and public sectors. As such, in addition to the broad set of risks that all businesses face, Audit Committees should be aware of the additional compliance rules and industry-specific risks that they should oversee.

Most nonprofits have conflict of interest policies that require disclosure of any potential conflicts from Board members or individuals in senior management. These relate to laws and regulations that govern potential related party transactions. Because of the reputational impact to both the organization and individual Board members, compliance with these policies should be governed and enforced by the Audit Committee.

In practice, this may mean that the committee:

  • Receives annual disclosure statements from the Board
  • Ensures a process is in place for identifying and resolving any potential conflicts of interest

In addition, nonprofit organizations file publicly available programmatic and financial reports, including IRS Form 990. These filings protect the organization’s tax-exempt status, but they should also be reviewed by the committee before issuance because both regulators and the general public use them to gain information about the organization.

Audit Committee Best Practices for Strong Oversight

If your committee hasn’t been active in its monitoring role, you can pivot by treating this section as your practical playbook for improvement.

Build the Right Committee

Committees should have at least three members. While it is not practical (and not necessary) to have a CPA on every Audit Committee, the members should be financially literate or commit to learning to read nonprofit financial statements. Legal and compliance backgrounds are also extraordinarily helpful. Remember to check state regulations in case there are additional requirements.

Establish Clear Roles and Expectations

Ambiguity is the enemy of governance. Every nonprofit should have a formal, written Audit Committee Charter. This document clearly defines the committee’s authority, responsibilities, and scope, so every member knows exactly what is expected of them from day one.

Strengthen Communication with Auditors

Your external auditor should not just speak with your CFO. The audit committee must have direct communication with the auditor. A best practice is to include executive sessions that involve just Board members and the auditors at the end of every meeting. Even if there is nothing sensitive for the auditors to report to the committee, a private session builds trust in the audit relationship and gives committee members a venue to solicit honest feedback.

Beyond the Audit

Recent trends have led to Audit Committees overseeing more than just financial risks and the audit relationship. Some committees have expanded their portfolio to oversee enterprise risk, and in particular, technology risks. These committees may schedule sessions with insurance carriers and IT vendors.

While the full scope of IT exposure can appear overwhelming with the increase in cybersecurity incidents and the emergence of AI, committees should understand management’s current activities to protect the organization and their views on addressing these growing threats.

Empowering Your Committee, Protecting Your Mission

If your Nonprofit Audit Committee isn’t where it needs to be yet, don’t be discouraged. Most nonprofits don’t need a radical overhaul, but intentional, incremental improvements can make a substantial difference. Awareness is the first and most critical step. Further guidance is available from state regulators and the National Council of Nonprofits, or you can contact us with any questions.
