This primer on internal auditing needs to be studied in concert with the internal controls, operating procedures, and reporting requirements covered in the following sections of this resource: Basic Internal Controls that every All Volunteer Organization (AVO) Should Have; all three segments of Cash and Bank Accounts; both segments of Internal Reporting; and both segments of External Reporting, especially the sub-segment Maintaining Tax-Exempt Status. The internal auditors need to confirm that the controls that have been adopted are in place and operating effectively, that operating procedures are being followed to the letter, and that required reports are accurate and being filed on time.
Every AVO that does not have an external audit conducted in a year should have an internal audit. The fundamentals of establishing an internal audit function are as follows:
- The audit process and expectations (like what reports should be provided by the auditors, to whom, and when) should be part of the bylaws of the AVO and/or in the policies and procedures manual.
- The internal auditors should be volunteers, members, board members, or officers who have no responsibility for recording, physically handling, or approving financial transactions, etc. These internal auditors are sometimes configured as an audit committee. There should be more than one auditor, and the membership of the audit committee should be changed frequently, but preferably in such a way that there is always one member with experience who was on the committee the year before. If possible, at least one member of the audit committee should have some business experience, preferably in bookkeeping or accounting. Note: If there is another AVO of the same type and size, the AVO should consider asking for a reciprocal audit arrangement: have the auditors of the first AVO audit the records of the second while the auditors of the second audit the records of the first. This arrangement greatly increases the credibility of the internal audits because the auditors are truly independent of the records they are auditing, yet there is no cost like there would be with an external audit.
- The auditors should report the results of their work at a board meeting, which should formally accept the report. A signed written version of the audit report should be given to the secretary to include in the minutes of that meeting.
- The audit committee should obtain a receipt from the treasurer that all records have been returned to him or her intact.
- Every account and every financial component of the AVO should be audited; none should be left out "because it is so small," or "we did nothing with it last year," or "I just can't find those papers right now." The auditors don't have to look at every single transaction in every account, but they should look at every account in one way or another.
- The auditors should never assume that the totals, subtotals and numbers carried over from one area to another are correct. The auditors should re-add, recompute, and trace all numbers.
- The auditors should write a simple plan ahead of time of what they intend to do and then follow it. This can also make the audits conducted in subsequent years easier to do.
- The audit should be performed as soon after the year end as possible.
- An internal audit should be performed whenever there is a change in the treasurer.
The details of what should be done in the audit itself are difficult to cover in this resource because each AVO is unique, with its own set of bylaws, policies, procedures, financial transactions, exempt purpose, etc. What is listed here is not to be considered a complete list of audit steps and procedures, and some of those mentioned may not be applicable to a specific AVO. Even if an AVO cannot afford an external audit by a CPA, it should consider engaging one to design an internal audit program for the AVO. This would not be too costly and would represent a one-time investment. Nonetheless, presented here is a list of some of the audit steps and procedures that would be appropriate and in most cases necessary for internal audits of AVOs:
- The auditors should ensure that they have access to articles of incorporation, bylaws and/or policies and procedures manual, list of all officers and other responsible individuals with their titles, list of authorized signatories on bank accounts, copies of all minutes for the year, copy of the minutes for the last meeting of the year preceding the audit, copy of the minutes for the first meeting held after the year of the audit if one has been held, a list of all bank accounts, reports filed with regulatory agencies (like the IRS), all correspondence from regulatory agencies and any letters from attorneys.
- The auditors should ensure that they obtain all credit card statements, treasurer reports, bank statements, and bank reconciliations for the year, and as with the minutes, the last one of each for the preceding year and the first one of the subsequent year.
- The auditors should obtain all checkbooks and canceled checks. The invoices and other supporting documentation for payments should also be obtained.
- The auditors should obtain documentation of cash collections and bank deposits (like deposit slips).
- The auditors should obtain any books of financial records like journals and ledgers.
- Test a few of the treasurer reports to ensure they are mathematically correct and all the numbers match those in other records (deposits, balance brought forward from previous report, balance forward to the next report, bank reconciliation, etc.).
- Test a few bank reconciliations to ensure they are mathematically correct and all the numbers match those in other records especially the treasurer reports and the bank statements.
- Ensure that all check numbers for the period are accounted for, including any voided checks which need to be examined to ensure they have been voided. Ensure there are no missing check numbers.
- Examine the largest checks written in the year, a sample of checks that appear to be written the same every month, and any that appear unusual. Verify that the amounts recorded in the other records (like the bank statement and treasurer report) match those on the checks, the dates match (make sure timing is not delayed or post-dated), the payees are who they should be, and the endorsements on the back of the checks appear to be legitimate.
- Match the largest checks written in the year, any that appear unusual, and a random sample of others to the supporting documentation for the payments: invoices (not vendor statements), sign offs that goods or services have been received, etc.
- Ensure the signatures on the checks are by the correct signatories and if two are required that there are indeed two "different" signatures on the checks.
- Examine the credit card statements and examine supporting documentation of any large and unusual charges.
- The auditor should sign in the checkbook where the final entry is for the year so that no additional entries can be made after the audit is completed. This signature should be checked the next year to ensure no additional entries have been made for the previous year.
- Examine all bank statements looking for any unusual transactions.
- Verify that established procedures for handling cash collected and bank deposits made have been followed to the letter.
- Verify that all other internal controls established in the bylaws and/or policies and procedures manual have been implemented and carried out correctly by the correct authorized individuals.
- Always pay attention to the timing of work done (deposits, reports, payments, etc.) to ensure that there are not long delays or post-dated work.
- Count the petty cash fund if there is one.
- Verify the list of outstanding bills unpaid at the end of the year, or make a list if one is not already prepared.
- Ensure that all donations have been handled correctly and that receipts have been sent out to individuals who contributed $250 or more.
- If the AVO has any equipment or similar assets, ensure that the list of assets matches what is in existence; examine the assets to ensure they are present and in good condition.
- Review all reports to external agencies (IRS, etc.) to ensure they are accurate and filed on a timely basis. Review all correspondence received from external agencies.
- Include in the auditors' report:
  - Any exceptions found
  - Confirmation of all that is found to be correct
  - Signatures of all auditors