As management or a stakeholder within an organization, it’s essential to understand and execute your fiduciary responsibilities as it relates to your organization’s audit (provided one is conducted). Everyone wants to have a “clean” audit with no findings, but internal control findings are very common in smaller organizations. They aren’t necessarily a result of wrongdoing (though they can be sometimes), and the findings have different levels of severity. Findings can be related to the design of procedures and controls, or they can be due to a control not functioning properly.
Severity of Findings
The auditors are required to report control matters to management and governance that rise to the level of being significant or material (the deficiency has the potential to cause a misstatement that would affect how people view and use the financial statements). Any deficiency in internal control qualifies as a control deficiency, but some aren’t significant or material. They might cause an insignificant misstatement, but the auditor was able to isolate the effect to a small amount. Those instances are usually communicated during the audit or in a letter to management and are not reported as findings. When the deficiency is significant or material, it will be reported to management and governance as a finding.
The two terms for findings in an audit are significant deficiency and material weakness:
Significant Deficiency – A deficiency, or combination of multiple deficiencies, in internal controls that is important enough to warrant attention from governance. However, it is less severe than a material weakness.
Material Weakness – A deficiency where one or more controls either doesn’t exist or is ineffective, such that a material misstatement in the financial statements could (or did) result. A material weakness is more severe than a significant deficiency since there is potential for a more substantial effect on the financial statements.
Documentation of Findings
In a nonprofit audit, the findings will be communicated either in the reporting package (as supplementary information to the financial statements) or in a letter. Those organizations that don’t have a separate compliance audit will generally have findings reported in a letter, so they are visible only to management and governance.
Each finding is generally made up of five elements:
- Condition – What happened, or what is the process being performed
- Effect – The impact of the condition
- Cause – Why did the condition occur
- Criteria – Authority for the condition being an improper procedure
- Recommendation – How can the procedures be changed so it isn’t a finding again
Here is an example of a common finding for a segregation of duties deficiency:
- Condition: One individual within the organization opens the mail, records cash receipts, prepares the bank deposit, and sends thank you letters to donors.
- Effect: This individual has the opportunity to misappropriate cash receipts because this person has the responsibility to receive and record cash receipts.
- Cause: The organization does not have procedures in place to properly segregate the custody (handling the cash) and recording duties for cash received by mail or in person.
- Criteria: Internal controls should be in place to provide reasonable assurance that cash receipts are received by the organization and properly recorded in the accounting records.
- Recommendation: We suggest management implement additional procedures to separate the duties of custody and recording. If these duties can’t be separated, management should evaluate whether other procedures could be implemented to help reduce the risk of misappropriation of assets.
In a compliance audit, management of the organization is required to respond to the finding, which would be shown as a response.
Effects of Findings
Findings aren’t meant to “ding” organizations or increase oversight from a third party. Conversely, a lack of findings doesn’t mean an organization’s internal controls are necessarily airtight. Deficiencies could exist that weren’t identified during the audit. Auditors report on things that were noted as a result of testing and understanding procedures and controls. The recommendation is meant to help management improve procedures in the future to reduce risk in the organization. The auditors can be a part of an open dialog with management and governance to brainstorm ideas to implement controls that address the deficiencies that were noted. If you have any questions on audit findings (whether from Forge or another auditor), we would be happy to discuss them with you.