The board is responsible for their own policies and procedures, like having all board members sign a related parties disclosure and code of conduct. The board is also responsible for establishing the audit committee and defining the committee’s responsibilities. The audit committee is comprised of members of the board of directors and is answerable directly to the board. Generally the audit committee is responsible for oversight of the financial reporting processes. This includes risk management, internal controls, monitoring and communication. As a nonprofit auditor I consider all these risk during the risk assessment phase of the audit.

Risk Management:

Risk management is done at the board level, by the various committees, and by the organizations management. The audit committee is responsible for ensuring the organization establishes practices to identify risk in the financial reporting processes. Management is generally tasked with establishing financial reporting objectives and identifying risk affecting the entity, including the financial reporting process. The audit committee ensures management has established procedures to identify risks potentially affecting the accuracy of reporting, including fraud considerations.

Internal Controls:

Once the risk assessment is completed and potential risks have been identified, management designs controls to mitigate those risk. The controls must be designed to control what they intend to control and they must be implemented. The audit committee provides oversite to ensure management has developed an effective system of internal controls and that they are functioning properly.


The monitoring process is part of the risk management process and the internal control process. Monitoring also includes reviewing the monthly or quarterly financial statements including questioning budget to actual results outside of expectations. The choice of accounting policies and principles should be reviewed for their effect on the financial statements and compared to alternative choices. Quality of accounting principles are also considered. Monitoring the process to ensure compliance with grants and other contracts, and compliance with legal and regulatory requirements.


Establishing policies and procedures is of little value if they are not appropriately communicated throughout the organization. Two way communications between management and the audit committee must be maintained so that each have the available information to perform their duties with respect to governance and the financial reporting objectives.

The audit committee should be independent board members who have an accounting or financial background. A separate charter for the audit committee should be established and include the structure, scope, and process. The audit committee charter should be reviewed annually.