Keys to Successful Remote Audits of Nonprofit Organizations

The coronavirus (COVID-19) pandemic severely disrupted business operations for many not-for-profit organizations and their service providers. As the pandemic hit the United States, a new way of conducting fieldwork became an immediate necessity.

For many auditors, performing fieldwork remotely was an unfamiliar concept prior to March 2020. Traditionally, there has been an inherent aversion to remote audits in the public accounting profession based on the belief that auditors need personal interaction to effectively apply auditing standards. When that was suddenly not possible, CPA firms had to quickly pivot and adjust their standard operating procedures to ensure that levels of client service and audit quality were maintained in a remote environment.

Based on the experiences of auditors who have performed remote audits for many years, as well as new methods identified throughout the pandemic, this article explores the strategies that auditors can consider as they continue to plan and conduct remote audits for not-for-profit organizations.

Planning for the Audit

Performing effective and efficient remote audits begins with proper planning and preparation. The first step is scheduling a kick-off meeting between audit team and client team members to discuss and understand significant key items that occurred during the audit period as well as any unique challenges that the organization is facing.

Auditors should make sure to discuss and establish specific timelines and expectations between the audit team and the client team. This conversation should include not only due dates for deliverables and anticipated lead time, but also communication of whether the client team will be in the office or remote and whether they are available to provide audit documentation. During these conversations, auditors should also gain an understanding of the client’s communication preferences, such as the frequency of video conferences and meetings, and the mode of communicating open items and other requests.

It is also important to conduct planning and preliminary testing procedures before or near year-end. Auditors should review board minutes to generate questions and conversations surrounding key transactions or events. Audit transactions should be tested early on to minimize questions and audit requests during fieldwork.

Assessing Risk

Many aspects of a not-for-profit organization’s business and industry are likely to have changed as a result of COVID-19. All kinds of business operations have been disrupted by work stoppages, travel and work restrictions, and the imposition and lifting of stay-at-home orders. As a result, information gathered by procedures performed in prior periods may be far less relevant today. An auditor may need to approach the audit in a manner similar to the audit of a new client. Risk assessment procedures are likely to be more extensive as a result.

Involving Other Members of the Engagement Team

In the remote environment, risks of material misstatement identified in prior years will likely be intensified, while new ones are likely to emerge. Simultaneously, audit evidence and sources of evidence relied on in prior years may be much more difficult to obtain or, in some cases, may be unobtainable.

Given the need for auditors to evaluate significant judgments and assumptions, they should consider planning for increased involvement of partners and other senior members of the engagement team, especially in the areas most significantly impacted by COVID-19. These experienced and additional sets of eyes can meet the heightened need for exercising professional skepticism and help the audit team focus on ways in which COVID-19 risks and developments have increased the risk of material misstatement.

Senior members of the team can also help identify areas of vulnerability to material misstatement due to the increased incentives and opportunities for fraud. Discussions should cover the effects of increased uncertainty on account estimates and new approaches to obtaining audit evidence.

Collectively, the audit team also needs to consider the challenges regarding supervision and management of remote team members and implement strategies such as increased use of videoconferencing to provide adequate supervision and instruction to less experienced members and ensure consistent audit quality.

If an audit firm plans to make greater use of automated tools and techniques in response to a reduced access to other forms of evidence, this discussion may also need to address the audit team’s comfort level with those tools and techniques and the possible need for on-the-job training.

Re-evaluating Internal Controls

As not-for-profit organizations were forced into a remote environment, changes to their systems, controls, and documentation procedures were inevitable. The degree of change, however, may well have varied depending upon how fully an organization had embraced an electronic workflow before the pandemic (as opposed to those organizations that relied heavily on paper documentation, physical check payments, and pen and paper approvals). And in the past two years, some organizations have adapted so successfully that they can be thought of working from the office even when working from home.

As the audit team conducts this year’s audit and makes recommendations, it should consider those new controls that resulted from the pandemic and whatever future controls are due to necessary improvements. Auditors should determine the number of internal control systems in effect from the beginning of the financial statement period through the completion of the audit. Keep in mind that an organization may have experienced several levels of operations and controls during a single reporting period.

To test the implementation of controls, a traditional review of authorizations and approvals could still be accomplished in a remote environment, via the scanning and uploading documents or screen-sharing. On the other hand, it might not be possible for auditors to observe not-for-profit employees applying controls in person in the current environment. Auditors may need to brainstorm and collaborate with clients to determine how to obtain sufficient appropriate evidence about the design and implementation of controls relevant to the audit in a remote working environment.

The importance of an auditor’s insights on internal control has likely increased. Significant deficiencies and material weaknesses should be contemporaneously documented in audit working papers and communicated timely, both to the client and those charged with governance, at the conclusion of the audit. Auditors can provide the most value by:

  • Understanding entity-level controls versus activity-level controls and the impact on operations and financial reporting
  • Applying professional judgment in determining how internal controls (which rely heavily on paper signoffs and documentation) can be tested and assessed remotely
  • Determining the use of service organizations, especially if the SOC1 report is delayed or unavailable.

Detecting Fraud Vulnerabilities

The opportunity for fraud is increased by breakdowns in internal controls due to a reduced workforce and changes or gaps in processes when work shifted to a remote environment. The ability to rationalize fraud is also enhanced when employees can conceive of additional justifications, such as the notion that the fraud is only temporary until the pandemic is under control or the sense of urgency when medical bills or mortgage payments pile up. Employees may also feel entitlement because they “are doing more than their fair share” due to a reduced workforce.

Evaluating COVID-19 Relief

Many not-for-profit organizations took advantage of COVID-19 relief programs that have tax, financial reporting, and auditing implications. Because these programs are relatively new, accounting systems and controls may not be designed to track compliance with all their requirements.

An auditor needs to be familiar with the eligibility, documentation, and other requirements of each program in order to plan and perform necessary audit procedures. These requirements are provisions of laws and regulations with a direct effect, and audit procedures need to be designed to detect any misstatements that result from noncompliance.

Auditors should have a conversation with clients about the funding received and maintain awareness of the internal controls over these funds and the potential for fraud and noncompliance. These programs include the following:

  • Paycheck Protection Program (PPP). Considerations include ensuring compliance with PPP changes and reporting requirements; reviewing internal controls over PPP transactions; and the PPP loan’s impact on expense allocations.
  • Provider Relief Fund (PRF). Considerations include the regulatory and reporting requirements for PRF funds distributed by the Department of Health and Human Services (HHS) and the need to ensure accurate and complete reporting of requests for reimbursement that are not covered by another source.
  • Employee Retention Credit (ERC). This payroll tax credit requires accurate and complete reporting of requests for reimbursement that are not covered by another source. An auditor should ensure compliance with documentation and notification requirements and understand the revenue recognition methodology used.
  • Shuttered Venue Operating Grants (SVOG). Auditors must review allowable expenses as defined by the terms and conditions of any award granted; they must understand the regulatory and reporting requirements of the funding source; and they must grasp the limitations on spending and potential offsets due to other funding sources (e.g., PPP, Economic Injury Disaster Loans, Restaurant Revitalization Fund).

An auditor’s fraud antenna needs to be raised to the highest possible level under these circumstances. The audit should be conducted with an assumption that there may be fraud present. Auditors must consider potential new fraud risks that may have arisen as a result of the pandemic, as well as changes in key personnel and vendors who have access to an organization’s systems.

When fraud inquiries are conducted remotely, videoconferencing is preferable to phone interviews. Auditors typically want to see the facial expressions and body language of the individuals being interviewed. As restrictions are eased, fraud inquiries are likely to be a priority for face-to-face discussions.

Auditors should assign more experienced engagement team members to perform any fraud inquiries. When selecting which of a not-for-profit organization’s personnel to speak with, auditors should consider including individuals involved in the process of applying for PPP loans and other governmental assistance, where applicable. (See the Sidebar, Evaluating COVID-19 Relief.)

Applying Analytical Procedures

Throughout the audit, it is necessary for auditors to consider the expectations and data used in order to effectively develop and apply analytical procedures to supplement substantive procedures. The effectiveness of substantive analytical procedures can be improved significantly by paying careful attention to the quality (accuracy and completeness) of the information gathered during preliminary engagement planning activities.

Auditors should be diligent in obtaining detailed explanations of the reasons for variances from expectations or account balances and corroborate these against the supporting documentation. For example, when comparing the current-year balance to the prior-year balance (or current-year expectation), an auditor needs to quantify the effects of known changes caused by COVID-19 or other factors on the amount.

Overgeneralizations, such as: “The balance is lower because of COVID-19,” should be avoided in documented explanations. Whenever possible, quantify variances and the effect of known events on revenues, such as revenues lost when the entity shut down for two months or price concessions made on major contracts.

Potential pandemic-related changes to data commonly used in analytical procedures for not-for-profit audits include the following:

  • Changes in the pattern and amount of revenue streams
  • Receipt of additional funding or tax credits provided under the CARES Act or other government relief
  • Impacts to staffing, wages, and benefits
  • Changes in collection patterns for receivables
  • Volatile investment markets.

Developing Accounting Estimates

The economic disruptions and challenges created by the COVID-19 pandemic may cause accounting estimates to exhibit greater uncertainty and more frequent re-evaluation. It is important to inquire about conditions or events caused by COVID-19 that affect accounting estimates and consider whether historical assumptions still provide an accurate assessment.

The development of significant estimates, such as an allowance for uncollectible receivables, often relies on historical data. In the COVID-19 environment, however, more effort will likely be needed to understand how current economic conditions and uncertainty may alter the assumptions used to develop those estimates. Management should review the historical assumptions being used and determine whether they still provide an accurate means of predicting, for example, future collections when calculating the allowance for uncollectible receivables.

Assessing Technology

The COVID-19 pandemic has been a stark reminder of the risk not-for-profits assume if they do not pro-actively invest in new technologies to address financial and operational threats. The rapid shift to remote work environments exposed major issues, such as internal controls that were insufficient to protect against fraud and antiquated systems that could not support productivity and demand. Many of these vulnerabilities were found in the finance function.

Two of the most cost-effective and impactful changes a not-for-profit organization can make in this area are 1) the utilization of a third-party accounts payable (bill-pay) service provider to strengthen internal controls over the accounts payable (A/P) process and reduce human error, and 2) migrating to a cloud-based general ledger to allow for easier remote accessibility by auditors and staff.

Of course, these changes come along with increased cybersecurity risks. An auditor should evaluate cybersecurity policies and procedures in conjunction with new technology recommendations, as well as the virtual fieldwork model.

Inquiring about Going Concern

Inquiries about going concern uncertainties need to be conducted early in an audit. The operating and financing pressures created by COVID-19 will result in more situations in which substantial doubt about an entity’s ability to continue as a going concern is a significant audit issue. An auditor will likely want to have early discussions with management about the planned response to circumstances creating increased uncertainty around going concern. Heightened professional skepticism in this area is critical in the current economic environment.

Going concern inquiries should focus heavily on management’s revised forecasts and plans. Auditors should consider requesting an updated financial forecast covering a period of no less than 12 months after the date of the financial statements.

Internally, the audit team may need a refresher course to stay current with going concern requirements. Firms should also consider the need to modify the auditor’s report for scope limitations, emphasis-of-matter paragraphs referencing COVID-19 related disclosures, and the going concern paragraph.

Identifying Subsequent Events

Due to the volatile current economic environment, small and midsize not-for-profit organizations may be faced with significant events that occur after the date of their financial statements, but before those statements are issued or available for issuance. Auditors should make sure they are not overlooking any red flags, such as a subsequent decline in market value of investments, the loss of major donors, or the failure of a bank to renew an operating line of credit after year end.

Early and Often

In summary, to succeed at a remote audit, it is imperative to plan early, communicate often, and adjust one’s audit approach to face the new realities brought on by COVID-19. Technology should be used to one’s advantage whenever possible. (For examples, see the Sidebar, Top 5 Tips for Conducting Effective Remote Audits.) And auditors must always remain flexible—just as the traditional hours and required availability of auditors in public accounting have changed substantially due to the pandemic, so have the lives and needs of clients and audit team members.

Top 5 Tips for Conducting Effective Remote Audits

Auditing in a remove environment requires new approaches to ensure that audit procedures are properly followed. The following tips can help CPAs effectively maintain audit quality during fieldwork:

  • Utilize video conferencing and screen-sharing often. The more frequently these tools are used between audit and client teams, the easier it will be to recreate the working environment and gain mutual comfort with document legitimacy. Screen-sharing with clients can effectively replace watching over their shoulders or shadowing them through procedural walk-throughs. In addition, auditors can continue to perform alternative procedures surrounding bank confirmations by watching clients as they log into financial institution websites to verify year-end balances. While viewing client screens, auditors can also review sign-off history and date/time stamps that support timely review and approval.
  • Keep your camera on. An auditor’s ability to assess the overall culture of a not-for-profit client is severely inhibited by an inability to be onsite, but using cameras in all client meetings can help bridge that gap and support both client and staff relations. The use of web cameras allows auditors to read body language and gauge nonverbal cues. It can also support various aspects of internal audit team meetings, including communication and collaboration, as well as training.
  • Transition to remote verification of supporting documents. Auditors are trained to review every piece of supporting documentation and vouch for its reliability through color ink, wet signatures, and other evidence that would indicate a document is original. This approach is also used when confirming that supporting schedules actually originate from the general ledger being tested. Auditors have historically performed these steps in person by, for instance, watching clients run reports directly out of their general ledger software. These same concerns can still be considered and mitigated in a remote environment—for example, asking a client to hold up a specific piece of supporting documentation while screen-sharing could enable auditors to review such details as ink color, paper texture, and signature clarity.
  • Exchange documents electronically. Making it easy for not-for-profit clients to scan and upload documents to an audit firm’s secure portal can be beneficial in efficiently compiling audit evidence. Auditors can use folders and subfolders to clearly convey information and documentation requests and organize the files received in response. Auditors can also set up notifications so that they are aware as soon as clients upload. Because the transfer of information electronically increases cybersecurity risks, the stress on safe file transfers through secured portals or encrypted emails is critical.
  • Ensure consistent and ongoing communication. In a remote environment, it is essential to identify and maintain open lines of communication with clients. Although it may be more difficult to navigate difficult conversations, open items, and planning meetings when meetings are not face-to-face, a proactive approach can make remote communication more seamless. In addition to planning an audit kick-off meeting with management and audit committees, auditors should pre-schedule the check-in calls that will happen throughout the audit. Whenever possible, conduct conversations via videoconference, not email or phone, to create a better dialogue between all parties; issues must be addressed throughout the audit process, not at the end. Finally, within the internal audit team, it is also best to create group chats for each engagement to allow for increased collaboration and communication within the group.

This article was originally published in the March/April 2022 issue of The CPA Journal.

David M. Rottkamp David M. Rottkamp, CPA, is an Audit Partner and Nonprofit Practice Leader, at Grassi. David has over 36 years of experience providing audit and advisory services to the not-for-profit and health care industries. David focuses on organizations serving individuals with special needs, religious organizations, educational institutions, membership associations, social service providers, healthcare providers, foundations, and the arts and culture world. David’s technical knowledge allows... Read full bio

Vanessa M. Gordon Vanessa Gordon is a Principal at Grassi and works with clients solely in the Nonprofit industry. She has experience auditing a variety of industries including health care and human services organizations, institutions of higher education, local and governmental units, and religious organizations. Vanessa demonstrates her expertise in the auditing practice area, which encompasses financial reporting, preparation of financial statements and tax preparations. She has... Read full bio