
Internal Audit in Not-for-Profit Organizations: A Strategic Tool

Updated: May 31


Not-for-Profit Organizations (NPOs) are at the forefront of driving meaningful change. In their mission to build a better world, principles like accountability, transparency, and impact are not just expectations, but guiding principles. Earning the trust of donors, boards, regulators, and communities is both a privilege and a responsibility. Amidst this noble pursuit, Internal Audit stands out as a transformative tool. It not only strengthens systems and safeguards integrity but also empowers organizations to deliver on their mission with greater confidence and clarity.


  1. Understanding Internal Audit in the NPO Context


  • What Is Internal Audit?

    As per the Institute of Chartered Accountants of India (ICAI) Preface to the Standards on Internal Audit:

    “Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity's strategic risk management and internal control system.”


  • Is Internal Audit a legal requirement or a best practice?

    Unlike statutory audit and tax audit, internal audit is not mandatory for all Not-for-Profit Organizations (NPOs). For NPOs registered as Section 8 companies, internal audit becomes applicable only if they meet certain financial thresholds under Section 138 of the Companies Act, 2013, such as high turnover, large borrowings, or substantial paid-up capital. These thresholds are typically relevant for larger entities.

    For other NPOs there is no statutory requirement for internal audit. However, it is widely considered a good governance practice, especially in the following situations:

    • Significant funds or multiple donor projects: Internal audits help track utilization, ensure donor compliance, and build transparency.

    • Geographically or operationally expanded activities: As organizations grow, audits help identify gaps in controls, processes, or reporting.

    • Receipt of CSR or foreign funding: While internal audit is not mandated under FCRA, it helps organizations meet donor expectations and mitigate risks related to fund utilization.

    • Leadership or structural transitions: Audits during such times help maintain continuity and strengthen oversight.

    • Growing reliance on technology: Audits can assess IT systems, data security, and automation-related risks.

    • Focus on risk management: Even without external mandates, internal audits proactively strengthen internal controls and boost stakeholder trust.

  • How Is Internal Audit Different from Statutory Audit?

    Although both aim to improve financial accountability, statutory and internal audits serve distinct

    A statutory audit is legally required under laws such as the Companies Act or the Income Tax Act. It focuses on verifying whether an organization’s financial statements are accurate and comply with legal requirements. This audit is conducted once a year by an independent Chartered Accountant, and the report is submitted to regulators, donors, or members. For a deeper dive into statutory audit requirements for NPOs, you can read our earlier article here.

    An internal audit is usually voluntary (unless required by specific laws for larger entities) and is designed to help management improve internal processes, controls, and risk management. It can be done more frequently—quarterly or half-yearly—and the findings are shared internally with the management or board. While statutory audits look backward to confirm what has already happened, internal audits take a more forward-looking approach by helping the organization strengthen systems and prevent issues before they arise.


  2. Internal Audit in Action: A Quick Look at the Journey

    The internal audit process follows a structured yet flexible path. The following visual captures the four key stages of the audit lifecycle:


    [Figure: icons for the four stages of the audit lifecycle: Plan, Review, Recommend, Follow-Up.]

    Let’s now dive into the specific areas that internal audits in NPOs typically cover.

  3. Key Areas Covered in NPO Internal Audits

    Internal audits in NPOs are not limited to financial scrutiny. They extend to operations, compliance, and risk management. Based on our experience of working with multiple NPOs, here are key areas typically covered in an internal audit, along with practical examples:


    • Monitoring of Internal Controls

      1. Review of policies and procedures in procurement, accounting, payroll, budgeting, HR, etc.

      2. Evaluation of control effectiveness and policy implementation.

      3. Identification of inefficiencies, control gaps, or redundant practices.

      4. Review of IT systems, data security, and access controls.

      5. Assessment of the organization's delegation of authority and approval hierarchies.

      6. Evaluation of automation, audit trails, and digital workflows.


    • Examination of financial and operating information

      1. Review of policies and procedures in procurement, accounting, payroll,

      2. Verification of income streams such as grants, donations, interest, and other unrestricted income.

      3. Accounting for non-monetary donations (e.g., in-kind contributions).

      4. Ensuring compliance with grant fund accounting norms and proper donor-wise accounting.

      5. Review of expense recognition and procurement processes.

      6. Assessment of the accuracy and transparency of expense allocation across donor projects.

      7. Evaluation of due diligence processes for partner NGOs or sub-granting mechanisms.

      8. Review of financial reporting to donors, trustees, and statutory authorities.

    • Review of operating activities

      1. Review of programmatic interventions, related SOPs, and documentation practices: This includes assessing how well programmatic processes—such as beneficiary selection, procurement, and field-level monitoring—are defined and followed.

        Pro tip: In our experience, while financial SOPs are often well-documented, programmatic SOPs and related records are frequently overlooked. Documenting and institutionalizing these not only enhances efficiency and continuity but also reduces dependence on specific individuals. Moreover, increasingly authorities are requesting programmatic records as part of their assessments, making it critical for NPOs to treat program documentation with equal importance.

      2. Review of impact assessment methodologies and their integration into program design.

      3. Evaluation of capacity building and training practices to ensure effective knowledge transfer.

    • Review of compliance with laws and regulations

      1. Verification of compliance with applicable statutory requirements including:

        – FCRA
        – Income Tax Act
        – CSR Rules
        – Companies Act (where applicable)
        – Labour laws (PF, ESI, PT, etc.)
        – Local trust/society registration laws

      2. Adherence to grant agreements, MOUs, and service contracts.

      3. Review of inward foreign remittances and FCRA bank usage.

      4. Verification of statutory filings and disclosures.

      5. Investment reviews for compliance with tax and FCRA norms.

    • Risk Management

      1. Assessment of governance structures—Board oversight, roles and responsibilities, committee functioning.

      2. Evaluation of conflict-of-interest policies and their implementation.

      3. Risk of program continuity—financial sustainability, donor dependency, strategic alignment.

      4. Risks associated with the use of volunteer personnel and volunteer board of trustees.


  4. Don’t Skip the Follow-Up: Importance of the Action Taken Report (ATR)

    While the Internal Audit Report is all about findings and suggestions, what plays a significant role in actually taking the correct action is the Action Taken Report (ATR). The ATR is what turns an audit from a report into a roadmap. Without a structured follow-up process, even the most insightful audit may not lead to meaningful improvements. NPOs must institutionalize tracking, discussing, and implementing recommendations within defined timelines. As per SIA 4 (Reporting), the ATR should include:

    (a) Status of compliance or corrective action already taken.

    (b) Status of pending actions and reasons for non-compliance.

    (c) Revised timelines for pending actions and assignment of responsibility.

  5. Conclusion

    1. Internal audits do not hold NGOs back; they help them grow with clarity and credibility. More than a review mechanism, internal audits are strategic tools that foster trust, strengthen systems, and support long-term impact.

    2. They offer leadership insight into what’s working, what’s not, and where risks lie.

    3. To help you decide if it’s the right time for your organization, use the checklist to assess whether an internal audit would be beneficial. Taking this step can set you on the path to stronger governance and greater impact.

  6. What Can Aria Offer?

    At Aria, we’ve partnered with 450+ NPOs across the past 14 years. Our team brings deep domain expertise and contextual understanding of the not-for-profit sector. We can support your organization in:

    1. Designing and executing meaningful internal audits,

    2. Strengthening internal controls and systems,

    3. Ensuring regulatory and donor compliance, and

    4. Building internal team capacity for sustainable governance.

    New to internal audits or looking to elevate your current approach? Let Aria help you transform internal audits into a strategic advantage. Strengthen your systems, build trust, and drive greater impact. 👉 Get in touch with us  
