TLDR
19% of nonprofit audits report internal control deficiencies, based on analysis of over 24,000 engagements. Four material weakness domains account for the majority: deficient board oversight, commingled funds, inadequate documentation, and segregation of duties failures. Each has concrete prevention steps. Two of them, commingled funds and segregation of duties, are addressable through accounting software design.
Why audit findings matter more now
The IRS received $80 billion in additional funding under the Inflation Reduction Act, with $46.5 billion allocated for enforcement activities. In one 18-month period, over 440,000 organizations lost tax-exempt status for failing to file annual returns. “We’ve always done it this way” is not a defense auditors accept for weak internal controls.
The Single Audit threshold increased from $750,000 to $1,000,000 in federal expenditures for fiscal years beginning on or after October 1, 2024. A GAO analysis of 2017-2021 federal expenditures found $1.17 trillion in awards linked to severe and persistent findings, including 213 findings from 2015 or earlier that remained unresolved as of 2021. Federal agencies track unresolved findings across grant cycles and factor them into future award decisions.
Research analyzing over 24,000 nonprofit audit engagements found internal control deficiencies in 19% of audits, with regional audit firms reporting the highest rates (28%) and Big 4 firms the lowest (14%). The four domains where material weaknesses concentrate are consistent across organization size and sector.
The four material weakness domains
1. Deficient board oversight
Passive boards produce audit findings. Auditors look for evidence that the board independently reviewed financial information, not merely received it. An audit committee that meets once a year to approve the audit engagement without reviewing interim financials does not constitute meaningful oversight. Boards where the executive director prepares and presents financial statements without independent verification leave the organization with no early-warning system.
Remediation steps: Establish a board finance committee or designate the treasurer for monthly financial review. Require that bank reconciliations be reviewed and signed off by a board member independent of the bookkeeper. Document in board minutes that substantive financial review occurred, not merely that financials were distributed.
2. Commingled funds
Commingling is the finding category most addressable through accounting software. Restricted and unrestricted balances that share a ledger account, or that are tracked in a separate spreadsheet rather than enforced at the accounting system level, produce commingling findings.
Auditors trace each restricted fund’s balance from the grant agreement through contributions received, expenditures charged, and restriction releases to the ending balance. If your accounting system cannot produce this trail without a spreadsheet supplement, you are one audit cycle away from a finding.
The Colorado State Fair Authority maintained material weaknesses in fund management for over 20 years without remediation. Each cycle that ends without a written remediation plan gives auditors grounds to escalate the finding’s severity in the next cycle.
Remediation steps: Move to accounting software that enforces fund assignment at the transaction entry level. Confirm that your chart of accounts structure produces fund-level balance sheets, not fund-level P&L alone. Document and test restriction releases with source documentation before posting.
3. Inadequate documentation
Documentation findings trace to a common source: bookkeepers and managers made decisions and incurred expenses without creating a contemporaneous record. Auditors do not accept documentation prepared after a finding is identified.
The Breast Cancer Survivors Foundation directed over 90% of revenue to fundraisers and 4% to charitable purposes, with management unable to produce records supporting the allocation decisions. Regulators could not reconstruct the decision-making from available documentation until enforcement action forced disclosure.
For grant-funded nonprofits, documentation gaps appear most often in three areas: expense eligibility (confirming the expense type is permitted under the grant agreement), payroll allocation (the time records or written certifications supporting the charge to a grant-funded position), and program eligibility (the intake documents confirming a participant met the criteria at the time of service).
Remediation steps: Build a monthly close checklist that includes a document completeness review for each active grant. Establish a policy that no expense is charged to a restricted fund without attaching documentation at the time of entry. Maintain time records or written certifications for employees whose pay is allocated to federal grants.
4. Segregation of duties failures
Full segregation requires one person to authorize transactions, a second to record them, and a third to reconcile the resulting accounts. Most small nonprofits cannot staff this. One person, often the only bookkeeper, handles all three functions.
Auditors know this. The test is whether compensating controls are in place and operating: independent oversight that catches what the single bookkeeper might miss.
Aspira-managed charter schools accumulated material weaknesses across multiple audit cycles. Management fees charged to the schools increased approximately 80% in a single year, reaching $13 million, while the schools collectively ran $4.7 million in net deficits and current ratios dropped to 0.2. The absence of independent board financial oversight allowed those conditions to develop without detection.
Remediation steps: Document compensating controls in a written internal control policy. The policy should name the specific controls and the specific people responsible for them. Compensating controls auditors accept include: board treasurer independently reviews and approves monthly bank reconciliations; executive director approves all journal entries over a threshold; board finance committee receives and reviews fund-level financial statements monthly.
Making the controls sustainable
Written policies are a starting point. An internal control policy that describes monthly board reconciliation review produces no audit protection if the review does not happen. Auditors ask whether the controls operated as described, and they look for evidence: signed reconciliations, emails confirming review, meeting minutes that reference substantive financial discussion.
Accounting software that enforces fund assignment and produces fund-level financials reduces the manual verification burden on both the bookkeeper and the board. When the system prevents commingling by design, the compensating controls required to cover manual separation become less critical. Organizations that have outgrown general-purpose bookkeeping tools carry a disproportionate share of the 19% ICD rate because their systems create the conditions for findings that purpose-built fund accounting software removes.
Like what you're reading?
Try RestrictedBooks free for 30 days — no credit card required.
See plans & pricing- Internal control deficiency (ICD)
- A weakness in accounting or oversight procedures that creates the possibility of misstatement in financial records. Auditors classify ICDs into three tiers: material weaknesses, which create a reasonable possibility of material misstatement; significant deficiencies, which require management attention; and other matters. Both material weaknesses and significant deficiencies are communicated in the management letter delivered to the board after the audit.
DEFINITION
- Material weakness
- The most severe classification of internal control deficiency. A material weakness means auditors found a control gap significant enough to create a reasonable possibility that a material misstatement of the financial statements would not be prevented or detected on a timely basis. Material weaknesses sometimes appear in the auditor's report itself, making them visible beyond the management letter. For grant-funded nonprofits, a material weakness can affect future grant eligibility and grantor confidence.
DEFINITION
- Significant deficiency
- An internal control deficiency that is less severe than a material weakness but still important enough that auditors communicate it to management and the board. Significant deficiencies require written management responses in the management letter and should generate remediation plans with deadlines.
DEFINITION
- Single Audit
- A financial and compliance audit required for organizations that expend $1,000,000 or more in federal awards during a fiscal year (threshold increased from $750,000 for fiscal years beginning on or after October 1, 2024). Single Audits follow 2 CFR Part 200 (Uniform Guidance) and test both financial statements and compliance with federal program requirements. Findings from Single Audits are public record and tracked by federal agencies.
DEFINITION
Q&A
What are the most common nonprofit audit findings?
Research covering over 24,000 nonprofit audit engagements found internal control deficiencies in 19% of audits. The four most frequently cited material weakness domains are: (1) deficient board oversight, where boards lack audit committees or do not independently review financial statements; (2) commingled funds, where restricted and unrestricted balances share a ledger account without fund-level separation; (3) inadequate documentation, including missing eligibility records, payroll allocation support, and expense approvals; (4) segregation of duties failures, where one person controls authorization, recording, and reconciliation. Fund accounting gaps, such as incorrect fund assignments, undocumented restriction releases, and negative restricted balances, are a subset of the commingled funds domain.
Q&A
How does accounting software affect nonprofit audit findings?
Two of the four material weakness domains are addressable through software design. Fund accounting software that enforces mandatory fund assignment at transaction entry eliminates the commingling finding category. Software that maintains documented release-of-restriction entries provides the audit trail auditors request without year-end reconstruction. Segregation of duties gaps are structural in small nonprofits, but software that produces fund-level financial statements for independent board review supports the compensating controls auditors accept. Software cannot fix board governance or documentation culture, but it removes the system-level conditions that generate commingling findings.
Q&A
What is the difference between a material weakness and a significant deficiency?
Both are internal control deficiencies communicated to management and the board after an audit. A material weakness is more severe: it creates a reasonable possibility that a material misstatement of the financial statements would not be caught by existing controls. A significant deficiency is less severe but still requires a management response and remediation plan. Both appear in the management letter. Material weaknesses sometimes also appear in the auditor's opinion report, which makes them visible to external parties including grantors and state regulators.
Q&A
What is the Single Audit and when does it apply?
A Single Audit is a combined financial and federal compliance audit required for organizations that expend $1,000,000 or more in federal awards in a fiscal year (effective for fiscal years beginning on or after October 1, 2024; previously $750,000). It follows 2 CFR Part 200 (Uniform Guidance) and tests both the financial statements and compliance with federal program requirements. Findings are public record. A GAO analysis of 2017-2021 federal expenditures linked $1.17 trillion in awards to severe and persistent Single Audit findings, which has contributed to increased scrutiny of grantee internal controls.
Frequently asked