Nonprofit Audit FAQ: 14 Questions Finance Staff Ask Before, During, and After

TLDR

An audit that surfaces a material weakness or a significant grant compliance finding does not stay in the audit report — it follows the organization into funder applications, state registrations, and board governance conversations for years. These 14 questions address what auditors actually test, what the findings mean, and how to manage the audit process from PBC list through management response.

A children’s services organization received a single audit finding for inadequate subrecipient monitoring in Year 1. They wrote a corrective action plan. In Year 2, their auditor tested the same area and found the controls still inadequate — a repeat finding. Repeat findings trigger escalated federal oversight, including enhanced monitoring visits and the potential for additional award conditions on future grants. The finding that began as a documentation gap in Year 1 had, by Year 3, produced two federal monitoring visits and a 90-day hold on a $400,000 draw request while the agency reviewed the organization’s corrective actions.

Audit findings compound. The 14 questions below address what auditors test, what findings mean at each severity level, and how to manage both the pre-audit preparation and the post-audit response in a way that stops findings from recurring.

Implementation realities and migration notes

Mid-sized nonprofits in this category typically inherit a tangle of restricted-fund histories: federal pass-throughs, state agency contracts, family-foundation grants, and partner funding stretching back many years. Migrating that history cleanly is not optional — auditors and program officers will ask questions that require a year-by-year reconstruction. Implementation timelines run six to ten weeks for organizations that scope the data inventory before signing. Cutting corners on migration to chase a fast launch usually surfaces gaps during the next single-audit cycle, and the cost of fixing those gaps after the fact is meaningfully higher than doing migration right at the start.

Plan accordingly, and require any vendor on the shortlist to demonstrate restricted-fund handling, grant tracking, and donor record migration on a representative sample of your actual historical data before you sign. Vendors that decline to demo on real data are filtering you out for a reason. The demo on your data is where the gaps surface — both the gaps in the vendor’s product and the gaps in your existing records that you will need to clean up regardless of which system you choose. Use that demo to set realistic expectations with the board and the audit committee about timeline and scope before contracts get signed.

Frequently Asked Questions

Does my nonprofit need an audit?

Whether you need an audit depends on three independent triggers, all of which apply simultaneously: (1) state law — most states require a financial audit for nonprofits above a revenue threshold, commonly $500,000–$1,000,000; some states require reviews (less rigorous than an audit) at lower levels; a few have no requirement; check your state's attorney general charitable registration requirements; (2) federal grant requirements — any organization expending $1,000,000 or more in federal awards in a fiscal year is required to have a single audit under 2 CFR 200.501 (the threshold was raised from $750,000 in the 2024 revisions, effective for fiscal years ending September 30, 2025 or later); (3) funder requirements — many foundations and government funders require audited financial statements as a condition of grant application or renewal, regardless of state law and regardless of whether you meet the single audit threshold. Review your grant agreements annually for audit requirements — they vary by funder and may change with each award cycle.

What is the difference between an audit, a review, and a compilation?

These three engagements provide different levels of assurance and involve different levels of auditor work. A compilation is the lowest level: the accountant takes the organization's financial information and presents it in financial statement format, but expresses no assurance about whether the statements are accurate or comply with GAAP. A review involves analytical procedures and inquiries that give the accountant a basis for limited assurance: the accountant reports being 'not aware of any material modifications' needed to the statements. An audit is the highest level: the auditor tests internal controls, performs substantive testing of transactions, confirms balances with third parties, and issues an opinion on whether the statements fairly present the financial position in conformity with GAAP. A clean audit opinion provides positive assurance; a review provides negative assurance; a compilation provides none. Most funders require audited statements. State requirements vary: some accept a review below a certain revenue threshold. A single audit requires a full audit — there is no review or compilation alternative.

What triggers a federal single audit?

A single audit is required when a non-federal entity expends $1,000,000 or more in federal awards during its fiscal year (2 CFR 200.501). Federal awards expended include: direct grants from federal agencies; federal contracts (cost-reimbursement); federal loans; and sub-awards where federal funds pass through a state, local government, or another nonprofit to your organization. All federal sources are aggregated across all agencies and award types. If you received $300,000 from HHS, $400,000 from HUD, and $400,000 in federal CDBG funds passed through your city, you have expended $1,100,000 in federal awards and must have a single audit. The single audit covers both the financial statement audit and a compliance audit of major federal programs, conducted under Government Auditing Standards (the 'Yellow Book') and 2 CFR Part 200 Subpart F. Results are submitted to the Federal Audit Clearinghouse and are publicly accessible.

How much does a nonprofit audit cost?

Audit fees for nonprofits vary by organization size, complexity, and geographic market. For small nonprofits (under $500,000 in revenue), expect $6,000–$12,000. For mid-sized nonprofits ($500,000–$2M in revenue), expect $10,000–$20,000. For organizations subject to a single audit (federal expenditures of $1,000,000 or more), add $5,000–$15,000 to the base financial statement audit cost for the compliance testing component — a single audit typically runs $15,000–$35,000 total for a mid-sized organization. For larger organizations ($5M+ revenue), audit fees commonly run $25,000–$75,000 or more. Factors that increase cost: weak internal controls that require expanded testing; disorganized records that require additional auditor time; a large number of major federal programs; first-year engagements (where the auditor has no prior-year workpapers to reference); and significant audit adjustments or prior-year findings that require remediation testing.

How do I choose an auditor?

For any organization subject to a single audit, choose a firm with demonstrated Yellow Book experience and active nonprofit audit clients at your revenue size. Ask for: references from three current nonprofit clients of similar size and federal award complexity; the credentials of the specific audit manager and senior staff who will work your engagement (not just the partner); the firm's most recent peer review report (peer reviews evaluate audit quality and are publicly available); and the firm's current single audit experience — how many single audits did they complete last year? For the financial statement audit alone, seek a firm whose staff is familiar with FASB ASC 958 and nonprofit fund accounting — common nonprofit audit issues (restricted fund releases, functional expense allocation, endowment valuation) are not general knowledge. Rotate auditors every five to seven years as a governance practice, or when the current auditor's fees have escalated significantly without a corresponding increase in service quality.

What is the PBC list and when should I receive it?

PBC stands for 'Prepared by Client' — the PBC list is the document request list your auditor sends before fieldwork begins. It enumerates every schedule, workpaper, and source document the auditor needs to conduct the audit. A typical PBC list for a mid-sized nonprofit includes: trial balance and general ledger for the audit period; bank statements and bank reconciliations for all accounts; accounts receivable and accounts payable aging reports; payroll registers and benefits summaries; fixed asset schedules with additions and disposals; grant agreements for all active awards; board minutes; insurance certificates; contracts over $10,000; and the prior-year audit report. For a single audit, the PBC list also includes the Schedule of Expenditures of Federal Awards (SEFA), subrecipient agreements, and grant monitoring documentation. You should receive the PBC list two to four weeks before fieldwork begins. Your ability to respond completely and promptly to the PBC list is the single greatest driver of audit efficiency and cost — late or incomplete PBC responses directly increase audit hours and fees.

What do auditors actually test?

Auditors test three things: (1) internal controls — the design and operating effectiveness of controls over financial reporting, particularly around cash receipts, payroll, disbursements, and grant management; (2) account balances — confirming that the amounts on the financial statements are supported by underlying transactions (cash confirmed via bank confirmation; receivables confirmed or tested against documentation; grant balances traced to award agreements and expenditure records); and (3) for single audits specifically, federal program compliance — testing whether the organization met the specific requirements of its major federal programs, including allowable activities, allowable costs, eligibility, cash management, reporting, and subrecipient monitoring. Auditors do not test every transaction — they use sampling, selecting transactions for testing based on risk and materiality. But they do examine every journal entry that meets certain thresholds and all unusual or manual journal entries.

What is a management letter?

A management letter (formally called a letter of reportable conditions or, in single audit terms, a written communication to management) is a document the auditor provides to management and the board after the audit, identifying internal control weaknesses and operational deficiencies that did not rise to the level of a reportable finding but that the auditor believes management should address. Management letter comments might include: reconciliation processes that are performed infrequently; user access controls that are not adequately segregated; documentation practices that are inconsistent; payroll processes that lack secondary review; or IT security practices that expose financial data. A management letter comment is not a finding and does not appear in the audit report — but funders and board members sometimes request management letters as part of due diligence. Recurring management letter comments that are not addressed eventually become findings.

What is a material weakness vs. a significant deficiency?

Both are deficiencies in internal control over financial reporting, but they differ in severity. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness yet important enough that those charged with governance should know about it. A material weakness is a deficiency, or combination of deficiencies, where there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected and corrected on a timely basis. In plain terms: a significant deficiency means the control environment has a meaningful gap; a material weakness means that gap is serious enough that financial statements could be materially wrong without anyone catching it. Material weaknesses are reported in the audit opinion section and are visible to funders. Significant deficiencies are reported in the auditor's communication to those charged with governance. Either finding requires a written corrective action plan from management.

What is the difference between a finding and a recommendation?

A finding is a conclusion that noncompliance, or a control weakness meeting the threshold for reportable finding, exists in a specific area — it requires a formal management response and a corrective action plan, and it appears in the audit report. For single audits, findings are reported in a Schedule of Findings and Questioned Costs and are submitted to the Federal Audit Clearinghouse. A recommendation is the auditor's suggestion for improvement that does not meet the threshold for a formal finding — it may appear in the management letter or in a separate communication, but it does not require a formal response and does not appear in the public audit report. Treat recommendations seriously regardless of their technical status: a recommendation that is ignored frequently becomes a finding in a subsequent year, and auditors note whether prior-year recommendations were addressed.

Do I have to share my audit with funders?

For federal awards, yes — the audited financial statements and the single audit report (including findings and corrective action plans) are submitted to the Federal Audit Clearinghouse and are publicly accessible. Any funder, journalist, or member of the public can retrieve your single audit report. Beyond federal disclosure requirements, many private foundation grant agreements explicitly require submission of audited financial statements as part of annual grant reporting or as a renewal application requirement. State reporting requirements often require submission of audited financial statements with the annual charitable registration renewal. Even when not contractually required, many funders request audited statements during grant due diligence. Assume your audit report will be seen by your major funders. If your report contains findings, prepare an explanation — proactive disclosure with a corrective action narrative is far better than letting a funder discover findings on their own.

How do I respond to draft findings before the report is finalized?

Auditors provide a draft findings summary or exit conference to management before the final report is issued — this is your only opportunity to correct factual errors and to provide context before findings become final. Review the draft findings carefully and within the response timeline the auditor provides (typically 10–14 days). For each finding: (1) verify whether the facts as stated are accurate — if the auditor has misstated the condition or the relevant criteria, provide specific correction with documentation; (2) prepare your management response addressing whether you agree or disagree and why; (3) if you agree, provide a specific corrective action plan with named responsible parties and completion dates; (4) if you disagree, provide your position with documentation. Do not simply write 'management agrees and will correct' — a vague response does nothing to demonstrate accountability and does not prevent the same finding from recurring. For single audits, the management response becomes part of the public record.

What do I do if my audit has a qualified opinion?

A qualified opinion means the auditor has concluded that the financial statements are fairly presented 'except for' a specific identified matter — a GAAP departure or a scope limitation. The first action is to determine whether the qualification can be remediated: if the auditor qualified because you could not provide sufficient evidence for a specific account balance, gather that evidence and ask whether a supplemental procedure can clear the qualification before the report is issued. If the qualification cannot be cleared before issuance, you must notify funders proactively — particularly those with grant agreements that require audit opinions and those that are considering renewal applications. Provide a clear, factual explanation: what caused the qualification, why it occurred, what you have done or will do to correct it, and what controls are being put in place to prevent recurrence. Funders respond better to clear explanation and corrective action than to the absence of communication. A qualified opinion is not automatically disqualifying for grant renewal — but an unexplained one is.

How do I prepare for next year's audit starting today?

Audit preparation is a continuous process, not a pre-audit sprint. Specific actions to take starting now: (1) reconcile every bank account monthly and retain the reconciliations — unreconciled accounts are the most common source of audit adjustments; (2) close the month within 15 days of month-end, with all journal entries reviewed and approved — a journal entry backlog created in the final quarter before year-end is an audit red flag; (3) review grant fund balances monthly and verify they reconcile to the grant accounting records; (4) maintain a complete and current fixed asset schedule — additions, disposals, and depreciation calculated monthly; (5) ensure every significant expense over $500 has a source document attached in your accounting system before the month is closed; (6) document your cost allocation methodology in writing and apply it consistently every month; and (7) schedule an internal 'pre-audit' review in the month before year-end — pull the prior year's PBC list and verify you can produce every item on it. Organizations that maintain audit-ready records year-round have audits that cost 20–30% less than organizations that scramble in the final 60 days.