It is also advisable for trustees to commission a "risk register" from the auditor.
This explores the various risks facing the charity, how high the various risks are and how they can be tackled.
CASE STUDY RNIB USES INTERNAL AUDIT TO IMPROVE EFFICIENCY
For Fiona McKenzie at RNIB, the job of internal auditor is about making sure the charity's money is spent wisely and helping prevent crises through risk management.
"Some people will always see me as the charity's 'police woman' and that's perhaps not a bad thing because it keeps people on their toes," says McKenzie.
But internal audit is now much more than this, she says, and is about working with management to improve the effectiveness and efficiency of operations.
"We have attempted to modernise the function at RNIB to have a wider role looking at all control systems rather than just compliance and financial systems."
Earlier this year, she and her colleague in internal audit were called in to tackle the challenge of maintaining security checks on staff members dealing with vulnerable adults and children.
She says that when the old system of police checks was wound down there was a gap before the new Criminal Records Bureau got going. This meant the charity needed to work out what it could do in the meantime, in order to prevent the worst case scenario of closing some services because of a lack of vetted staff.
"We sat down with managers and explored various options, such as bringing in staff that had already been vetted from other parts of the charity and training them for other roles," says McKenzie.
A framework was drawn up identifying the potential risks and ways round them, which enabled all services to be kept running until the new system was in place.
McKenzie sees this as an example of "positive risk management", in other words looking at potential risks at an early stage and ensuring strategies are in place to manage these.
"Now, whenever a new service or big project is planned internal audit is involved at an early stage," she says.
McKenzie joined the charity four years ago after working as an external auditor specialising in the non-profit sector. With the growing pressure on fundraising and the fall in stock markets, which has affected charities' reserves, trustees are much keener to make sure the charity's operations are efficient, she says.
"But I see the main part of my role as giving independent assurance to the trustees that projects are properly planned and resources being used efficiently."
Troubleshooting is also part of her role but she has had to carry out relatively few investigations in her time at RNIB, she adds. "There have been projects that have gone wrong and people want to know why, which is when I'm sent in."
McKenzie reports to the trustee board's audit committee, which she helped set up in her first year with RNIB. While she is managed by the director of finance and resources, she is keen to point out that her regular contact with trustees and with the chief executive ensures her independence.
"I know that if ever there was a conflict with managers, I'd have the ear of the chief executive and trustees and that gives me independence," she says.
The Charities Internal Audit Network has around 70 members and holds events to promote internal audit in charities and encourage best practice. For information, contact Perry King at email@example.com or visit www.cianonline.org.uk.
Once feared as the charity 'wrist slappers', internal auditors are taking on a wider role. Patrick McCurry looks at how they are helping to set up systems to protect charities from risk
If you're wondering who that person is in the staff canteen that everyone avoids, except for the occasional whispered conversation, it's probably the charity's internal auditor.
Often regarded as the charity's "policeman", the job of internal auditor can sometimes be lonely and the individual treated with suspicion. But things are changing as the internal audit assumes a wider role in many charities.
"I spent a lot of time at the beginning explaining to people that internal auditing had a positive side of adding value and helping manage risks and that it wasn't just about investigations," says Mike Gadsden, head of risk management and internal audit at the British Red Cross.
Internal auditors are keen to point out that their role has widened significantly in recent years, moving away from a firefighting approach to one that is more forward looking and about putting better systems in place to manage risk.
From its original brief of concentrating on financial issues, the role has also broadened to include other operational areas such as fundraising and IT.
But internal auditing can still be a difficult role, says Sally Kirby, director of charity services at consultancy Chantrey Vellacottt and formerly an internal auditor at the NSPCC. "It can be lonely because often you're a one-man band and, even though you're part of the organisation, you don't have your own department."
"You're often viewed with suspicion and people may be reluctant to talk to you. You need very good communication skills to win people's trust, and the ability to get information from a variety of sources."
But Kirby acknowledges that in the past five years the job has become less about "wrist slapping". "Today there's more emphasis on what the risks are and not just in finance but in IT security, fundraising compliance or vetting staff working with vulnerable children," she says.
The growth of the internal audit role has been accelerated by the revision of the Sorp accounting regulations in 2000, which require trustees to comment in their annual report on the systems the charity has put in place to handle risk.
But in order to move onto the broader risk management agenda, basic procedures first need to be put in place and that should be the first priority for any charity setting up an internal audit function.
Andrew Jones, internal auditor at care sector charity Norwood, spent his early days ensuring that adequate financial procedures were implemented, such as secure post opening.
"I came from local government where there were procedures and financial regulations covering everything and I have had a lot of involvement in ensuring that adequate systems and procedures are put in place at the charity," says Jones.
A key question is who should carry out internal audit. Not all charities have an internal auditor. Although larger organisations may have an auditing team, many groups outsource the role.
It doesn't matter whether the service is provided in-house or outsourced, providing the auditor is independent, says Kirby.
To help maintain this independence, there is a growing consensus that the auditor should report to the trustees or chief executive, not to the finance director.
For example, Gadsden at the British Red Cross reports to the chief executive but also, for day-to-day administrative purposes, to the finance director.
He reports the plans and results of all work to the regular meetings of the finance committee of the board, so audit conclusions are considered at the highest level.
Mark Freeman, managing director of consultancy Charity Business, says that a common pitfall is for internal auditors to report to the finance director.
"The first problem with that is that internal audit now looks at operations from a risk management viewpoint rather than a financial one and, second, the danger that the auditor's independence is impaired by reporting to finance," he says.
For smaller charities, says Kirby, they may not even need to buy in expertise and could instead use existing directors to audit each other.
It is important the internal audit function is not seen as the property of the finance department but instead is "owned" by the organisation as a whole.
"Many people see it as a finger-pointing exercise," says Freeman. "But internal audit should be a forward-looking exercise that helps prevent problems."
Nevertheless, it can be difficult to deal with people when they feel their traditional way of working is being questioned. This is a particular challenge when dealing with charity volunteers.
Nigel Pitt, internal auditor at WRVS, has a team that carries out audits at the charity's trading sites around the country. Many of these trading ventures are run by volunteers.
"It's definitely a challenge working with volunteers having come from the private sector where if you tell someone to do something in a certain way, they do it," says Pitt. "But with volunteers you have to be tactful as some may think that because they've always done something a certain way, why should they change. You need to be patient and to explain why new systems are being introduced and how the charity will be protected as a result."
Another issue is to avoid an internal audit becoming an overly bureaucratic exercise. "When I see the audit committee, they want to know how many reports I've written, how many investigations I've carried out, so there's an incentive for me to produce a lot of paperwork," says Pitt.
Freeman says that bureaucracy can become a problem when the internal auditor is investigating something that has gone wrong. "In those cases, everything needs to be documented and you can end up with lots of reports and little action."
In contrast, if an organisation takes a risk management approach and looks ahead, there will be fewer cases of things going wrong, he believes.
For any charity setting up an internal audit function, Kirby recommends that the trustee board, possibly through its finance sub-committee, clearly decides what it wants to achieve.
"Does it want to focus on compliance in particular areas or on risk management, or perhaps a mix of the two?" says Kirby.
It must also work out the terms of reference of the internal auditor, who he or she should report to and how often. Whatever the textbook examples, it will be up to the internal auditor to take into account the circumstances of the charity when making recommendations, she adds.
Jones agrees. "Any recommendations you make have to be workable." For example, it may be best practice to have two people signing in money, but at Norwood's care homes there may only be one member of staff on duty at certain times.
"In such cases, instead of making a signing-in recommendation that is not practical, I'll focus on cash handover procedures between members of staff on different shifts," he says.
But probably the biggest headache for many internal auditors is lack of resourcing for the function. "I'm in a team of two when really we need four or five to do the job properly," says an auditor at one large charity.
This is despite the fact that there are numerous areas where auditors are saving charities money, says Heather Hunter, internal auditor at Charity Business.
For example, it is common for charities to have several databases covering different groups, such as volunteers or donors, but these databases do not "talk to each other" and so the same information is often recorded several times, says Hunter.
"An internal auditor can recommend changes that create efficiencies and often reduce risk to the extent that insurance premiums come down," she says.
CHECKLIST FOR AN INTERNAL AUDIT
Under the revised Sorp accounting and reporting framework, the board of trustees is required to make a statement in the annual report on what systems are in place to tackle risks facing the charity. It is therefore the board's responsibility to decide what it wants an internal audit to cover and who should do it. Large charities generally set up their own audit department, while smaller organisations may buy in the service or use existing staff to carry it out
It is important that trustees have some involvement in monitoring and setting objectives for internal audit. This should be done by an audit committee or, in its absence, the finance sub-committee of the board.
To preserve independence, the internal auditor should not report directly to the finance director but instead to the trustees or, failing that, to the chief executive.