What Actually Happens During a Nonprofit Audit

This walkthrough covers what to expect if your nonprofit is going through its first audit or switching to a new firm. A financial statement audit follows a consistent structure, but the experience varies significantly depending on the auditor, the nonprofit’s internal readiness, and how well both sides communicate before fieldwork begins.
This guide covers each phase of the process from the engagement letter to the final report, what your team should expect to provide, and the timeline that keeps everything on track.
Phase 1: Engagement Letter
Every audit starts with a formal engagement letter. This is the agreement between your organization and the CPA firm that defines the scope of the engagement, the responsibilities of both parties, the expected timeline, and the fees.
The engagement letter will specify:
- What is being audited. For most nonprofits, this is your financial statements prepared in accordance with generally accepted accounting principles (GAAP). If your organization expends $1 million or more in federal awards, the engagement may also include a Single Audit under the Uniform Guidance (2 CFR Part 200), which adds compliance testing for federal programs.
- What standards the auditor will follow. Financial statement audits are conducted under Generally Accepted Auditing Standards (GAAS). If your nonprofit receives government funding, the audit may also follow Government Auditing Standards (the Yellow Book) issued by the GAO. The 2024 Yellow Book revision is effective for financial audits of periods beginning on or after December 15, 2025, which means calendar-year 2026 audits must apply the new requirements around independence, quality management, and CPE.
- Your responsibilities. The engagement letter makes clear that management is responsible for the financial statements, internal controls, and compliance with laws and regulations. The auditor’s role is to express an opinion on whether the financial statements are fairly presented, not to prepare them. If the auditor does assist with statement preparation (which is common for smaller nonprofits), the letter will describe that as a separate non-attest service.
- Fees and timing. A standard financial statement audit for a mid-sized nonprofit typically costs between $10,000 and $25,000, depending on the organization’s complexity, number of programs, and volume of transactions. The additional Single Audit requirements can raise the incremental cost above a standard audit by 25% to 50% or more.
The engagement letter is signed by your organization’s leadership (typically the executive director or board chair) and returned to the auditor before work begins. If your organization has an audit committee, the committee should review the letter and confirm the auditor’s selection.
Phase 2: Planning
Planning is the behind-the-scenes phase where the auditor designs the audit approach. It typically begins three to four months before your fiscal year-end and involves several steps your team may or may not see directly.
Understanding your organization. The auditor reviews your programs, funding sources, governance structure, and the accounting systems you use. For first-year engagements, this step is more extensive because the auditor is building familiarity from scratch. For returning clients, the focus shifts to what changed during the year: new grants, new programs, staff turnover in finance, or changes in accounting software.
Assessing risk. The auditor identifies areas of the financial statements that carry higher risk of material misstatement. For nonprofits, common risk areas include:
- Contribution revenue recognition under ASC 958 (particularly conditional vs. unconditional contributions, multi-year pledges, and donor-restricted grants)
- Functional expense allocation
- In-kind contributions (separate presentation required under ASU 2020-07)
- Classification of net assets with donor restrictions vs. without donor restrictions (the ASU 2016-14 framework that replaced the old unrestricted / temporarily restricted / permanently restricted categories)
- Related-party transactions
The risk assessment determines where the auditor will focus the most testing.
Preparing the document request list. Your auditor will send what is often called the PBC list (prepared by client). This is the inventory of documents your team needs to assemble before fieldwork begins. Expect requests for bank and investment reconciliations, accounts receivable and payable aging schedules, a schedule of fixed assets, copies of grant agreements and award letters, payroll records, board meeting minutes, and the general ledger and trial balance.
The planning phase is also when you should tell your auditor about anything unusual that happened during the year: a large bequest, a new federal grant, a change in fiscal sponsor relationships, staff transitions in accounting, or internal control issues you identified. Raising these topics early prevents surprises during fieldwork and allows the auditor to plan the right level of testing.
Phase 3: Fieldwork
Fieldwork is the hands-on phase of the audit where the auditor examines your records, tests transactions, and evaluates your internal controls. Depending on the size of your organization, fieldwork typically lasts one to three weeks and may be conducted on-site, remotely, or a combination of both.
Here is what your team should expect:
Internal controls walkthrough. The auditor will ask your staff to describe how key processes work: How does a donation get recorded from receipt to deposit to the general ledger? How are vendor invoices approved and paid? How is payroll processed and reviewed? How are grant expenditures tracked and reported to funders? The auditor is documenting the design of your controls, not just the existence of written policies. They want to understand what actually happens, step by step.
Transaction testing. The auditor selects samples of transactions from the year and traces them from initiation to recording. For revenue, this might mean selecting 25 individual donations and verifying each one against the donor database, deposit records, and general ledger entry. For expenses, it might mean selecting 30 disbursements and confirming each has proper approval, supporting documentation, and correct account coding. Sample sizes depend on the auditor’s risk assessment and the volume of transactions.
Confirmations. The auditor sends independent confirmation requests to third parties to verify account balances. Bank confirmations verify your cash balances directly with the financial institution. Receivable confirmations verify amounts owed to you by grantors or other parties. Payable confirmations may be sent to verify amounts you owe. Legal confirmations may be sent to your attorney to inquire about pending or threatened litigation.
Analytical procedures. The auditor compares your current-year financial data to prior years, budgets, and industry benchmarks to identify unusual fluctuations. A 40% increase in program expenses when your grants grew by 10% would prompt questions. A decline in contribution revenue with no corresponding reduction in fundraising activity would also be flagged. These comparisons help the auditor identify areas that need closer examination.
Questions. Throughout fieldwork, the auditor will send many questions to your finance team. A responsive team that answers quickly and provides supporting documents without delay is the single biggest factor in keeping the audit on schedule and controlling costs. Make sure your accountant, development director, and any program staff responsible for grants are available during fieldwork.
Phase 4: Draft Report and Review
After fieldwork, the auditor compiles findings, finalizes testing, and prepares the draft financial statements and audit report. This phase typically takes two to four weeks and involves several rounds of communication between the auditor and your team.
Draft financial statements. The auditor prepares (or reviews your preparation of) the financial statements, including the statement of financial position (balance sheet), statement of activities (income statement), statement of functional expenses, and statement of cash flows, along with the notes to the financial statements. The notes are where much of the important detail lives: accounting policies, restrictions on net assets, lease obligations, contingencies, and related-party disclosures.
Management review. Your team reviews the draft statements for accuracy. This is not a formality. You are in the best position to catch errors in program names, grant descriptions, functional allocations, and narrative disclosures. Review the draft carefully and flag anything that does not look right.
Adjusting journal entries. If the auditor identifies errors during testing, they will propose adjusting journal entries to correct the financial statements. These are discussed with management before being recorded. The auditor may also identify “passed” adjustments, which are errors too small to require correction individually but are documented in case they accumulate across periods.
Management representation letter. Before issuing the final report, the auditor will ask management to sign a representation letter confirming that you have provided all relevant information, disclosed all known issues, and that the financial statements are your responsibility. This letter is a standard requirement of GAAS and protects both parties.
Phase 5: Final Deliverables
The audit produces several deliverables, depending on the scope of the engagement:
Audited financial statements with independent auditor’s report. This is the primary deliverable. The auditor’s report (typically two to three pages) states whether the financial statements are fairly presented in all material respects in accordance with GAAP. Under SAS 134 (effective 2021), the report format leads with the Opinion section followed by the Basis for Opinion. If your last audit was issued before 2021, the new report format will look different.
The opinion can be one of four types:
- Unmodified (clean): the standard your board, funders, and donors expect
- Qualified: there is a specific exception
- Adverse: the statements are materially misstated
- Disclaimer: the auditor could not obtain sufficient evidence
Management letter (also called a letter of comments and recommendations). This letter describes internal control deficiencies, process weaknesses, or operational observations that the auditor identified during the audit. Not every audit produces a management letter; if no issues were found, the auditor may confirm that in writing or simply not issue one. If you do receive management letter comments, your organization should prepare a formal written response describing how each issue will be addressed and present both to the audit committee or board.
Communication with those charged with governance. Under auditing standards, the auditor is required to communicate certain matters directly to the board or audit committee. These include significant accounting policies, unusual transactions, difficulties encountered during the audit, disagreements with management (if any), and any material weaknesses or significant deficiencies in internal controls. This communication often takes the form of a letter or a presentation at a board meeting.
Single Audit reporting (if applicable). If your nonprofit expends $1 million or more in federal awards (the threshold increased from $750,000 under the 2024 revision to 2 CFR 200, effective for fiscal years beginning on or after October 1, 2024), the audit package includes additional deliverables: a Schedule of Expenditures of Federal Awards (SEFA), reports on internal controls and compliance, and a schedule of findings and questioned costs. The completed Single Audit package is submitted to the Federal Audit Clearinghouse at fac.gov (administered by GSA since October 2023).
Timeline: What a Typical Audit Looks Like
For a nonprofit with a December 31 fiscal year-end, a typical audit timeline runs as follows:
| When | What Happens |
|---|---|
| September–October | Engagement letter signed, planning begins, auditor sends initial document request list |
| November–December | Interim fieldwork (if applicable): auditor tests controls and early transactions before year-end |
| January | Year-end close: your team finalizes the general ledger, reconciles all accounts, and assembles PBC documents |
| February–March | Year-end fieldwork: auditor conducts substantive testing, confirmations, and analytical procedures |
| March–April | Draft report prepared, management review, adjusting entries finalized |
| April–May | Final report issued, management letter delivered, board or audit committee presentation |
The entire process from engagement letter to final report may range from six weeks to several months, depending on a variety of factors. The most common cause of delays is not auditor scheduling but the nonprofit’s readiness: incomplete bank reconciliations, missing grant documentation, and late year-end close push everything back. The best thing your team can do is complete the PBC list before fieldwork begins and assign a single point of contact to respond to auditor requests.
What to Ask Before Your First Audit
If you are engaging an auditor for the first time, or evaluating a new firm, a few questions help clarify expectations:
- Who will be assigned to our engagement, and what is their nonprofit experience? Consistent team members with nonprofit accounting expertise produce better outcomes than rotating generalists.
- What is your expected timeline from fieldwork to final report? A firm that cannot commit to specific dates may have capacity issues that will affect your engagement.
- Will you present findings to our board or audit committee? This is standard practice and helps your board fulfill its governance responsibilities.
- How do you handle management letter comments? The best auditors frame their observations as constructive recommendations, not compliance checklists, and follow up on prior-year comments to track progress.
How WhippleWood CPAs Can Help
Our assurance practice provides financial statement audits and reviews for nonprofit organizations across Colorado, including organizations that require Single Audits under the Uniform Guidance. We work with community foundations, human services organizations, arts and cultural institutions, and membership associations.
We assign consistent engagement teams with nonprofit experience, provide a clear timeline with defined milestones, and present results directly to your board or audit committee. If your organization is approaching its first audit, outgrowing its current auditor, or preparing for a Single Audit, we can walk you through what to expect and what to prepare.
Contact WhippleWood CPAs to discuss your nonprofit’s audit needs.



