Performing Risk Assessment in Churches
If your church is not required to undergo an external audit*, internal audits can be an effective alternative. They also can benefit churches that have an external audit. Our previous article outlined the potential benefits of internal audits for churches and explained how to perform one. Now let’s look at a key component of an effective internal audit: a comprehensive assessment of the risks your church faces.
Below, we provide practical suggestions to help you identify risk areas within your church and develop a risk assessment process. Please note that this is intended to be an overview, not a complete guide to risk assessment. For more information, see the Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Assemble the Pieces
A risk assessment is like a jigsaw puzzle: you need to have all the pieces visible in a way that allows you to recognize patterns. When performing a risk assessment, it’s vital to ensure you’ve identified all the risks and applied your church’s internal and external audit resources effectively to minimize exposure.
Start by following these four steps:
1. Use your financial statements to identify the transaction classes that need to be assessed. Every line item in your financial statements contains a transaction class, and it’s important to start by understanding the nature, volume, and account value of the underlying transactions in each one. Examples of transaction classes and the underlying transactions include:
- Donor support – Cash receipts and contributions with and without donor restrictions
- Tuition revenue (if applicable) – Tuition, room and board, accounts receivable, and deferred revenue
- Investment income (if applicable) – Dividends and interest, gains, losses (realized and unrealized), and investments
- Payroll and benefits – Payroll and benefits expense, accrued payroll, and accrued benefits
- Non-payroll expenses – Cash disbursements and accounts payable
- Capital projects – Purchases and maintenance of property, plant, and equipment and physical plant improvements, including repairs and maintenance
- Other revenues
- Other expenses
- Other assets
- Other liabilities
2. Identify the departments or budget areas that need to be assessed. Consider the amount spent in each area. If the total is insignificant, you may want to exclude that department from your risk assessment.
3. Consider which transaction classes are affected, based on the activity in that budget area. When identifying department-level risks, it’s important to understand the operating activities in each department and the financial transactions generated from those activities.
Start by listing the departments or budget areas involved in each transaction class. Next, consider which transaction classes the operating activities affect and the nature of the financial transactions that relate to those activities. For example, your IT and Production department purchases equipment and supplies. If you have a café, it purchases food and drinks to sell to customers.
Some departments may have multiple operating activities that result in several types of financial transactions. The facilities department may purchase supplies and equipment, administer facility and building rentals, and oversee the café or bookstore sales. As a result, you may need to assess more than one operating activity and the related financial transactions for each department.
4. Assign a risk rating to each area using the following levels, which also set the timing of the work to be performed:
- C for Critical, which may be tested X (multiple) times a year
- H for High, which may be tested annually
- M for Medium, which may be tested every Y years (e.g., every two years)
- L for Low, which may be tested every Z years (e.g., every three years)
Develop a Risk Assessment Matrix
You can use a risk assessment matrix to evaluate your church’s risk factors. Determine the amounts and thresholds based on factors specific to your church.
Consider the identified risks in terms of impact and likelihood.
Impact is the degree to which a risk can cause a loss or potential loss. The specific loss can be defined in several ways, including:
- Financial or material impact – Based on asset size, revenue, or transaction volume, or on loss of property (including data)
- Operational – Risks that result in inefficient processes, create resource constraints, or cause facilities to become unusable
- Intangible/reputational – Negative media or public exposure
- Legal/regulatory – Noncompliance with federal or state laws that may result in sanctions or fines
- Human/stakeholder – Threats to safety, talent loss, or loss of confidence in management
- Strategic – Risks that adversely impact the church’s achievement of its goals or objectives
Likelihood is the probability that a risk will occur and disrupt or prevent the achievement of your church’s mission and priorities. Specific areas of likelihood can include these factors:
- Controls – Processes, policies, training, or oversight intended to reduce the likelihood or severity of losses related to a particular risk
- Risk experience – Familiarity with the risk and the ability to detect, respond to, and recover from the adverse event
- Complexity – How the risk will affect other activities, including transactional activities and processes
- Rate of change – The ability of people, processes, and systems to manage risk given the frequency or volume of changes within an operational area. Frequent change raises both the likelihood that a vulnerability arises and the impact it can have.
In the first example below, the matrix classifies each risk by its likelihood of occurrence and its impact on the church, using subjective judgment. If a risk has both high likelihood and high impact, it is classified as a critical risk.
The second example shows the number of risks evaluated and their placement on the matrix, based on quantified factors of impact and the likelihood of occurrence.
Apply Risk Scores
Another way to assess risk is through risk scores.
At least once every two years, your internal auditor should ask various stakeholders and employees to complete a risk survey. This will help your internal auditor stay aware of major changes in the church and update the audit areas as needed.
Your church can derive the risk scores for each audit area from this feedback by assigning numerical ratings for a pre-determined set of weighted risk factors. You can then rank these scores for an overall risk value, with audits of various areas scheduled accordingly.
This top-down process should include conversations, surveys, and requests for input and ranking of the top risks from these stakeholders:
- Executive leadership
- Board of directors or audit committee
- Department managers or process owners from each operating area within your church
Develop a Long-range Audit Plan
You can use the final risk assessment score to develop a long-range audit plan covering a multi-year period, such as five years. To develop this plan:
- Evaluate the level of risk in each internal audit area to determine the audit frequency. The higher the risk score assigned to a given area, the greater the audit frequency should be. In addition to scheduled audits, the plan should also include time for special projects that may be requested by management or performed because of suspected fraud, waste, or abuse.
- Use the long-range plan to create an annual audit plan.
- Have senior management and your audit committee or board review and provide input on the long-range plan.
- Adjust the annual audit plan to incorporate additions or changes suggested by senior management and the audit committee or board.
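The following is an added example, not the article's own method or a tool from its authors: it implements the likelihood/impact matrix, a weighted risk score derived from survey ratings, and a five-year schedule in the C/H/M/L scheme described above. The factor weights, the 1..4 and 1..5 rating scales, the score cut-offs, and the audit intervals are assumptions; the article leaves X, Y, and Z open, so C and H are audited yearly here, M every two years, and L every three.

```python
# Added example (not the article's own method): a likelihood/impact matrix,
# a weighted survey score, and a five-year audit schedule in the C/H/M/L scheme.

# Audit interval in years per rating (assumed: C/H yearly, M every 2, L every 3).
INTERVAL_YEARS = {"C": 1, "H": 1, "M": 2, "L": 3}

# Weights for the survey factor groups are assumed, not prescribed by the article.
WEIGHTS = {"control_environment": 3, "business_exposure": 2,
           "economic_environment": 1, "data_security": 2, "legal_sensitivity": 1}

def classify_matrix(likelihood: int, impact: int) -> str:
    """Place a risk on a 4x4 matrix (1 = low .. 4 = critical on each axis).
    High likelihood AND high impact is Critical, as the article states."""
    for v in (likelihood, impact):
        if not 1 <= v <= 4:
            raise ValueError("ratings must be integers 1..4")
    if likelihood >= 3 and impact >= 3:
        return "C"
    if likelihood >= 3 or impact >= 3:
        return "H"
    if likelihood >= 2 and impact >= 2:
        return "M"
    return "L"

def weighted_score(ratings: dict) -> float:
    """Weighted mean of 1..5 survey ratings; an unanswered factor counts as 1."""
    total = sum(w * ratings.get(f, 1) for f, w in WEIGHTS.items())
    return round(total / sum(WEIGHTS.values()), 2)

def score_to_rating(score: float) -> str:
    """Map a 1..5 score onto C/H/M/L (cut-offs are illustrative assumptions)."""
    return "C" if score >= 4 else "H" if score >= 3 else "M" if score >= 2 else "L"

def long_range_plan(area_ratings: dict, horizon: int = 5) -> dict:
    """Years (1..horizon) in which each audit area is scheduled: every area is
    audited in year 1 and then at its rating's interval."""
    return {area: list(range(1, horizon + 1, INTERVAL_YEARS[rating]))
            for area, rating in area_ratings.items()}

# Constructed sample survey responses per audit area (not real data).
SAMPLE_SURVEY = {
    "Donor support": {"control_environment": 4, "business_exposure": 5,
                      "economic_environment": 2, "data_security": 4, "legal_sensitivity": 3},
    "Cafe sales": {"control_environment": 2, "business_exposure": 2,
                   "economic_environment": 1, "data_security": 1, "legal_sensitivity": 1},
    "Payroll and benefits": {"control_environment": 5, "business_exposure": 4,
                             "data_security": 5, "legal_sensitivity": 4},
}

def plan_from_survey(survey: dict = SAMPLE_SURVEY, horizon: int = 5) -> dict:
    """Score every area, rate it, and return {area: (rating, [audit years])}."""
    ratings = {a: score_to_rating(weighted_score(r)) for a, r in survey.items()}
    years = long_range_plan(ratings, horizon)
    return {a: (ratings[a], years[a]) for a in survey}
```

The matrix function handles the subjective first example; the score and plan functions handle the quantified second example and the long-range plan, so replace the sample survey with real stakeholder responses and adjust the weights and cut-offs to your church's thresholds.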
Keep in mind that some identified risks may already be mitigated by other processes and controls, such as segregation of duties (so that no single individual controls a financial account, two people sign checks, etc.), requiring departmental approval of disbursements before payment, and monitoring budget-to-actual results each month, to name just a few.
A key goal of the internal audit risk assessment process is to provide adequate resources to address management requests for projects involving consultative services, analyses, and efficiency reviews. The goal of an internal audit is to provide assurance over processes, not to audit people.
Examples of risks to ask about during this process include, but are not limited to, the following:
Quality of the Control Environment
- Turnover of key personnel within the department during the last year (management and non-management positions)
- Major programs being modified
- New programs
- Departmental procedural problems as noted by the department director
- Revamped information systems
- Monthly reconciliations performed on all departmental revenues and expenditures
Business Exposure
- Number of programs or areas within the department (complexity)
- Total departmental budget
- Total department revenue/expenses
- Cash income of the department
- Other types of income
- Volume of transactions
- Number of full-time employees for all programs or areas
Economic Environment
- Significant new legislation or regulations
- New technology
- Natural disasters or criminal or terrorist actions
- Community needs and expectations
- Vendor and contractor performance and reliability
Data Security (actions by someone inside or outside the church)
- Data breach or leak of protected information
- Unauthorized access to donor records
- Unavailability of critical computer systems
- Inappropriate destruction or retention of data
- Failure to comply with the Payment Card Industry Data Security Standard (PCI DSS)
Public and Political Sensitivity
- Sensitivity of the department to negative publicity
- The potential effect of politics on the ability to meet departmental goals
Legal and Regulatory Sensitivity
- Quantity of third-party contracts
- Compliance with federal or state laws that apply to the department
Other Factors
Other factors to consider include current management or stakeholder concerns and time since the last risk assessment or internal audit. We also recommend that you consider the answers to these questions:
What could go wrong, or what could prevent my church or department from achieving its goals?
- How do I determine how important it is?
- How much would it impact my area?
- How often could it occur?
Event Identification
- How will an employee or stakeholder know that something has gone wrong?
- When does an employee or stakeholder know that something has gone wrong?
- How does an employee or stakeholder communicate the event to the right people at the right time?
Risk Response
- Does the employee or stakeholder know what needs to be done to address a potential problem?
- How long should it take to correct?
- Was the correction effective?
Document and Follow a Consistent Risk Assessment Process
Risk assessment can be subjective, so it’s important to document and follow a consistent process to help create buy-in from your management and board and lead to effective assessments.
With thoughtful planning and support, including an effective risk assessment process in your internal audit function can help your church protect its resources, maintain financial integrity, and proactively manage risk.
Please contact us with any questions.
Authors: Nathan B. Davis and Mark Yoder
Additional Resource:
Should Your Church Consider an Internal Audit?