A nonprofit audit is an independent examination of an organisation's financial statements, internal controls and compliance with the rules attached to its funding, carried out by an external CPA. The largest of these are federal Single Audits, and the Federal Audit Clearinghouse processes roughly 40,000 of them each year. An audit is an assurance exercise, not a tax filing or a fraud hunt.
The word covers more than one thing, which is where confusion starts. Some audits look only at your numbers. Others test whether you followed the rules tied to a grant. This guide explains what each examines, when one is required, and exactly what an auditor will ask you to produce. For the wider view across governance, fundraising and data, see our complete guide to nonprofit compliance.
A nonprofit audit examines three things: whether your financial statements are fairly presented under GAAP, whether your internal controls are sound, and whether you complied with the rules attached to your grants and donor restrictions. An external CPA gathers evidence and forms an opinion on each. The result is reasonable assurance, not a guarantee.
That word "reasonable" matters. The auditor's objective is reasonable assurance that the financial statements are free from material misstatement, which the AICPA describes as a high, but not absolute, level of assurance (AU-C 200).
It also helps to say what an audit is not. It is not a tax filing, and it is not a fraud investigation. An auditor may surface fraud, but detecting it is not the engagement's purpose.
The people doing the work are independent CPAs, not regulators. They report findings to your board and, where federal funds are involved, into the federal system. Their independence is what gives the opinion its weight.
A federal Single Audit is required only when an organisation spends one million dollars or more in federal funds in a fiscal year, effective for fiscal years beginning on or after 1 October 2024. Below that line, no federal Single Audit is triggered. Many states and individual funders, however, require an independent audit regardless of the federal figure.
Three caveats keep this from being a clean exemption. An award issued before October 2024 can still carry the old seven hundred and fifty thousand dollar threshold, so organisations holding a mix of older and newer awards should track them by issue date rather than assume the new line covers everything.
A Single Audit is also not the only audit that matters. Funders and grantors frequently require an independent audit as a condition of award, and program-specific reviews continue alongside it. State law is a third trigger, covered in the next section.
The volume gives a sense of scale. The Federal Audit Clearinghouse processes approximately 40,000 Single Audit submissions a year, so even after the threshold rose, a large population of organisations remains inside the federal net.
Many US states require a nonprofit to obtain an independent audit once its annual revenue or contributions cross a set threshold, usually tied to charitable solicitation registration. Thresholds vary widely from state to state, and some states accept a review rather than a full audit below a certain level. These requirements sit separate from the federal Single Audit.
The trigger is typically gross revenue or total contributions, measured for the registration period. The National Council of Nonprofits notes that 39 states and the District of Columbia require charities to register before fundraising, and many require audited financial statements once revenue or contributions cross a state-specific threshold.
Because the figures differ so much, the safe approach is to check your own state's charitable registration rules rather than rely on a national number. If you are getting ready for one of these, our guide on how to prepare for a nonprofit audit walks through the documentation side in detail.
An independent financial statement audit examines whether your financial statements are accurate and fairly presented. A Single Audit goes further, testing compliance with the specific requirements attached to each federal program you draw funds from, including the internal controls over those programs. An organisation can need one, both, or neither.
The Single Audit is governed by the OMB Uniform Guidance at 2 CFR Part 200, which sets the threshold and the testing requirements. It folds the financial statement opinion and the federal compliance opinion into a single engagement, which is where the name comes from.
The compliance side is where findings cluster. A March 2025 GAO report analysing 3,680 single audit findings from 2022 to 2024 found that 36% involved incomplete subaward reporting, and in nearly half of cases recipients lacked the internal controls for basic subaward oversight, such as running no risk assessments of subrecipients. Diligent subrecipient monitoring is what those findings are testing.
Beyond these two, program-specific audits form a third category, used when an organisation draws from a single federal program rather than many. Knowing which applies to you is the first step in planning any audit for a nonprofit organisation.
An auditor asks for evidence in a few groups: financial records, governance documents such as board minutes and policies, and the operational trail behind your spending, which is the vendor, subrecipient and contract records. It is that last group where lean teams most often scramble. The numbers usually exist; the supporting trail is what goes missing.
In practice that trail means signed agreements for every material vendor, proof that each was checked before engagement, conflict of interest and related-party disclosures, records showing subrecipients are being monitored, renewal histories, and evidence that contract obligations were met. The same discipline is set out in managing contract obligations and compliance, applied here to the audit context.
It is worth being precise about scope. Gatekeeper holds the vendor and contract side of this trail, not your financial statements, and it does not run the audit or make compliance decisions for you. Vendor management software is where that third-party evidence sits, kept current as relationships change.
Within that boundary, Gatekeeper's AI agents do the collecting, chasing and monitoring, while your team keeps the judgement calls. Vendors are screened at intake, due diligence is gathered, and changes surface as they happen rather than during fieldwork.
Internal controls are the policies and procedures that safeguard a nonprofit's assets and ensure transactions are recorded accurately, such as segregation of duties, approval workflows and access restrictions. Auditors evaluate these to identify risk and recommend improvements. Since the 2024 Uniform Guidance revision, controls must also include cybersecurity safeguards.
That revision now requires recipients and subrecipients to build cybersecurity measures into their internal controls, naming safeguards such as data encryption and multi-factor authentication. This is in force, not proposed, and it pulls vendor security into audit scope in a way it was not before.
The reason is that most of a nonprofit's data risk now sits with its third parties. The 2020 Blackbaud breach is the example most sector leaders still remember, because a supplier's breach became the disclosure problem of every organisation that used it. Evidencing the requirement means showing a vendor's current security posture and what you did when one lapsed.
That evidencing is ongoing third-party monitoring, and it is what a system of record records rather than something it decides for you. The contract side of these controls lives in contract management software, while continuous oversight of supplier risk is the job of third-party compliance risk monitoring. The human judgement about what an exception means stays with your team.
A nonprofit audit checklist covers four document groups: financial records, governance documents, program and grant compliance evidence, and the vendor, subrecipient and contract trail. Preparing each group in advance turns the audit from a scramble into a query. Below is a usable version you can work from.
The first three groups, and your program decisions, stay with your organisation and its CPA. The vendor, subrecipient and contract items in group four are the part a system of record holds and keeps current. For the full preparation walk-through, see our nonprofit audit preparation guide, and you can take the contract side further with our free contract management ebook.
Organisations such as the YMCA of Greater Seattle use Gatekeeper to keep that vendor and contract evidence in one current record.
No. A federal Single Audit applies only at one million dollars or more in federal spending in a fiscal year, for fiscal years beginning on or after 1 October 2024. Many states require an audit above set revenue thresholds, and individual funders can require one regardless. Some nonprofits need none at all.
An audit provides reasonable assurance that financial statements are free from material misstatement and includes testing of internal controls. A review is a lower level of assurance, based mainly on inquiry and analytics, with no controls testing. Some states accept a review below certain revenue thresholds.
Cost varies by organisation size, complexity and number of federal programs. A Single Audit costs more than a financial statement audit alone, because it adds compliance testing. Funders sometimes treat audit costs as an allowable grant expense.
Subaward problems are the most common federal finding. A March 2025 GAO report analysing 3,680 single audit findings from 2022 to 2024 found 36% involved incomplete subaward reporting, and in nearly half of cases recipients lacked internal controls for basic subaward oversight, such as no risk assessments or unreviewed audit reports.
Keep the record continuous rather than annual. A single place holding every vendor and subrecipient, their vetting and monitoring status, and the contracts and obligations tied to them, kept current as things change, turns preparation into a search. Gatekeeper's AI agents automate the collecting and chasing on the vendor and contract side; the team keeps the decisions.