Audit-Ready NGOs: Preparing for Donor & Statutory Audits
Audit-ready is a system state, not a season — the evidence auditors actually request, the findings that repeat across the sector, and a 90-day preparation plan.
There are two kinds of NGOs in audit week: those retrieving documents and those reconstructing them. The difference is not diligence — both teams work hard. It is whether evidence was captured when transactions happened or assembled after the fact. Audit readiness is a property of your daily system, and it is decided months before the auditors arrive.
Know your audits
| Audit | Who requires it | What it examines |
|---|---|---|
| Statutory audit | NGO Coordination Board / Registrar, annually | Financial statements, statutory compliance, going concern |
| Donor / project audit | Individual grant agreements | That grant's spending vs budget, procurement, assets, deliverables |
| Systems / institutional audit | Large donors before or during funding | Your policies, controls, and whether you follow them |
| Statutory returns review | KRA, NSSF, SHIF | PAYE, withholding, levy filings vs payroll reality |
A donor audit is narrower but deeper than the statutory one: expect sampled transactions traced end-to-end — requisition to approval to quotes to PO to delivery to invoice to payment. One complete chain answers in minutes; one broken chain becomes a finding plus a deeper sample.
The findings that repeat across the sector
- Procurement procedures not followed — the perennial #1; see procurement challenges in NGOs.
- Unliquidated advances — field advances aging past policy deadlines with no follow-up trail.
- Unsupported expenditure — payments whose receipts, attendance sheets, or activity reports cannot be produced.
- Co-mingled funds — restricted money covering core costs; see restricted vs unrestricted funds.
- Asset register gaps — equipment that cannot be located or lacks grant attribution.
- Payroll vs statutory mismatches — PAYE/NSSF/SHIF filings that disagree with the payroll ledger.
The 90-day readiness plan
Days 1–30: find the gaps yourself
- Pull five random transactions per active grant and trace each end-to-end. Every missing document is a finding you just prevented.
- Age all open advances; chase everything past deadline.
- Reconcile the asset register against a physical spot check of one office.
Days 31–60: close them
- Collect missing support while memories are fresh — a signed memo explaining a gap now beats silence in audit week.
- Post shared-cost allocations consistently back through the year.
- Match statutory filings to payroll month by month; correct differences before KRA finds them.
Days 61–90: institutionalize
- Move the trace test into month-end routine — two transactions per grant, every month, forever.
- Give auditors read-only system access scoped to their grant; screen-time beats photocopies.
- Brief staff: answer what is asked, retrieve rather than narrate, and never guess.
Management responses matter
A finding with a concrete management response and a completed corrective action reads as institutional strength. The same finding repeated two years running — previously reported, unresolved — is what erodes donor confidence fastest.
Every item in this plan gets cheaper when the paper trail assembles itself. That is the practical case for an ERP built for NGO governance — evidence captured at transaction time, retrievable at audit time.
Be the retrieve team, not the reconstruct team
AWRA OpsHub keeps requisitions, approvals, quotes, deliveries, and payments in one traceable chain per transaction.
See AWRA for NGOsFrequently asked questions
How long should we retain financial records?
Kenyan law generally requires seven years for accounting records; donor agreements often specify five to ten years after grant closure. Apply the longest applicable period per grant, and store scans systematically — paper fades faster than retention periods.
Can auditors demand access to our accounting system?
Donor audit clauses typically grant access to records in whatever form they exist, including systems. Scoped read-only access is safer and faster than exports — auditors see the trail themselves without touching live data.
What if we simply cannot find a supporting document?
Say so, in writing, with what you did to search and any secondary evidence (bank records, delivery confirmation, activity photos). A documented gap with a corrective action reads far better than a suspiciously perfect file produced late.
Are small NGOs audited less strictly?
The sample is smaller; the standard is not. A KES 5 million grant gets the same end-to-end tracing as a KES 500 million one — smaller organizations just have fewer transactions to keep clean, which is an advantage if the system is right.