An operational audit identifies efficiency gains and compliance improvements across key areas of your project or organization. This may include areas like governance, finance, systems, fundraising, and HR. Having run several ops audits, we’d like to share our thoughts on the importance of the process, what it looks like step-by-step, common issues we identify, and specific solutions we’ve proposed.
The importance of an ops audit
The importance of an ops audit varies according to the maturity of the project or organization being audited. Projects that are scrambling to register themselves as legal entities and/or build foundational infrastructure will benefit less from an ops audit. That’s because there’s not much to review!
The benefits of an audit become more tangible for organizations in their first year or two of operation. At this stage, an organization has likely developed some policies and procedures relating to governance, compliance, finance, systems, and HR. So, we’ll typically have plenty of material to review, including the organization’s:
- risk register (identifying risks facing the project, ranked by likelihood vs. magnitude)
- policy register (including key policies like data protection and privacy, website terms of use, conflicts of interest, financial controls, investment and reserves, grievance, harassment, and whistleblowing)
- internal procedures (for onboarding, running payroll, submitting expenses, etc.)
- budget and accounting system
- fundraising strategy (including its case for support and donor management system)
- employee handbook and HR system
- employment contract, contractor and volunteer agreement, and NDA templates
- knowledge management system and wiki
- applicant tracking system
- data map and software database
Early-stage organizations may not have fleshed-out versions for each of these resources, which gives us a chance to shape them in a compliant and efficient manner.
Mature organizations, on the other hand, will likely have a more robust (and entrenched) set of operational resources. Mature organizations can also benefit hugely from an ops audit. At this stage, it’ll be less about creating and shaping policies and procedures — and more about identifying inefficiencies and “bad habits” that may be holding back the project from reaching its full potential.
What does an ops audit involve?
- Review: We begin the process by requesting some key organizational resources, like your budgets, policies, and procedures. We review these ahead of our kick-off meeting, so that we can ask precise questions based on what we’ve learned about your project’s setup.
- Exploratory calls: We arrange a kick-off meeting, which focuses on compliance and governance. We typically arrange two further meetings to discuss finance, systems, HR, and any other project-specific activities — like grantmaking or applicant tracking.
- Audit report: Once we’ve got a clear picture of how your project works, we produce an audit report and share it within 1-2 weeks. The report highlights efficiency and compliance improvements across the project, and recommendations for implementing these. We identify high-risk areas and give each recommendation a priority score. Finally, we meet to discuss the recommendations and determine whether you’d like our support with implementation.
Common issues & solutions
So, what sort of issues do we encounter when conducting an operational audit? The most common issues fall into three buckets:
Risk management
Issues we identify
Risk awareness and mitigation strategies may not be documented thoroughly, if at all.
Solutions we propose
We typically recommend that organizations conduct a risk assessment exercise and create a risk register. We provide templates for the exercise and risk register.
A risk assessment exercise itself tends to prompt you to consider risk more thoroughly. For example, if you notice that your risks largely relate to one category (e.g. fundraising), you’re more likely to consider alternative categories (e.g. turnover) when using the template.
A risk register improves the project’s governance — board members will have more oversight and find it easier to propose solutions if they have a robust risk register to consult.
Data management
Issues we identify
Data maps showing the inflow, processing, and outflow of data may be missing. Active software subscriptions and user access levels may be undocumented.
Solutions we propose
We often recommend that organizations develop a “data map” and accompanying software database. We provide templates for the map and database, and help the team complete them as needed.
A data map shows how personal data is collected, stored, processed, and deleted. Personal data includes data relating to staff, applicants, donors, grantees, website users, service providers, and more. It’s a useful first step in building an accurate and comprehensive privacy policy (which is effectively a prose version of the data map). It’s also the first line of defence should the organization come under scrutiny for a data leak — if you can show that you are treating data with caution, authorities are less likely to penalize the organization for negligence.
This can be complemented with a centralized database of services/apps and their corresponding controls and permissions. Such a database might include two-factor authentication enforcement, a list of users, a list of admins, whether or not the service provider is considered a data processor under GDPR, and more. This makes it easier to identify gaps in cybersecurity coverage, remove legacy permissions, and ensure compliance with data protection regulations.
Capacity management
Issues we identify
Business-critical procedures may be known and understood by only one team member. Administrative tasks may be improperly delegated.
Solutions we propose
We may recommend a “bus-proofing” exercise, and the delegation of administrative tasks away from senior staff to free up their time. We provide a template for the exercise and help the team complete it as needed.
A “bus-proofing” exercise is a way to protect your organization against unexpected absence from team members handling critical business functions. The exercise maps out key workflows and identifies back-up plans. Workflows differ from policies in that they focus on simple, step-by-step instructions for completing a task — and can be immediately understood and actioned by someone otherwise unfamiliar with the topic or task.
As for delegation, we sometimes discover that directors and other senior staff are responsible for tasks like bookkeeping and/or taking minutes in board meetings. These are often not optimal uses of time for a senior member of staff — who may recognize this only when prompted from an outside perspective!
That said, our audits span the whole operational stack — so we identify and make recommendations across many more areas of the business. Our last audit report included over 40 recommendations, ordered by risk rating and including the expected number of hours each would take to implement — whether by us or by the audited organization itself.
Getting support
At Impact Ops, we’ve helped several organizations conduct operational audits. We’re really proud of the feedback we’ve received so far.
“The audit report will be invaluable to [our leadership team] going forward and is overall, exactly what I was hoping for.”
– Michael Page, Former CEO of the Forecasting Research Institute
“10/10”
– Beatrice Erkers, COO of the Foresight Institute
Our mission at Impact Ops is to enable high-impact projects to grow and thrive. As part of this mission, we’re excited about helping teams identify and implement operational efficiencies in their projects, so they can spend more time on their mission, strategy, and execution.
If you’d like support running an operational audit, please get in touch at hello@impact-ops.org.