Auditing NGO Projects: The PRINCE2 and COSO Way

Introduction

In the NGO sector, where accountability is critical and resources are limited, project auditing steers donor confidence, regulatory compliance and impactful outcomes of projects. Two globally accepted frameworks, COSO (Committee of Sponsoring Organizations of the Treadway Commission) and PRINCE2 (Projects IN Controlled Environments) methodologies provide a strong foundation for auditing and tracking these projects.

Objective

The NGO Coordination Board (now transitioning to the Public Benefit Organisations Regulatory Authority) in 2023 reported financial irregularities costing NGOs in Kenya over Ksh 2 billion, a staggering loss that significantly eroded donor trust. This spotlighted the importance of regular internal audits and public access to NGO financial reports, as outlined in its findings, to prevent the concealment of irregularities and to align Kenyan practices with global standards for nonprofit governance. The Public Benefit Organisations Act of 2013 (operationalized in 2024) further reinforces this by mandating high levels of accountability for Kenyan NGOs, ensuring transparency and accountability in their operations.

This legislative move in 2024 is already evident in PBORA’s Kenya Gazette notice in November 2024, listing the deregistration of 2,802 non-compliant NGOs, indicating a strong commitment to purging organizations failing to meet these governance standards. 
PRINCE2 and COSO frameworks offer a dual lens to address these challenges, blending structured project management with robust internal controls.
 

The foundation of project auditing

PRINCE2, a project management methodology, is built on seven principles and themes that emphasize structure, flexibility and effective governance of projects. It equips auditors with a structured approach to assess project governance, risk management and compliance, ensuring alignment with organizational goals and objectives.

Complementing PRINCE2, the COSO framework strengthens internal controls through its five components: control environment, risk assessment, control activities, information and communication and monitoring activities. Specifically, its risk assessment and monitoring components improves project auditing by providing detailed mechanisms for identifying, evaluating and mitigating risks, creating an integrated approach that unifies both frameworks.
 

Cheat sheet: Key pointers for auditing projects

Six key mapped themes critical for auditing NGOs aligned with the PRINCE2 and COSO include:

Focus 1: Validating the business case

Assessing the business case is the audit starting point, ensuring the project aligns with the NGO’s mission and donor agreement objectives. 
Focus pointers include: 

• Is the project’s purpose and benefits clearly defined?
• Do outlined outcomes meet donor expectations? 

This step prevents fund misallocation by safeguarding resources for intended impact. According to the 2024 NGO sector report,78% of Kenyan NGOs saw increased funding when their objectives were well-defined.
 

Focus 2: Assessing governance structure

Guided by PRINCE2’s organizational theme, project roles and reporting lines are assessed, with focus pointers:

• Are reporting lines transparent?
• Are conflicts of interest, common where staff juggle multiple roles, identified?

In NGOs, where staff often wear many hats, this review is essential to ensure adequate maker-checker controls are in place. This is particularly critical in sections such as financial management, procurement, and asset management.  

Focus 3: Evaluating risk management

The risk theme examines the project’s risk register effectiveness to ensure potential risks like funding volatility are identified and mitigated. Incorporating this enables auditors to assess whether the organisation’s risk responses are proactive and effective. COSO’s risk assessment (principle 6 and 9) additionally provides a structured approach to quantify financial and operational risks, such as procurement fraud which would further streamline project auditing. This rigorous evaluation ensures that the risk management strategies are proactive rather than reactive.

Focus 4: Reviewing quality and deliverables

Incorporating the quality and plans themes, auditors should examine that project outputs while answering pertinent questions:

• Do deliverables meet predefined timelines and donor criteria?
• Are milestones aligned with objectives?
• Are quality standards upheld? 

This thorough review ensures quality results and in turn enhances donor confidence.

Focus 5: Tracking progress and reporting

Applying the progress theme, auditors should examine milestones and project stages ensuring that stage plans are followed and exceptions are addressed promptly. COSO’s information and communication component (principle 13) ensures that progress reports are accurate and shared with stakeholders per donor agreements. In turn, this enables auditors to gain clear visibility into project progress, enabling precise identification of deviations and timely recommendations.

Focus 6: Monitoring stage boundaries and lessons learned

Managing stage boundaries process requires regular reviews at key project junctures to assess performance and adjust plans. Auditor reviews confirm that these checks occur and that lessons learned are documented for future projects. COSO’s monitoring activities (principles 16 and 17) further reinforces this by ensuring ongoing control evaluations at each project juncture. Documented lessons help improve future project efficiency enabling adaptive planning in future projects.

Why this matters for NGOs and internal auditors

For NGOs, PRINCE2 is the cornerstone of effective project auditing, providing a structured approach to ensure projects are delivered efficiently and aligned with project goals. COSO enhances this by strengthening both the financial and operational controls. Together, they empower auditors to tackle high-risk areas such as fraud, regulatory pressures and donor expectations transforming NGO audits from a compliance burden to a driver of enhanced transparency, accountability and greater tangible impact. 

Leveraging on internal audit adds significant value to NGOs by enhancing oversight further ensuring resources are used effectively and risks are proactively managed. By embedding these tools into their processes, internal auditors not only safeguard donor funds but also empower NGOs as a strategic partner, proving that every shilling delivers lasting change in Kenya’s resource constrained environment.
  

Caveat

This publication has been prepared by RSM (Eastern Africa) Consulting Ltd, and the views are those of the firm, independent of its directors, employees and associates. This publication is for general guidance, and does not constitute professional advice. Accordingly, RSM (Eastern Africa) Consulting Ltd, its directors, employees, associates and its agents accept no liability for the consequences of anyone acting, or refraining from acting, in reliance on the information contained herein or for any decision based on it. No part of the newsletter may be reproduced or published without prior written consent. RSM (Eastern Africa) Consulting Ltd is a member firm of RSM, a worldwide network of accounting and consulting firms. RSM does not offer professional services in its own name and each member firm of RSM is a legally separate and independent national firm.