The Importance of Internal Controls for Not-for-Profits
Fraud can happen to any organization regardless of size and industry – and while many have developed and implemented safeguards to discourage fraud and help ensure any harmful activity is uncovered quickly, the unfortunate reality we face is that many others remain at risk. This may be especially true in the non-profit space where budget and available resources are often a challenge. And that means these organizations may be at a higher risk for fraud, with potential exposure to asset misappropriation, bribery, fund diversion, and financial statement fraud vastly increased.
Enter internal controls
Still, even smaller organizations are not helpless. In fact, a thorough review of internal controls can help to level the playing field. Controls such as segregation of duties, dual signatures on checks, reviewing vendor transactions, and internal audits offer important protection.
What are internal controls?
You can think about internal controls as a checks and balances system for operations and how the organization’s business and financial processes are managed. Internal controls document processes and practices that keep the organization running smoothly, including what roles are responsible for which processes, and when and how each is performed. Staff, board members, and some external vendors and partners all operate at some level under these controls.
An organization may already have some internal controls in place, without having officially declared them. For example, making sure drawers that hold sensitive financial information are secured, the door to the office is locked when no one is working, and requiring two-factor authentication on computers can all be listed as internal controls.
Why are internal controls important?
Every internal control a non-profit establishes offers additional security for the organization. Financial management best practices can secure internal assets, protect key stakeholders, and build internal and external trust.
If donors are concerned contributions could be in jeopardy, or that they’re being used incorrectly, they might not be open to giving in the future. Misappropriation of funds or theft could rupture a relationship with the community and make it more challenging to complete established projects or to continue offering services and fulfilling their mission.
Key considerations for internal controls
The internal controls a non-profit organization employs will depend on the structure, how financial information is stored and shared, and how funds move through the organization. A review of common controls includes:
Dual Signature Requirement: When checks are issued above a specified amount, two people are required to sign when the dual signature requirement is in place. This ensures that checks for large amounts are issued appropriately and that interested parties are aware.
Alternative Payment Methods: Depending on comfort level and technology used, a non-profit organization may want to shift payment methods to check alternatives, such as ACH transfer or a company credit card. For ACHs, dual authorization – where one person initiates the payment and a second person approves the payment – is an important internal control in preventing both internal and external fraud. Additional controls can be added to cards where only pre-approved amounts may be paid to pre-approved vendors.
Bank Statement Review: Appointing someone who does not manage financial activities on a day-to-day basis to regularly review bank statements can provide a more objective overview and also raise any questions about various transactions and activities, including any unusual activity.
Secure Devices: Access to financial data can also be protected in the digital realm. Requiring all employees to log in to work computers and other devices using multi-factor authentication is a highly effective way to protect your data – and your organization.
Employee Reimbursement: Non-profit spending is more likely to be planned than spontaneous, but some unplanned expenses may be unavoidable. Having a clear, documented policy on employee reimbursement and ensuring everyone in the organization knows it is an important internal control for managing costs.
Segregation of Duties: The more financial tasks can be split up in the organization, the better. For example, if one person prepares payroll, a second person should distribute it. If one person documents the checks going out, another should be responsible for reviewing bank statements.
Conducting Internal Audits: A surprise internal audit can catch any abnormal activity happening with cash flow and checks in the organization. It’s important to keep this as a surprise so there’s no opportunity for reports to be altered prior to the audit.
Background Checks: It’s a best practice to have any employee handling the organization’s finances undergo a background check – and for highly sensitive roles, you could consider conducting periodic checks throughout the employee’s tenure.
Vendor Transactions: One common and unfortunate way fraud can infiltrate an organization is through fake vendors – so assigning an objective person to regularly review vendor transactions can help quickly identify any suspicious activity. Establishing and implementing procedures for changing vendor payment information is key in preventing fraud if a vendor’s email system has been hacked or a phishing email appears to be from someone internally approving a payment.
Timesheet Approval: If one person is responsible for approving all timesheets but isn’t familiar with the scope of work of each employee, approvals of incorrect timesheets can slip through the cracks. Having a person who’s familiar with the nature of the work approve the reported time can be an important protection.
Formal Policy: Finally, documenting all the internal controls used above into a written policy keeps things clear and concise. If there is a question of how something is done, the answer should be found in the policy. This documentation can also include rules for vendors (how they need to write invoices), employees (how to seek expense reimbursement), and how to document financial activity (what amounts require a receipt), for example. It’s also important to revisit and update on an annual basis.
Ongoing Employee Training: During the pandemic, there was a large uptick in external fraud attempts targeting organizations, including non-profits. To fend off these increasingly sophisticated attacks, training employees on how to recognize fraudulent activity and phishing attempts. Security training upon hiring a new employee, with an annual update and refresher course, is a crucial line of defense in protecting your organization. (Barnes Dennig recommends KnowBe4 security training).
Internal controls – from the field
The Barnes Dennig non-profit team was conducting an audit of a growing organization that was moving from a smaller firm to Barnes Dennig – a full-service provider. During the process, it became clear the prior audit did not review information at the depth the organization needed. After a careful review, the Barnes Dennig team was able to recommend internal controls, as well as process changes to enhance security and ensure transactions and duties are properly segregated.
A challenge many smaller non-profits face is having a small accounting team, which makes it difficult to segregate duties appropriately. Prioritizing internal controls or potentially engaging other members of the operations team can relieve some of that burden while still enabling the organization to protect itself, its assets, and its community.
Talk to an internal controls pro
Effective internal controls are an essential tool to help non-profits guard against unwanted activities. While the set of solutions varies by organization, ensuring robust internal controls can go a long way to protect against damaging activities. Want to learn more about internal controls or have a question about how to implement them? Contact us – we’re here to help.
If you’re looking for a little inspiration, watch a few episodes of our Thrive – Non-Profit Success Stories video series – or catch up on the 2022 Outreach Day, where we close our doors and send our entire team out into the community for a day of giving back.