Develop an Internal Control Program
Internal controls are not a subject that nonprofits can ignore. With an internal control system, you are not just protecting your assets, you are protecting your public image and reputation. Organizations that are tax exempt are often held to a higher code of ethics and, thus, are hurt more when fraud has been committed.
Your organization is just as susceptible to fraud as a for-profit business, and your workers are just as human as any others. They are exposed to the same temptations and life changes that could tempt them to be dishonest. Even though you trust your employees, it is your responsibility to create an anti-fraud atmosphere and have a system that will detect financial inconsistencies.
What Are Internal Controls?
The American Institute of Certified Public Accountants (AICPA) defines internal control as “a process -- effected by an entity’s board of directors, management and other personnel -- designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Reliability of financial reporting,
- Effectiveness and efficiency of operations, and
- Compliance with applicable laws and regulations.”
The Latest Guidelines
While you might count on your auditor to stop fraud in your organization, management holds the responsibility for deterring and detecting theft. Independent auditors are responsible for examining your financial statements for inconsistencies, but they are not ultimately responsible for instituting internal controls that deter and detect fraud.
The AICPA recently gave new guidance in this area in Statement on Auditing Standards (SAS) No. 82, “Consideration of Fraud in a Financial Statement Audit.” SAS No. 82 explains the independent auditor’s role in fraud detection. The standard takes effect for periods ending on or after Dec. 15, 1997, and supersedes previous audit guidance in SAS No. 53. Specifically, SAS No. 82:
- Describes fraud and its characteristics,
- Requires the independent auditor to assess the risk of the financial statements being materially misstated due to fraud,
- Provides categories of fraud risk factors for the auditor’s consideration,
- Provides technical guidance to the auditor relating to assessment and documentation of the fraud risk in an audit, and
- Provides guidance regarding the auditor’s communication about fraud to management, the audit committee and others.
While SAS No. 82 explains the auditor’s responsibilities, it also says that managers are still responsible for preventing and detecting fraud.
The Elements of Internal Controls
The management of your nonprofit is therefore responsible for adopting sound accounting policies and establishing and monitoring internal control systems. Six elements comprise internal controls:
- The control environment. This sets the tone of how an organization influences the control consciousness of its employees. It is the foundation of internal controls, providing discipline and structure.
- Risk assessment. This is the entity’s identification and analysis of relevant risks, forming a basis for how the risks should be managed.
- Control activities. These are the policies and procedures which help ensure that management directives are carried out.
- Information and communication. These are the identification, capture and exchange of information that enable employees to carry out their responsibilities.
- Monitoring. This is a process that assesses the quality of internal control performance over time. Monitoring helps management ensure that established control activities are being carried out and that they are both sufficient and efficient.
- Segregation of duties. This ensures that the activities of one employee are checked through the normal activities of another employee.
Steps to Security
Here are some practical steps you can take to develop your internal control program.
Step 1: Set an authorization and approval policy. Clearly define in written policy who has the authority to make what decisions. By requiring board approval on key decisions, you reduce the chance of risky activities or transactions and make sure that management is adopting sound accounting practices. Board members should also receive periodic financial reports and review them for trouble signs.
In many instances, the primary control over a particular transaction is a department head’s signature. Train department heads to review everything that they sign or authorize. Also, make sure any signature stamps are properly safeguarded and controlled.
Step 2: Regularly review expenditures and constantly review actual results compared with the budget. Prepare an annual budget in sufficient detail to establish these expense guidelines. Institute accounting procedures under which expenses are recorded and allocated to general ledger accounts in the same fashion they were budgeted.
One of the best fraud deterrents is timely monthly financial reporting (within 15 days of month end). The monthly report should compare actual results-to-date with:
- Budgeted amounts-to-date for the current year, and
- Actual results-to-date for the prior year, with explanation of any significant deviations. The report should be reviewed by board members and other individuals who are completely independent of those producing it. Any questions and concerns should be resolved promptly.
Step 3: Segregate duties. Segregating duties will reduce the opportunity for someone to be in a position to both steal and hide the irregularities in the normal course duties. Assign different people the responsibilities of authorizing transactions, recording transactions and maintaining custody of assets.
In the area of disbursements, for example, make different employees responsible for ordering the goods and services, recording the transactions in the accounting records, signing the checks and reconciling the monthly bank statements.
Step 4: Require employees and board members to sign conflict of interest and ethics statements. Many nonprofits have a conflict of interest policy or ethics statement in place. These policies or statements call for employees and officers to disclose any interests they may have in companies doing business with the organization.
For example, a nonprofit could run into trouble by obtaining consulting services from a board member or board member’s relative on less attractive terms than could have been obtained on the open market.
Any contracts entered into with the related parties must be reviewed and approved by board members and officers not involved in the transactions.
Step 5: Avoid misappropriation of cash receipts. A typical control in this area is using a bank lock box service to process receipts. If a lock box is not used, assign someone unrelated to the accounting process to open the mail, restrictively endorse all incoming checks and prepare a list of the checks received, which is then compared with deposits made.
When a nonprofit receives numerous cash receipts (such as registration fees at an event or Sunday collections at a church), have several individuals handle and count the cash receipts and certify the total.
Step 6: Review and reconcile bank statements. A critical component of any internal control system is prompt review and reconciliation of all bank statements and correspondence. This will highlight any unusual cash disbursements or evidence of check fraud. Unopened bank statements and correspondence should be sent to someone unrelated to the accounting function to allow an extra set of eyes to review these critical documents.
Step 7: Increase computer security. As more information is processed and stored on computers, it is more likely that information will be accessed and used inappropriately. The primary tool for computer security is the password system.
Make Your Program Work
When you have devised your program take these steps to make it effective.
Step 1: Write it down. It is important that your policies are documented in a manual and that all involved employees are familiar with it. This will make for easy reference and will also be a useful training tool. As you make changes, update the manual.
Step 2: Use a top down approach. One of the key components of internal control is that it is effected by management. Management, including department heads, defines and communicates to employees what is and isn’t allowed both through the establishment of policy and procedure, and by example.
For instance, employees will be more receptive to drug testing if executives and administrators are the first to be tested. Similarly, if administrators make a habit of running personal errands while driving the department’s car, employees will learn that using the the organization’s resources for personal gain is acceptable.
Step 9: Train your department heads. Your auditor may be able to provide assistance by showing your managers how to establish and monitor internal control activities and investigate potential fraud.
Orientation sessions for new department heads can be the the first step in making them aware of their responsibilities. Teach them how to use the reports they receive, such as budget variance reports. Develop an internal control self-assessment checklist for use throughout the organization and provide it to new department heads. Be sure to update it periodically.
Teach department heads to identify possible indicators of employee dishonesty or fraud. Provide them with the tools and authority to follow up on any suspicions without jeopardizing their own careers.
Step 10: Question unusual activities. These might include trends or anomalies suggested by a particular financial report. They might include employee behavior, such as an employee who never takes a vacation, suddenly offers to take work home, stay late consistently, or who seems to be processing a lot of emergency transactions that circumvent normal controls. Department heads should also be encouraged to check out anonymous tips.
All fraud is perpetrated by someone we trust -- that’s how the person gets the opportunity. Although you must trust your employees, don’t tempt them. An employee’s perception of fraud changes as opportunity (such as lack of internal controls), motivation (like an ill family member) and attitude (such as when an employee doesn’t think a “fair raise” has been granted) change.
Establishing adequate internal control procedures is the number one deterrent to internal fraud and embezzlement. If you haven’t given enough thought to your organization’s internal controls, you may be sorry in the end.
Give the skilled nonprofit auditors at Dugan & Lopatka, CPAs a call at (630) 665-4440.