INTERNAL CONTROLS
Internal Controls – The Basics
Internal controls are an absolute necessity for every nonprofit, no matter the size. Every nonprofit tailors their controls to their needs, so I will confine myself here to basic principles that any nonprofit can follow.
What are Internal Controls and Why Do We Need Them?
Internal controls are procedures agreed upon by management and board that protect the organization from fraud and mismanagement.
The budgeting process goes hand in hand with internal controls. Let’s imagine a $50,000 nonprofit called Feline Felicity (FF) that collects and cares for stray cats. FF has two employees—a part-time executive director and a part-time assistant—and five board members. Suppose FF has no budget and no financial management policies. Is it ok for the employees or board members to make purchases whenever they feel that an expense is warranted? FF might argue that the management and board are committed to the cause; why do they need to put their good intentions in writing?
My answer is that every nonprofit of every size and shape needs written policies working alongside a budget to maximize efficiency while guarding against fraud from both within and without.
FF may think they are exempt from risk of fraud, but I say: Think again! Whether you have two staff and five board members or a hundred staff and twenty-five board members, there is always a nonzero risk of your assets being stolen. No one is exempt from the risk of fraud and without a budget and written policies not only does your risk increase, but there is little chance of detecting it should it occur.
The Budget is a Powerful Internal Control
The budget provides a means to monitor management’s use of assets.
As we know, a budget is a twelve-month plan for raising and spending money in accordance with the mission. The budget is a powerful control because the board of directors participates in its creation and votes to accept and abide by it for the next year. Every expense that makes up the budget is automatically approved when the board votes to accept it. So, if FF’s ED decides to purchase one hundred pounds of kitty litter, it’s in the budget so, no problem.
Board members expect to see regular financial statements that show a comparison between budget and actual expenses and revenues. If FF’s ED attends a conference that was not in the budget the expense will show as a departure from the budget on the budget-to-actual income statement. Likewise, if the ED’s large purchase of kitty litter overspends the budget, that will also be visible in the financial report. As another example, if revenues from a fundraiser are considerably lower than budget, the board should require an explanation and perhaps investigate further if they think it necessary.
The Accounting Policy Manual
The purpose of the policy manual is to ensure that management and board agree on, and will abide by the policies that will guide normal operations. The policy manual might be a hundred pages or one page, depending on the size of the organization.
The most basic internal control policies deal with how, when, and by whom expenditures will be made as well as with how money coming in will be handled and tracked. The policies strive to dramatically reduce the opportunity for fraud to occur.
Segregation of Duties
The most universal principle of internal controls is segregation of duties. The goal is to spread the various steps in recurring business office operations across multiple people so that any individual who might be tempted to steal would have difficulty covering their tracks.
Fraud experts talk about the “fraud triangle” with its three sides being opportunity, motivation, and rationalization, If the bookkeeper performs the tasks of writing checks, signing checks, making all the deposits, and entering all transactions in the general ledger they have virtually unlimited opportunity to steal. If that person is experiencing personal financial pressure and feels some dissatisfaction with their treatment by management, the triangle is complete.
The smallest of organizations have difficulty segregating duties. In a case where the treasurer is performing all of the tasks, the best control I know of is to give read-only access to the bank accounts to another officer of the board who can periodically view every deposit and withdrawal.
Another way to add some segregation for very small nonprofits is to establish an approval threshold for unbudgeted expenses. For example, with a budget of $50,000, FF’s policy might stipulate that board approval is required for unbudgeted purchases over $250. Going back to our earlier example, if the cost of the unbudgeted conference was $500, the board would have been required to approve the expense before the ED attended the conference. The variance would show up on the budget-to-actual income statements and would be easily explained if the policy was followed.
Now let’s change up our example and give FF a budget of $300,000 with four employees—the ED, the ED’s assistant, the bookkeeper and a finance assistant. With two people in the business office the bookkeeper can write checks, the ED can sign checks and the finance assistant can reconcile the bank statement. The finance assistant can be responsible for making deposits at the bank and the bookkeeper can be responsible for making entries in the general ledger. At fundraising events any two of the four employees can count the cash and sign off on the count sheets. This scenario provides adequate segregation of duties.
Other Controls
Here are controls that nonprofits of any size are advised to use. (endnote)
- Reconcile the bank account promptly each month. Bank recs turn up fraud and assure that your books are in order.
- Do not use outdoor post office boxes to mail checks. (Believe it or not, there is a market out there for keys to these boxes.)
- Stamp all checks “for deposit only” as soon as they are received.
- Keep cash and checks in a locked safe.
- Take money to the bank as soon as possible—within 24 hours of receipt if possible.
- Reconcile the petty cash box regularly: Make sure the petty cash withdrawals are documented with receipts and the balance in the box agrees to the beginning balance minus the amounts withdrawn.
- Require receipts for all credit card purchases. Do not compromise on this!
- Limit GL entry access as much as possible; give read-only access to others as needed.
- Require time sheets to be completed and signed before each payroll is processed. If the employee has a supervisor, require written approval of the employee’s hours worked.
- Have a second party review all checks written. This might be the ED when there are employees, or an officer of the board (who has on-line banking access) when there are no employees.
Adhering to Internal Control Policies
A nonprofit may sincerely devote itself to developing policies but then forget about them once the manual has been neatly typed and bound.
One way to ensure the policies are followed is to keep them simple and straightforward. Choose procedures that are efficient and don’t waste people’s time. For example, allow invoice approvals by email rather than a physical signature. Or allow scanned credit card receipts in place of originals. Or consider using remote deposit for incoming checks to save trips to the bank. (If you choose this option be sure to talk to the bank about including end-to-end encryption to protect donor privacy.)
But the all-important key to effective internal controls is management’s demonstrated respect for the policies. The organization’s leadership sets the tone for the control environment. It should be understood that policies are followed all the time. The board president seeks approval before making a purchase if they expect reimbursement. The ED submits receipts for all credit card purchases. The bookkeeper submits a time sheet before paying themself. Financial matters are discussed regularly at board meetings, including financial statements presented according to a preset schedule. Financial statements always compare budget to actual and they are sent out in advance so that board members have time to review them.
Guarding Against Outside Fraud
Unauthorized withdrawals and counterfeit checks are an ever-increasing menace in our world. You absolutely cannot be careful enough. I know from experience that bank fraud happens and you cannot depend on the bank to prevent it unless you work with them to put safeguards in place.
During my tenure as CFO of a larger organization we worked closely with the bank to set up and maintain systems to protect our money. We used the bank’s products that served to reject unauthorized withdrawals and to reject counterfeit checks. Both of these systems required time and effort and came with monthly fees.
If you only make a few disbursements per month you can probably protect yourself by going on-line regularly to look for suspicious activity. Nonetheless, I strongly recommend that you meet with your bank representative to identify the dangers you face and the options for preventive measures. The threat of fraud is increasing every day. The bank will gladly partner with you to protect your assets.
In Sum: Safeguarding Your Assets is a Shared Responsibility
I worked with more than one ED who let me know that my job was to “keep me out of jail.” This is a powerful incentive to maintain a strong internal control system. (Staying out of the newspaper is another.) But aside from the worry about public disgrace (and worse), a nonprofit stays strong and healthy with a culture of shared concern for protecting hard-won assets and maximizing their value in pursuit of the mission.
Endnote
An excellent resource for internal controls for a small nonprofit can be found here: