Internal Controls: Make Your List and Check It Twice

Not-for-profits that don't exercise constant vigilance in adhering to internal controls open the door for fraud. Unfortunately, weak economic conditions have only increased the likelihood of occupational theft, making risk control measures more important than ever. You can keep such measures top of mind by regularly reviewing and updating your organization's internal controls and concentrating your energies on the biggest risks.

Narrowing your focus

A detailed internal controls list potentially contains hundreds of items related to everything from governance to financial statements to payroll to information technology. If your not-for-profit has never drafted such a list, talk to your financial advisors about doing so. Most not-for-profits, however, engage in far fewer risky activities and should, therefore, focus on a smaller group of controls. For example, a startup that's putting donations to work as quickly as they come through the door probably doesn't need to worry about investment and property management policies, at least not yet. But such a not-for-profit would benefit from implementing policies and procedures regarding cash receipts and disbursements.

These include segregating duties (so that, for example, the same staffer who accepts donations doesn't also record or deposit them), requiring dual signatures on checks, performing monthly bank reconciliations, and having those reconciliations reviewed on a timely basis by someone in an oversight position. In addition, someone in an oversight position not involved in accounting transactions could review the bank statement monthly, or periodically online.

Foxes watching the henhouse

Even the best internal controls can't protect your not-for-profit from fraud if managers override them. Although auditors review internal controls, audits aren't designed to catch management overrides. So it's a good idea to ask a fraud expert to observe how well your organization is adhering to controls and to identify any potential risks. But your best line of defense may be your board of directors.

Your board can help prevent management-perpetrated fraud by:     

  • Overseeing annual audits,     

  • Ensuring that material weaknesses identified by auditors are addressed,     

  • Regularly reviewing financial statements,     

  • Periodically reviewing bank reconciliations and/or bank statements, and   

  • Signing off on completed IRS forms.

It might also stipulate additional policies, such as requiring the approval of at least one board member on the rare occasion a manager needs to override controls. Your board also should look for signs that managers aren't following internal control policies to the letter, for example, failing to report risks and actual management overrides in a timely manner. Sloppy accounting and reporting errors and disputes with auditors and outside advisors are possible signs that a manager may be committing fraud.

Review and reassess

You and your staffers probably have a lot on your plates, so it's understandable if internal controls occasionally get lax. Remedy such lapses as quickly as possible by reviewing with employees and managers alike the policies designed to control fraud.

Matt Shroyer

Director
Matt’s primary area of expertise is providing audit and consultation services to not-for-profit (NFP) organizations, including Single Audits for recipients of federal awards, and entities in the affordable housing industry, including HUD audits.