Creating and maintaining a strong internal control system is one of the most important steps that nonprofit organizations (“NPO”) and charitable organizations can take to mitigate risk, safeguard assets, and improve financial reporting.
This is especially important in the nonprofit sector because:
- there is a greater atmosphere of trust,
- revenues from donations are often cash-based,
- they are tax-exempt entities,
- there is a heavy reliance on volunteers who may not have business or financial expertise.
If you are a director or manage the operations of an NPO you should regularly be conducting risk assessments and evaluating the systems of internal controls that are in place in your organization.
What is Internal Control?
Internal controls are the processes that have been put in place by an organization to ensure the integrity of the financial information and to prevent fraud. A good internal control system should have two different types of control activities: preventative and detective.
Preventative controls aim to deter errors or fraud from happening in the first place. Detective controls aim to identify and correct errors or fraud after they have already occurred.
This can be illustrated with an example of controls to prevent the theft of cash. A preventative control would be to lock that cash in a safe, change the password regularly, and have only a few select people know the password to the safe. This prevents the theft of cash from occurring. A detective control would be to perform daily cash counts and reconciliations to check that the cash on hand agrees to the expected amount. This catches if cash has been previously stolen so that it can be followed up on.
Why are Internal Controls Important to NPOs?
Internal controls are important for all organizations. They reduce the risk of fraud and ensure that accounting information and financial reporting is accurate. Internal controls also ensure compliance with laws and regulations. Even though the only two of the provisions listed in the Sarbanes Oxley Act apply to NPOs, most responsible NPOs use the act as a standard for their own financial practices to improve their internal controls and provide greater transparency to their financial activities.
Most NPOs have a higher risk of theft or fraud because they receive a lot of cash contributions and donated equipment and materials. The receipts of these contributions are often decentralized and solicited by volunteers. This increases the risk that they may be lost or stolen.
NPOs can also have complex reporting requirements. Often large contributions come with restrictions and reporting requirements. Without proper internal controls in place, there is a potential risk of the money being spent on the wrong activity or the reporting not being done correctly or on time. If any of these occur, the NPO runs the risk of losing the contribution.
How Controls Relate to Governance
The Board of Directors of an NPO have fiduciary duties and responsibilities, and with these responsibilities comes potential liability. What does fiduciary duty mean? It means that the directors have a duty to safeguard and pursue the interest of the NPO and set aside their personal interest while doing so. Directors who do not follow the basic standard of care in exercising their fiduciary duties can be found liable for damages.
In addition, as part of their role, directors of an NPO are responsible for the appointment and evaluation of the management of the NPO. Management has direct responsibility for the establishment and maintenance of an effective system of internal controls.
Therefore, as part of these responsibilities, directors are accountable for ensuring that the NPO has established internal controls required to mitigate risk in the organization. It is important that directors understand and regularly evaluate the risks in the organization and ensure that the proper internal controls have been established and are working properly.
A board that actively discusses internal controls and checks up to ensure they are working properly sets a strong tone at the top that internal controls are important to the NPO.
Using Technology to Improve Internal Controls
Even the best designed internal controls can breakdown. One of the primary reasons that internal controls stop working is because they were not designed for real-world use and are too difficult for people to work with. By using technology to make internal controls easy to follow it helps ensure they are used successfully. Examples of how technology can improve two common internal controls are:
- Two signatures are required on all signing cheques – this can often be difficult when the signing officers either work remotely or are travelling often. A breakdown we have seen is that people will pre-sign the cheques. This defeats the purpose of the internal control and inappropriate payments can be made. A solution to this common problem is using a cloud-based payment system that allows signing officers to electronically authorize payments. Payments can then be authorized from anywhere in the world.
- Review of financial statements and other reports – NPOs often rely on part-time employees for bookkeeping. The bookkeeper may not always be stationed in the office, and using and accessing a desktop software system can be difficult if you are not at the designated computer. This means that the accounting records may not always be up to date and regular reviews may fall behind. Moving the bookkeeping system to the cloud is a way to improve this internal control. Cloud accounting systems are secure and can be accessed easily from any computer with an internet connection. You can log in to the system to record entries or view the financial reports regardless of time and location. This makes it easier to keep the books up to date and to review the reports so that problems can be caught earlier on before they become bigger issues.
How to Implement these Changes
Setting up a system of internal controls is a time-consuming process. Each NPO is unique and has a unique set of risks which are based on its operations and the resources it has available. For example, an NPO with lots of small cash-based donations from a large pool of donors may need to place an emphasis on controls over ensuring that cash is not stolen while another NPO with only a few but largely restricted grants would be more concerned with setting up controls that ensure the money is spent on the appropriate activities and reporting is done correctly and on time.
Some organizations might establish an internal audit department and hire internal auditors to evaluate the effectiveness of their internal controls and address their internal and external risks.
However, if your organization doesn’t have the resources for an internal auditor, the best place to start is by asking questions about the risks and internal controls. What are the financial risks of the NPO, what internal controls have been put in place, and are those internal controls working as designed?
At Enkel, we have experience working with nonprofit organizations to customize a bookkeeping system that incorporates internal controls through cloud-based technology. Contact us to learn more about how we can help your organization put the right internal controls in place!