Creating and maintaining a strong internal control system for non-profits (NPOs) is one of the most important steps that NPOs and charitable organizations can take to mitigate risk, safeguard assets, and improve financial reporting.
Internal controls are especially important in the non-profit sector because:
- Bad actors can take advantage of a culture with high levels of trust
- Cash-based revenues from donations
- As tax-exempt entities, they are subject to heightened CRA monitoring
- They rely heavily on volunteers who may not have business or financial expertise
IMPORTANT: If you are the executive director or manage the operations of an NPO, you should regularly conduct risk assessments and evaluate the systems of internal controls that are in place in your organization.
What Are Internal Controls?
Internal controls are the policies, procedures, and processes an organization implements to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. These controls are designed to provide reasonable assurance that the organization's objectives will be achieved in the following categories:
- Compliance with Applicable Laws and Regulations: Ensuring adherence to laws, regulations, and internal policies to avoid legal penalties and reputational damage.
- Effectiveness and Efficiency of Operations: Ensuring that the organization's operations are running smoothly and resources are being used efficiently.
- Reliability of Financial Reporting: Guaranteeing that financial statements and reports are accurate, complete, and prepared in compliance with accounting standards.
Internal controls aim to:
- Safeguard Assets: Protecting the organization's assets from theft, misuse, or loss.
- Ensure Accurate and Reliable Financial Reporting: Providing trustworthy financial information to stakeholders.
- Promote Operational Efficiency: Streamlining processes to reduce waste and improve performance.
- Encourage Compliance: Adhering to laws, regulations, and internal policies to maintain organizational integrity.
Examples of Internal Controls
- Segregation of Duties: Dividing responsibilities among different individuals to reduce the risk of error or inappropriate actions.
- Access Controls: Restricting access to financial systems and confidential information to authorized personnel only.
- Physical Audits: Regular counting and verification of assets like inventory and equipment.
- Standardized Documentation: Using consistent formats for financial documents to ensure completeness and accuracy.
- Reconciliations: Regularly comparing financial records with external sources (e.g., bank statements) to identify and correct discrepancies.
A good internal control system should have two types of control activities: preventative and detective internal controls.
Preventative Internal Controls
Preventative controls aim to deter errors or fraud from happening in the first place. Specifically, a preventative internal control is a policy, procedure, or activity designed to stop errors, fraud, or irregularities from occurring in financial processes. They are designed to prevent financial irregularities or errors before they happen rather than detecting them after the fact. Their key characteristics include:
- Risk Reduction: Aim to minimize the likelihood of errors or fraudulent activities.
- Proactive Measures: They are implemented to anticipate and mitigate potential risks.
- Process Integration: Embedded within daily operations and workflows.
Steps to implement preventative controls
- Segregate Duties: Divide responsibilities among employees so that no single individual controls all aspects of a financial transaction. This control aims to reduce the risk of errors and fraud by requiring collusion for unauthorized actions.
- Use Authorization and Approval Procedures: Require managerial or supervisory approval for important transactions or activities to help ensure that all transactions are valid, necessary, and in line with organizational policies.
- Introduce Access Controls: Implement physical locks, passwords, and user permissions to restrict access to assets and financial systems to prevent unauthorized use or manipulation of assets and sensitive information.
This can be illustrated with an example of preventative controls to prevent the theft of cash, including locking that cash in a safe, changing the safe's password regularly, and having only a few people know the password to the safe. This prevents cash theft.
Detective Internal Controls
Detective internal controls, or detection controls, is a process or procedure designed to identify and correct errors or fraud after they have already occurred. They aim to identify and reveal existing errors, irregularities, or fraudulent activities in an organization's financial operations. Unlike preventive controls, which aim to stop undesirable events before they happen, detective controls focus on uncovering issues post facto so that corrective actions can be taken.
Steps to implement detective internal controls
Implementing some or all of the following auditing actions will create an internal detective control framework.
- Conduct Bank Reconciliations: Compare the organization's accounting records with bank statements to identify discrepancies.
- Do Internal Audits: Independent reviews of financial activities and controls to assess accuracy and compliance.
- Do Physical Inventory Counts: Verify actual inventory levels against recorded amounts to detect shortages or overages.
- Use Variance Analysis: Compare actual financial results to budgets or forecasts to identify unexpected differences.
- Conduct Exception Reporting: Generate reports highlighting transactions outside normal parameters for further investigation.
- Conduct Surprise Cash Counts: Unannounced checks of cash on hand to prevent and detect theft or misuse.
A detective control would be to perform daily cash counts and reconciliations to check that the cash on hand agrees to the expected amount. This reconciliation would catch a cash theft so that it can be investigated.
Importance of Internal Controls in NPOs
Internal controls are important for all organizations. They reduce the risk of fraud and ensure that accounting information and financial reporting is accurate. Internal controls also ensure compliance with laws and regulations.
Most responsible NPOs will use the Sarbanes Oxley Act as a standard for their financial practices to improve their internal controls and provide greater transparency to their financial activities.
Most NPOs have a higher risk of theft or fraud because they receive a lot of cash donations in addition to donated equipment and materials. The receipts of these contributions are often decentralized and are often solicited by volunteers. This increases the risk that they may be lost or stolen, leading to a difficult paper trail to trace back if anything goes awry.
NPOs can also have complex reporting requirements. Large contributions often come with both restrictions on how the money can be spent and reporting requirements from the funder. Without proper internal controls, there is a risk of the money being spent on the wrong activity or the reporting not being done accurately or on time. If any of these occur, the NPO risks losing the funding. Internal controls can help ensure the right processes and mechanisms are in place to see how the funding is being spent and report back to the funder as required.
Internal Controls Concerning Governance
The Board of Directors of an NPO has fiduciary duties and responsibilities, and with these responsibilities comes potential liability.
What does fiduciary duty mean? It means that the directors have to safeguard and pursue the interests of the NPO and set aside their personal interests while doing so. Directors who do not follow the basic standard of care in exercising their fiduciary duties can be found liable for damages.
In addition, as part of their role, directors of an NPO are responsible for the appointment and evaluation of the management of the NPO. Management has direct responsibility for the establishment and maintenance of an effective system of internal controls.
Therefore, as part of these responsibilities, directors are accountable for ensuring that the NPO has established internal controls required to mitigate risk in the organization. It is important that directors understand and regularly evaluate the risks in the organization and ensure that the proper internal controls have been established and are working properly.
A board that actively discusses internal controls and checks up to ensure they are working properly sets a strong tone at the top that internal controls are important to the NPO.
Improving NPO Internal Controls Using Technology
Even the best-designed internal controls can break down. One of the primary reasons that internal controls stop working is that they were not designed for real-world use and are too difficult for people to work with. Using technology to make internal controls easy to follow helps ensure the controls are used successfully. Here are two examples of how technology can improve internal controls.
Two signatures are required on all signing checks
This can often be difficult when the signing officers either work remotely or are traveling often. A breakdown we have seen is that people will pre-sign the cheques. This defeats the purpose of the internal control and can cause inappropriate payments can be made.
A solution to this common problem is using a cloud-based payment system that allows signing officers to electronically authorize payments. Payments can then be authorized from anywhere in the world.
Review of financial statements and other reports
NPOs often rely on part-time employees for bookkeeping. The bookkeeper may not always be stationed in the office, and using and accessing a desktop software system can be difficult if you are not at the designated computer. This means that the accounting records may not always be up to date and regular reviews may fall behind. Moving the bookkeeping system to the cloud is a way to improve this internal control.
Cloud accounting systems are secure and can be accessed easily from any computer with an internet connection. You can log in to the system to record entries or view the financial reports regardless of time and location. This makes it easier to keep the books up to date and to review the reports so that problems can be caught earlier on before they become bigger issues.
Implementing Internal Controls
Setting up a system of internal controls is a time-consuming process. Each NPO is unique and has a unique set of risks which are based on its operations and the resources it has available.
For example, an NPO with lots of small cash-based donations from a large pool of donors may need to emphasize controls over ensuring that cash is not stolen.
Meanwhile, another NPO with only a few but largely restricted grants would be more concerned with setting up controls that ensure the money is spent on the appropriate activities or programming and reporting is done correctly and on time.
Some organizations might establish an internal audit department and hire internal auditors to evaluate the effectiveness of their internal controls and address their internal and external risks.
However, if your organization doesn't have the resources for an internal auditor, the best place to start is by asking questions about the risks and internal controls. What are the financial risks of the NPO, what internal controls have been put in place, and are those internal controls working as designed?
At Enkel, we've helped many nonprofit organizations manage their books through secure cloud-based technology. Learn more about how we work with nonprofit organizations today.
