Nonprofit Internal Controls: What To Do
The framework was set regarding what to think about with internal controls in my previous post so now we can talk about a few types of internal controls you might consider putting in place now.
Things You Can Start Doing Now
Cash, Checks and Deposits. Cash is one of the biggest exposures an organization has. Incidentally this also happens to be the most popular form of payment to smaller organizations. To mitigate the possibility of theft or miscounting:
- Bank statements should be sent unopened directly to someone who isn’t involved with depositing funds or handling cash receipts, preferably a Board Member.
- This same person should also check bank statements for improperly signed checks.
- When taking in cash, ex. a box office, have two people handle and record. Once collection is complete someone not involved with writing the checks or making deposits should recount, reconcile and generate a cash receipt.
- Someone other the person depositing should check the backs of checks to make sure they’re correctly endorsed and the right checking account number is listed.
- Avoid stamping checks; manually endorse them for deposit.
- Avoid someone like the bookkeeper signing the backs of checks for deposit.
- When checks are received by mail try to stamp them immediately upon receipt for deposit only.
Create Parameters. A common reason for fraud or mistakes is lack of understanding. Granted, taking $200 out the kitty to buy a purse leans on universal no-no. But things like leaving cash out, not counting, “borrowing”, etc. might be avoided by telling the staff or volunteers “this is how it should work.”
Staff and volunteers must also understand where they fit, the role they play and responsibility they have in ensuring the security of an organization and its assets. Too often responsibilities are delegated on a “cooties” basis (oh, you’ve opened Quicken before? Then why don’t you be in charge of that) and things fall between the cracks because everyone assumes it’s being taken care of by someone else. To make all this clear, you might consider:
- Job Descriptions
- If they don’t exist, create job descriptions as soon as possible. At the very least staff and volunteers (and the Board) should understand what is expected of them and what baseline responsibilities are.
- Utilize policies, even for those things generally understood throughout the organization. If there is major turn over what originally was a given tends to become confusion.
- Policies also help communicate the organization’s expectations on a given subject and remove the possibility of someone saying “well I didn’t know.”
- If you hate confrontation, policies create objectivity and guidance in sticky or uncomfortable situations.
- Avoid fraud through the supply chain by creating a list of approved vendors and checking each invoice or purchase against it.
- Similarly if there are customers, create a list that staff checks against before issuing any customer credit.
- Create a specific process for things like purchasing that tracks action taken, and by whom, from request all the way through payment and receipt.
- Annually audit things like computers and other property and compare to the last years count; explanations should be required for any changes.
Levels of Responsibility. When it comes to particularly sensitive issues or major exposures organizations should feel comfortable limiting who may do what. Even with a small organization, not everyone should be entitled to see or do everything.
- Credit and Debit Cards
- If the organization uses credit cards (see a previous post on why this may not be a good idea) limit who has access to, and the ability to use, them. You might even set rules around what credit cards may be used for. For example, reserving use to large capital purchases and requiring that day to day items like supplies or food be reimbursed. Lastly, there should be a severe punishment where the card is used for personal matters.
- Online Banking and Transfer
- Do the same exercise above here.
Approvals and Authorizations. Processes and procedures are great in that they create an audit trail as well as an organic check and balance system. A few processes you might consider implementing now are:
- Once the bank statement is received someone other than the person depositing, or with a role in finance, should open it. Often times, the Treasurer or some other Board Member requests these be sent directly to them. Regardless who it is, they must be comfortable with confrontation. Asking questions and where answers aren’t sufficient asking documentation be provided.
- Having the Executive Director approve customer credits prior to issuing them.
- Requiring someone in management authorize purchases before a purchase order is issued or payment is made.
- Escalating payroll up (or delegating to someone in finance where the ED handles this) randomly from time to time to check the payees and amounts.
- Documentation and Recordings. Going through the efforts of creating internal controls is all for naught if you don’t have a way of proving they exist. And if something comes into question, or there is an audit, just telling people what you do probably isn’t going to fly. So require certain things be documented. For example, requiring all entries on expense reports have a copy of the invoice (detailed and broken out) and receipts supporting the purchase. Or where there is some type of check or balance create logs that must be signed after an action has taken place.
- Security. There’s nothing like good ol’ security to make sure things run the way they’re supposed to. Security procedures you might put into place:
- User Names and Passwords
- User Names Passwords should be centrally stored and kept in a secure space. Nothing worse than needing access to an account and realizing that the ED from six years ago is the only one that knew the username and passwords.
- Background checks on staff and volunteers.
- Employee Bonds
- Bond employees with access to cash and accounting records.
- Lock up checks in numerical sequence.
- User Names and Passwords
- Technology. Lastly, always remember technology is your friend. It especially helps in trying to minimize human error. The bane of a small organizations existence is manual input. But all it takes is a missed decimal or accidental extra zero to put an organization in a really really bad place. This is where import/export features, auto calculation and data checks become beneficial.
In the next post I’ll talk about detecting fraud and what to do once systems have been put in place.
If You Like This You May Like
Public Disclosure: Figuring Out What Documents To Make Available Have You: Created a Gift Acceptance Policy? Privacy Policies For Non-Profits: Sample & Resources Have You: Created A Process For Contracts?Posted by Erin | 0 comments