Nonprofit Internal Controls: What To Do
We set the framework around what to think through with internal controls previously (post here). Now we talk about types of internal controls to put in place.
Things You Can Start Doing Now
Cash, Checks and Deposits. Cash is one of the biggest exposures an organization will have. Incidentally, this also happens to be the most popular form of payment in smaller organizations. To mitigate the possibility of theft:
- Bank statements should be sent unopened directly to someone who isn’t involved with depositing funds or handling cash receipts, preferably a board member.
- This same person should also check bank statements for improperly signed checks.
- When taking in cash, e.g., at a box office, have two people handle and record it. Once money collection is complete, someone not involved with writing the checks or making deposits should recount, reconcile and generate a cash receipt.
- Someone other than the person depositing should check the backs of checks to make sure they’re correctly endorsed and the right checking account number is listed.
- Avoid stamping checks; manually endorse them for deposit.
- Avoid someone like the bookkeeper signing the backs of checks for deposit.
- When checks are received by mail try to stamp them immediately upon receipt for deposit only.
Create Parameters. A common reason for fraud is a lack of understanding. Granted, taking $200 out of the kitty to buy a purse leans toward “universal no-no.” But things like leaving cash out, not counting, “borrowing”, etc. might be avoided by telling the staff or volunteers “this is how it should work.”
Staff and volunteers must also understand where they fit, the role they play and responsibility they have in ensuring the security of an organization and its assets. Too often responsibilities are delegated on a “cooties” basis (oh, you’ve opened Quicken before? Then why don’t you be in charge of that) and things fall between the cracks because everyone assumes it’s being taken care of by someone else. To make all this clear, you might consider:
- Job Descriptions
- If they don’t exist, create job descriptions as soon as possible. At the very least staff and volunteers (and the Board) should understand what is expected of them and what baseline responsibilities are.
- Utilize policies, even for those things generally understood throughout the organization. If there is major turnover, what was originally a given can become confusing.
- Policies also help communicate the organization’s expectations on a given subject and remove the possibility of someone saying “well I didn’t know.”
- If you hate confrontation, policies create objectivity and guidance in sticky or uncomfortable situations.
- Avoid fraud through your supply chain by creating a list of approved vendors and checking each invoice or purchase against it.
- Similarly, if there are customers, create a list that staff checks against before issuing any customer credit.
- Create a specific process for things like purchasing that tracks action taken, and by whom, from request all the way through payment and receipt.
- Annually audit things like computers and other property and compare to last year’s count; explanations should be required for any changes.
Levels of Responsibility. When it comes to particularly sensitive issues or exposures, organizations should limit who may do what. Even with a small organization, not everyone should be entitled to see or do everything.
- Credit and Debit Cards
- If the organization uses credit cards (see a previous post on why this may not be a good idea), limit who has access to, and the ability to use, them. You might even set rules around what credit cards may be used for, for example, reserving use for large capital purchases and requiring that day-to-day items like supplies or food be reimbursed. Lastly, there should be a severe punishment where the card is used for personal matters.
- Online Banking and Transfer
- Do the same exercise as above here.
Approvals and Authorizations. Processes and procedures are great for creating an audit trail and an organic check-and-balance system. A few processes you might consider implementing now are:
- Once the bank statement is received, someone other than the person depositing, or with a role in finance, should open it. Oftentimes, the Treasurer or some other Board Member requests these be sent directly to them. Regardless of who it is, they must be comfortable with confrontation: asking questions and, where answers aren’t sufficient, asking that documentation be provided.
- Having the Executive Director approve customer credits prior to issuing them.
- Requiring someone in management authorize purchases before a purchase order is issued or payment is made.
- Escalating payroll up (or delegating to someone in finance where the ED handles this) randomly from time to time to check the payees and amounts.
Documentation and Recordings. The effort in creating internal controls will be all for naught if you can’t prove they exist. And if something comes into question, or there is an audit, just telling people what you do won’t fly. So, require certain things be documented. For example, require all entries on expense reports have a copy of the invoice (detailed and broken out) and receipts supporting the purchase. Or, if there is a check or balance sheet create logs that must be signed after an action has taken place.
Security. Nothing like good ol’ security to make sure things run the way they’re supposed to. Security procedures you might put into place:
- User Names and Passwords
- User names and passwords should be centrally stored and kept in a secure space. Nothing worse than needing access to an account and realizing that the ED from six years ago is the only one that knew the username and passwords.
- Background checks on staff and volunteers.
- Employee Bonds
- Bond employees with access to cash and accounting records.
- Lock up checks in numerical sequence.
Technology. Lastly, remember technology is our friend. It especially helps in minimizing human error. True, the bane of an organization’s existence is manual input. But all it takes is a missed decimal or accidental extra zero to put an organization in a really, really bad place. This is where import/export features, auto calculation and data checks become beneficial.
In the next post I’ll talk about detecting fraud and what to do once systems are put in place.
Posted by Erin