Nonprofit organizations are more vulnerable than ever to fraud or errors in the organization’s financial statements. With employees, management, and board members focused on helping people in the communities the nonprofit serves, time and attention to key financial internal controls has more than likely been refocused to the organization’s mission and purpose.
However, these are times when internal controls are more important than ever to have in place and operating effectively. Fraudsters, scammers, and even an organization’s trusted employees—yes, it’s hard to imagine, but it happens!—are looking to take advantage of distracted organizations. Here are a few key internal controls your nonprofit should have in place.
Vendor approval controls. Make sure that before you input a new vendor into your accounts payable system, appropriate members of leadership have reviewed and approved the vendor. It would be easy for anyone to input a fake vendor into an organization’s payable system without proper oversight.
Segregation of duties for cash receipts. The person who logs in checks received in the mail should not be the same person who is responsible for depositing checks. Similarly, the same person should not both prepare the payroll and also distribute or have custody of the payroll checks.
Expense and payment approval. During chaotic times it can be easy to shortcut this control and simply give a blanket approval for a batch of expense checks. Don’t do this! Make sure you are continuing to review and scrutinize expense payments and checks for proper documentation and approved vendors before making the payments. As unpleasant as it is to imagine, a long-trusted employee may be having financial difficulties at home and may see opportunities to redirect funds.
Payroll review and approval. In a larger organization, a fake employee could easily be buried in a payroll run if management is not following proper reviews and approvals of payroll reports. Nonprofit organizations need to remain diligent with reviews and approvals of payroll reports.
Timely review of bank reconciliations. This is probably the number one key control to have in place. Management needs to ensure the bank account reconciliations are prepared and reviewed in a timely manner. Make sure that these reconciliations are prepared by someone who does not prepare or make bank deposits. For small nonprofit organizations that may have only a bookkeeper and the executive director, a member of the board of directors should review and approve the monthly bank reconciliations. Timely preparation and review of bank account reconciliations is key to identifying fraudulent activity and financial reporting errors.
Timely board of director review of financial reports. The board needs to ensure that management is providing the board with timely and relevant financial information to review. Board review of budget vs. actual reports and current year vs. prior year operating results are two key reports the board should review. The board should be questioning management on significant variances between expected and actual results. Unexplained variances could be indicators of potential issues.
IT access controls. The board and management need to ensure that employees of the organization have appropriate IT access to systems and programs for their job functions. An employee who has inappropriate access to the organization’s accounting system creates a fraud risk. Management should review each employee’s IT access to ensure it is appropriate.
Cybersecurity education. Train your employees to be suspicious of unexpected emails and requests. Train them to question and verify requests for information or money. One wrong click by just one employee can compromise your organization’s IT system.
Review of executive director expenses. Lastly, the board should be reviewing and approving monthly expense reports of the executive director and other members of executive management as appropriate. The board is the last line of defense for reviewing and monitoring these expenses. The organization should also have documented policies for allowable and non-allowable business expenses.
Keep in mind there may be opportunities for many other controls for a nonprofit to implement, depending on each nonprofit’s size and unique situation. The key is having a management team committed to the safety and soundness of the organization’s finances and control environment, even during difficult times.