Skip to content

Internal Control Best Practices for Nonprofits

Picture of Kyle Ager

Kyle Ager

In a recent blog post, Marnee described some common risk areas that can potentially lead to fraud. Implementing strong internal control procedures (controls) is essential for nonprofits to safeguard assets, help prevent fraud, and promote operational efficiency.

 

Let’s look at the basics of controls and identify internal controls that most nonprofits can easily put in place to help safeguard against fraud.

 

Background

Trust is not a control. In most frauds I’ve come across, there was too much trust or reliance placed on an individual without proper oversight. Organizations implement controls not because they don’t trust the people involved, we can and should trust, but we should also verify to safeguard the organization’s assets and positive reputation in the community.

Controls can look very different across organizations. Controls can be set up to help prevent a fraud from occurring (preventative) or to detect if a fraud already happened (detective). Preventative controls are generally more expensive to implement and may require more people to be involved. Detective controls are generally less expensive to implement and require less people to be involved making them ideal for smaller organizations or volunteer run organizations.

 

Risk Assessment

The first step to implementing controls is to perform an organizational risk assessment.

  • Those involved will want to consider what types of transactions the organization is regularly processing. For example, most organizations receive checks, pay bills, and pay staff.
  • Next, consider what could go wrong:
    • Could the incoming checks be stolen?
    • Could a check be written to the check signor or family member without being detected?
    • Could an employee’s pay rate be increased without detection?
  • Then consider the magnitude of the possible problem: How much could possibly be lost or stolen due to fraud or error?
    • For example, the magnitude of potential loss of daily checks received in the mail is likely much higher than the potential loss of ancillary parking revenue on Saturdays when the organization rents its parking lot for football games.
  • Then consider controls that may already be in place to help prevent a fraud from occurring. If you believe a fraud could go undetected with current controls, consider what additional steps may need to be taken to address the risk.
  • Finally, organizations may choose to accept some risk. Implementing controls can be time consuming and can hamper efficiency. Considering the cost/benefit of implementing a control is imperative. Nonprofit advisors and consultants can help navigate this process.

 

Controls Over Cash Receipts

One of the best controls over cash receipts is to have two people present when the mail is opened. Having someone else watching helps prevent loss or theft of income. After opening the mail, stamp checks “for deposit only” to the organization’s bank account. Next, log all checks received, include the name, amount, and purpose for the check, then sum all checks received for the day and have both people present sign off on the log. The final and most important step is to have someone that didn’t make the deposit compare the log to the deposit slip to ensure everything that was counted made it to the bank.

Organizations that earn revenue at a defined rate such as a registration fee, tuition, or rent can calculate an anticipated amount of revenue based on the price charged and the known number of registrants, students, or tenants. A significant difference between the anticipated amount and actual amount could be indicative of a theft.

Organizations can also perform trend analysis by comparing revenues to prior months or prior years looking for significant unanticipated changes.

 

Related Resource: Policies and Procedures: Cash Reserve Policies and Considerations for Cash Management

Controls Over Cash Disbursements

One of the simplest controls over cash disbursements is to present the person signing checks with the invoices. The signor should review the invoices and ensure the expenses are valid and proper for the organization before signing the checks. After reviewing the invoice and signing the check, the signor should mark the invoice “paid” to prevent it from accidentally being paid twice. The signor should mail the checks or have someone without access to the accounting software mail the checks to prevent modification of the check and/or the accounting records.

At the end of the month, one of the most effective controls to detect fraud is to review the bank statement, bank statement reconciliation, and check images. The reviewer should look at the front and back of check images and look for alterations or unusual payees or signatures. The reviewer should also inspect the bank statement reconciliation for any unusual reconciling items such as journal entries, slow to clear items, or unusual dollar amounts. Items like these could be used to cover up a theft.

 

Controls Over Credit Cards

An effective control over credit cards is to present all receipts with the credit card statement to the person signing the credit card bill. Organizational credit cards are unfortunately used by fraudsters for personal purchases. As such, all items on the receipt should be reviewed for a proper business purpose.

If an organization accumulates a significant amount of incentive points on the credit card, those should be tracked to ensure they are not diverted for personal gain.

 

Controls Over Payroll

A reviewer should look at the completed payroll report for unauthorized changes to payrates, inflated hours, and fake employees. The reviewer should also compare the payroll report to the budgeted personnel costs for the period and investigate any significant differences.

An easy control to implement for an organization that uses a third party payroll provider is to have the payroll provider send a notice to someone in management or at the board that isn’t involved in processing payroll whenever there is a new employee added or a change to payrate.

 

Steps to Take if Fraud is Suspected

When performing controls, you may notice items that may be indicative of fraud. If this happens, we suggest taking the following steps:

  • Remain objective and don’t jump to conclusions. You can certainly speak to the person involved and have them explain the business purpose for a transaction.
  • Notify management and board members about what was detected and determine whether an internal investigation is warranted.
  • If appropriate, limit the questioned individual’s access to accounting software, bank accounts, and credit cards to help prevent further loss.
  • Consult with legal and accounting experts for advice.

For help identifying and implementing the proper internal controls to prevent fraud at your organization, reach out to our nonprofit advisors. 

Would you like to learn more?

Join our email list to receive our most recent blog posts, notification of upcoming seminars, and access to new resources!

subscribe

Stay Connected
More Updates