March 6, 2012 Tim Mills-Groninger
Ask an accountant to decide which is worse, the annual audit, a fire, or a lawsuit, and the response will be reminiscent of the old Jack Benny joke: “Your money or your life?” “I’m thinking, I’m thinking…”
Each is disruptive. The audit is often self-inflicted and has the potential to be painful. It takes time to recover and return to normal operations after a fire. A legal action involving finances can quickly expand into fishing expeditions that take up way too much time and increase organizational risk.
Financial records are part of an organization’s institutional memory. Carefully recorded transactions are the ultimate proof that grant funds were spent within the guidelines of the award or that deposits were made promptly and accurately.
Accounting software is the backbone of a good system. It is the system of record for every transaction, as well as the primary tool (and reference manual) for staff as they do their jobs.
Sophisticated general and fund accounting software applications are capable of enforcing policies and procedures to the point that common errors are almost impossible to make. A journal entry might not be correct, but it is at least reasonable.
Accounting software is so essential to the daily operations of financial functions that a backup strategy is part of every good implementation. Most organizations can easily recover from a disk failure or server crash via a tape or online backup provider. But while the core accounting data is safe, there is a larger question of whether it is sufficient for the annual audit or other close examinations.
Not only are data losses and other disasters unavoidable, they are also unpredictable in size and frequency. While the accounting data can be available at a remote site in a few minutes, supporting documents such as purchase orders, pledge agreements, and grant contracts — all of those things that prove that the underlying debit or credit was properly approved and executed — might be inaccessible or even destroyed.
Going forward, new paperwork will accompany new requests and the accounting process can continue. Lost documentation can impede the annual audit. To be able to offer an opinion about the accuracy of an agency’s books, the auditor is required to verify not only the transaction but also the supporting documentation to ensure that the right person authorized the transaction and that it complies with policies.
According to Heather Burton, director of product marketing at Sage Software in Austin, Texas, “You rely on your accounting software to do the math, to make sure that the journal entries balance and numbers can’t be changed after a period closes. It’s the documentation — the invoices, receipts, and approvals — that create the audit trail. Missing or suspicious documents mean trouble. It’s about people using the software well within a good policy framework.”
The sheer volume of paperwork has become an issue for many organizations. “What I’ve seen evolve over the past 20 years is the importance of documentation. We’ve always been papered to death. Today it’s more important to be able to find a document, whether it is for legal and/or audit purposes,” said Linda Berseth, president & CEO of accounting software publisher GMS in Kensington, Md. “It’s more important to be able to find supporting documents quickly today.”
Into this realm of tree-killing paper comes document imaging. Imaging, also called scanning, is essentially photocopying documents to disk. Once in a digital format the document can be securely stored anywhere, including a local drive, the agency network, or in the cloud. Access can be strictly controlled and retrieval of a specific document can be almost instantaneous.
Scanning without a strategy is just automating chaos. Moving piles of invoices, grants, and time sheets from desks and windowsills to a computer desktop means that not finding things will still happen, only faster, and it creates an increased risk of carpal tunnel syndrome. In addition, from an audit or legal standpoint, being able to produce the source document is only part of the problem. The biggest issue is the provenance of the document and the ability to prove that it was authorized by the right person at the right time to do the right thing.
Managing the approval workflow turns out to be one of the major features of more advanced document management systems. For Andrew Payne, product line manager for Blackbaud in Charleston, S.C., “there’s a software opportunity for policy enforcement — to prove that spending, in particular, supports a larger framework that includes risk mitigation and adherence to plan.”
There is agreement that imaging can ensure a speedy and comprehensive recovery from a disaster, but there are more far-reaching benefits. “If an organization implements a tight spending policy that provides enforcement of their documents and approval process, they can realize material reduction of associated administrative costs (pushing paper around) and direct spending benefits. Linking the two processes will typically result in far greater benefit than implementation of either individual process,” said Payne.
Auditors hate surprises. Prior to the audit they will request various schedules, balances, and documents. While onsite they will field test not only that the transactions balance but that they were appropriately authorized and classified. A successful audit requires fulfilling all requests in a way that demonstrates that financial controls are in place and enforced.
The financial policy manual becomes the primary tool for managing day-to-day functions, as well as being one of the primary references for the auditor. If everything the auditor requests can be easily produced and it follows the written policies, the audit will not only go faster, it will cost less because the auditor will spend less time searching and verifying.
One of the big advantages of electronic document management is that the workflow and approval process is more rigorous. A good policy looks at all possibilities, such as who can approve a transaction if the primary person is sick or on vacation. The better accounting and document management systems enforce these policies, as well as check to see that expenditures are within budget limits and that approved vendors are not being sidestepped.
For David Abel, vice president of client services at accounting software maker Serenic Software in Lakewood, Colo., “Clients often perceive adding document imaging to the procurement process as being cumbersome and electronic approvals as creating bottlenecks. However, an automated system, implemented properly, will provide benefits that substantially outweigh the added steps. Without these tools, it is easier to lose the audit trail and avoid the approval chain since manual processes can be easily circumvented.”
At Loaves & Fishes Community Pantry in Naperville, Ill., oversight and division of duties starts at the board and extends down into financial operations.
“We have redundancies in place with multiple people looking at the books, and I do reviews as well,” said Executive Director Charles P. McLimans. “We have strong controls in place, particularly in who has access to the accounting system. In addition, our accounting firm sends a CPA who does our checks, bank reconciliations, and essentially does an internal audit weekly. She is basically looking for everything the auditor will look for and that really speeds things up.”
In an electronic environment, permissions to view documents should follow the policies and procedures guidelines and also facilitate regular backups and a restore strategy that can get financial operations running again after any level of data loss or business interruption.
While accounting software can do the heavy lifting of journal entries and calculating fund balances, delays in data entry or closing a month mean that the software can’t do its job, increasing the risks of honest mistakes or even fraud. McLimans warned, “If you’re not acknowledging your gifts on a timely basis, not having the board involved and exercising their fiduciary responsibilities, there are going to be problems.”
“Many nonprofits suffer from what we call MVOT,” said Jon Biedermann, vice president of DonorPerfect Fundraising Software in Horsham, Pa. “It means Multiple Versions of the Truth, in the sense that what is recorded in the database does not match what is being stored on paper. That’s why it’s important to make sure document imaging and attachment is available in your accounting and database systems.”
According to Paul Johnston, CFO at Serenic, “Ignoring due dates can be a total disaster, or thinking that you’re prepared but not checking and reviewing, having working papers that are poorly constructed, can cause problems and drive up your audit cost.”
For Lori Pennington, director of product management at accounting software firm Cougar Mountain Software in Boise, Idaho, it’s all about the details. “You need to make sure the data are accurate going in and that the audit trail is secure, and then getting the data out, reporting on what has happened, and being able to look at each functional area in detail,” she said.
Much of it comes down to motivating staff to use the tools properly.
“If you’ve got a dismissive attitude toward the audit or toward your backup plan you will have problems. If you have a good attitude you’re going to save money and time and the process will go more smoothly,” said Johnston.
A good policies and procedures manual that exploits the best features in the accounting software and utilizes best practices in document storage and retrieval will go a long way in making the audit faster and less expensive. It will also define the critical issues for a disaster recovery plan. There is a third potential benefit: the ability to respond to any legal inquiries.
While lawsuits can be rare, inquiries into financial record keeping by funders and regulatory bodies can certainly feel like legal discovery. “If you think about it, when you’re running your nonprofit you’re thinking about the legality of each action and that you can prove that everything you’ve done is proper. So being able to document every step is important, and being able to recover from a data loss or disruption is important, and if there are any legal questions you’ve already done the work – you’re prepared to answer any questions,” said Pennington.
However, one risk in legal discovery can be too much documentation. If an organization does not have or adhere to a strong document destruction policy there is a chance a minor question can expand into a major inquisition where the existence of some documents and absence of others can create suspicion and doubt. Corporations have long instituted strict guidelines to guarantee that all documents scheduled for destruction have indeed been destroyed and that every employee can honestly say: “if it’s that old, it doesn’t exist anymore.”
Depending on the types of documents, retention can be between three and seven years, although some types of documents, such as employment or termination agreements, may be kept permanently. Most document retention policies treat electronic documents, including scanned materials, as if they were paper, meaning that they should be destroyed on schedule.
“Whether you have a file folder that you shred every seventh year or some similar practice, you can extend that to disks and tapes. If you haven’t done that you can be exposed to fishing expeditions. You should be exploring high-level wipe and other ways to eliminate old data,” said Pennington. Because online storage is so cheap and easy, it is important not to fall into a “file and forget” practice and neglect the full document life cycle.
However, the biggest legal risk in the financial office remains internal fraud. This is where good policies that include multiple checkpoints and separation of duties can avoid shenanigans by eliminating temptations. Payne observed that “…eventually, system-managed policy enforcement will become part of a given organization’s culture — that is, employees will learn that system-managed activity will produce a timely response. Said another way, those tempted to deviate from policy will be less likely to do so as the policy is embedded into their daily work life. As we all know, no system will deliver absolute protection against bad behavior, but system-managed policy enforcement is by far the best tool presently at our disposal.”
Accurate financials are the cornerstone of a well-run nonprofit. Without them, public trust is eroded and future support is in doubt. Part of the responsibility for accuracy is ensuring that all of the roles and responsibilities are enforced, that every transaction has been approved and conforms to established guidelines, and that supporting documentation is available for every internal and external inquiry.
“When all of the manual and electronic parts are working together not only are the financials accurate, but it’s also easier to prepare not only for the annual audit but for any kind of disruption, from a minor data loss due to a hard disk failure to a catastrophe that may require the relocation of the entire office,” said Sage’s Burton.
Paper documentation is fragile and expensive to duplicate and store, but it is also not going away anytime soon. While hard numbers are hard to come by, industry insiders routinely estimate that 20 percent of smaller nonprofits and perhaps 40 percent of larger nonprofits have made significant progress with document imaging systems and electronic approval processes. These same experts also agree that these so-called “cloud” systems will become more prevalent in the future.
The starting point for any nonprofit should be a secure backup and business recovery strategy that includes online or off-site backups of all accounting data and related scanned documents. While this should be a no-brainer, it’s surprising how many agencies don’t know how to revert to a previous version of their general ledger.
Even when the software resides entirely in the cloud, there should be a plan in place to deal with any related business disruption, including the Internet connection and phone system going down for a period of time.
Tim Mills-Groninger is a consultant to the federal Department of Homeland Security Science and Technology Directorate working on integrating nonprofits into disaster recovery planning.