Tips For Internal Controls For Big And Small
August 24, 2010 Cheryl Olson
With the downturn in the economy and the fact that funding from both private and governmental sources has decreased for numerous nonprofits, many of these organizations are considering how to make do with increasingly limited resources. With less funding for technology, personnel and other needs, groups have delayed or scrapped planned technology improvements, are delaying staffing increases or have decreased staff in areas such accounting and administrative functions.
This is important because many nonprofits struggle to have sufficient internal controls, even in a good economy. With the pressures to cut costs, internal control and specifically segregation of duties suffer. This might not need to be the case. Even with decreasing or limited resources, many nonprofits might be able to achieve a sufficient level of internal control and segregation of duties by setting the tone at the top by the board of directors, the finance committee, the audit committee, and organizational senior management.
When it comes to internal controls and segregation of duties, many organizations will ask, “Isn’t it so much more efficient and easier to have one person do everything in the cycle, so why do we care about internal control.” As we all know, internal controls are important for many reasons including:
* They increase internal and external integrity and help to provide a positive public opinion of the organization in the eyes of funders, the government, watchdog organizations and the general public;* They help to protect the board and key employees from scrutiny;* They increase the ability to have accurate and meaningful financial information and financial reporting;* They help to protect the organization from theft and fraud; and,* They are an integral part of your risk management plan.Many managers believe they are unable to have proper internal control due to limited accounting staff, limitations in software and lack of other resources. Limited resources do not mean that your organization cannot achieve some level of internal control, especially regarding high-risk areas.
Internal controls should be an intentional part of your risk assessment and management plan. By utilizing the results of your risk management process, you can focus your internal control efforts on areas identified as risky and thus might be able to reduce controls, effort and related costs of controls in areas identified as low risk.
For instance, if an organization has determined that fixed assets are not a high-risk area due to the fact that they have few or a small dollar amount of fixed assets, it might not be necessary have robust internal controls of that area.
By having a strong risk management process and plan, organizations can identify those areas that present the highest risk and design controls to assess these risks. By concentrating on controls related to high-risk areas, organizations can direct those limited resources to address the highest risk areas and possibly limit or reduce controls in areas not considered to be as risky.
Proper segregation of duties is arguably one of the most important facets of strong internal controls. Internal controls are not just the responsibility of the finance department, but are the responsibility of everyone in your organization. It’s always a good reminder to ensure the staff in your accounting department have the required skill set to perform their jobs and are provided ongoing training to stay current. Utilizing individuals outside of the accounting department to help segregate duties is a very effective way to ensure proper segregation when personnel is limited. Some ideas that organizations might consider are:
* Utilizing non-accounting administrative staff to perform certain duties currently performed by accounting staff, such as cash receipts or deposit functions;* Utilizing development personnel to assist with reconciliation and review processes regarding contributions; * Utilizing the executive director/chief executive officer or other senior management to perform certain review processes of financial statements, as well as reconciliations; * Utilizing the expertise of board and committee members who are considered “financial experts” to perform review processes normally performed by the chief financial officer, if that skill set does not exist at the staff level; and,* Engaging an outside certified public accountant (CPA), who isn’t your independent auditor, who is well versed in nonprofit accounting, to assist with review and reconciliation duties.
Any number of individuals within the organization might be able to assist in achieving proper segregation of duties. Many times it just takes a bit of creativity and thought to properly assign these duties. It might be well worth the cost to have your auditor or another CPA perform an internal control review and provide recommendations about how to increase your segregation of duties and increase the strength of your internal controls.
It is critical that individuals taking on these new responsibilities are properly trained. It is equally important for these individuals to understand why they are performing these functions, how it fits into the overall control environment and how it is beneficial to the organization as whole. Periodic organization-wide internal control training is not only essential, but will have a positive effect on how well individuals (especially those outside of the accounting function) perform those duties.As we all know, boards have the ultimate responsibility for fiscal oversight and organizations should have at least one person considered to be a financial expert. While the duties can be delegated to board committees and staff, the overall responsibility still lies with the board. Some of the questions organizations should be asking are:
* Are board members familiar with nonprofit financial reporting? Are some of the board members familiar with generally accepted accounting principles related to nonprofit organizations? Do we have a nominating committee or board development committee that is focused on this skill set?; * Is there ongoing financial training for board members?;* Are clear position descriptions established?; * What decisions is the board making and what information are they looking at?; * What financial information goes to the board meetings? How timely is it?; and,* What types of discussions do they have and what is documented in the minutes?
Since organizations change over time, controls must also evolve. As the organization changes, the risks related to organization will also change. As you add or eliminate programmatic areas, have new funding or lose funding, increase or decrease personnel, have a change in leadership, change software or other technology, the controls need to properly mitigate these new risks change.
A properly designed risk management plan is a continual and ongoing process and so should be the design and assessment of internal controls to mitigate these risks. This is true during both periods of rapid growth, but is also especially true during periods of financial difficulty and downturn, when resources become scarce or limited.
Many times organizations can increase the effectiveness and possibly reduce the cost of internal control by utilizing more preventative controls (front end controls designed to prevent a risk or error) and less detective controls (back end controls designed to detect an risk or error after it has occurred) and by utilizing more automated controls (computer or technology based controls) rather than manual controls (controls performed by individuals) which are subject to human error.
Many accounting and software packages have controls embedded in these systems or might be able to perform certain controls that are being currently performed by staff. These controls are commonly known as automated controls. Automated controls, if properly designed, might be more effective than manual controls and could eliminate the need to have a staff person perform them. Some of the way that technology might be able to help to increase controls and efficiency is:
* Use of the import/export feature to automatically transfer information between systems and avoid re-entry of data;* Use of automated calculation of allocations of expense or other allocated items at point of payment; and,* Use of automated formulas and other calculations to reduce the likelihood of human error.It’s important that if technology is used to reduce costs and increase efficiency that automated controls, such as hash total, data verifications, etc., are utilized to ensure that data is being properly transferred between systems and properly calculated.
An effective finance department can’t forget about the impact of other departments in the organization on internal controls. This often times requires some personal development skills for the CFO and their finance team in integrating their work and communicating with other staff.
Many departments serve as a check and balance, such as property, retail and fund development, so those departments must understand the big picture of internal controls (why to have them and the purposes they serve) as well as their part in the process. Sometimes organizations have either too many controls or the wrong type of controls, either because you inherited them or you are trying to control everything. A few examples would be internal controls over low risk areas, such as office supplies, or having too many controls, so staff can’t or don’t follow them all.
The most important things you can do for effective internal controls with limited resources are to communicate and to train those involved in the process. It’s important to devote the time upfront in setting up your systems for success in the long-term. The communication needs to be more than “you just need to do this.” Finance staff must give the “why” explanation behind the policies, procedures, and practices to all staff, including their own team. Without the required communication, staff will not understand the consequences to the organization, such as loss of funding, negative public opinion, theft and fraud and loss of exempt status. Neither trust, nor fear, of the finance department serve as effective internal controls. ***Greg Coy, CPA is the principal of Gregory Michael Coy, CPA. His email is firstname.lastname@example.org. Cheryl R. Olson, CPA is the director, Council Financial Consulting, at Girl Scouts of the USA. Her email email@example.com