Michigan Nonprofit Association
MNA Members     (login)
RESOURCES

Internal Controls: Safety Tools That Should Make Cents for Every Nonprofit

By Melanie L. Herman

When some nonprofit CEOs and senior managers hear the words, "internal controls," they cringe, roll their eyes or, in some cases, break into a sweat. If you've ever reacted in this way, it may be because you feel you already have enough to do and not enough people to do it. You may believe that many, if not most, "internal controls" are the evil invention of schools of accountancy, whose mission is full employment for accounting professionals. Or worse, the brainchild of one of the august bodies that promulgates those frustrating rules we all have to live by, such as FASB 116 and 117.

As it turns out, effective internal controls are more about doing things for your nonprofit's sake, rather than meeting the requirements or expectations of the accounting profession, an industry watchdog or standards-setting entity, or regulatory agency.

Why Do We Need Internal Controls?

While there may be a dozen or more reasons why your nonprofit should adopt internal controls, some of the most compelling of them are as follows:

  • Accountability - Somedays it seems that the call for accountability in the nonprofit sector has reached a fevered pitch. Reports of nonprofit CEOs tossed out of the executive office for "inadequate accountability" are a wake-up call for every senior nonprofit manager. What can you do? Establishing sound internal controls is one way to protect the vital assets necessary to accomplish your mission. When you do so you're moving in the direction of meeting the expectations of key stakeholders.
  • Board Expectations - When the board of directors delegates responsibility for managing a nonprofit to paid staff, it places a great deal of faith and trust in one or more professionals. Adopting a sound internal-controls system is one way to demonstrate that the staff is worthy of the board's trust and confidence.
  • Care - While it may be possible to take good care of an organization's assets without systems and processes, it's easier to exercise the degree of care required for good stewardship when a system of controls has been established.
  • Efficiency - Despite first impressions that internal controls impose an additional burden on already overworked nonprofit staff, thoughtful controls can detect careless errors, prevent serious mistakes, and ensure that a nonprofit's financial records match its actual assets and experience. Structured properly, internal controls should make life at your nonprofit easier and less stressful. Less time spent worrying means more time to devote to mission-critical activities.
  • Fraud Prevention - Every nonprofit with a checking account needs to set up internal controls to guard against loss of funds caused by carelessness or fraud. Whether you're collecting millions in donations and have an impressive portfolio of stocks and bonds, or you're collecting change in a plastic tub at your monthly bake sale, you don't want a financial loss to compromise your nonprofit's ability to fulfill its mission. Although internal controls aren't a failsafe way to catch a thief in the act; they do provide a system of verification and security that can be effective in dissuading would-be thieves. Or, in the event that someone sets out to separate your nonprofit from its financial resources, effective internal controls can detect fraudulent schemes before an organization's assets are fully eroded.

What Are Internal Controls?

Much of what you're already doing with respect to tracking, accounting for and protecting your financial assets likely falls within one of four categories of internal controls:

  1. authorization and approval - activities empowering a person or to sanction expenditures, including policies and a sign-off system;
  2. proper documentation - activities creating a paper trail of the nonprofit's revenue stream and spending, including the accounting routines created to track money coming in and going out;
  3. physical security - protective measures that safeguard assets by preventing theft by insiders or outsiders, as well as preventing access to accounting systems by those whose positions don't require access; and
  4. early detection - any activity that could detect a fraudulent scheme in the planning or execution stage and enable intervention to stop the scheme and prevent the further erosion of assets.

Fortunately, establishing good internal controls requires more of an investment of attention than money. Thus very small nonprofits or even all-volunteer groups, as well as large, secular and religious umbrella organizations can institute appropriate controls and reap the benefits.

Authorize and Approve
Activities falling under the first category of internal controls ensure that your nonprofit is not obligated for expenses or commitments beyond its desires or financial means. Some of the strategies every nonprofit should consider include:

  • establishing an annual budget and providing the board with sufficient time to review the budget and ask question. This ensures that the staff manages the organization in a manner that is consistent with the requirements of the leadership. Make certain that budgets are approved before the fiscal year begins.
  • establishing a purchasing process that tracks purchases from the time a request for an item or service is made to the delivery of goods and services and payment of fees/amounts owed. Remember that the system shouldn't be overly complicated or time-consuming. It should help you avoid surprise when vendor invoices arrive in the mail and allow you to demonstrate that commitments are consistent with an approved budget.
  • making certain that employees and volunteers in the organization know who has authority to obligate the nonprofit's funds. Providing explicit instructions about purchasing authority will help you avoid embarrassing, as well as disastrous, situations.

Document
Keeping accurate, detailed documentation of all financial transactions will not only make your auditor happy and keep the length of your management letter to a minimum, it will enable you to track vital resources and use financial information to make appropriate decisions for your agency. Some of the strategies every nonprofit should consider include:

  • Requiring that vendors and consultants submit detailed invoices for goods and services provided to your nonprofit. An invoice should be self-explanatory - someone in your organization or an outsider (such as a representative of your audit firm or a regulatory agency) should quickly understand the nature of the services or products provided and the time period to which the bill applies.
  • Maintaining employee files that contain relevant documents, such as the application, hire letter, Form W-4, disciplinary or commendation letters, and notices of salary or wage changes.
  • Obtaining written agreements with all independent contractors which specify the terms and conditions of the relationship.

Physical Security
An elaborate system of surveillance cameras installed above the desks of your bookkeeper and finance director would be considered an extreme security measure, even for a nonprofit with unlimited resources. Instead of measures that will send people logging onto online job-search sites, consider:

  • Ensuring that blank check stock is kept locked and under the control of a staff member other than the person responsible for cutting checks. Each time the accounts payable staff member needs blank stock for bill paying, he or she must sign out and log the check numbers..
  • Using appropriate passwords to prevent access to your accounting software and records by staff members or "visitors" without a need to view or change these records. Effective passwords are "easy to remember and hard to guess" and should be changed periodically (Every 60 to 90 days is a good rule of thumb).

Early Detection
No measure can prevent, with absolute certainty, the theft of your assets by a determined embezzler or burglar. However, there are things that every nonprofit can do to ensure the prompt detection of ongoing fraud and minimize the total loss to the organization. These include:

  • Ensuring that the executive director or other senior manager receives and reviews the monthly bank statement(s) before it (they) are provided to the staff member performing the bank reconciliation.
  • Having a senior manager who doesn't control blank check stock or check-writing perform the monthly bank reconciliation, or review the reconciled bank statement for errors or irregularities.
  • Using backup staff members to make bank deposits and perform other essential accounting duties when the regular bookkeeper or accountant is out sick or on vacation. The backup should be instructed to report any irregularities immediately to the executive director or other appropriate manager.
  • Engaging the services of a CPA firm to conduct an annual financial statement audit and providing time on the board's agenda for the auditor's representative to meet with the board without any staff present.
  • Engaging the services of a CPA firm to conduct a fraud audit in the event management or the board suspects that financial assets have been stolen. Keep in mind that a financial statement audit isn't designed to detect fraud and is, in fact, unlikely to detect many common types of fraud, such as:
    • the creation of and payment to bogus vendors,
    • the use of the nonprofit's credit card for personal expenses, and
    • the theft of cash receipts at a special event by a volunteer ticket taker/cashier.
  • Verifying credentials (college degrees, CPA status, etc.) specified in the job description and checking references for all incoming employees. Every year countless nonprofits waste considerable financial resources on employees who don't have the credentials stated on their resumes or the skills required to do the job, or worse, who were fired from previous positions for gross misconduct, such as lying or stealing.

What Can You Do?

Implementing effective internal controls in your nonprofit begins with adopting a positive attitude about the potential for appropriate controls to free up - rather than consume - resources needed to achieve your charitable mission. Next, consider the types of steps that are practical in your nonprofit in the areas of authorization/approval, documentation, physical security, and early detection. Implement those measures that make sense for your nonprofit, given the nature of your operations and extent of resources available for internal controls. Monitor the effectiveness of your controls and make adjustments as necessary.

Melanie Herman is Executive Director of the Nonprofit Risk Management Center, a resource organization headquartered in Washington, D.C., and dedicated to helping nonprofits control risk and focus on their missions. The Michigan Nonprofit Association is a satellite office of the Center. For more information on the numerous resources available from MNA and the Center, visit: www.mnaonline.org, (517) 492-2400 [or call toll free from Michigan only 888.242.7075]. The Center's book on internal controls, Healthy Nonprofits:Conserving Scarce Resouces Through Effective Internal Controls, is available from MNA.

Back to top

"MNA Member Login/Join