Internal controls are vital to protect your nonprofit association from fraud. While most leaders believe employees work at an organization as much for the mission as they do for the paycheck, sometimes that just isn’t the case.
When an association uncovers fraud, they are often in disbelief. Then again, would you ever put a person in a position where they could steal from you if you didn’t trust them?
This article covers what your nonprofit association should focus on and what to avoid when it comes to internal controls.
Focus On the Riskiest Activities
A detailed list of internal controls can contain hundreds of items related to everything from governance to financial statements to payroll to information technology. If your association has never drafted a list of internal controls, talk to your CPA firm about how to get started. For most associations, it’s best to focus on a small group of controls.
For example, an association that’s putting membership dues to work as quickly as they come in probably doesn’t need to worry about property management and investment policies. The association would benefit from implementing rules regarding cash receipts and disbursements, which includes segregating duties (so that, for example, the same staffer who accepts donations doesn’t also record or deposit them), requiring dual signatures on checks and performing monthly bank reconciliations. For smaller associations, segregation of duties might not be practical, meaning you might have to rely on someone outside of the process for monitoring.
The biggest exposure to theft is your association’s cash and bank accounts, which means those accounts require the greatest scrutiny and control. Recording receipts is vital. Once in the bank make sure disbursements are for legitimate organizational purposes. With the advent of electronic banking, it has become harder to enforce controls, but reviewing transactions after they have posted is just as important as approving the disbursement.
Avoid Management Overrides
Even the best internal controls can’t protect your association from fraud if managers override them. Although auditors review internal controls, audits can’t detect every fraudulent activity that could occur, especially management overrides. It’s a good idea to ask your auditor or someone experienced in fraud prevention to observe how well your organization is adhering to controls and to identify any potential risks.
One of your best lines of defense may be your board of directors. Your board can help prevent management-perpetrated fraud by:
- Overseeing annual audits
- Ensuring that material weaknesses identified by auditors are addressed
- Reviewing monthly bank reconcilements, investments reconciliations and analysis of other material accounts
- Regularly reviewing financial statements
- Signing off on completed IRS forms
Your board might also stipulate additional policies, such as requiring the approval of at least one board member on the rare occasion a manager needs to override controls.
Your board also should look for signs that managers aren’t following internal control policies to the letter — for example, failing to report risks and actual management overrides in a timely manner. Sloppy accounting and reporting errors as well as disputes with auditors and outside advisors are possible signs that a manager might be committing fraud.
Need Help?
To learn more about how your association can strengthen its internal controls, contact us online, or call 800.899.4623.