Nonprofit Financial Controls
Is your nonprofit at risk for fraudulent financial activity? Nonprofit organizations tend to be more trusting of their employees, have fewer resources devoted to administrative costs, and have less stringent financial controls than for-profit organizations. They are more likely to be victims of such fraud.
According to a 2013 Washington Post report, more than 1,000 nonprofit organizations disclosed hundreds of millions in losses attributed to theft, fraud, embezzlement, and other unauthorized uses of funds and organizational assets from 2008 to 2012. Nonprofits were second only to the financial services industry, experiencing one-sixth of all major embezzlements. In one recent example, a California CPA reportedly stole $4 million while managing a church’s books for nearly seven years. He is now headed to prison.
How can nonprofits reduce their risk of fraud? A key answer is internal financial controls, and other options can provide valuable safeguards too.
What are internal financial controls?
Internal financial controls are systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to:
(1) conduct its business in an orderly and efficient manner,
(2) safeguard its assets,
(3) deter and detect errors, fraud, and theft,
(4) ensure accuracy and completeness of its accounting data,
(5) produce reliable and timely financial and management information, and
(6) ensure adherence to its policies and plans.
Good nonprofit internal control systems provide reasonable assurance of fraud prevention. Even the best procedures will not prevent errors, bad judgments, management overrides, or fraud involving collusion, but instituting and applying an effective internal control environment is a sign of proper governance and proactive management.
Effective Internal Controls: Segregation of Financial Duties
No one system of internal controls is a perfect fit for every organization. In fact, due to the diversity of missions and business models of nonprofits, the “one control system for all” approach is inappropriate. However, the first and most important consideration for every nonprofit is to set the control environment. Organizations should educate all employees that there are policies in place and that they must follow the policies.
A typical “best practices” control protocol is segregation of financial duties. Simply put, controls are implemented to ensure that there is more than one person involved in an internal financial procedure. The more people involved in a process, the less likely it is that fraud will occur. For example: first, the person who authorizes or writes the checks should not be the person signing the checks. Second, the person who orders a product should not be the only person approving the purchase. Third, the person in charge of billing and expenditures should not be the person reconciling the nonprofit’s bank account. The nonprofit’s board should also play a key role in reviewing financial reports generated by others – whether paid staff or volunteers. In practice, this protocol may be easier for larger nonprofits than small organizations, but the effort is well worth the resulting protection.
Transparency and Whistleblowing
Nonprofit leaders should also ask the following questions: How does our organization cultivate transparency, and is there an open door for whistle-blowers? Do we promote a culture of asking questions and do we reward people for asking them? Are the board and executive leadership engaged in a way that ensures that difficult questions are asked before fraud surfaces on its own? Are effective internal controls in place to ensure good accountability?
With respect to whistleblowing, nonprofits should encourage the reporting of suspected wrongdoing to management or a designated board member. Note that employees should have a means of anonymous communication if they do not feel comfortable reporting to their supervisor or management. Employees may not report theft or mismanagement if they believe that their job is in jeopardy. The board of directors must ensure that these reports are taken seriously, followed up, and that the reporting employee is protected. A written whistleblower policy is helpful for implementing such protections. Indeed, the IRS expects – and asks about – such a policy through its Form 990 annual information return.
Performing background checks on prospective employees and volunteers is another control option. Background checks on new employees and volunteers can expose problems such as undisclosed criminal records, prior instances of fraud, and heavy debt loads that can make it more likely that an employee or volunteer leader might succumb to fraud. Keep in mind, however, that while criminal checks are quite standard, credit checks are strictly regulated and subject to legal disclosure requirements.
Independent financial statement audits serve an important purpose and may prevent potential fraud. However, they rarely detect actual fraud. In fact, the Association of Certified Fraud Examiners has reported that fewer than 4% of frauds are discovered as a result of an audit of external financial statements by an independent accounting firm. Independent audits only provide reasonable assurances that the financial statements are free of misrepresentations. To detect fraud, an auditor would have to recognize the deception or misstatement of truth in the nonprofit’s financial statements. Therefore, for optimally reducing the risk of fraudulent situations, the above preventive measures are critical.
A final option, particularly if a nonprofit’s leaders suspect wrongdoing, is to hire an outside accountant to complete an internal forensic audit. A forensic audit is a review of the financial records of a company by an auditor in an attempt to identify unauthorized and improper activity. It focuses on transactions that seem to have been made in the ordinary course of business by managers and employees who have various levels of discretion and positions of trust. It is a good idea to engage an outside certified public accountant who is well-versed in nonprofit accounting, experienced in forensic audits, and who is not the nonprofit’s independent auditor, to assist with an internal forensic audit.
A nonprofit organization’s internal control policies should cover each of the above-mentioned recommendations, fit the individual organization’s structure, and be consistently followed. Given the financial responsibility owed to government agencies, donors, and their other constituents, a responsible nonprofit organization needs to ensure that clear internal controls become part of its everyday financial systems.