Armanino Blog

Why Internal Controls Matter for Your Nonprofit

by Renee Ordeneaux
October 14, 2015

Today’s nonprofit environment is quite competitive in seeking revenue and preserving assets.  The last thing anyone wants to see is theft or embezzlement, wasting the hard-earned results of fundraising and development and depleting these assets. A key ingredient in preserving a nonprofit’s assets is the proper design and implementation of internal controls. This is true from large, well-established national nonprofit organizations to the smallest start-up charity.

Here are three compelling reasons to make sure effective controls are in place and are being properly executed to protect your assets:

1. Fraud happens. Fraud can and does happen at nonprofits, where lean staffing can make it hard to segregate duties. Many nonprofits have trouble accepting the idea that someone would steal from them. But no matter what the industry, employees can and do steal.  

We have investigated several frauds in the nonprofit venue. Fortunately for us, these have occurred before our term as their auditor.  Sadly for them, the larger thefts resulted in substantially less than 100% realization.

  • False new employee ($50,000 theft, caught within months by the nonprofit and repaid).
  • False vendor ($1.7 million theft, caught 2 years after the fact by a total fluke – a new employee was looking through old records, and noticed several very large old invoices for computer equipment far in excess of what the organization would use).  The nonprofit received partial recovery from insurance and the bank, which was almost entirely offset by additional professional fees.
  • Falsified bank reconciliation ($300,000 theft, resulting from employee creating false vendors, and then covering their tracks by creating false bank reconciliations.  Since the accounting manager was not reviewing the bank reconciliations, this went on until a bank employee became suspicious of the employee trying to cash a check for $40,000 at the bank). The nonprofit received partial recovery, which was partially offset by additional professional fees.

Our experience tells us that the biggest frauds are typically perpetrated by the most trusted individuals!  Often the perpetrator has been with the company so long and was so trusted that standard business internal controls were dispensed with in order to simplify and empower the individual’s performance.

2. The IRS is asking.  The IRS takes a very active interest in a nonprofit’s governance practices and internal controls. After all, a well-governed charity is more likely to obey the tax laws, safeguard assets, and serve charitable interests. As a measure of its interest in this area, the IRS asks a number of very specific questions about governance processes and procedures on Part VI of IRS Form 990.

  • Disclosure of significant diversion of the organization’s assets (i.e., theft).
  • Form 990 review and approval policies.
  • Written conflict of interest policies.
  • Written whistleblower policies.
  • Written document retention and destruction policies.
  • Joint venture participation policies.
  • Executive compensation review and approval policies.

3. The public is watching.  Successful nonprofits create a bond of trust with their supporters—a bond that can quickly be broken by the slightest sign of fraud or financial irregularity. Properly implemented internal controls reassure donors, regulators, and the general public that they can have faith in the organization’s financial statements, and    that the board of directors is living up to its obligations to safeguard the organization’s assets and reputation, enabling the organization to continue its mission.

What Are Internal Controls?
The National Council of Nonprofits provides a good definition of internal controls.  At their most basic, internal controls are “systems of policies, procedures, and financial management practices that are systematically used to prevent misuse and misappropriation of assets. They are generally described in written policies that outline the procedures the nonprofit will follow, as well as who is responsible.” Written policies and procedures eliminates ambiguity, and also come to the forefront when unanticipated turnover occurs in the accounting function.

One classic control is a policy that requires two signatures on a check.  Schemes that involve creating a fictitious vendor can be mitigated by having someone outside of the purchasing function periodically review a list of all vendors who receive payment from the nonprofit. At the other end of the spectrum, a control may simply be a policy to lock the office door when no one is monitoring the entrance.

Where Do We Start?
At the very least, the National Council of Nonprofits suggests organizations adopt internal controls that address who has access to the nonprofit’s bank accounts, and who has authority to spend money on the nonprofit’s behalf. Cash controls are fundamental internal controls. 

  • Ensure the bank accounts are being reconciled to the general ledger and that someone is reviewing bank reconciliations at least monthly.
  • Establish accounting exception reports for accounting events such as new employees, new vendors, etc. Ensure these exception reports are reviewed and approved by someone with sufficient knowledge and experience to identify if something inappropriate has occurred. 

Consider these steps you can take to implement effective controls within your organization:

Set the Tone at the Top
Establish a formal code of ethics or conduct for everyone associated with the organization (employees and volunteers) that clearly spells out what is acceptable behavior. Convey that theft of organizational assets will result in immediate termination and be fully prosecuted—and then create a reporting mechanism (such as an anonymous hotline) for staff, donors, and suppliers to report suspected improprieties. If management does not participate in and overtly discourages unethical behavior, awareness will grow that unethical behavior will not be tolerated.

Utilize Your Board
Your board of directors is ultimately responsible for exercising independent oversight over the organization’s finances. Ensuring that effective controls are in place—and that management is properly executing them—is inherent in that duty.

In addition to a strong executive committee that meets regularly, your board should also have an active finance committee. This committee should be responsible for maintaining awareness of the organization’s exposure to theft or loss; considering safeguards to reduce and mitigate risk; and monitoring cash flow, accounts receivable and accounts payable.

  • Have a board member (Treasurer or Finance Committee Chair) proficient in finance receive copies of the monthly bank statements. Periodically, this engaged board member should ask some questions about the bank activity, to ensure the accounting department is aware someone is monitoring.
  • Pay attention that monthly internal profit and loss statements include year-to-date amounts, and that the year-to-date this month matches the year-to-date of the previous month plus the current month’s revenue and expenses.
  • Ensure that management also identifies significant fluctuations between budget and actual results and presents the reasons for these significant fluctuations to the finance committee.

Follow the Golden Rule
The Golden Rule of fraud prevention is simple: Separate incompatible functions. Simply put, this means no single individual should have both custody of assets (money, inventory, etc.) and responsibility for maintaining the related records.  

  • For example, ensure the person who logs in checks received in the mail is not the same person who is responsible for depositing checks.
  • Similarly, the same person should not both prepare the payroll, and also distribute or have custody of the payroll checks.

Involve your Donors
Donors are often the first to notice irregularities related to their gifts. They might note a discrepancy in their pledge balance or realize that a cash gift was never officially acknowledged. To control for fraud, ensure questions from donors about their donations or pledges are directed to a person independent of the organization’s cash receipts function, such as a development officer or even the executive director. Thoroughly follow up any discrepancies.

Internal controls, properly implemented, can act as strong deterrents to fraud.  Contact your local Armanino nonprofit experts to see if your organization could benefit from a review of where your organization’s internal controls may be lacking.

October 14, 2015

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Related News & Insights
SaaS Market Trends
Between the uncertainty of 2022 and the highs of 2021, what will 2023 hold?

December 14, 2022 | 09:00 AM - 10:00 AM PT
Fraud: Current Trends & Hot Topics
Don’t let fraud negatively impact your organization.

December 8, 2022 | 11:00 AM - 12:00 PM PT
Year-End Tax Planning for High-Net-Worth Individuals
Our tax experts will dive deep into our annual year-end tax planning guide.

December 8, 2022 | 09:00 AM - 10:00 AM PT