Improving Internal Controls in Small Nonprofits
Consider “Happytown Thrift Shop,” a fictitious nonprofit with one accounting staff member. The organization has received communications of material weaknesses from the auditor, but management avoids reading it because they feel helpless at best and ashamed at worst.
Further, there is no budget to expand the accounting staff or provide training in the area of internal controls. The accountant logs cash received daily from thrift shop sales and keeps the cash in a nearby safe. When their schedule allows, usually monthly, they open the safe, put the cash in a lunch box and walk it down the street to the local bank.
Not Enough Staff
When the executive director of the Happytown Thrift Shop thought about internal controls, particularly separation of duties, she lamented, “We don’t have the staff for that.” She isn’t alone.
Whether they lack the headcount or their staff requires more training than the employer can provide, many businesses find themselves willing to live with lax controls and hope for the best.
Elements of a Strong Internal Control Environment
This illustrated accounts payable process is part of a strong internal control environment. It requires four roles across the three components of the internal control. These four roles are management (authorization), the bookkeeper and controller (recordkeeping), and treasury specialist (custody). It also includes technological support in the form of a vendor payment policy document and a project management system, shown here as Asana.
If the organization combines these roles or functions and if no mitigating controls are present, the major risks include:
- The organization’s assets are more susceptible to misappropriation or error.
- The financial statements may not reflect the position and activities of the organization.
- Should misappropriation or major error occur, the accounting staff are exposed to unnecessary liability.
Mitigating the Opportunity for Misappropriation
The three elements in criminologist Donald R. Cressey’s Fraud Triangle are incentives/pressures, rationalization and opportunity. The only one of these areas that an organization has significant control over is opportunity. The good news is that it’s not complicated to implement an ounce of prevention — it just takes consistency.
Even in nonprofits making do with one bookkeeper or director of finance in charge of all accounting operations — a risky situation — the executive director can fulfill the authorization role and a board member can read the bank statements and bank reconciliations in order to provide a mitigating control.
Paper checks, which include the organization’s account and routing number, represent an opportunity for both internal and external malfeasance. Check-related fraud is enabled by paper checks, from check washing to double presentment facilitated by mobile deposit technology.
Happytown Thrift Shop’s executive director hesitated to have conversations with the accountant regarding internal controls for fear of seeming untrusting. However, she remembered that the purpose of the conversation is to protect the staff as much as it is to protect the shop’s assets. The most successful leaders have these conversations courageously and often, she reminded herself, and scheduled a meeting.
Cost of Implementation and Costs of Failing to Implement
The costs of internal control training and implementation are far outweighed by both the measurable and intangible benefits.
Happytown Thrift Shop’s executive director took a breath and opened the filing cabinet with last year’s audit file. With a knot in her stomach, she turned to the Communication of Significant Deficiencies or Material Weaknesses and started reading. She was halfway down the first page when she realized that this was actually the guide she had been wishing for! She read the auditor’s recommendations and grew excited as she began to put together an implementation plan.
Based on the auditor recommendations, she instituted a daily cash count, cash vault services with armored car pickup and a secure electronic bill payment process. She added the auditor’s recommendations to the agenda for the next Finance Committee meeting and started making a case for next year’s budget to include additional accounting staff.
Six months later, at the annual state leadership convention, that same executive director looked for her counterpart from the Somberville Sunshine Society. Her colleague was nowhere to be found. To her dismay, she heard that the organization had fallen victim to a check washing scheme that they couldn’t prove. They suffered the theft of $157,000 and the loss of public trust. Fundraising dollars dried up, and the Somberville Sunshine Society was no more.
Justin Ash, CPA, is a controller consultant at Tier One Services, a fractional CFO and outsourced accounting firm specializing in the social justice sector.