Under Control: A Dive into internal controls
Kevin Omahen, CPA
Why Care about Internal Controls
Not-for-profit organizations across the country are impacted by fraud, and many have at times experienced significant losses. Such losses could be devastating for these organizations. However, with strong internal controls to prevent and detect fraudulent activity, not-for-profits can reduce this risk. In addition to minimizing fraud, comprehensive internal controls also help ensure accurate accounting records and financial statements. Decisions are constantly being made within organizations, both at board of director meetings and at finance, audit and investment committee meetings. Without strong internal controls, there is a risk that those decisions are based on inaccurate financial data. Strong internal controls are also essential for compliance with relevant laws, regulations and grant requirements.
Internal Control Examples
Each organization’s internal controls will vary based on the nature of its transactions and its size. For example, a not-for-profit with annual gross receipts over $100,000,000 that operates locations across the country will have significantly different internal controls than a single-location not-for-profit with $100,000 in annual gross receipts. Internal controls should be focused on the specific risks the not-for-profit faces and designed to address those risks so that fraud is prevented before it occurs. Below are common examples of internal controls that every not-for-profit organization should implement.
Segregation of Duties
Nearly every not-for-profit has a team of individuals delivering on the mission. The same strategy should be applied to internal controls. Multiple individuals should be involved in the cash receipt, cash disbursement, payroll and every other transaction cycle. For instance, the person who opens the mail to receive an invoice, the person who enters the invoice into the general ledger, the person who approves the invoice for payment and the person who pays the invoice should all be separate people. By segregating duties, you prevent any one person from being able to unilaterally carry out a fraudulent transaction.
Approval on Credit Cards and Employee Reimbursements
Credit cards and employee reimbursement policies are frequently an area of weakness in internal controls. You should design your policies governing credit cards and employee reimbursements in a way that prevents an employee from paying a personal expense on the organization’s dime. For instance, a common control not-for-profits implement over employee reimbursements is a formal approval form. On this form the employee requests reimbursement for a specific expense and attaches the receipt; the form must then be approved by a supervisor before payment is made.
Financial Statement Review
It is customary for not-for-profit boards or audit committees to review financial statements. How frequently this review occurs is up to the organization, but reviewing financial statements only on an annual basis is not timely enough. Financial statement review allows board members to examine account variances and identify areas of the financial statements that may be misstated. Beyond its role as a control to prevent fraud, financial statement review is also the basis on which many decisions are made. Without accurate and timely reporting, it is impossible to make the most calculated and informed decision.
Management and those charged with governance should continuously be discussing fraud risks and internal controls. These conversations help facilitate the ongoing evaluation of fraud risks. Organizations evolve over time. What worked 20 years ago may not work today. Furthermore, your internal control structure from even four years ago may be outdated based on changes in operations post-pandemic.
Preventing and detecting fraud is not an easy task. It’s difficult to continuously review and monitor fraud risks to ensure fraud is not occurring in your organization. However, it is vital to the health and future of your organization to take these measures to help prevent fraud.
Is your cybersecurity up to snuff?
The sudden and unexpected shift to remote work in 2020 made clear that many not-for-profit organizations have vulnerabilities that cybercriminals could leverage to steal data or disrupt operations. Your organization’s employees may or may not be back in the office, but the risks are ongoing. Here is what you need to know about the most crucial components of effective cybersecurity for not-for-profits.
Culture of security
When cybersecurity is recognized as a top priority throughout an organization, the odds of being victimized drop dramatically. It only takes one employee to click on a risky link in a phishing email (see the Sidebar: Know Your Cyberattacks, below) or fail to update software to expose the entire organization, so you need everyone to be on board. Employees who see best practices routinely implemented are more likely to duplicate those practices and less likely to fall prey.
As with so many things, the tone starts at the top. If organizational leaders are exempt from measures required of others (for example, regular training or password protocols), employees notice and might take their own compliance less seriously. To create a pervasive commitment to cybersecurity, all policies, practices and procedures must apply to everyone.
You should grant data access solely on a “need-to-know” basis. Too many organizations allow access to employees or volunteers who do not actually require access to do their jobs. These people may all be trustworthy on their own, but each one represents an avenue to data that a cybercriminal could compromise.
In shared file systems, take advantage of permission settings to limit access, review permissions monthly or at least quarterly, and remember to shut off permissions when employees or volunteers are no longer with your organization. Require authorized users to use multifactor authentication and set up alerts for when these users are logging in from unfamiliar devices or unusual geographic areas.
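As an added illustration of the two practices above (example code written for this page, not from the article): a small Python script that lists permissions still granted to departed staff and flags logins from a device or region not previously seen for that user. The access list, staff roster and log lines are constructed sample data, and the first login seen for each user is taken as that user's baseline.

```python
"""Access review and unfamiliar-login alerts (constructed example)."""

# Constructed sample data: which users hold access to each shared resource,
# and who is still on staff. Carol has left but still has access.
ACCESS_LIST = {
    "finance_share": {"alice", "bob", "carol"},
    "donor_db": {"alice", "dave"},
}
ACTIVE_STAFF = {"alice", "bob", "dave"}

# Constructed login records: timestamp,user,device,region
LOGIN_LOG = """\
2024-03-01T09:02:00,alice,laptop-a1,US-IL
2024-03-01T09:10:00,bob,desk-b7,US-IL
2024-03-02T08:55:00,alice,laptop-a1,US-IL
2024-03-03T22:41:00,alice,phone-x9,RO
2024-03-04T07:30:00,dave,desk-d2,US-IL
2024-03-04T07:45:00,dave,desk-d2,BR
"""


def stale_permissions(access_list, active_staff):
    """Return (resource, user) pairs where the user is no longer on staff."""
    return sorted((res, user)
                  for res, users in access_list.items()
                  for user in users if user not in active_staff)


def login_alerts(log_text):
    """Flag logins from a device or region not seen before for that user.

    A user's first login establishes the baseline and is never flagged.
    Returns a list of (timestamp, user, reason) tuples in log order.
    """
    history = {}  # user -> {"devices": set(), "regions": set()}
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, device, region = line.split(",")
        known = history.get(user)
        if known is None:  # first sighting: record baseline, do not alert
            history[user] = {"devices": {device}, "regions": {region}}
            continue
        reasons = []
        if device not in known["devices"]:
            reasons.append(f"unfamiliar device {device}")
        if region not in known["regions"]:
            reasons.append(f"unusual region {region}")
        if reasons:
            alerts.append((ts, user, "; ".join(reasons)))
        known["devices"].add(device)
        known["regions"].add(region)
    return alerts
```

In practice the roster would come from HR's offboarding list and the log from the file-sharing or identity provider's sign-in export, so the review can be re-run on the monthly or quarterly schedule the text recommends.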
Incident response planning
Even with comprehensive, up-to-date cybersecurity policies and tools, no organization is immune from cybercrime. Formulating an incident response plan in advance is essential to minimizing the repercussions of a successful attack. You do not want to be scrambling for the right response in the heat of the moment.
Consider establishing an incident response team (IRT) to develop a detailed written plan for handling attacks. Ideally, your IRT will be cross-disciplinary, with representatives from areas including management, IT, human resources, finance/accounting, marketing/communications, and member or client services. Each area should assume specific roles and responsibilities in the event of an attack. It is best to have two representatives from each area to improve the odds that someone will be available to respond if an incident occurs.
Annual risk assessments
Cybercriminals do not rest on their laurels — they are constantly ferreting out new vulnerabilities and devising new tactics for exploiting them. So do not assume the cybersecurity protections you put in place last year are still up to the task. Whether conducted by an internal IT employee or a third-party expert, your organization should undergo an annual cybersecurity risk assessment.
At the most basic level, every assessment should determine the data you currently possess and collect, how you store it, whether you truly need it and how you dispose of it. In addition, identify all parties that have access to your data (for example, vendors) so you can evaluate whether they use appropriate security protection. Once you have determined the risks, weigh the likelihood of each risk actually occurring and the likely consequences. These evaluations can guide you in adopting additional steps to mitigate risk.
In today’s environment of evolving risks, every not-for-profit needs to formally assign responsibility for cybersecurity. If you lack the resources to employ a full-time cyberofficer on staff or your IT employees are overstretched, you might want to outsource the job. Balancing the upfront costs against the potential ramifications of a breach should make clear that you cannot afford not to.
Sidebar: Know your cyberattacks
You’re not alone if you get confused by the various descriptions of cybercriminals’ schemes. Here are some of the most relevant for not-for-profits:
Phishing
This generally refers to schemes where cybercriminals trick victims into providing personal information (including login credentials) or clicking on links in emails or texts that infect computers with malware. Many iterations exist, with more emerging.
Malware
Malicious software (malware) encompasses a variety of harmful programs, including ransomware and spyware. It is often unleashed when an employee clicks on a phishing link, resulting in malware installation. Ransomware can block access to critical data and could shut down a system completely, requiring the organization to pay a ransom to regain access. Spyware allows the transfer of data to the criminals.
Denial-of-Service (DoS) Attack
DoS attackers overwhelm a victim’s servers, networks or systems, eating up their resources and bandwidth. As a result, servers and networks are not available to their intended users. Visitors may not be able to reach the organization’s website, or employees might be unable to do their work.