INTERNAL CONTROLS: Make Your List and Check It Twice

Nonprofits that don't exercise constant vigilance in adhering to internal controls open the door for fraud. Unfortunately, weak economic conditions have only increased the likelihood of occupational theft, making risk control measures more important than ever. You can keep such measures top of mind by regularly reviewing and updating your organization internal controls and concentrating your energies on the biggest risks.

NARROWING YOUR FOCUS

A detailed internal controls list potentially contains hundreds of items related to everything from governance to financial statements to payroll to information technology. If your nonprofit has never drafted such a list, talk to your financial advisors about doing so.

Most nonprofits, however, engage in far fewer risky activities and should, therefore, focus on a smaller group of controls. For example, a startup that putting donations to work as quickly as they come through the door probably doesn't need to worry about investment and property management policies, at least not yet.

But such a nonprofit would benefit from implementing rules regarding cash receipts and disbursements. These include segregating duties (so that, for example, the same staffer who accepts donations doesn't also record or deposit them), requiring dual signatures on checks and performing monthly bank reconciliations.

FOXES WATCHING THE HENHOUSE

Even the best internal controls can't protect your nonprofit from fraud if managers override them. Although auditors review internal controls, audits aren't designed to catch management overrides. So it a good idea to ask a fraud expert to observe how well your organization is adhering to controls and to identify any potential risks.

But your best line of defense may be your board of directors. Your board can help prevent management-perpetrated fraud by:

• Overseeing annual audits

• Ensuring that material weaknesses identified by auditors are addressed • Regularly reviewing financial statements

• Signing off on completed IRS forms

It might also stipulate additional policies, such as requiring the approval of at least one board member on the rare occasion a manager needs to override controls.

Your board also should look for signs that managers aren't following internal control policies to the letter, for example, failing to report risks and actual management overrides in a timely manner. Sloppy accounting and reporting errors and disputes with auditors and outside advisors are possible signs that a manager may be committing fraud.

REVIEW AND REASSESS

You and your staffers probably have a lot on your plates, so it understandable if internal controls occasionally get lax. Remedy such lapses as quickly as possible by reviewing with employees and managers alike the policies designed to control fraud.