internal controls - Vault Consulting

INTERNAL CONTROLS
A NONPROFIT’S ACHILLES HEEL
The headline of the Washington Post said it all, “Inside the Hidden World of Thefts, Scams,
and Phantom Purchases at the Nation’s Nonprofits.”1 The article went on to detail several
cases of significant diversions of assets at nonprofit organizations, resulting in millions
of dollars in losses while providing a database of over one thousand other diversions at
nonprofits. The story uncovered how a majority of the cases of fraud or embezzlement
included in the database were carried out by perpetrators from within the ranks of their own
organizations. The range in asset diversion losses stretches from thousands to multi-million
dollar embezzlement schemes crossing multiple years.
Cases like these are not uncommon across all business sectors, but when the organizations
that fall prey to fraud and embezzlement schemes are nonprofits, the results can be
devastating. Many nonprofits rely on the trust, goodwill and financial support of the public to
run their organizations. When nonprofit funds are misused, the loss can have a direct impact
on the ability of certain programs and services to operate. The outrage over the financial
wrongdoing at nonprofit organizations has now made its way to the federal government – to
the people who determine and regulate the tax exempt status of these very organizations.
As stated by the ranking member of the Judiciary Committee, Senator Charles Grassley
(R-Iowa), “Tax-exempt dollars are meant for tax-exempt purposes, not bankrolling someone’s
personal Champagne lifestyle.”2
The very public reporting of this type of malfeasance leads to a sense of public mistrust that
blemishes the entire nonprofit industry. And it prompts the obvious question, “How could
this happen?” While cases of fraud and embezzlement are unique to each organization, most
have a consistent common cause – a lack of effective internal controls. A set of effective
internal controls that are implemented, followed, tested and updated on a regular basis
greatly reduces the risk of fraud and in some cases even prevents it.
In its Integrated Framework, The Committee of Sponsoring Organizations of the Treadway
Commission (COSO) defines internal controls as “…a process effected by an entity’s
management designed to provide reasonable assurance regarding the achievement of
objectives in effectiveness and efficiency in operations, reliability of financial reporting and
compliance with the applicable laws and regulations.”3 COSO’s Integrated Framework
consists of five general components: control environment, risk assessment, control activities,
information and communication, and monitoring. These components act as the foundation
from which effective internal control procedures are designed and implemented. They aim to
create methods of both detection and prevention of fraud or misstatements.
For more information, visit:
www.vaultconsulting.com
Some of the more highly publicized alleged fraud schemes have involved employees accused
of setting up phony vendors for payment, submitting fake invoices and creating bank
accounts in the name of the phony vendors to which the funds were allegedly deposited. It is
likely that a partial contributing factor to these fraud schemes was the lack of an effective control
environment. In other instances reported by the Post, embezzlement of funds was linked to
placing too much responsibility over cash receipts, disbursements, and review of funds into
the hands of a key employee or board member. In instances such as these, the lack of third-party
oversight, separation of duties, and compensating controls enables an environment for
embezzlement to go unnoticed, often perpetrated by a staff member generally thought of as
a dedicated and trusted employee.
Many nonprofit organizations struggle with limited resources – both financial and personnel.
Nonprofits are constantly challenged to find the best ways to effectively use these limited
resources to promote their mission while at the same time providing proper financial oversight.
While it is almost impossible to have a bulletproof set of internal controls, following COSO’s
Integrated Framework is considered a best practice approach to safeguarding assets. In
many of the high profile cases of alleged fraud and embezzlement at nonprofit organizations
that have been reported by the Washington Post in recent months, adherence to a set of
effective internal controls could likely have minimized the risk of costly cases of fraud and
embezzlement. No matter the difficulty, there is no good excuse for a lack of effectively
designed and implemented internal controls within an organization of any size or type.
Let’s focus on three of the five internal control components listed above to highlight where
things can go wrong and address how effective internal controls can mitigate the risk of fraud
and embezzlement.
Control Environment
The control environment component of COSO’s Integrated Framework focuses on the ‘tone
at the top’ and how management’s attitudes and decisions are viewed and trickle down through
an organization. There must be a clearly stated code of conduct and internal policies created to
effectively promote this type of environment. It is the duty of both management and the board
of directors to establish an atmosphere where dishonest behavior and unethical conduct are
not tolerated. It is essential for those charged with financial oversight to convey ethical and
responsible behavior. The more emphasis placed on this type of behavior at the higher levels
of an organization, the less likely riskier behavior will develop throughout. Internal controls are
most effective when all levels of staff, management and the board understand and adhere to the
policies and practices that have been established.
It is also important for nonprofit organizations to actively hire competent staff in the accounting
and finance areas. Those who oversee the finance and accounting function should have a strong
understanding and knowledge in this area in order to properly manage the resources available
to them; this includes both financial and personnel resources. A high level of competency will
assist in identifying problems with existing controls and procedures while also helping to deter
inappropriate activity.
An effective control environment also exists when lines of communications are open and staff
members feel comfortable discussing potential problems with those around them. Management
should encourage and promote various channels of communication to allow staff the opportunity
to communicate concerns about observed unethical behavior. Frequent communication
regarding rules of conduct and internal control practices helps to build a strong internal control
environment. Many fraud cases start out with a few instances of minor theft by the accused.
If undetected, that fraud usually continues both in duration and in size of the fraudulent
transactions. The perpetrators generally feel comfortable enough in their control environment
that they do not believe their actions will be caught or believe that the risk of detection is low.
Whether the contributing factor is poorly communicated controls or inadequately enforced
controls, the internal control environment is oftentimes not effective enough to dissuade or
discourage the diversion of the organization’s resources.
Monitoring
The monitoring component of COSO’s Integrated Framework focuses on determining whether
components of internal controls are operating effectively and ensuring that weaknesses in internal
control are being communicated in a timely fashion to responsible parties. It is management’s
role to assign tasks and responsibilities for internal controls to staff members at the appropriate
levels of the organization, and in order to be effective, those controls must be routinely monitored
and systematically tested. Effective supervision should include performance reviews to help
track individual employee progress. This activity assists in keeping them accountable for their
actions and decisions. Knowing that a supervisor is monitoring behavior on a regular, detailed
basis tends to lower the level of risk for fraudulent activity. It is considered best practice for
organizations to perform periodic reviews of the internal controls and to perform at least annual
performance reviews of the staff to help track individual employee progress and compliance.
One of the most important monitoring controls is the routine review and analysis of the financial
performance of the business units and the organization as a whole. This review should occur
at both upper and lower levels of management. Depending on the size and operations of an
organization, those at the level responsible for each programmatic area should be responsible
for this review and compliance. A good example of effective supervision would include reviewing
budget versus actual activity on a monthly or, at a minimum, quarterly basis. This effective control
is used to identify any unanticipated activity that might lead to a red flag or potential problem areas.
Departmental financial reports are also an easy and useful tool to monitor significant variances.
If revenues of a department are tracking much lower than anticipated, it could be a sign that
cash receipts in that department are being diverted elsewhere. If expenses are much higher
than expected, it could indicate fraudulent charges are being made by that department or
charged to the department. Ending balances on the statement of financial position (balance
sheet) of each department, or of the company as a whole, should be compared to prior periods.
Any unexplained variances in either direction could be a warning sign that fraudulent activity
is occurring. Other financial documents, monthly bank and investment statements, payroll
reports and accounts receivable aging reports to name a few, should be routinely monitored by
management. For example, an independent review of the bank statements and bank balances
could reveal unapproved transactions that are running through the operating account. Simple
yet effective monitoring controls can help to identify fraudulent activity early so that greater
losses are not incurred.
Control Activities
The control activities component of COSO’s Integrated Framework might be one of the most
important components of the framework as it specifically relates to fraud prevention. Control
activities are the procedures management implements to meet the organization’s internal control
goals and policies. They are the typical checks and balances within an organization. There are
several control activities that assist in detecting and preventing fraud. Here are some of the
more effective control activities:
Separation of duties is the concept of assigning responsibilities while focusing on clear
boundaries assigned to each function. Certain related tasks assigned across various levels
of an organization can ensure that no one individual has enough control over the larger
process as a whole. A simple example of separation of duties for the cash disbursement cycle
would include separating the duties and responsibilities for requesting payment of an invoice,
authorizing payment of the invoice, processing of the invoice into the accounting system, and
signature of the checks for payment of the invoice. It is a best practice that once checks are cut
by the accounting department and signed by an authorized check signer, those checks should
be mailed out directly by accounting. They should not be returned to the person requesting
payment, which may allow a perpetrator of fraud to deposit them into an improper bank
account. Separation of duties should be applied across all of the large accounting cycles of an
organization: cash receipts, cash disbursements, payroll, and financial reporting. This effective
control allows multiple review levels and reduces the chance that any one individual can take
advantage of organizational resources. Separation of duties is an important control to implement
but one that can be constrained by organizational size and resources. There are several ways
for smaller organizations to create separation of duties including board level involvement and
outsourcing certain functions to a third party.
Reconciliation is the process of reviewing and comparing transactions to supporting
documentation. The ending balance of a general ledger account should be compared to an
internally confirmed schedule or third party report, and all reconciling items identified and
resolved. It is considered a best practice to reconcile all assets and liabilities on a routine basis,
and it is particularly important to routinely reconcile cash on a monthly basis. Reconciling the
reported cash balance to a monthly bank statement is one way to begin to identify if assets are
being diverted and can help to uncover fraud schemes such as check kiting and skimming. It
is important to assign reconciliation responsibilities to someone other than the person involved
in the transactional processing function to ensure a check on the transactional level work of an
organization.
Authorization is the process where transactions are approved by staff based on certain
thresholds and ranges of knowledge. This control assists in preventing invalid transactions
from occurring, such as purchases over a certain dollar amount or for unauthorized goods and
services. For the authorization control to be effective, the procedures should be clearly defined,
documented, and communicated in a timely manner. This level of control should usually be
assigned to upper management staff that is familiar with the organization. It is considered a best
practice to have the person in charge of the accounting function or even the treasurer involved
in some level of the authorization control.
An effective combination of these three important control activities (separation of duties,
reconciliation and authorization) helps focus an organization’s policies on both the detection and
prevention of fraudulent activity.
It is easy to Monday-morning quarterback cases of fraud once they are brought to the public’s
attention and to see how unwitting organizations were taken advantage of by personnel intent on
committing fraud. However, it is management’s and the board’s duty to make sure that effective
internal controls are implemented to help mitigate the opportunities for dishonest people to
perpetrate fraud. COSO’s Integrated Framework outlines the methods for implementing effective
controls, but it is the responsibility of each organization to utilize these suggested best practices
to safeguard their assets. If you fear that your organization’s internal control environment suffers
from some of the same risks as cited in this paper, it is up to you to be proactive in assessing
and improving that internal control environment. Please take the necessary steps to evaluate
your unique needs surrounding internal controls and don’t let your organization become the
next headline news story involving fraud.
1 The Washington Post, Joe Stephens and Mary Pat Flaherty, October 26, 2013.
2 The Washington Post, Congress Promises Multiple Investigations of Possible Wrongdoing at Charities, Joe Stephens and Mary Pat Flaherty, November 1, 2013.
3 www.coso.org.
Vault provides full-service outsourced accounting and
research programs for associations, nonprofits and
their affiliates. With deep expertise, we provide clients
with steadfast support, secure handling of sensitive
information and the resourceful counsel necessary to
transform information into action.
HEADQUARTERS
11710 Plaza America Drive, Suite 350
Reston, VA 20190
www.vaultconsulting.com | 703.652.0205
CONTACT
Jamie Saylor
CEO & Principal
703.654.1446