Five Internal Controls for the Very Small Nonprofit
Segregation of duties, checks & balances . . . difficult to implement in the organization that has perhaps three or fewer staff, or only a few active board members in an all-volunteer organization. We asked CPA Carl Ho, who works with dozens of small nonprofits, what would be the five most important, most do-able controls for small groups:
1. The first and most important consideration is to set the control environment, that is, to let everyone know, from the top down, that there are policies in place and everyone has to follow the policies. In so many organizations the top person makes exceptions for himself or herself about policies, which sets a sloppy or even unethical tone. Then other people don't think they have to follow procedures, either, and they start cutting corners. The top person can't ask for reimbursement for anything for which they don't have a receipt. The management team members must all use time sheets themselves, get approval for travel expenses, have their credit cards scrutinized.
Emphasize the importance of ethics and controls at staff meetings, and demonstrate that everyone follows the rules, all the time.
2. Define clearly who is responsible for what. It's very common in small organizations, where not as much needs to be written down, for people to say, "I thought she was going to check the invoice." For example, with invoices: who is responsible for checking the math? Who is responsible for approving the invoice to be paid?
3. Physical controls. Lock it up. Computers should be locked to desks, and they should be protected with passwords. Put checks in a locked drawer. Among other abuses, there are too many cases where someone comes in and takes checks from the middle of the checkbook.
4. If there's cash involved -- such as at a fundraiser or box office at a performance -- have two people count all the cash together.
5. Reconciling the bank statement is a very crucial step. It's very unlikely that someone is going to steal from you and run away forever. Reconciling the bank statement means that embezzlement can't go on for very long.
Ideally someone other than the bookkeeper (or whoever handles the money) reconciles the bank account from an unopened statement. That's a strong check on the person who handles the money. But in a small nonprofit there may not be a bookkeeper, and there may be only one person who does everything. In these instances someone else, such as a board member, should receive the unopened bank statement, and look it over before giving it to the bookkeeper or the sole staffperson.
There are several controls that are commonly recommended but that you haven't mentioned. Could you comment on them? For example:
Payroll? Payroll controls at small organizations are actually easy because everybody knows everybody, so it's harder to create fictitious employees and pay them. The one area for attention is approval of timesheets for people working on an hourly basis. In these cases someone -- who knows what work they did -- should review and approve timesheets.
Two signatures on checks, or on large checks? This is okay as a policy, as long as you know that banks don't enforce this policy, nor can you hold them liable for a check that goes through with only one signature. Two signatures is a good policy so that someone sees the big checks, but it's more about setting the right tone than about preventing theft.
The person handling money not allowed to sign checks? Bookkeepers should not sign checks. But in a really small organization this may not be practical. One approach is to allow the bookkeeper (or the person who handles the money) to sign small emergency checks, for no more than $100 or $200. If everybody knows this rule, it helps to set a tone of accountability. And again, it will be caught by the person who does the bank reconciliation.
Any concluding thoughts?
In even the smallest organization, there can be another person who looks over things periodically, checking whether an expense was too high, was legitimate, whether the payroll taxes were paid. If you combine this with an atmosphere and environment that emphasizes following procedures and high standards of accountability, you still may not be able to prevent theft completely. But you'll prevent honest people from crossing the line, and you'll catch anything before it gets too serious.
Carl Ho, CPA, is a partner at Le, Ho & Company in Daly City, California, and serves as the auditor for many small and large community nonprofits in the San Francisco Bay Area. He loves to bicycle, and can't wait to try out the unicycle he just ordered by mail. He also loves roast duck. [Editor's note: who doesn't?]
Comments
Wonderful tips! I advise very small nonprofits and they often struggle with this issue. Now I feel armed with an extra tool to help them cope. -Danny in Bethesda, MD
Thanks for the article! It is very concise and clear. I'm going to forward it to my small non-profit clients. Mark, www.MarkHalpertCPA.com
Very helpful, and validating for us, as we are following many of the suggestions. We go through a mandatory audit every year and the internal controls issue comes up because we're small. We are also told that having an accounting manual that details our policies & procedures with all financial matters is critical.
The bank statement is where I get stuck. I am the ONLY employee of a non-profit organization. I have wonderful board members, but they are scattered all over the state. How are they supposed to reconcile the bank statement when all of the account information is on my computer?
I would love to have a better division of responsibilities, and would hate to ever be accused of anything improper, but how do I get this done?
Does your bank offer the statements on-line? My board chair and financial committee chair review the statements on-line and send me an email confirming they've looked at the statements. A full-fledged audit (costing up to several thousand dollars) was way out of our league, but found a local CPA who did a general overview and gave us a letter of review. (I think that's what he called it).
The idea of having someone else review the bank statement before it gets to the bookkeeper's hand is to prevent the bookkeeper from modifying or hiding things on the bank statement that he/she does not want anyone to see. With color copiers and printers, a fake statement looks real. The board members of the nonprofit most likely will not actually reconcile the bank account, but having them review the checks and money transfers that have cleared the bank provides a way of validating the transactions. In addition, this also helps detect unauthorized short-term borrowings by the bookkeeper. If you can arrange for the designated board member to have online access to your bank account, it would make things simple.
Carl Ho
We are a four-person office, with a Controller. Our bank statement is sent to a CPA firm directly from the bank. The controller sends the CPA firm the list of checks issued during the month and the CPA firm reconciles the bank statement, taking the task out of the office and our hands. This firm doing this has a small "back office" service doing "bank recs" and other tasks for small companies and non-profits, billing by the hour for a bookkeeper, not a CPA. (This is not the same firm that does our audit, adding another layer of separation.) This solution might work for you, too--if you can fit it in your budget.
Formerly a Banker
This is an excellent idea, especially if the bank will provide scans of the checks and all the items in the deposit. Thanks for bringing it up! You might also want to see an earlier Blue Avocado article: Seven Ways to Reduce Your Audit Costs.
Jan
This was very helpful. I run a small nonprofit (all volunteer) that went from a 7000 budget to over 100,000 in 2 years. Suddenly the controls we had seemed much more important, but I have been struggling with how to reorganize our efforts except that I am recruiting a new treasurer, bookkeeper and creating a finance committee.
I appreciated the perspective here, especially after reading the earlier article on embezzlement! Great newsletter.
I'm glad that the online bank statements were mentioned. As a bookkeeper (I do not handle any money), I find myself concerned about the paper bank statements lingering too long or getting lost at my ED's desk. I've used the online statements to reconcile at times so that I could move forward, and then double-checked when the paper copy finally hit my inbox. Our ED isn't comfortable with online statements, so I fall back on them instead of the reverse.
I just left a comment in regards to the ED who was embezzling. The ED I was speaking of was not being scrutinized for the credit card transactions, time sheets etc. I had traveled with the ED on numerous occasions and she would use the organization's money to buy her alcohol and then make a big fool of herself from being SOO drunk. She also ran her campaign out of this organization's office and used their mailing, stamps etc. She used the organization for her advancements in her current career as an ED and as State Representative.
Please excuse any misspelling I am tired and trying to get to bed and just had to comment. I really think this is great information and somehow this stuff goes unknown and gets away these types of things. The ones who suffer are the Board and members and funders.
I would add two other actions that I believe are at the heart of honoring the fiduciary duty of the organization and its staff:
1) Make a daily bank deposit. All cash/checks received by whatever means (contributions through the mail, ticket sales, etc.) should be deposited daily REGARDLESS of the amount. Cash is fungible and checks are easily altered. If cash is not controlled in this way, there is absolutely no way an entity will ever know that anything went missing. Further, human nature is to take a short cut; payments made with cash that has been received but not yet deposited fail to get accounted for properly. This control is for any organization (for example a church receiving offerings, a theater company selling tickets, etc.)
2) Prepare a time sheet. Staff (whether paid or not) should keep a time sheet, updated DAILY, showing the allocation of their time in hours to various tasks (the staff and board can agree on which recurring tasks to list on the time sheet, the staffperson can annotate the timesheet accordingly for nonrecurring tasks). This is critical information that the staff and Board can use to discuss resources and objectives, and provides the sole support for ultimately allocating expenses in accounting and tax reports. Memories are short. Doing a weekly or monthly timesheet and trying to remember how time was spent is folly. An argument that documenting one's time is too time consuming disregards that how one's time is spent is a fundamental step in managing the allocation of staff resources.
I think the most important thing is "segregation of duties". Even if you have only 1 staff member, the Board member who is Treasurer should be at a minimum viewing bank statements online and reconciling the bank account. The tricky issue is who oversees opening of daily mail (for mailed in donations) and processing of those checks for deposit, if you only have 1 employee?
Our issue is similar to Anonymous, Jan 22, as a very small volunteer nonprofit. We have 20 hours of administrative assistant time in the office each week, along with the treasurer. Must they always open the mail together? What option do we have when one is not present/on vacation? Do you have any sample internal control policies to share for organizations where the treasurer has done it all but now need controls for receipts and disbursements?
As the treasurer of a small nonprofit organization staffed primarily by volunteers, I found Richard Lord's book, The Nonprofit Problem Solver: A Management Guide, to be an excellent reference for establishing realistic internal controls. His Fiduciary Function Worksheet helps to identify unacceptable exposures. He follows this with recommendations for segregating duties (Four-Person, Three-Person, Two-Person). Our organization has handled bank statement reconciliations by delivering our bank statements, unopened, to a small company that provides a variety of business services in our local community. This company does each reconciliation for a modest fee.
Thank you for this useful post.
I've linked to it over on http://wildwomanfundraising.com, I was just writing about negligence in nonprofit leadership today, and I think that more than fiscal controls, but also social controls need to be addressed.
For instance, in nonprofits there can be such a thing as "Gangsterism" which is actually outlawed in Europe, where people in a nonprofit, led by a gang leader, decide that one person is the problem, this person is making everyone unhappy. So they fire that person, then they "feel better" until someone else becomes that person. And so it goes until the entire staff is replaced.
We don't just need two signatures on a check. We need a system to make sure that workers are not being abused by managers.