Internal Controls for Small Nonprofits

May 28, 2026

How to Segregate Duties with a Small Team

Whether they are just starting out or in a growth phase, one of the most common issues I encounter working with smaller nonprofits is how to segregate duties. A small team means everyone wears multiple hats, and when there are only two or three people running an organization, often one person is wearing almost all, if not all, of the hats!

However, even the smallest nonprofit can successfully implement effective internal controls by creating “breaks” in the right places. These “breaks”, or “checks and balances”, come from segregating certain duties, so that no one person controls an entire transaction from beginning to end.

What is the Key to Effective Internal Control?

There are four major financial duties that need to be separated, at least from one step to the next:

1. Authorization – approving transactions before they happen. Approving bills to be processed or paid is a common example.

2. Custody – handling assets such as cash, checks, credit cards, and even bank access. This includes the person collecting cash from sales or opening the mail to collect checks sent to the organization.

3. Recordkeeping – entering the transactions into the accounting system. Typically a clerk, but may also include an outsourced accounting or bookkeeping firm.

4. Reconciliation/Review – comparing records to bank statements, donor records, payroll receipts, or supporting documents. This is often the “oversight” step, or the last opportunity to catch errors or fraud. This step is often split between two people, performed on a staggered basis, or outsourced.

Any one person can do more than one of these duties, but cannot do ALL of the duties. Any one person with control over all four duty types has the opportunity to commit fraud, and has no oversight to help catch errors.

Ranked Minimum Segregation of Duty Controls

Let’s walk through the 8 most important segregation of duty controls. Each nonprofit should have some control established at these points, at a minimum.

Transaction-Level Controls

Separate Bank Reconciliation from Recordkeeping and Banking Access

When it comes to banking and cash, it is most important to separate custody, recordkeeping, and reconciliation. The person who writes checks, initiates electronic payments, or enters accounting records should not be the only person reviewing bank statements. A board treasurer, finance committee member, or board chair should receive bank statements directly or access read-only bank statements online. Someone independent of bookkeeping should review monthly bank reconciliations. The reviewer should look for unusual payees, transfers, debit card activity, electronic withdrawals, missing check numbers, and checks payable to insiders. The reviewer should sign or initial the reconciliation electronically or physically to document review.

Many nonprofits outsource the recordkeeping and reconciliation tasks to our team. This works because the outsourced team does not have custody, and does not have authorization to initiate transactions without approval from the nonprofit. Even though the outsourced team performs both the recordkeeping and reconciliations, transactions are initiated and reviewed by someone within the nonprofit. This allows a very small team (of one or two people!) to still have effective internal controls and effective oversight.

Separate Payment Approval from Payment Preparation and Execution

In the case of payments to vendors, contractors, and reimbursements, it is most important to separate authorization from custody, and custody from recordkeeping. For a very small nonprofit:

  • Require approval before payment is made.

  • Establish a dollar threshold for dual approval for payments over a certain amount.

  • Require the Executive Director (ED) or program coordinator to approve program expenses, while payments to the Executive Director or program coordinator are approved by a Board Officer. Payments to the ED or program coordinator are most often simply salary (approved 1x per year), and reimbursements (approved ad hoc).

  • Establish a chain of command so that no one is approving their own reimbursement; often a Board Officer approves reimbursement to the ED, and the ED approves reimbursements for everyone else.

  • Invoices, receipts, and approval documentation should be retained and if possible attached within the accounting system.

Example: In the case of a very small organization where there are only 2 people, Person A must collect the payables and provide them to Person B for approval. Either person may approve, but the person who did not process the payments must be the one to enter the payments into the accounting system.

When the AP function is outsourced, the accounting/bookkeeping firm handles the entry and recordkeeping, while someone within the nonprofit team handles the collection and the approval. The outsourced accounting team owes the Board the duty of care to report if fictitious or fraudulent bills are being approved for payment.  

Separate Cash and Check Handling from Deposit Recording and Donor Recordkeeping

Incoming cash and checks are highly vulnerable because they can be diverted before they are captured in the accounting records. In the case of payments received by the organization, it is most important to separate custody from recordkeeping and reconciliation. In this case, custody includes opening the mail, collecting cash, handling checks addressed to the organization, and preparing deposits to go to the bank. Reconciliation includes comparing deposit records to bank deposits and donor acknowledgements. Perhaps the most challenging part of handling this is managing custody.

Two people should open mail together, and collect cash received together. This prevents theft of cash or rerouting other assets by requiring collusion. The people opening the mail and collecting cash should create a deposit log of checks and cash received, and provide that information to the person (a third person) who records the deposit. The person who makes the deposit should not be the same person who records the deposit, but can be one of the two who collected the cash, checks, etc. for deposit. Additionally, donor acknowledgements should be compared periodically to deposits to ensure contributions were correctly captured.

Where an outsourced accounting team is employed, the outsourced team may record the deposits, and reconcile the deposits to the bank statement. This verifies that the deposits collected actually made it to the bank.

Separate Payroll Approval from Payroll Processing, and Payroll Changes

Because it would obviously be very easy for someone to increase their own pay, very few people should be given access to the payroll system. In addition to maintaining confidentiality, this shrinks the payroll process down to as few people as possible, further complicating the ability to maintain proper segregation of duties. In the case of payroll, it is most important to segregate authorization from custody/execution (meaning the person approving changes to payroll must NOT be the person who processes the payroll), and custody/execution from recordkeeping and reconciliation (meaning that the person who processes payroll should not be the one entering payroll into the accounting system).

For a very small nonprofit, proper segregation within the payroll process might look like:

  • The Board approves Executive Director compensation

  • Executive Director or other supervisor approves employee timesheets and salary

  • Changes to pay rates, bank accounts, or employee status require approval from someone other than the independent person who processes payroll

  • Someone independent of approving compensation processes payroll; ideally, the entry will be automatically synced from the payroll processor to the accounting system

  • The Executive Director or other supervisor reviews payroll reports and reconciles them to the entries in the accounting system

When an outsourced accounting/bookkeeping firm is employed, the outsourced team can handle the approved changes to payroll, processing the payroll, and recording the payroll. However, the Executive Director or similar position should review the payrolls either before processing or on a monthly basis.

Payroll is frequently one of the largest – and most consistent – expenditures within a nonprofit. Without segregation of duties, one person could create a ghost employee, change a pay rate, approve unauthorized or inappropriate hours, or alter direct deposit information, all for their own benefit. Additionally, payroll is one of the more frequent places where we see errors due to the complexity of salary for multiple roles, tax complications between individuals, insurance withholdings and ER-covered expenses, and retirement withholdings and matching. Even without fraud, errors in payroll can quickly become costly problems, so it is very important to have someone knowledgeable reviewing payroll.

Separate Credit/Debit Card Custody from Statement Review and Expense Coding

When a nonprofit issues credit or debit cards, we highly recommend having a strict use and procedures policy in place (check out this blog!) to provide an enforceable framework. After that, having the proper segregation of duties in place helps prevent misuse. In the case of credit and debit cards, it is important to segregate custody from authorization of spending limits, and custody from recordkeeping and reconciliation. With cards particularly, card use should be reviewed by someone other than the cardholders to help detect personal expenses, missing documentation, recurring subscriptions, and charges outside of the organization’s mission.

First, an approval policy should be in place where either card charges must be approved prior to purchase or must be approved immediately after purchase. The approver typically also identifies the coding when reviewing for the purchase’s purpose. The nonprofit should require documentation (a receipt and record of approval) for every purchase, and someone other than the cardholder(s) should review the monthly statements, record the transactions, and reconcile the transactions to the statements. Additionally, a member of the Board such as the Treasurer or Finance Committee should review card activity. The Board should pay particular attention to the Executive Director’s card activity because they are most likely to have the least oversight, day to day.

Separate New Vendor Approval/Setup from Invoice Approval and Payment

New vendors should go through a vetting and approval process, to ensure appropriate vendor choice (particularly important in the case of government contracts and restricted funds activities) and ideally to collect a W-9. Each new vendor should be approved for addition to the payment system before the vendor’s bill is added and approved, and certainly before they are paid. Typically, the Executive Director, or whoever is approving bills for payment, will approve new vendors; the Board should review for related parties or unusual/inappropriate vendors where the Executive Director does not have appropriate oversight.

Vendor fraud often occurs when someone can create or modify a vendor, then approve or issue payments to that vendor. The simple additional step of reviewing new vendors before adding them into the payment system helps reduce the risk of fictitious vendor schemes. In cases where an outsourced accounting team is employed, the outsourced team should also be vigilant about new vendors, and not blindly add new vendors and abnormal invoices, even though the bills must still be approved before payment.

Oversight Controls

Separate Accounting System Access from Administrative Oversight

This means that those with final approval – usually the Executive Director or the Board Treasurer/Finance Committee – do not have access to change accounting transactions, though they may quite appropriately be given read-only access. Additionally, accounting users should be given appropriate authorization and restrictions for their role. In a small nonprofit, this means:

  • Each user has a unique login

  • Administrator rights (to add users and change permissions) are very limited

  • Passwords are NOT shared

  • Read-only access is used where appropriate

  • Journal Entries can only be posted by individuals without payment rights, and are reviewed regularly by another individual

This prevents unauthorized changes to the books, and limits information appropriately for each user. This also prevents those with oversight authority from making manipulative entries or accidentally changing legitimate transactions while reviewing.

Separate Financial Preparation and Reporting from Board Review

Most organizations have this segregation already built in, where an organization team member is preparing the financial statements, and the Board is reviewing. However, some organizations are very small, such that the Treasurer is also the bookkeeper, etc. Even if a member of the Board is preparing the financial statements, the entire Board should be reviewing the financials including budget-to-actual comparisons, cash balances, restricted funds, and variances for unusual or unexpected activity.

When an outsourced accounting/bookkeeping firm is employed, preparing the financial statements is easily done by the outsourced team, where the Treasurer can then review prior to submitting the financials to the full Board.

Minimum Control Matrix

The minimum duty segregation discussed above is summarized in this table:

Conclusion

Internal controls help keep your nonprofit organization safe and accountable. Even if you are only 2 people, your nonprofit can implement effective internal controls, with the right planning and precautions. Small organizations can make internal controls more robust by outsourcing certain functions to accounting and bookkeeping firms, but even without that added expense, the controls discussed above will help any nonprofit write and implement the proper policies to protect their assets and financial well-being.