Internal Controls for Non-Profit Organizations

By Michael S. Wilson, Ph.D., CPA

Key Terms: Non-profit Organizations (NPOs)

Internal Controls

Public Disclosure

Governance

Fundraising and Financial Management

Non-profit organizations operate in an environment that is increasingly subjected to public pressure related to their financial statements. The increased level of scrutiny by board members, donors, state charity officials and state legislators is a concern for many management stakeholders including management, the board of directors and auditors. 

Although members of management, or contractors under management direction, typically prepare the financial statements, it is the board’s responsibility to review and evaluate the statements. Boards often delegate the financial oversight responsibility to a treasurer. This can create lopsided board responsibilities with the heavy lifting being the responsibility of the treasurer. Non-profit organizations (NPOs) should consider forming a committee that can focus on their organization’s financial reporting practices, work with external evaluators including auditors, and develop policies to enhance the organization’s internal accounting system. 

Too often the responsibility for an accounting system is overlooked until a required review, such as an audit. As we know, CPAs have a responsibility to understand a client’s system of internal controls either by flowcharts, narratives or a questionnaire. The focus on internal controls center around cash receipts, cash disbursements, payroll and financial reporting at a minimum. Often CPAs will discount the internal control environment by raising the control risk to high and compensate by performing more detection work. This approach can lead to missed opportunities to provide advice on improving internal controls for NPOs. 

Internal controls are financial management practices that are systematically used to prevent misuse and misappropriation of assets, such as those that occur through theft or embezzlement. Internal controls are generally described in written policies that set forth the procedures that the NPO will follow, as well as who is responsible. The goal of internal controls is to create business practices that serve as “checks and balances” on staff (and sometimes board members) and/or outside vendors, in order to reduce the risk of intentional or unintentional misappropriation of funds/assets.

The purpose of this article is limited in scope to small NPOs that often struggle with internal controls. This is not an attempt to provide a comprehensive overview of internal controls but rather to highlight some good basic practices organized around financial management policies for small organizations especially those that rely on paper systems.

Financial Management Policies

A strong internal control environment includes certain policies and practices. The tone at the top is a key consideration to promote best practices. The following principles of public disclosure, governance, fundraising and financial management represent a framework to organize policies and procedures and evaluate the tone of the organization.

Public Disclosure

A NPO will comply with federal and state laws and regulations. Examples of this include:

• Maintaining a board-approved Document Retention Policy that outlines clear timelines for retaining governing, legal, audit and financial documents, as well as destruction requirements once documents have exceeded their retention period;
• Registering to solicit with the Attorney General in any state where required;
• Providing donors with written acknowledgment letters as required by law;
• Providing public documents (such as the IRS Form 990, IRS Form 1023/24, and IRS Determination Letter) upon request; and
• Adhering to the regulations on political campaign activities.

Policies that include statements like all journals, notes, budgets and financial records are property of the NPO and will be kept at a site approved by the NPO board. These records are considered open to the public and will be made accessible on-site, within a reasonable time frame, to members, funders and other stakeholders.

Governance

The Board of Directors will recognize and discharge their duties in a manner believed to be in the best interest of the organization. Responsibilities can be classified as proper duty of care, the duty of loyalty and the duty of obedience. Board responsibilities should include, but are not limited to, the following: 

• Approve an organization-wide program budget for the following year;
• Develop, review, revise and approve financial policies;
• Appoint a treasurer;
• Review and approve periodic financial reports;
• Review and approve year-end financial reports within two months of fiscal year end; and
• Review and approve annual audit or review, and reports to federal and state agencies prior to submission or acceptance.

One of the most important board policies that should be adopted is a conflict-of-interest policy. A board-approved policy that defines a conflicted relationship or transaction by consistently addressing director, officer and key employee conflicts of interest in all facets of the organization by maintaining a board-approved policy that requires full disclosure when conflicts arise, prohibits an interested party from approving or voting on a conflicted transaction. The policy also requires annual written disclosure of real or perceived conflicts and is consistently enforced. Additionally, the NPO will not provide loans to or relieve debts of any of its directors.

Fundraising

By request or on its website, a nonprofit will provide a donor privacy policy that describes:

• What donor information is collected; 
• How donor information is collected; 
• How that donor information is used by the organization; and 
• How to contact the organization to edit their information.

Financial Management

Strong NPOs strive to efficiently and effectively use funds to achieve their mission while investing in infrastructure. The Board of Directors will approve an operating budget (or draft budget) before the end of the first month of the fiscal year, as well as review quarterly financial reports that compare actual to budgeted revenue and expenses.

The NPO will manage revenue and expenses to demonstrate financial sustainability. The NPO will also maintain a board-approved policy, applicable to both board and staff, that describes acceptable expenses while setting reasonable limits and procedures for reimbursement, including if board members are not reimbursed.

These principles can be further developed by following the controls over transaction processing outlined below.

Financial Processing Procedures

The treasurer is often tasked with too many oversight responsibilities. Care should be taken to segregate duties among officers to prevent misuse of funds and to ensure adequate oversight. The Board may delegate some of these duties to staff.

The following four areas of cash receipts, cash disbursements, payroll and financial reporting are the most important internal control areas for an auditor. Additional internal controls are listed for additional accounts and processes.

Receipts and Deposits

The goal is to avoid having one person responsible for all phases of a transaction. Ideally, the same person should not receive checks, make the deposits, and receive and reconcile the bank statements. Deposit activities will be divided as scheduled in “Segregation of Duties: Three Person Model.”

Duties should include:

• Restrictively endorse all incoming checks immediately, and store in a secure place (such as a locking file cabinet);
• Record all incoming checks and cash (such as donations or grant payments) in the Receipts Journal as soon as they are received; enter in the Receipts Journal the date received, the source, the amount received, and initials of person who received and recorded it;
• Ensure that incoming cash is not spent (as petty cash); instead, deposit it intact;
• Deposit all checks and cash regularly to avoid losses (weekly or monthly, depending on volume; two – three per week should be done weekly); all checks above a $_threshold should be deposited on the same day of receipt;
• Maintain records of all checks and deposits, and attach to the deposit receipt;
• Place the deposit record in the Cash Receipts folder.

Disbursements

The goal for disbursements is to demonstrate a bill is approved for payment before a payment is made. The goal is for the Board of Directors to approve major purchases. This process can be completed with a check request form to establish authorization and approval. It is also recognized that control can be established by the board by approving a budget and delegating responsibility to management. 

The ability to produce an income statement with budget and actual comparisons that is reviewed by the Board of Directors is an important control.

Vendors should always be paid by invoices, not statements, to avoid double billing. If there is no invoice, use a voucher form to document expenses.

All invoices should be matched to statements to make sure you are getting everything. Stamp or note invoices and bills as “Paid” and the date, check number and amount paid. (Alternately, you may attach a copy of the check - if duplicate check forms are used, attach the duplicate.) After payment, bills and invoices should be placed in alphabetical vendor files.

Payroll

Payroll is a critical part of accounting and reporting, especially since payroll is often the single largest expense for an organization. Proper documentation and withholding practices are essential to overall financial well-being. Personnel records should be maintained and used to document job descriptions, wage history, employment letters, benefits, and paid-time-off.

Time sheets are the gold standard for financial reporting with federal government awards and should be prepared whether the employee is exempt or non-exempt. Time sheets are important support documentation for financial and reporting purposes. They should document on a weekly basis hours worked by each employee and a breakdown of time by funding source.

In addition, time sheets should be completed and signed by each employee prior to approval. All time sheets must also be signed by an approved supervisor prior to payment.

Financial Reporting

All stakeholders have a responsibility to uphold the integrity of financial reporting and reduce the risks of material misstatements in the financial statements. A material misstatement is information in the financial statements that is sufficiently incorrect that it may impact the economic decisions of someone relying on those statements. For board members, there are a few key considerations related to financial reporting.

NPO board members should recognize the first step for internal controls over financial reporting starts with employing competent CPAs who have the skills to prepare financial statements in accordance with accounting standards generally accepted in the United States. Without competency in the accounting function, the organization by definition has high-risk financial statements.

Board members should also recognize that it is management’s responsibility to design and implement programs and controls to prevent, deter and detect fraud, and board members should provide oversight to this responsibility. A board that can recognize where fraud opportunities exist is engaged.

Oversight responsibilities should include a review of the journal entries with close attention paid to transactions that are complex or unusual in nature and that have significant estimates and/or period-end adjustment characteristics.

Cyber security prevention has important elements in basic information technology controls, such as:

• The use of passwords;
• The requirement that passwords are regularly updated;
• Warnings/training on phishing emails;
• Limiting access to accounting ?systems, and
• The use of anti-virus programs.

Additional areas of internal control are reflected in policies and procedures, and if board members understand the status of the following:

• Bylaws               
• Personnel policies   
• Financial policies  
• Conflict of interest          
• Document retention          
• Grievance and whistleblower policies        
• Procurement and competitive bidding
• EEO policy         

Following is a set of documents and/or guidelines that can be used to promote solid internal controls.

Document 1 – Three Person Model

Document 2 – Receiving Cash and Checks: Segregation of Duties

Document 3 – Preparing the Deposit

Document 4 – Receipts Journal

Document 5 – Making Payments: Segregation of Duties

Document 6 – Check/Purchase Request

About the Author: Michael S. Wilson, Ph.D., CPA, is an accounting educator and a licensed CPA who provides attestation services to non-profit organizations. He may be reached at michael.ilson@metrostate.edu.

The author wishes to acknowledge the following resources:

Fiducary duties of directors of charitable organizations. Issued by the Office of the Minnesota ?Attorney General.

The Accountability Standards Charities Review Council.

Jackson, P.M., Fogarty, T.E. (2005). Sarbanes-Oxley for nonprofits: A guide to building competitive advantage. Hoboken, NJ. John Wiley and Sons.