Part 2 of 5
In the current social and economic environment not-for-profit organizations face more
risks than ever before. One of the major responsibilities of the Board, as well as management, is to continuously assess the risks facing the Organization, both externally and internally.
External Risk Assessment The external risk assessment process primarily involves keeping up to date on changes in the political, social, economic and technological environment surrounding the Organization and assessing how those changes will affect the Organization’s mission. Boards are comprised of members who typically possess an area of expertise. As a member it will be up to you to be aware of the changes within your area in addition to the many multiple sectors of the environment the Organization operates in. For example:
- New accounting pronouncements (Accounting Standards Updates {ASU}, issued by the Financial Accounting Standards Board {FASB})
- Other entities providing similar services, which could create competition for funding
- Updates to the Organization’s accounting and other software platforms
- Tax law changes that affect payroll tax withholding
- Social and administrative changes in the political landscape
- Compliance updates from regulatory and cognizant agencies
- Amendments to the Organization grant agreements
- Operate with the applicable guidelines of The Office of Management and Budget's (OMB) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (commonly called "Uniform Guidance")
Through our experience working with not-for-profit organizations, one of the most challenging obstacles facing organizations is a loss or reduction of grant funds, which are often caused by social and political changes in the local environment. For a variety of reasons grant funding can abruptly halt or scale back. Will your Organization be able to continue to fund itself and provide the same level of service?
Board members must actively monitor the social and political environment to assess the level of risk that grant funds may be lost. Before a grant is reduced or eliminated the wheels should be turning on potential replacements. The granting process can be complex, and it is highly recommended that the process is anticipated, not reactionary. We will cover granting in a future article. In the mean time, assess whether your Organization is tapping all common revenue streams:
- Other not-for-profit organizations
- Government (Federal, State, County, Local)
- Offering new or modified services, within the organization’s mission
- Internal Risk Assessment and Internal Controls
During the internal risk assessment process, the Organization as a whole must identify its goals and objectives in the major areas of financial reporting, level of service, and compliance. Internal controls are the key safeguards in meeting these goals.
Internal controls can be defined as processes, implemented by an entity's board of directors, management and other personnel, designed to promote effectiveness and efficiency of operations, increase reliability of financial reporting objectives, maintain compliance with applicable laws and regulations, and detect errors in a timely fashion.
When you are assessing your internal control system keep in mind all effective internal control systems contain these five attributes:
1.) Control Environment – The control environment is the tone of an Organization, affecting the employees’ attitudes and actions. The tone is set from the top down, and helps to create an environment conducive to meeting Organizational objectives. Board member involvement and presence is very important to setting the right tone.
2.) Risk Assessment – Continuously assess both internal and external risks, as discuss in this article.
3.) Control Activities – Policies and procedures that help ensure that management objectives are carried out.
4.) Information and Communication – Relevant information must be identified, captured and communicated on a timely basis to enable employees to carry out their responsibilities and management to obtain necessary decision making information.
5.) Monitoring – The internal control system must be monitored to access if controls are designed and operating effectively and as intended. Designing controls is not enough. They must actually be implemented and adjusted when needed.
There are many controls that an Organization can implement to meets its reporting objectives. Effective internal controls can be surprisingly simple to design; and can start with a few simple questions. Single out each significant process in the Organization and ask questions such as:
- If there is an error how would our employees catch it?
- How does management know a transaction has actually been recorded as intended?
- Could an employee steal assets or make false entries into the accounting system without getting caught?
- How are we ensuring receipts are making it to the bank?
The answers to these simple questions can lead you in the right direction to identifying weaknesses and designing and implementing internal controls to mitigate any weaknesses. The most vital internal controls for small to medium sized Not-for Profit (NFP) organizations are:
Segregation of Duties - No one employee should initiate, approve, and record a transaction and maintain custody of underlying assets. Many NFPs do not have the personnel capabilities to maintain proper segregation of duties; in those instances a mitigating control is to have a detailed supervisory review of the transactions in the process.
Segregation of duties can be circumvented by collusion between employees. The risk of collusion can never be completely eliminated; however, when possible have employees in different departments and at different levels, as well as Board members, involved in the process.
Transaction Approval – There are many levels and ways to approve transactions. A purchase order system is recommended, but for smaller entities it is usually not feasible. The most common method of approval is to have management sign checks over a certain dollar threshold. The threshold should be at least at the Organization capitalization threshold enabling management to review all transactions that require a decision to capitalize costs. For small to medium sized Organizations a capitalization and approval threshold of $500 is common. It is also common to allow accounting personnel to process routine items or items under the threshold without approval, but random spot checks are recommended (employees should be aware that random checks occur).
Approval should not be confused with merely signing a check or invoice. A competent person is to be charged with reviewing checks and invoices to agree that general ledger coding is correct, that services are reasonable, agree to the invoice and were actually received, and that there are no unusual amounts, vendors, addresses or check numbers.
Reconciling – The reconciliation is a catch all. It should be performed on a timely basis, typically monthly when the bank statements arrive. It is recommended that the bank statements be received, opened and reviewed by a person independent of the person reconciling the account. This simple act sends a message that someone is overseeing the cash flows of the Organization. When the reconciliation is complete, review it for obvious errors and unusual reconciling items.
Documentation – Internal controls are fixed. Managers may flow in and out of an Organization, but the internal control system should not change. The Board is responsible for communicating the internal control system to new managers, and every Organization needs documented internal control process, accounting policy and procedure/employee manuals. These documents serve as a fixed point of reference for internal control questions, so as personnel change the system can stay in place.
Security of Assets – Physical and financial assets must be safeguarded. There are a few simple controls that can go a long way. For instance:
- Lock-up blank check stock and don’t leave the key in the lock
- Change passwords at least annually, and every time an employee leaves
- Don’t store passwords in open view
- Title to all fixed assets should be secured and a system to track the assets’ location should be implemented
- Access to assets should only be grant to the minimum number of personal needed to meet proper segregation of duties
Just remember involvement and presence will put you in the best position to help your organization continuously manage external and internal risks.
In our next of three part series, we will discuss business management. In the meantime, if you have any questions please feel free to contact your Zinner audit professional.