Smaller nonprofit organizations often do not have the volume of transactions to require multiple levels of controls. Too many controls can unnecessarily slow the accounting process. A few very good controls that prevent or detect errors, misstatements, omissions or valuation issues in multiple areas define a well-designed accounting system.
When we hear the word “controls”, most often we think of activity level controls, for example, controls over recording cash transactions. Another important area in which to establish controls is the entity level. These are controls relating to management’s ethics and commitment to a strong control environment. The third area of controls is information technology.
Entity Level Controls: Controls that define the nonprofit organization’s culture and attitude toward internal control. They include controls over governance; risk assessment; information and communication; and monitoring.
Even small nonprofit organizations have to have written policies and procedures. The policies and procedures that are part of the entity level controls over governance include:
- Written mission statement
- Code of Conduct or Ethics policy
- Conflict of Interest
- Written Job Descriptions that include identifying the skills required to perform the job
- Board of Directors policies and procedures
Other key controls that address risk assessment; information and communication; and monitoring:
- The entity assesses risk at least annually, including identifying risks related to laws or regulations that may affect financial reporting
- Employees are provided adequate information to complete their job responsibilities
- Management reviews and initials performance of activity level controls
- Period end is established with agreed-upon deadlines for reporting, which include review by management
- Budget to actual reports are reviewed at least quarterly by the Governance committee
Activity Level Controls:
- Separation of duties – no one person is solely responsible for more than one related function. This addresses all activity levels.
- Bank Reconciliations – confirming the amounts recorded in the general ledger to the bank statement. Bank reconciliations should be performed monthly, unusual reconciling items should be researched and resolved, old outstanding checks should be investigated, and the reconciliation should include a review by management.
- Checks matched with invoices – the invoices should be attached to the check and reviewed by the check signer to ensure the amount on the invoice matches the check, the invoice is marked paid, and the vendor is on the approved vendor list.
- Approve timesheets – timesheets should be used and approved by the direct supervisor to support hours paid.
- Review fixed asset schedule at least annually – in small nonprofit organizations the external auditor or third-party CPA maintains the fixed asset listing. This listing should be reviewed by management to ensure the assets listed are still in service and any new assets purchased are included. Also, the list should be reviewed to determine whether the capitalization policy is being followed.
- Physical controls: Lock doors, file cabinets, blank check stock, petty cash and offices.
Information Technology and Computer Controls:
- Use passwords to access computer systems. Change passwords at least every six months. Limit access to specified users for various areas in QuickBooks. Set a closing date and lock with a password to prevent changes to prior fiscal year data.
- Back up and store computer files. Backups should be performed at least weekly, labeled and stored off site. Consider cloud backup, which can be set to automatically back up at specified times.
No nonprofit organization is too small to implement internal controls or segregation of duties.
Contact us to discuss your organization’s audit or attestation service needs.