Your phone rings. Your nonprofit’s auditors discovered a payment for thousands of dollars that was recently paid out to a vendor that your organization has never worked with. You’re told the accounts payable clerk received a legitimate-looking invoice by email, prepared the payment, and transferred the funds. Before the error was discovered, the money was gone.
The clerk fell victim to a classic case of a billing scheme, a form of financial fraud where individuals send out invoices and W-9s in a mass mailing fraud and wait to see who treats the invoice as valid and pays them.
Could this erroneous payment have been prevented? Yes, through the adoption of internal controls — formal policies, systems, and procedures designed to prevent the misuse and misappropriation of assets.
“[I]nternal controls are written policies that describe what procedures the organization will follow and who’s responsible at each stage.”
In a nutshell, internal controls are written policies that describe what procedures the organization will follow and who’s responsible at each stage. These policies are then translated in workflows, system access and rights, and even additional technologies. The goal is to provide checks and balances that:
There are many controls to reduce financial risk in nonprofits, but an important one that every organization should consider is the segregation of duties (also called separation of duties).
Segregation of duties separates the key accounting functions of custody, authorization, recordkeeping, and reconciliation. For cash disbursement, it requires separate people to initiate and authorize payments.
In our example, the accounts payable clerk would process the invoice and send it to an approver in the accounting department to authorize the payment. In an environment in which there is segregation of duties and separate vendor setup, the accounting department will check the invoice and vendor. If the vendor isn’t in the system, accounting will investigate, usually requiring discussion with programmatic teams, and in this example, discovering that nobody’s heard of the vendor and the invoice is fake.
Internal controls can be viewed as a lack of trust in an organization’s employees, but that isn’t the goal. Malicious actions can come from internal and external sources, and internal controls help identify and prevent both malicious actions and accidents.
So back to our example — the payment to the fake vendor didn’t benefit the accounts payable clerk. The clerk thought the invoice was valid and made a mistake. Segregation of duties would have helped prevent the mistake and provided peace of mind that the mistake was just that — a mistake.
“Things happen — we’re all human — but without segregation of duties, you’re left wondering if an incident was a fraud or a mistake.”
Things happen — we’re all human — but without segregation of duties, you’re left wondering if an incident was a fraud or a mistake. Once money is lost, there can be an immediate desire to find the problem, figure out what happened, and fix it. And, in a community-funded organization, that “fix” can include terminating staff to create a narrative of action and correction.
With segregation of duties in place, mistakes can be caught by normal processes before money goes out the door. When this happens, it’s much easier to have a conversation about what happened because there’s no need to assign blame. Yes, perhaps the clerk should have questioned the invoice, but thanks to a good vendor setup process and segregation of duties, the accounting department caught the scheme before it was too late.
The dramatic fraud becomes instead a learning opportunity and staff can be trained to be more skeptical to ensure the same mistake doesn’t happen again. You haven’t failed in stewardship and you can keep your good, loyal staff member who maybe just didn’t know to question this item.
Internal controls can be perceived as cumbersome and time-consuming. More people and time is required to get something done when there is a robust control environment. However, that robust control environment can also help nonprofits:
For example, controls can help mitigate some of the risks associated with staff turnover. With the loss of staff comes the risk of losing institutional knowledge, followed sometimes by the risk of “can you keep operating?” Many CEOs don’t know they can ease the pain of staff turnover in key positions with well-documented policies and procedures.
Many nonprofits have seen revenue declines during the COVID-19 crisis. This concern has executives focused on their revenue streams, but they’re not always looking at the other side — whether they have control over spending. Good internal controls ensure an accurate tally of spending and will draw attention to overspending before it’s too late.
With fraud and cybercrime at all-time highs during the global pandemic, internal controls — starting with segregation of duties — are a critical tool for ensuring good stewardship over your nonprofit’s resources. If the pandemic is forcing you to make changes in your organization, this may be a good time to consider internal controls — a few simple processes that can mitigate risk and help your nonprofit become more efficient.