Blog / Nonprofits

Mitigating Risk: Simple, Internal Controls Can Prevent Misuse of Funds

by Christina Hardy and Rachel Sweeney
Mitigating Risk: Simple, Internal Controls Can Prevent Misuse of Funds
Want the latest articles, trends, and research delivered right to your inbox? Sign up for the Johnson Center’s email newsletter!

Your phone rings. Your nonprofit’s auditors discovered a payment for thousands of dollars that was recently paid out to a vendor that your organization has never worked with. You’re told the accounts payable clerk received a legitimate-looking invoice by email, prepared the payment, and transferred the funds. Before the error was discovered, the money was gone.

The clerk fell victim to a classic case of a billing scheme, a form of financial fraud where individuals send out invoices and W-9s in a mass mailing fraud and wait to see who treats the invoice as valid and pays them.

Could this erroneous payment have been prevented? Yes, through the adoption of internal controls — formal policies, systems, and procedures designed to prevent the misuse and misappropriation of assets.

“[I]nternal controls are written policies that describe what procedures the organization will follow and who’s responsible at each stage.”

In a nutshell, internal controls are written policies that describe what procedures the organization will follow and who’s responsible at each stage. These policies are then translated in workflows, system access and rights, and even additional technologies. The goal is to provide checks and balances that:

  • Minimize opportunities for errors and omissions.
  • Identify small issues before they become bigger problems.
  • Reduce the risk of intentional fraud.

There are many controls to reduce financial risk in nonprofits, but an important one that every organization should consider is the segregation of duties (also called separation of duties).

Segregation of Duties: Build checks and balances into your systems.

Segregation of duties separates the key accounting functions of custody, authorization, recordkeeping, and reconciliation. For cash disbursement, it requires separate people to initiate and authorize payments.

In our example, the accounts payable clerk would process the invoice and send it to an approver in the accounting department to authorize the payment. In an environment in which there is segregation of duties and separate vendor setup, the accounting department will check the invoice and vendor. If the vendor isn’t in the system, accounting will investigate, usually requiring discussion with programmatic teams, and in this example, discovering that nobody’s heard of the vendor and the invoice is fake.

Internal controls can be viewed as a lack of trust in an organization’s employees, but that isn’t the goal. Malicious actions can come from internal and external sources, and internal controls help identify and prevent both malicious actions and accidents.

Internal controls help you know when a mistake is just that — a mistake.

So back to our example — the payment to the fake vendor didn’t benefit the accounts payable clerk. The clerk thought the invoice was valid and made a mistake. Segregation of duties would have helped prevent the mistake and provided peace of mind that the mistake was just that — a mistake.

“Things happen — we’re all human — but without segregation of duties, you’re left wondering if an incident was a fraud or a mistake.”

Things happen — we’re all human — but without segregation of duties, you’re left wondering if an incident was a fraud or a mistake. Once money is lost, there can be an immediate desire to find the problem, figure out what happened, and fix it. And, in a community-funded organization, that “fix” can include terminating staff to create a narrative of action and correction.

With segregation of duties in place, mistakes can be caught by normal processes before money goes out the door. When this happens, it’s much easier to have a conversation about what happened because there’s no need to assign blame. Yes, perhaps the clerk should have questioned the invoice, but thanks to a good vendor setup process and segregation of duties, the accounting department caught the scheme before it was too late.

The dramatic fraud becomes instead a learning opportunity and staff can be trained to be more skeptical to ensure the same mistake doesn’t happen again. You haven’t failed in stewardship and you can keep your good, loyal staff member who maybe just didn’t know to question this item.

Internal controls can be perceived as cumbersome and time-consuming. More people and time is required to get something done when there is a robust control environment. However, that robust control environment can also help nonprofits:

  • Mitigate risks associated with staff turnover.
  • Control and manage spending, especially in years when revenues are uncertain.
  • Ensure appropriate system access which helps improve the cybersecurity environment of an organization and can help reduce the impact of unauthorized system access in the remote environment.

For example, controls can help mitigate some of the risks associated with staff turnover. With the loss of staff comes the risk of losing institutional knowledge, followed sometimes by the risk of “can you keep operating?” Many CEOs don’t know they can ease the pain of staff turnover in key positions with well-documented policies and procedures.

Many nonprofits have seen revenue declines during the COVID-19 crisis. This concern has executives focused on their revenue streams, but they’re not always looking at the other side — whether they have control over spending. Good internal controls ensure an accurate tally of spending and will draw attention to overspending before it’s too late.

With fraud and cybercrime at all-time highs during the global pandemic, internal controls — starting with segregation of duties — are a critical tool for ensuring good stewardship over your nonprofit’s resources. If the pandemic is forcing you to make changes in your organization, this may be a good time to consider internal controls — a few simple processes that can mitigate risk and help your nonprofit become more efficient.

Christina Hardy, CPA
Partner, Plante Moran
Christina advises nonprofits on the financial aspects of their organization so they can move the needle on their missions. She specializes in human services organizations, foundations, economic development organizations, and grant-funded organizations.
Rachel Sweeney, CPA
Manager, Plante Moran
Rachel specializes in risk and efficiency assessments in accounting processes and assisting clients in the implementation of the assessment recommendations. Her experience spans a variety of industries, company sizes, and and entity structures.