Basic Internal Control for Nonprofits

The idea of separation of duties is not that obvious for many organizations, specially the ones with tight budgets, having one person handle too many functions because it seems simple and straightforward.  It’s usually a mistake.

The overall goal of separating duties is to have a system osf checks and balances to prevent losses and mistakes.

See the following articles about this topic:

https://sanfranciscohotelso.weebly.com/department/organizing-an-accounting-departiment

http://www.exemptmagazine.com/management_tips/separation-duties-effective-internal-financial-controls/

http://smallbusiness.chron.com/strengthen-office-billing-accounting-procedures-3933.html

 

 

How Nonprofit Tax Form Helps Management

The nonprofit tax form 990 contains interesting questions and requirements that should be reviewed by the board, not just by the financial people. I highly recommend to download and print the full form, even if the nonprofit doesn’t need to file it.  You can check out the core pages at https://www.irs.gov/pub/irs-pdf/f990.pdf

Take a look at the 990 page 6- “Part VI Governance, Management and Disclosure “section” and what is asked in this page– it may be an eye-opener for many.

Untitled

As you can see, this form raises good questions that may be used to improve operations.  According to the instructions on the top, saying “yes’ to lines 2 through 7b requires explanations and management should review these items carefully.

Line 2 is about identifying people who may personally benefit from the organization, a possible private inurement situation, usually a no-no for tax-exempt organizations or a hefty excise tax. The take away here — be careful with business relations involving board members.

Line 5 is about the loss of assets, an intriguing item on the tax return. A “significant diversion of assets” according to the IRS is embezzlement, fraud, theft or other inappropriate use of funds that is the lesser of 5% of current annual gross receipts, 5% of total assets at year-end, or $250,000.  According to a Washington Post report in 2013, more than 1,000 organizations marked “yes” here and most were for embezzlement.  Besides giving details of the problem, it’s a good idea to also disclose any new internal controls used after the problem was disclosed to prevent it from happening again. Note that this is NOT confidential information.

Line 11 specifically asks about top management getting copies of the tax return and how reviews are conducted.  The board must be engaged in this process, even if they are not financial people.  They cannot say that they don’t know or understand the tax returns.

Line 12 asks about conflicts of interest while line 13 is about whistleblowing, and line 14 covers document retention and destruction policy.  These lines underscore the need for written policies, and under the conflict of interest item, the need to monitor those regularly.  The idea is to say “yes” to all of these.  And the take away for management is to make sure these policies are followed up by procedures to make sure they’re not just “lip service.”

Line 18 reminds organizations to make certain forms available for review, as required by law.   Such reminders are all over the tax form, including reminding nonprofits about reporting contractors and gambling winnings.  Management could highlight those items and follow up on them with the finance department.

Also, note that the 990 asks for the nonprofit’s mission statement as the first line, and also on Part III- Statement of Program Services Accomplishments.  The idea here is to match the mission statement to the programs.  If an organization mission is to provide food for the homeless, but programs relate to buying books to schools, the nonprofit may be at risk to lose its tax-exempt status, which can be a major problem.

 

You can check the new edition of the book Nonprofit Finance A Practical Guide at https://goo.gl/M563u9

 

 

 

Kindle Version Available

Nonprofit Finance: A Practical Guide is available now as a kindle book on Amazon:

http://amzn.to/2GF2E8W

 

Nonprofit Payroll Risks and Controls

Some organizations run on volunteers only, but many need employees to perform certain tasks. Since having employees is costly, it’s no surprise that payroll is usually the biggest expense in the financial statements. Running payroll can be difficult, and while many organizations contract out outside payroll services, some prefer to process it in-house. Some key risks and controls with payroll are:

Risk: Time sheets could contain wrong information.

In many organizations receiving government funds, everyone files time sheets—even the president—to support charging grants “real” salaries rather than estimated/budgeted ones. Fortunately, many organizations use computerized timekeeping devices and time sheets that once implemented, reduce errors and confusion significantly.

A traditional internal control is for nonprofits to require supervisory approvals on time sheets (manual or electronic) to make sure hours and overtime are authorized. Auditors typically verify if the time charged to a grant was allocated and authorized properly. If the auditor finds errors or no time sheets, or time sheets with no approvals, the scope of the audit is likely to increase, becoming more expensive.

Risk: Employees may be fictitious.

Each employee should file the proper paperwork with human resources and should visit the HR department personally. I know of a case where a program supervisor “hired” a relative part-time who was a “ghost employee.” The nonprofit paid the “employee” for six months, while the supervisor cashed the paychecks.

It was only after a problem with the time sheet of this person (all fake) that the human resources manager got involved, and the fraud was discovered. So, it’s crucial for HR to see and meet with all employees, including part-timers to be sure they’re real and are actually working for the organization.

Risk: Unauthorized payroll changes or increases happen.

To make sure payroll records are correct, department managers should review and sign off payroll registers regarding their department at least once a quarter. Many department managers get the dollar amount of their department’s payroll expenses through regular internal financial reporting, but not the details.

So, having managers verify payroll numbers, overtime, sick days, vacations, etc. is very helpful in keeping it all correct. If they see someone claiming overtime that the manager didn’t approve, he or she can follow up on it.

Controllers or accounting managers should review payroll registers and change reports to make sure the persons running payroll aren’t paying themselves unauthorized overtime or salary increases—a fraud I witnessed that could have been prevented had the controller taken a look at payroll reports regularly.

Risk: Paying terminated employees by mistake.

One issue I often see with payroll relates to nonprofits paying terminated employees because payroll staff didn’t know about the terminations. Once paid, it’s tough to get the money back.  So, it’s important for human resources and managers to notify the payroll department when people quit or are let go. Staff may need to process final checks and update the payroll system.

Nonprofits may implement policies and procedures, including a checklist to follow when employees leave. Many details are involved, such as COBRA requirements that need to be handled correctly or the organization could be liable for fines.

Risk: Payroll information may leak.

Confidentiality is essential with payroll records. Nonprofits must keep all payroll-related documents, including time sheets, in safe, locked filing cabinets where only a few selected authorized personnel are allowed in. Similar security measures must be considered with access to the computerized payroll systems that should be very limited.

Nonprofits should hire people who are discreet and don’t discuss confidential matters with others in the organization. They should avoid using email when mentioning any sensitive payroll information because the system may not be secure enough.

Excerpt from book Nonprofit Finance – A Practical Guide Second Edition — https://goo.gl/M563u9

 

Nonprofit Finance and Management Explained

The second edition of my book, “Nonprofit Finance: A Practical Guide,” is out.  It includes detailed coverage of FASB update regarding reporting, details about liquidity and other details effective in 2018.   For example, the official financial reporting will show only two net assets, but internally, a nonprofit should maintain the three net assets separately and combine the temporarily and permanently restricted for reporting only.

Internal controls are covered in detail for cash, payables and computerized systems, giving ideas about how to minimize certain risks specific to the nonprofit sector.

Like the first edition, nominated for a McAdam Book Award, this second one has many examples and suggestions based on real-life experience, not just theories.  It was written with both the accountant and the non-accountant in mind, so that people of different backgrounds can benefit from the material and put it to good use right away.

You can check the new edition at https://goo.gl/M563u9

Ideas for Cash Controls

Cash is the riskiest asset of an organization. Why? Because it can be easily stolen or lost.

Below are some controls to prevent or identify these losses.

1-Two people should count any money before it’s deposited to be sure the total is correct.

2-Organizations should acquire a safe preferably bolted to the wall or floor with the code known to limited personnel to safeguard cash, checks not yet deposited, and other valuables.

3-Limit physical access to the area where money is received to just a few people.

4- Don’t keep cash, checks, or credit card slips on a desk or in another unsafe place that is easily accessible. Thieves typically look for petty cash in drawers under desk

5-Nonprofits should use their websites to collect money as much as possible.

6- Organizations should implement a policy indicating that no cash over a certain amount would be accepted.

7- When money is received, it must be deposited promptly in the bank after the count by two separate individuals to confirm the total amount.

8- Nonprofits should perform bank reconciliations, also known as cash reconciliations, every month to be sure all cash transactions have been accounted for correctly.

9- People outside accounting may answer phone calls or emails regarding complaints about payments not showing up in invoices or statements. The question would be– where’s the money these people sent in? The problem could be just an error or an unfortunate situation where money is stolen.

Just knowing that an organization has controls in place to prevent cash theft or losses may be a deterrent to some people with bad intent. The key here is for the tasks to be done all the time, not just once in awhile to avoid problems down the road.

Interested in CPE credits regarding nonprofits?  Online Practical CPE Courses

You can also check out my books:

Nonprofit Finance: A Practical Guide -Second Edition— Nominated for a  2016 McAdam Book Award

15 Quick Tips on Becoming a Great Consultant  — Free on Kindle Unlimited

Is Your Nonprofit Data Safe?

Many nonprofits keep confidential information on their computers, including sensitive data and items that cannot be lost. Membership or donor information, accounting data, and other confidential information should be safeguarded against snooping eyes.

A typical control here is to have a disaster preparedness plan, which includes a recovery strategy for the nonprofit’s functions. But that’s not enough.  Organizations should consider the following issues with software, hardware, and the cloud.

Software

Risks when dealing with software include unauthorized entry, loss of data, and confidentiality issues. Some internal control mechanisms to minimize these risks are:

  • Use anti-virus and firewall programs to prevent malware from infiltrating the system.
  • Do daily backups of all systems and keep the backed up file outside the premises.
  • Require IDs and passwords on all systems.
  • Acquire programs to identify and stop unauthorized entry using the Internet and other means.
  • Require information system’s authorization for program purchases to be sure the program is indeed needed and is compatible with existing software.
  • Once employees leave the organization, they should not have access to the nonprofit’s systems
  • Include security to prevent information systems personnel access to passwords or confidential information.
  • Create policies and procedures about computer usage and safety.

Hardware

The risks with hardware involve theft, maintenance, and obsolescence of the machines. Below are some controls to minimize these risks:

  • Place all equipment, including servers and printers, in a safe location.
  • Label all equipment with numbers and create a list of all equipment using the number and description.
  • Maintain this list, doing physical audits to identify equipment disappearances, losses and damages.
  • Centralize maintenance services and schedule them regularly.
  • IT management should approve purchases, retirement or sales of hardware.
  • Dispositions of old computers must be done carefully since they contain confidential information that may be recovered unless the nonprofit takes certain
  • Dispositions of old computers and peripherals must comply with laws to avoid poisoning the environment and possible fines.

Using the Cloud

Many nonprofits have been using accounting and other programs “in the cloud.” This means that organizations’ management and staff access these computerized programs through the Internet, making the software very convenient since employees can access the system anywhere as long as they have proper online connections, login IDs, and passwords.

-Organizations using old, unreliable equipment may benefit from the cloud since the data is not saved locally. If the server or individual computers stop working, the information is not lost and is still available.

However, there are risks associated with the cloud system. For example, the program may not be available online for long periods. So, before selecting a cloud system, check its reliability through Internet searches and word-of-mouth.

Once the organization decides to go online, management must trust the Internet provider to provide adequate security for the data, which may include donor information. Not surprisingly, data security of cloud systems is a major concern for both for-profit and nonprofit users.

Another issue with the cloud is the data transfer. If a nonprofit employs the cloud and then moves to another system, the existing data will need to be downloaded and transferred to another program. The cloud provider should allow for such transfers and help the organization in this matter, but some charge fees, so inquiries about this matter are beneficial to avoid surprises later.

Interested in CPE credits regarding nonprofits?  Online Practical CPE Courses

You can also check out my books:

Nonprofit Finance: A Practical Guide 2nd Edition— Nominated for a  2016 McAdam Book Award

15 Quick Tips on Becoming a Great Consultant  — Free on Kindle Unlimited

 

Another Nonprofit Exec in Jail

Not to be too paranoid here, but I just read an article about the Simi Valley Community Foundation whose former executive director stole over $45,000. According to the news, she forged a second signature on the checks used to pay her own mortgage.  Sadly, this embezzlement cost the organization its reputation as it had to stop operations, at least for now.  A total disaster.

It’s not clear how exactly the theft was discovered, but board members noted something odd, hired a forensic accountant to review the records, and went to the police with evidence of embezzlement. So, I give credit to the board for finding this out, but this theft had been going on for awhile.

So, what can a board do to prevent or identify financial fraud faster?

1- Knowledge –Get people on the board who understand financial matters and can ask the right questions. The board cannot have the obligation to fundraise and provide oversight only. Board members should have different backgrounds with least one person having the education and experience to really understand the information provided and ask good questions. Had this person been on the board of this Simi Valley nonprofit, the fraud may have been identified earlier.

2- Online Access –Have someone from the board check on the bank accounts of the organization online. He or she should review checks and deposits, looking for checks that don’t look right. Just having a policy about this review may deter fraud. Employees may think twice before forging signatures or doing something odd when they know that someone would be looking at the bank transactions regularly.

3- Pay attention –Listen to complaints from staff, donor, and vendors. Oftentimes, information that could be construed as gossip can be useful in pointing you in the right direction. People talk. Even though it’s not clear how the board of the nonprofit became aware of something wrong, my bet is that someone saw something and talked about it. Some nonprofits have started using hotlines for people to report possible fraud anonymously, a very good idea.

4- Variances –Pay attention to the actual vs. budget reports. Looking at this fraud, one may wonder how the $45,000 theft was classified and shown on the financial reports. The amount didn’t show up all at once, but it was likely classified as a budget item. So, if an overage is noted, the board should ask for back up documentations, such as bills.Talk only doesn’t explain financial issues.

5- System reports –Review new vendor/change vendor reports once a month to question any odd new vendor or changes. In this situation, the bank where the mortgage was paid to would have been added at a certain point to the accounting system. Had this report been reviewed, it may have flagged the bank as an odd vendor. Some accounting systems can send an email whenever a new vendor is added or changed, making this task automatic.

6- Bank reconciliations — Check on bank reconciliations, making sure they are done monthly. Keep an eye on deposits that are recognized in the accounting records, but don’t seem to be in the bank.  Also, look at the detailed outstanding checklist. This can be done online using the accounting system and can be emailed to someone at the board. If a check shows up at the bank, but not on the accounting records of the organization, it could be a red flag.

7- Self-reliance –Don’t count on auditors to notice embezzlement. Audits are designed to assure reasonableness of financial statements and they may identify fraud, but not always, especially when done by management. When something seems wrong, not it, and don’t wait for the auditors to figure it out. Insiders are the first people to note things that don’t seem right.

8- Education — Educate all employees on fraud and embezzlement. Nonprofits should have this topic on its policies and procedures documentation and not be embarrassed about it. Fraud happens not just with stealing funds, but in other areas as well, such as equipment theft and overtime pay without authorization. Just showing this awareness and clarity over fraud may prevent it in the first place.

It’s a shame that nonprofit boards must be always on alert for fraud and embezzlement, but that’s the reality of the situation.  Once a scandal happens, it’s hard for the organization to regain the trust and respect of donors, making it hard to move forward.

So, it’s time to talk about this issue openly and set up written policies and procedures with tasks specifically designed to prevent and identify fraud and theft.  The ideas presented here won’t assure boards that they are safe from this issue, but are steps in the right direction.  Each organization is different and I’m sure many will need more control features than the ones presented here.  The crucial point here is that fraud signs cannot be ignored by the board.

Interested on CPE credits regarding nonprofits?  Online Practical CPE Courses

You can also check out my books:

Nonprofit Finance: A Practical Guide — Second Edition 

Nonprofit Finance: A Practical Guide — Nominated for a  2016 McAdam Book Award

15 Quick Tips on Becoming a Great Consultant  — Free on Kindle Unlimited

Setting up an Accounting Dept– Some Pointers

 

Many growing for-profit and nonprofit organizations find themselves with financial reports that make no sense, “forgotten” revenues and slow bill paying processes. They may be at a point where the part-time bookkeeper is over his or her head and flooded in work. So, what can you do? Below are some ideas to get you going.

Identify accounting tasks

You can look at accounting tasks and divide the work within these tasks. For example, a typical accounting department performs the following work:

  • Pay bills – Accounts Payable
  • Recognize revenues – Accounts Receivable
  • Process payroll – Payroll Administrator

Other tasks associated with an accounting department are: Cash management, bank reconciliations, budgets, financial reporting, and taxes. In large businesses, each of these functions is performed by one individual or more. In smaller firms, tasks are shared and the staff is supervised by a manager or a controller, who often is responsible for financial policies and procedures for the organization.

Analyze functions

Many businesses, including nonprofits, organize their accounting department using flowcharts and job descriptions. You don’t want to have the same task be performed twice or three times, but also,  you don’t want to miss an important process. Some nonprofits hire outside consultants to help them in organizing their department for maximum efficiency, while considering risks and controls. Unfortunately, this last option is usually used after a fraud or loss situation, when people are traumatized and willing to pay for professional advice.

Hire people with proper accounting skills

A common mistake is to assume that accounting is easy and can be done by the person who is a receptionist or works in another part of the organization. Without training or education, this person should be able to perform accounting functions of a full-charge bookkeeper. That’s a mistake and is not fair. Hire accounting people who have the proper education and experience. Accounting managers or controllers should have at least a bachelors’ degree in accounting. Someone with a four-year degree in business and a few years of accounting experience may also qualify.

Segregation of duties

As you organize the department, consider segregation of duties. For example, the person who opens the mail or receives money should NOT be the person who books revenues in the accounting system. If the person running accounts payable is also doing bank reconciliations, then a manager or controller should review the reconciliation and look at cashed checks. Why?  To have check-and-balances, internal controls, to prevent and correct mistakes or misappropriations.

Background checks 

Don’t forget to run background checks on all employees and volunteers dealing with accounting and cash functions. Make this a policy within your organization, so that people understand the situation as one of internal controls, not just paranoia.  Actually, many insurance companies require this step before issuing policies against theft and fraud.

Interested on CPE credits regarding nonprofits?  Online Practical CPE Courses

You can also check out my books:

Nonprofit Finance: A Practical Guide – Second Edition— First edition Nominated for a  2016 McAdam Book Award

15 Quick Tips on Becoming a Great Consultant  — Free on Kindle Unlimited

Yikes— Nonprofit fraud again….

It’s too common to hear that a trusted person has taken money from a nonprofit illegally. Even a little bit makes my blood boil. Stealing from any business is bad, but from a nonprofit that provides goods and services to a community is just despicable. The problem is that the organization staff and managers may not aware that something is amiss or odd. People are busy with their own jobs and day-to-day activities to focus on situations that may point to internal fraud. Ghost employees and unauthorized overtime pay come to mind…

Ghost Employee

A ghost employee situation happens when someone is hired and paid, but he or she doesn’t really exist and, not surprisingly, never shows up for work. But nobody notices it. I have this happening with a nonprofit program for youth where a manager hired this new person, Mary, who filled out timesheets and was very, very quiet.  This manager was an old-timer with the organization and could control many aspects of the program, which was located in a different building. When asked, she would give glowing reviews of Mary, a great find.

This situation went on for a few months. Mary was too busy to show up at the HR office to sign papers and the manager would take all to her, as to not inconvenience the HR dept. that was busy with other activities. Paychecks and other stuff were always picked up by the manager as well. Things were going well for Mary, until someone in HR had to talk to her about benefits. And she was nowhere to be found. Actually, Mary never existed.

The manager used a relative’s name and social security to “hire” Mary.  In fact, the manager was cashing all payroll checks after Mary would endorse them to a “business checking account” the manager had.

This ruse may not have worked with a smaller nonprofit, where everybody knows everybody, but it can happen with large ones that operate in various locations and have many employees in various programs. What can be done to avoid this situation?

1- HR should meet every employee and match the face with a drivers’ license or other identification. If one cannot meet personally, then at least a video talk can be utilized.

2- Run background checks on all employees. In the case of Mary, for example, the last job the real one had was in the seventies, so a background check would have helped to identify strange jobs or situations that may raise suspicion.

3- If a nonprofit is large enough to have an internal audit department, auditors should always check on new hires to make sure they are working where they are supposed to be.  They also could personally meet all employees.

4- Payroll should distribute checks or check stubs to employees personally at least once every quarter or year. The point is to meet new employees.

5- Watch out for employees who claim very little or nothing to be withheld in taxes. They could be just fake employees used for someone else to cash in.

Unauthorized Overtime Pay

This type of theft happens when someone gives him or herself a bump in pay by showing overtime that wasn’t authorized and never happened. While many organizations have policies regarding payment of overtime, this fraud keeps going on in government, for-profit and nonprofit sectors. Take Amtrak, for instance, that paid $200 million in overtime in 2014. Unfortunately, a lot has been deemed as fraudulent according to the Amtrak’s Office of Inspector General  (Dailysignal.com).

The fake overtime bid can be perpetrated by staff, managers and payroll personnel  Actually, I have seen this happening when finance managers and others were not paying attention, didn’t supervise the guy running payroll, and didn’t know much about controls. He paid himself overtime running into the 5 figures, which was material for the nonprofit. Since overtime pay can be time and a half or even more, the nonprofit lost quite a lot of money with this fraud.

Sometimes employees fake a supervisor approval signature or may change a time sheet after it’s approved. This problem is minimized with online or electronic time sheets, but odd things can still happen, as the authorization may be automatic and not reviewed carefully by a supervisor.

Like the ghost employee fraud, this one is harder to identify with larger organizations, where details may get lost and certain people may work in more than one department, making payroll a bit complex and allowing the fraud to happen.

What can nonprofits do to minimize the problem of unauthorized overtime pay?

1- Any overtime claimed by managers should be scrutinized since managers are usually exempt from overtime.

2- Be sure managers, especially the ones supervising payroll, have the time and focus to reviewing payroll reports. Oftentimes, managers, especially in the administrative area, wear too many hats, are spread too thinly to don’t a good job in paying attention to payroll issues, including overtime and exceptions reports.

3- Department leaders should sign off on payroll reports at least once every quarter to document that they looked at the information.  The act of manually sign off usually make people pay a bit more attention to such reports.

4-Know the total payroll amount for each department and if totals on payroll reports are very different, inquire about it.  Usually, this is done using budget numbers related to wages and benefits.

It’s a shame that people are willing to take advantage of nonprofits to enrich themselves. But it does happen and organizations should do whatever they can to minimize this problem or they may lose funds and credibility, which could spell disaster for any business.  Don’t wait until something happens to take action to prevent these types of fraud.
Interested on CPE credits regarding nonprofits?  Online Practical CPE Courses

You can also check out my books:

Nonprofit Finance: A Practical Guide — Nominated for a  2016 McAdam Book Award

15 Quick Tips on Becoming a Great Consultant  — Free on Kindle Unlimited