Basic Internal Control for Nonprofits

The idea of separation of duties is not obvious to many organizations, especially those with tight budgets, which often have one person handle too many functions because it seems simple and straightforward. It’s usually a mistake.

The overall goal of separating duties is to have a system of checks and balances to prevent losses and mistakes.

See the following articles about this topic:

https://sanfranciscohotelso.weebly.com/department/organizing-an-accounting-departiment

http://www.exemptmagazine.com/management_tips/separation-duties-effective-internal-financial-controls/

http://smallbusiness.chron.com/strengthen-office-billing-accounting-procedures-3933.html

 

 

Nonprofit Payroll Risks and Controls

Some organizations run on volunteers only, but many need employees to perform certain tasks. Since having employees is costly, it’s no surprise that payroll is usually the biggest expense in the financial statements. Running payroll can be difficult, and while many organizations contract it out to outside payroll services, some prefer to process it in-house. Some key risks and controls with payroll are:

Risk: Time sheets could contain wrong information.

In many organizations receiving government funds, everyone files time sheets—even the president—to support charging grants “real” salaries rather than estimated/budgeted ones. Fortunately, many organizations use computerized timekeeping devices and time sheets that, once implemented, reduce errors and confusion significantly.

A traditional internal control is for nonprofits to require supervisory approvals on time sheets (manual or electronic) to make sure hours and overtime are authorized. Auditors typically verify if the time charged to a grant was allocated and authorized properly. If the auditor finds errors or no time sheets, or time sheets with no approvals, the scope of the audit is likely to increase, becoming more expensive.

Risk: Employees may be fictitious.

Each employee should file the proper paperwork with human resources and should visit the HR department personally. I know of a case where a program supervisor “hired” a relative part-time who was a “ghost employee.” The nonprofit paid the “employee” for six months, while the supervisor cashed the paychecks.

It was only after a problem with the time sheet of this person (all fake) that the human resources manager got involved, and the fraud was discovered. So, it’s crucial for HR to see and meet with all employees, including part-timers, to be sure they’re real and are actually working for the organization.

Risk: Unauthorized payroll changes or increases happen.

To make sure payroll records are correct, department managers should review and sign off on the payroll registers for their department at least once a quarter. Many department managers get the dollar amount of their department’s payroll expenses through regular internal financial reporting, but not the details.

So, having managers verify payroll numbers, overtime, sick days, vacations, etc. is very helpful in keeping it all correct. If a manager sees someone claiming overtime that he or she didn’t approve, the manager can follow up on it.

Controllers or accounting managers should review payroll registers and change reports to make sure the persons running payroll aren’t paying themselves unauthorized overtime or salary increases—a fraud I witnessed that could have been prevented had the controller taken a look at payroll reports regularly.

Risk: Paying terminated employees by mistake.

One issue I often see with payroll relates to nonprofits paying terminated employees because payroll staff didn’t know about the terminations. Once paid, it’s tough to get the money back.  So, it’s important for human resources and managers to notify the payroll department when people quit or are let go. Staff may need to process final checks and update the payroll system.

Nonprofits may implement policies and procedures, including a checklist to follow when employees leave. Many details are involved, such as COBRA requirements that need to be handled correctly or the organization could be liable for fines.

Risk: Payroll information may leak.

Confidentiality is essential with payroll records. Nonprofits must keep all payroll-related documents, including time sheets, in safe, locked filing cabinets accessible only to a few selected authorized personnel. Similar security measures must be considered for the computerized payroll systems, access to which should be very limited.

Nonprofits should hire people who are discreet and don’t discuss confidential matters with others in the organization. They should avoid using email when mentioning any sensitive payroll information because the system may not be secure enough.

Excerpt from book Nonprofit Finance – A Practical Guide Second Edition — https://goo.gl/M563u9

 

Is Your Nonprofit Data Safe?

Many nonprofits keep confidential information on their computers, including sensitive data and items that cannot be lost. Membership or donor information, accounting data, and other confidential information should be safeguarded against snooping eyes.

A typical control here is to have a disaster preparedness plan, which includes a recovery strategy for the nonprofit’s functions. But that’s not enough.  Organizations should consider the following issues with software, hardware, and the cloud.

Software

Risks when dealing with software include unauthorized entry, loss of data, and confidentiality issues. Some internal control mechanisms to minimize these risks are:

  • Use anti-virus and firewall programs to prevent malware from infiltrating the system.
  • Do daily backups of all systems and keep the backup files off the premises.
  • Require IDs and passwords on all systems.
  • Acquire programs to identify and stop unauthorized entry using the Internet and other means.
  • Require authorization from information systems for program purchases to be sure the program is indeed needed and is compatible with existing software.
  • Once employees leave the organization, they should not have access to the nonprofit’s systems.
  • Include security measures that prevent information systems personnel from accessing passwords or confidential information.
  • Create policies and procedures about computer usage and safety.

Hardware

The risks with hardware involve theft, maintenance, and obsolescence of the machines. Below are some controls to minimize these risks:

  • Place all equipment, including servers and printers, in a safe location.
  • Label all equipment with numbers and create a list of all equipment using the number and description.
  • Maintain this list, doing physical audits to identify equipment disappearances, losses and damages.
  • Centralize maintenance services and schedule them regularly.
  • IT management should approve purchases, retirement or sales of hardware.
  • Dispositions of old computers must be done carefully since they contain confidential information that may be recovered unless the nonprofit takes certain
  • Dispositions of old computers and peripherals must comply with laws to avoid poisoning the environment and possible fines.

Using the Cloud

Many nonprofits have been using accounting and other programs “in the cloud.” This means that organizations’ management and staff access these computerized programs through the Internet, making the software very convenient since employees can access the system anywhere as long as they have proper online connections, login IDs, and passwords.

Organizations using old, unreliable equipment may benefit from the cloud since the data is not saved locally. If the server or individual computers stop working, the information is not lost and is still available.

However, there are risks associated with the cloud system. For example, the program may not be available online for long periods. So, before selecting a cloud system, check its reliability through Internet searches and word-of-mouth.

Once the organization decides to go online, management must trust the Internet provider to provide adequate security for the data, which may include donor information. Not surprisingly, data security of cloud systems is a major concern for both for-profit and nonprofit users.

Another issue with the cloud is the data transfer. If a nonprofit employs the cloud and then moves to another system, the existing data will need to be downloaded and transferred to another program. The cloud provider should allow for such transfers and help the organization in this matter, but some charge fees, so inquiries about this matter are beneficial to avoid surprises later.
