Internal Control Considerations for Not-for-Profits
Understanding basic concepts of internal control is nearly universal,
but implementing an effective internal control structure is a challenge that
Walker & Armstrong can help you address.
Through our experience in serving a variety of not-for-profit
clients, we have become particularly alert to common internal control breakdowns
that can lead to a heightened risk of material misstatement of the financial
statements and, in a few isolated cases, fraud. This in turn can result in a
loss of credibility among stakeholders, e.g., donors, grantor agencies,
creditors, rating agencies and the general public.
Often, the importance of strong internal controls becomes more
apparent after an incident occurs, such as:
a restatement of the financial statements;
an instance of fraud;
noncompliance with laws, regulations or the terms of
grants and contracts; or
the delayed issuance of audited financial statements.
On the positive side, adequate internal controls can
improve operating efficiency and effectiveness, increase employee morale, and
improve a not-for-profit's financial position.
Not-for-profits are often challenged in determining the correct
balance of costs versus benefits involved in establishing and maintaining
internal controls. Devoting excessive resources can be counterproductive and may
have the opposite effects of those desired. The appropriate balance depends on
many factors unique to each not-for-profit and requires careful evaluation of
available resources and risks.
A starting point is an understanding of the various components
of internal control that affect your organization. It is important to understand
these components in theory and then consider the practical applications.
Following is an overview of five areas comprising the internal
The first four components are often referred to as
“entity-level controls” because they have a pervasive effect on the
accomplishment of management's control objectives. In contrast, the fifth
component encompasses policies and procedures and specific activities
established to help ensure that management directives are carried out. These
controls are necessary to counter the effect of poorly designed or
non-operational entity-level controls.
A positive control environment provides the foundation upon
which all other aspects of internal control rest. The organization-wide tone is
set by management, with the oversight of governance, and is disseminated
throughout the organization by adherence to ethical practices, monitoring and,
when unethical behavior occurs, appropriate disciplinary action. In addition,
training and retaining competent individuals and providing relevant and timely
feedback regarding job performance are critical to good management of a
How an organization evaluates and accepts risk is also an
indicator of a well-functioning control environment. The inability to focus on
critical risk areas can result in threats to the security of the entire
organization. Also, intentionally assuming unnecessary risks can result in a
heightened potential for lost resources. For example, devoting a large amount of
resources to capital projects that are not essential to providing services may
result in excessive debt and wasteful use of liquid assets.
Information and Communication
Inter- and intradepartmental communication is another key
control that, if neglected, can undermine the integrity of a not-for-profit
entity. Decision makers in not-for-profit organizations may not fully anticipate
the financial ramifications of their decisions, including contractual
arrangements and their impact on financial reporting. As a result, transactions
that could have a material effect on financial statements may not be recorded in
a timely manner because there may be inadequate communication regarding a
resolution or agreement. For example, a board may approve an agreement of which
the finance department may not be immediately made aware, causing key
transactions to be left unrecorded.
In addition, if programs and departments do not receive accurate
financial information in a timely manner, their ability to make sound decisions
is adversely affected. In situations where accounting records are not current,
programs and departments may use separate recordkeeping systems, which leads to
inefficiencies and greater potential for errors in accounting and reporting.
In the current economic and regulatory environment, the ability
to evaluate and respond to risks is more relevant than ever. Handicapped by
increasingly scarce financial and human resources, not-for-profit entities must
make decisions on how to best allocate those resources to ensure that essential
aspects of its mission are carried out. The concepts embodied in the “enterprise
risk management” (ERM) framework developed by the Treadway Commission’s
Committee of Sponsoring Organizations are vital to assessing and responding to
There are different levels in which ERM can be implemented
(i.e., full versus partial); however, the overall approach generally follows
Focus on a small number of top priorities.
Leverage your existing resources.
Build on existing risk management activities.
While it is important to acknowledge the importance
of ERM, it is also important to prevent ERM implementation from taking on a life
of its own and hindering the accomplishment of key objectives.
Monitoring is how management evaluates the functional
sufficiency of an internal control system. The nature and extent of monitoring
vary with the organization’s size and complexity and its available monitoring
resources. Unfortunately, the monitoring process is often a weak area within
not-for-profit organizations, particularly when responsibility is not assigned
to a specific individual or group.
While larger not-for-profits may have an internal audit
department, that option is not economically feasible for all not-for-profit
entities. However, fiscal restraints should not hinder an organization from
developing a monitoring process that includes identification and monitoring of
key risk areas. For example, having a process to identify restrictions on
contributions is essential to maintaining accountability to donors.
In addition, providing timely and sufficient responses to
donors, funding agencies and lenders is essential to maintaining compliance and
credibility necessary to ensure future funding opportunities.
Not-for-profit entities often devote substantial resources to
design and implementation of control activities, such as:
the review of financial results (e.g., budget versus
policies and procedures;
segregation of duties;
physical custody and control over assets;
proper initiation and execution of transactions;
accurate and timely recording of transactions; and
appropriate access restrictions.
Segregation of duties is a key control activity often
affected by the current economic environment. As the level of human resources in
not-for-profit organizations declines, there is a heightened risk that
individuals who are part of a key process have too much access and control over
the initiation and recording of transactions. This in turn results in an
increased risk of errors and misappropriation.
Also, a critical element to a successful control environment is
well defined and current documentation of control processes and procedures that
outline responsibilities and authorizations of control functions. As tasks,
functions and controls change, a strong control environment requires written
documentation, continual monitoring and timely updating of processes and
procedures. In addition, best practices include personnel training and timely
communication of control changes.
Control activities are an integral part of a well functioning
internal control structure. However, in a not-for-profit organization's
environment, control activities often take such precedence that sufficient
resources are not dedicated to the four other internal control components.
The development and maintenance of strong internal controls is
not only a best practice; it is a prerequisite for demonstrating accountability,
maintaining efficiency and complying with laws and regulations and the terms of
grants and contracts and donor requirements.
The key steps are:
obtaining an understanding of key control components,
evaluating risks and available resources,
Design and implementation require coordination and
good communication among all functional areas of the organization.
There are many resources available to not-for-profits to assist
in developing and implementing a strong internal control structure. Resources
include publications issued by the Treadway Commission’s Committee of Sponsoring
Organizations and the American Institute of Certified Public Accountants (AICPA).
Locally, experienced public accounting firms such as Walker & Armstrong serve as
convenient and reliable sources of information and guidance.