For many nonprofit and governmental organizations, especially in smaller communities, business is conducted on trust and a handshake. We want to believe people are inherently good and therefore we become relaxed in our business practices. The problem is relaxed business practices have the potential to put both the organization and its employees in uncomfortable situations. You’ve heard the lingo: internal controls, segregation of duties, checks and balances, monitoring and review. That’s great in theory, but, in the “real world” how can an organization be cost effective in achieving good internal controls and also mitigate the risk of fraud?
First of all, try to separate duties between who controls the asset or function (cash, inventory, writing checks), who records and reconciles the information, and who is reviewing accounting records, financial statements, and bank activity. Sometimes by necessity, the person recording the activity may be the same person reviewing it. In this case, try to recruit a member of management or governance (CEO, owner, Board member) to assist with the review. The review can be haphazard, such as reviewing payroll one month and selecting random disbursements the next month. Always review the bank activity and maintain the element of surprise in what is reviewed. Examples of monitoring activities include the following:
Cash Receipts: The person receiving cash should create a list or calculator tape of cash receipts. A separate person should then later compare this list to amounts recorded in the accounting records and deposited to the bank. For example, if cash is collected for invoiced amounts, the person collecting the cash should be separate from the one applying the payment in the accounting records.
Cash disbursements: Verify the check sequence since the last check written, investigate any gaps, verify voided checks, and make sure there are no duplicate check numbers. It is smart to have an understanding of automatic bank payments; and to know vendors, amounts, and frequency of payments. Then compare this information to the bank statements. Review invoices along with disbursements, to ensure the proper documentation for the charge is included.
Credit cards can be an area of concern because of the ease of use and number of charges that can be included. Have written policies which state acceptable charges (prohibit personal charges and cash withdrawals), establish credit limits, and identify who has access. Make sure documentation is maintained for all charges, reconciled to the credit card statement, and reviewed by a separate individual in management or the Board (for instance, the general manager’s credit card should be reviewed by the owner or Board member).
Bank statements: Have a member of management or the Board receive a copy of the bank statement(s) or have “read-only” access online to review the bank activity and cancelled check images. The person performing the review should be separate from the cash disbursement process.
Specific items to look for include:
- Unexplained charges or deposits
- Automatic payments
- Checks with no check numbers or numbers out of sequence
- Duplicate check numbers
- Transfers to unknown accounts
- Other unexplained transactions
- Cancelled checks – proper signatures, obvious forgeries, altercations, and endorsements consistent are with payee information
All this information creates the financial statements, which management and governance is responsible to review. Using non-financial information can help with this review process by creating expectations for account balances. For instance, the monthly charge for residential water multiplied by the number of customers should approximate residential water revenue. Balances should be reviewed for reasonableness: the organization contributes 3% of salaries to employees’ retirement so retirement expense should approximate this amount. Comparing account balances over time to analyze trends can also be beneficial: utilities might have increased due to adding a new location or due to pricing increases. Finally, review numbers in comparison to budgets to identify unexpected variances. It’s important to understand what’s recorded in each account, how it’s reported, and what changes may affect the balance over time.
How does fraud fit into the picture? Without proper internal controls, segregation of duties, and review of financial information, organizations might be putting themselves at a higher risk of theft. Cash received may go to an employee’s bank account rather than the organization’s; a personal utility bill may get slipped in with the organization’s payment; a personal charge could be paid and overlooked on credit card statements; or an automatic withdrawal could be made from a bank account to pay for a personal expense.
Internal controls are needed for all sizes of organizations, can always be improved, and are only as good as the people implementing the controls. Management and governance should review control processes and procedures and challenge themselves to identify where improvements can be made. Always evaluate internal controls when there has been turnover in staff. We are available to assist you in reviewing this process. Contact any one of our audit professionals today to answer your questions and give you a fresh look at your internal control processes.