Nonprofit organizations have a responsibility to donors to maintain strong internal controls to prevent and detect fraud. Due to the COVID-19 pandemic, many employees are now working remotely, causing controls that were previously implemented to no longer be as effective. Now may be a good time to reassess the risks and effectiveness of your control environment.
Segregation of duties: Duties for custody, record keeping, reconciliation, and authorization for functions such as cash receipts, cash disbursements, and payroll should be segregated as much as possible. Many nonprofits struggle to keep these duties separated. Furthermore, staff working remotely may compound the issue, causing one individual to be responsible for two or more of these duties. Utilizing board members or adding a third-party service provider to any of these functions can help mitigate risk and add layers of segregation. As much as possible, the individual responsible for bookkeeping should not be involved in handling cash receipts or the reconciliation process.
Examples of third-party service providers: for cash receipts, consider using your bank’s lockbox services or using web-based donor management software with an ACH payment processing function. For accounts payable, consider setting up automatic payments or using a bill pay service, when available. Consider checking with your bank for services they may offer, such as ACH and wire transfers.
Authorization and Approval, Reconciliation, and Review: Transactions should be authorized and approved to better control expenditures. Review of specific functions involves cross-checking transactions or records to ensure information is reported accurately.
Often, nonprofits authorize and approve a transaction at the same time it is reconciled and reviewed, with all of these steps completed by the same individual, such as the Executive Director. In smaller organizations, the Board of Directors may perform this function. Where possible, someone other than the individual responsible for bookkeeping should authorize and approve transactions. Generally, expenditures should be approved prior to the purchase being made.
Consider completing review and approval processes through email or using digital signatures for approval. Many digital signature programs offer enhanced security with automatic independent verification. These programs can also prevent documents from being saved on untrusted servers and being exposed to tampering. For items that require Board approval and review, nonprofits should ensure that the Board is still meeting regularly. Using Zoom or a similar platform easily allows Boards to operate and carry out oversight.
Security: Even with remote work, staff may need to access the office from time to time and a vacant or nearly vacant office may allow for greater opportunity for fraud. Additionally, staff working from home may inadvertently allow access to confidential information. Here are some key controls to consider:
- Cash should be secured using a lockbox or donor management program. If a petty cash drawer is maintained but not frequently used, consider depositing the funds.
- Check stock controls can be enhanced using automatic payments. If printed checks are still required, ensure that check runs are run from the office at designated times (i.e. a specific day of the week). By no means permit staff to take check stock home to print checks remotely.
- File cabinets should be securely locked. Any documents containing confidential or proprietary information should be filed.
- File servers and server rooms need to be monitored and managed. As more work is being performed remotely, processes and controls for electronic file storage and backup have become much more crucial. Evaluate policies and controls for access and authorizations, ensuring only necessary users have access to perform their own duties.
- Physical security of laptops staff members take home also needs to be addressed. Make sure processes, policies, and controls are communicated to staff. Consider setting an automatic lock on laptops after a period of inactivity to prevent access without re-entering credentials.
The above controls are just a few suggestions to consider. Nonprofit organizations need to frequently evaluate risks, especially with large changes brought on by events such as the pandemic. If you have any questions, please reach out to your personal Sciarabba Walker contact or email us at firstname.lastname@example.org.
By Ethan Chaffee