Recent articles in the nonprofit press have stressed the need to reinforce the external controls or regulation of nonprofit organisations. For example, the recent calls to reduce the restrictions on what data the ACNC can collect, and what it can release are welcome improvements on the transparency of charities and nonprofits. But at the end of the day, it is the internal controls that nonprofits put in place which will best protect the organisation from failures which lead to fraud and error, and reputational damage.
Internal controls include
Policies and Procedures, which are the foundation of internal controls.
A strict segregation of duties, where no single person has the control of a financial process from beginning to end.
Reconciliation processes which provide alerts by comparing internal financial records with an external ‘source of truth’, such as a bank statement or fundraising application report. Furthermore, where reconciliations are delayed or behind schedule, then financial reports to the board will be delayed. This should trigger an alert of some concern, because repeated and consistent delays is a sign of poor financial management performance, and may disguise other issues in financial performance, particularly around accuracy or poor systems, technology, etc
How diligently the Policies and Procedures are monitored can send a clear message that internal controls are respected and in place. However if there is irregular, random, or even absent reporting on compliance with procedures, it doesn’t take long for the procedures to be ignored. "Why should I spend my time on these time-sheets when no one checks them"
Vigilant reporting on compliance is an essential part of monitoring adherence to policies and procedures. The monthly report on leave applications submitted in a timely way, unreconciled bank statements, timesheet omissions… there are many ways to report on compliance to policies and procedures. Drucker’s maxim: ‘if its measured, it’s managed’ applies here, or rather the reporting acts as a reminder for all staff that the procedures are important and reflect the high standards of the workplace.
And one must remember the critical role of the Board of Management, who have a fiduciary duty to protect against error and fraud, must ensure internal controls are adhered to, and not just for the staff, but for the board members themselves.
Internal controls are much more likely to detect fraud and error than an external audit. It is clear from our experience that the annual audit on nonprofit organisations is a review of a selected sample of processes and transactions, and the auditors themselves are clear that the audit is not a sufficient instrument to uncover malfeasance. (Its one reason why its the Directors who sign the audit report to members, not the auditors!)
So if error and fraud is likely to be committed by internal staff, it is also most likely to be detected by staff, suppliers or service consumers. A well managed and clearly articulated ‘whistleblower’ policy should be championed by the board, and a culture which encourages stakeholders to raise their concerns needs to be part of the organisational culture.
It is the culture - set from the top - which lets everyone know what is important. To quote from Drucker again: “Management is doing things right; leadership is doing the right things”. It is the board which determines what is important to do, and that there are supporting controls to ensure that staff do things right.
Next article: Examples of Internal Controls.