Financial Control Recommendations for Small Nonprofits (PDF)
Preserving charitable assets is one of the most important responsibilities of nonprofit board service. Many organizations operating in Oregon experience asset losses related to thefts, embezzlements, or other diversions of assets, and these trends are mirrored in charities throughout the country. The Department has found that most situations leading to charitable asset diversion are directly related to an organization’s maintenance of reasonable financial records and implementation of meaningful financial controls. Oregon law requires that nonprofit corporations maintain appropriate financial records. See ORS 65.771(2).
Most financial losses could be easily avoided or quickly identified if organizations implemented basic financial controls, such as regular independent review of bank statements or following a proper expenditure review process. Financial controls are often referred to as internal controls. The following is a list of minimum internal controls that should be in place in any nonprofit organization, regardless of size. Additional internal controls should be considered and adapted to the circumstances and operations of the nonprofit.
- Separate financial duties. Effective internal controls limit any single individual from having control over two or more phases of a financial transaction or operation. Generally, duties should be segregated into four categories: individuals with access to assets; individuals with access to accounting systems and accounting records; individuals in management or control positions; and individuals exercising independent oversight, such as board directors. For example, an individual that receives cash and issues a receipt for it (access to assets) should not also record the cash deposit in the receipts journal (accounting duties). An individual that makes accounting entries (accounting duties) should not be the same person that has check signing authority (management duties). The bank statement and cancelled checks should be received and reviewed by someone that is independent of all the steps in the above process (independent oversight). In this manner, no single individual has too much control and there is oversight for each step in the process. A similar system can be used for the expense cycle as well. Even if an organization has no staff, it can still ensure that there is adequate separation by assigning duties to board directors or volunteers.
- Reconcile and examine bank statements monthly. The organization’s bank statements should be reconciled on a monthly basis by someone who does not issue or sign checks on behalf of the organization. In addition, copies of checks, wire transfer information, and other information relating to deposits and withdrawals should be maintained along with the monthly statement. Checks and other expenditures should be examined to verify that the payments are consistent with the organization’s activities and that the expenditures were appropriate. Similarly, deposit activity should also be reviewed to ensure that it corresponds to expected revenues. For example, if the organization held a fundraising event that generated cash, the reviewer should ensure that there are cash deposits matching the amounts received at the event. If the organization banks online, it should still be sure it is regularly downloading or printing and storing its bank statements, deposit slips, check images, and similar documents. Banks routinely charge fees to access older records.
- Adopt cash handling procedures. Ideally a cash register or multiple-copy receipt book should be used in the collection of cash. With respect to fundraising events or other situations in which the organization receives cash, it should arrange for two people to accept, record, and monitor the collection and a third person to arrange for its deposit. Cash transactions should be recorded into a journal or log to enable account reconciliation. It is important that any cash revenues be deposited to the organization’s bank account as soon as possible, and that management verifies that the amount deposited matches the amount collected.
- Document income from sources other than cash. Revenue from sources other than cash (e.g., credit cards, checks) should also be entered into a journal or log, at the very minimum. Checks should be restrictively endorsed (for example: “for deposit only, ABC organization, First National Bank, account # 123456789”) immediately upon receipt. Checks and deposit slips should be copied before they are deposited. Organizations that receive noncash donations should also adopt controls similar to those for cash donations to ensure that such donations are properly received, recorded, and accounted for.
- Control the use of credit and debit cards. Credit and debit cards are convenient, but each authorized user increases the possibility that the cards will be used for improper purchases. If the organization uses credit or debit cards, it should limit the number of users and set policies regarding their use. Credit card statements, bank statements, and supporting documentation should be reviewed monthly by someone who is not on the list of authorized card users. The reviewer should confirm that each charge is supported by a receipt and documentation of the business purpose of the expense. Some financial institutions allow organizations to set and adjust strict limits on usage of electronic payment methods and to send automated notifications to reviewers in the event of any attempted or actual misuse. Such services are particularly valuable to smaller organizations who rely on volunteers or smaller professional staffs.
- Control the disbursement process. All disbursements, whether made by check, positive pay, or an e-pay system, should be approved by someone other than the person who physically makes the payment. The approver should confirm that the payment is supported by an appropriate check request, invoice and/or purchase order, that the same invoice is not paid more than once, and that the stated amount of goods or services were truly received by the organization. The organization’s list of vendors should be reviewed for reasonableness, duplication, and “ghost vendors” on a regular basis. Cash expenditures should be avoided to the extent possible. Consistent with the proper segregation of duties, a single person should not be responsible for the collection, deposit, and reconciliation of cash receipts or other sources of income. If it is necessary to make payments in cash, those payments should be fully documented through advance approval, signed receipts by persons receiving cash, and expense vouchers or other documentation that the cash was used appropriately.
- Control expense reimbursements. Organizations should require all reimbursable expenses to be preauthorized. Preauthorized expenses should only be reimbursed if original receipts and other supporting documentation are submitted with the reimbursement requests. Reimbursement payments should only be necessary when organizational funds cannot be used to pay for the expense in the first instance. Under no circumstances should anyone ever write their own reimbursement check. Check stubs or copies of reimbursement checks should be retained along with authorization forms, reimbursement requests, and receipts. If an organization fails to maintain adequate documentation to demonstrate that the reimbursement was for legitimate organizational expenses, the reimbursement could potentially be treated as a form of prohibited inurement or taxable income to the recipient.
- Use timesheets and proper payroll controls. Nonprofits are generally required to report expenses on a functional basis, and payroll is often a nonprofit’s largest expense. Organizations should require all employees to use a timekeeping system which allows time worked to be recorded by functional area and which provides a mechanism for supervisory approval. Before paychecks are issued, a person in a position of control should ensure that timesheets have been properly approved, payroll allocations are reasonable, and that no duplicate checks or “ghost employees” are included in payroll. If the payroll reviewer is also an employee, a member of the board should in turn review the reviewer’s pay for accuracy.
- Utilize budgets. Every organization should develop an annual budget process in which it estimates incoming revenue and outgoing expenses for the year. The budget should be tracked and actual results compared to budgeted projections. Unexplained variations from projections can be early warning signs of potential problems. For example, a drop in cash income could be a sign of skimming. Budgets help organizations identify goals and potential problem areas so that they can build on those successes or take corrective action to resolve problems. For example, if an organization has an annual fundraising event, a budget provides a revenue target for that event and also enables the organization to set planned expenditures.
- Utilize general ledger accounting and regular financial reports. Organizations should use a system of general ledger accounting which enables categorizing and tracking income and expenditures. In addition to regular budget reports noted above, organizations should also regularly prepare and distribute statements of activity (commonly known as income statements) and statements of position (commonly known as balance sheets) for the board’s review and consideration.
- Get it in writing. Remember to document all internal control procedures in writing or in a protected digital format. For example: if you review and approve the payroll report, you should immediately sign and date the report; or if you review and approve the online monthly bank statement, you should immediately send an email to the Treasurer to that effect. If you perform an internal control procedure but fail to document that fact, the organization cannot prove that its internal controls are being implemented.
- Appoint a grants manager. Organizations should appoint a dedicated individual who is responsible for reviewing all grants and/or contracts received by the organization, understanding the “fine print,” and ensuring that all grant/contract terms and deadlines are met. In smaller organizations with few or no paid staff, this responsibility is generally fulfilled by a volunteer board or committee member. The requirements for each funding source may be unique and complex. The organization risks the loss of important financial support if it fails to study, understand, and adhere to grant requirements such as timesheet tracking, expense budgets, quarterly reports, or other obligations.
- Adopt a conflict of interest policy. Organizations should have a written policy that clearly states how conflicts should be disclosed, how a majority of disinterested board members make decisions, and how a conflicted board member would be excluded from any situation that might prevent them from being impartial or from appearing to be impartial. A written record of how and when this policy is implemented should be kept in board minutes. Director conflict-of-interest issues are addressed under ORS 65.361.
- Implement a data back-up plan. Organizations should ensure that they are backing up any electronically-stored financial data in the event of a computer failure, security breach, or other catastrophe. Organizations should also ensure that they have alternative arrangements in place to address a situation in which the person who is normally responsible for the organization’s finances becomes suddenly unavailable.
Additional Resources on Financial Management and Internal Controls
Nonprofit Association of Oregon
National Council of Nonprofits
CompassPoint Nonprofit Services
Greater Washington Society of CPAs Educational Foundation
Nonprofit Risk Management Center
COSO (Committee of Sponsoring Organizations of the Treadway Commission)