Segregation of duties, checks & balances . . . difficult to implement in the organization that has perhaps three or fewer staff, or only a few active board members in an all-volunteer organization. We asked CPA Carl Ho, who works with dozens of small nonprofits, what would be the five most important, most do-able controls for small groups:
1. The first and most important consideration is to set the control environment, that is, to let everyone know, from the top down, that there are policies in place and everyone has to follow the policies. In so many organizations the top person makes exceptions for himself or herself about policies, which sets a sloppy or even unethical tone. Then other people don't think they have to follow procedures, either, and they start cutting corners. The top person can't ask for reimbursement for anything for which they don't have a receipt. The management team members must all use time sheets themselves, get approval for travel expenses, have their credit cards scrutinized.
Emphasize the importance of ethics and controls at staff meetings, and demonstrate that everyone follows the rules, all the time.
2. Define clearly who is responsible for what. It's very common in small organizations, where not as much needs to be written down, for people to say, "I thought she was going to check the invoice." For example, with invoices: who is responsible for checking the math? Who is responsible for approving the invoice to be paid?
3. Physical controls. Lock it up. Computers should be locked to desks, and they should be protected with passwords. Put checks in a locked drawer. Among other abuses, there are too many cases where someone comes in and takes checks from the middle of the checkbook.
4. If there's cash involved — such as at a fundraiser or box office at a performance — have two people count all the cash together.
5. Reconciling the bank statement is a very crucial step. It's very unlikely that someone is going to steal from you and run away forever. Reconciling the bank statement means that embezzlement can't go on for very long.
Ideally someone other than the bookkeeper (or whoever handles the money) reconciles the bank account from an unopened statement. That's a strong check on the person who handles the money. But in a small nonprofit there may not be a bookkeeper, and there may be only one person who does everything. In these instances someone else, such as a board member, should receive the unopened bank statement, and look it over before giving it to the bookkeeper or the sole staffperson.
There are several controls that are commonly recommended but that you haven't mentioned. Could you comment on them? For example:
Payroll? Payroll controls at small organizations are actually easy because everybody knows everybody, so it's harder to create fictitious employees and pay them. The one area for attention is approval of timesheets for people working on an hourly basis. In these cases someone — who knows what work they did — should review and approve timesheets.
Two signatures on checks, or on large checks? This is okay as a policy, as long as you know that banks don't enforce this policy, nor can you hold them liable for a check that goes through with only one signature. Two signatures is a good policy so that someone sees the big checks, but it's more about setting the right tone than about preventing theft.
The person handling money not allowed to sign checks? Bookkeepers should not sign checks. But in a really small organization this may not be practical. One approach is to allow the bookkeeper (or the person who handles the money) to sign small emergency checks, for no more than $100 or $200. If everybody knows this rule, it helps to set a tone of accountability. And again, it will be caught by the person who does the bank reconciliation.
Any concluding thoughts?
In even the smallest organization, there can be another person who looks over things periodically, checking whether an expense was too high, was legitimate, whether the payroll taxes were paid. If you combine this with an atmosphere and environment that emphasizes following procedures and high standards of accountability, you still may not be able to prevent theft completely. But you'll prevent honest people from crossing the line, and you'll catch anything before it gets too serious.
Carl Ho, CPA, is a partner at Le, Ho & Company in Daly City, California, and serves as the auditor for many small and large community nonprofits in the San Francisco Bay Area. He loves to bicycle, and can't wait to try out the unicycle he just ordered by mail. He also loves roast duck. [Editor's note: who doesn't?]