The most important & do-able controls for small groups
Segregation of duties, checks & balances… difficult to implement in the organization that has perhaps three or fewer staff, or only a few active board members in an all-volunteer organization.
We asked CPA Carl Ho, who works with dozens of small nonprofits, what would be the five most important, most do-able controls for small groups:
1. Set the control environment.
The first and most important consideration is to set the control environment, that is, to let everyone know, from the top down, that there are policies in place and everyone has to follow the policies.
In so many organizations the top person makes exceptions for himself or herself about policies, which sets a sloppy or even unethical tone. Then other people don’t think they have to follow procedures, either, and they start cutting corners. The top person can’t ask for reimbursement for anything for which they don’t have a receipt. The management team members must all use time sheets themselves, get approval for travel expenses, have their credit cards scrutinized.
Emphasize the importance of ethics and controls at staff meetings, and demonstrate that everyone follows the rules, all the time.
2. Define clearly who is responsible for what.
It’s very common in small organizations, where not as much needs to be written down, for people to say, “I thought she was going to check the invoice.” For example, with invoices: who is responsible for checking the math? Who is responsible for approving the invoice to be paid?
3. Physical controls.
Lock it up. Computers should be locked to desks, and they should be protected with passwords. Put checks in a locked drawer. Among other abuses, there are too many cases where someone comes in and takes checks from the middle of the checkbook.
4. Control the cash
If there’s cash involved — such as at a fundraiser or box office at a performance — have two people count all the cash together.
5. Reconcile the bank statement
Reconciling the bank statement is a very crucial step. It’s very unlikely that someone is going to steal from you and run away forever. Reconciling the bank statement means that embezzlement can’t go on for very long.
Ideally someone other than the bookkeeper (or whoever handles the money) reconciles the bank account from an unopened statement. That’s a strong check on the person who handles the money. But in a small nonprofit there may not be a bookkeeper, and there may be only one person who does everything. In these instances someone else, such as a board member, should receive the unopened bank statement, and look it over before giving it to the bookkeeper or the sole staffperson.
Other controls that are commonly recommended:
Payroll controls at small organizations are actually easy because everybody knows everybody, so it’s harder to create fictitious employees and pay them. The one area for attention is approval of timesheets for people working on an hourly basis. In these cases someone — who knows what work they did — should review and approve timesheets.
Two signatures on checks, or on large checks
This is okay as a policy, as long as you know that banks don’t enforce this policy, nor can you hold them liable for a check that goes through with only one signature. Two signatures is a good policy so that someone sees the big checks, but it’s more about setting the right tone than about preventing theft.
The person handling money not allowed to sign checks
Bookkeepers should not sign checks. But in a really small organization this may not be practical. One approach is to allow the bookkeeper (or the person who handles the money) to sign small emergency checks, for no more than $100 or $200. If everybody knows this rule, it helps to set a tone of accountability. And again, it will be caught by the person who does the bank reconciliation.
Any concluding thoughts?
In even the smallest organization, there can be another person who looks over things periodically, checking whether an expense was too high, was legitimate, whether the payroll taxes were paid. If you combine this with an atmosphere and environment that emphasizes following procedures and high standards of accountability, you still may not be able to prevent theft completely. But you’ll prevent honest people from crossing the line, and you’ll catch anything before it gets too serious.
Carl Ho, CPA, is a partner at Le, Ho & Company in Daly City, California, and serves as the auditor for many small and large community nonprofits in the San Francisco Bay Area.
He loves to bicycle, and can’t wait to try out the unicycle he just ordered by mail. He also loves roast duck.[Editor’s note: who doesn’t?]
I just started working for a local non-profit that has done a lot of good in our community. They have recently grown quite a bit in donations with Covid-19 funding being the number one reason. At the same time, donors are able to take larger tax deductions etc. So in effect, this nonprofit has much more than usual receipts and roughly the same amount or less in disbursements.
My question is this, they have hired me, an accountant to come in and be the bookkeeper but they won’t allow me to print checks or reconcile the bank account. The Business Manager is the one who won’t let me do this and he is also a check signer and often takes checks out of the office. I have worked a total of 17 days and I am shocked at the obvious mishandling of funds. I have expressed this to both the business manager and the CEO but nothing has been done. The business manager was told by the CEO to separate the duties and he agreed that he would. He has done nothing of the sort. I am not an auditor and don’t know anything about uncovering fraud. What specific tasks should I perform to quickly catch him because he is scrambling to cover his tracks and knows that I’m on to him. I suspect he has been on my laptop and in my locked desk and may have stold 2 very important flash drives as well. Did I mention I have worked a total of 17 days? I am obviously shaken by all of this and I don’t know what to do. For all I know that may be the sole reason I was hired, to take the blame for his fraud.
Our directors now hold regular executive sessions (without their two key staff people) to discuss all kinds of topics and vote on them. Recently they voted to accept a large loan (without seeing written terms, no resolution etc.). Three members then took the check, went directly to the bank and opened a savings account in our org name without staff knowledge and without following cash receipt procedures. It never went through our books! We found out 1 month later through a somewhat guilty member. They claimed they didn’t tell us because it was for “emergency use only”. We believe this will cause a “material weakness” on our audit, even though we are taking immediate actions to reverse and start from scratch. Any thoughts?
Termination with no benefit package. If I can not trust you to be COMPLETELY open and honest the company does not need you. this also make me think what other financial “deals” you have made in the company’s name without proper protocols and accounting documents. This also raises the question of how long have you been doing this, are you only guilty because you didn’t get what you asked for and if you got what you asked for would you have brought this matter to daylight.?
Laura Plyleer says
Very helpful. Thank you so much for sharing.
I work for a small non-profit. We have an Executive Director who is not required by our Board to get approval for any of his expenses. He does not submit itemized receipts for his purchases and has submitted personal golf outings and family trips as business expenses, claiming he met a ‘potential partner’ during the trip (these partnership never materialize). What are the legal requirements for non-profit financial policies regarding the ED approving their own expenses and refusing to submit proper receipts?
Like all non-profits, we have to log into the websites of other organizations, usually to access data and notifications. Some only allow one login ID per non-profit. The result is usually a spreadsheet with URL, Login ID, and password posted to a network or otherwise shared. This strikes me as a bad idea for several reasons but I am not sure of another solution. We can’t be the only organization who has run into this. How have you solved it, or have you? Thanks
Online security is becoming a bigger issue all the time, and you are right to be concerned about passwords being saved in a manner that is not secure. Fortunately, there are a number of apps available now that will serve as a “vault” for all your passwords. One we like is called “LastPass,” which has both a free and a premium version.
I am a fan of Roboform myself but the issue seems to be a need to share instead of secure. Are you suggesting that each person be given the LastPass password and have it installed on their computer? Interesting thought and it allows them to share the passwords securely with automatic sync. I had not considered that.
There's no need to share if each staff member sets up their own free password vault account. Whether you choose to have the saved passwords within those separate accounts be the same or not is your choice.
These would be accounts where we have one account for the organization. Gas company and Electric Company would be good examples. Pretty much any time an employee is logging into an account on behalf of the organization, we would like to be able to recover the password if necessary. Certainly not of sensitive accounts like banking but there are a host of other accounts that do fit the description. This idea should work. Thanks
At the last board meeting of our AVO, I suggested that we adopt the Blue Avocado internal controls. Our treasurer did not take it well. Among other things, he wrote . .
“___ is insinuating that this “internal controls” business originated with __ when in fact it came from him.
So, on top of my accusations of being arrogant and manipulative add rude and dishonest.”
Comments ? Suggestions?
i have really found the advice very important. thanks to all those who participated. moses
Specific steps to take to fraud-proof your business or organization:
The most pressing issue for a small business or organization is lack of resources. Money is tight, and you don’t have enough hours in the day to take care of everything there is to do. That should not mean you let down your guard and allow internal control weaknesses to threaten your business or organization.
The number one internal control to pay attention to is segregation of duties. That means that no one person has control over all aspects of a transaction. Primarily, this pertains to the financial aspects of the business, but it can also mean that you have a second set of eyes to check key transactions such as taking an order, double checking the quantity, address, price, shipping address, credit card information, inventory stock, etc.
First of all, to err is human. EVERYONE makes mistakes. Your goal should be to design a process where mistakes are minimized. Split up the work. Rotate staff. You not only get improved segregation of duties internal controls, you get cross training, and the opportunity to provide a more interesting work environment for your staff.
At every bank, officers and tellers are REQUIRED to take at least 2 consecutive weeks of vacation every year. The primary reason is so any fraud that has been occurring can have a chance of coming to light when the perpetrator is not there to cover his/her tracks. One huge red flag of fraud for any business is the uber-dedicated employee who is never sick and never takes a day off. Just on the face of those facts, I would bet $100 every time ……that the person is covering up some manner of fraud. Occasionally, I’d lose the bet. But more often, I would win.
So……..your business or organization only has resources for one bookkeeper. What can you do? Let’s think…….
At the very minimum, you MUST have the bank statements sent directly from the bank to someone OTHER THAN THE BOOKKEEPER! They should be sent to the President/owner/Executive Director. Or their spouse. Or to the Treasurer. Or to your accountant. Find somebody!
The key to this control is that the person who receives the bank statements has to OPEN THEM and LOOK AT THEM! If I had a nickel for every business that has the statements sent to the owner, who then has no time for them and just hands them, unopened, to the bookkeeper, I’d be typing this from my cabana in the Bahamas.
Look at the cancelled checks.
Look at the signatures.
Look at the vendors.
Look for direct debits.
Look for bank fees.
Look at the deposits.
Checklist for examining the monthly bank statement:
Look at the cancelled checks.
Are there missing check numbers?
At the beginning of the month, you should see the outstanding checks from the prior month clearing. There may be some irregularity in the numbers.
At the end of the month, there should be some irregularity in the numbers because of outstanding checks.
Do you print your checks on a printer? Are there any handwritten checks? That would be unusual.
Look at the signatures.
In many small business fraud cases, the bookkeeper forges one or more signatures on regular and payroll checks. Try this test. Go ahead and sign any check as “Mighty Mouse.” See if the bank processes it. I bet they do.
Look at the vendors.
In many fraud cases, the bookkeeper sets up a phony vendor and then issues checks to her phony vendor business. Make sure you recognize every vendor name. I have yet to meet a small business owner who could not spot a phony vendor name. But you have to LOOK.
Look for direct debits.
Many frauds involve the bookkeeper making wire transfers or other direct debit transactions. Make sure any you see look reasonable and familiar.
Look for bank fees.
Often a fraud will involve an unusual transaction and will trigger an unusual bank fee. Also, fraud will also cause the bank balance to be dangerously low, triggering insufficient funds charges. A dishonest bookkeeper will try to cover those up in the accounting records.
Look at the deposits.
Do you make deposits every day? Are they all there? Do the amounts look right? Is the total for the month what you expect?
After a few months, this cursory kind of review ought to take only a few minutes – about 10 minutes a month. Isn’t that pretty inexpensive insurance against financial fraud?
How does that all sound so far? Think you’re done? Think you’re covered? Well, have you got any credit card accounts? Well……DO YOU?
At the very minimum, you MUST have the credit card statements sent directly from the bank to someone OTHER THAN THE BOOKKEEPER! The drill is similar for credit card statements.
Look at the vendors and amounts.
Look for bank fees – late charges and over-limit fees. Any foreign currency transactions?
Look at the payments.
The person reviewing the credit card activity every month should recognize, to some extent, every transaction and fee. If there is anything that is not familiar, ASK QUESTIONS. The simple fact that someone other than the bookkeeper has a regular and direct interest in and access to the financial transactions is enough, in my opinion, to deter at least 80% of fraud and embezzlement.
I have only a few final words. There are many other important internal controls covering many other aspects of any business. Consider inventory controls, accounts receivable controls, payroll controls, cash receipts and cashier controls, and on and on. However, if you have to start somewhere, and are looking for the most cost effective controls, I believe these I’ve described today are them. Plus……
At least once a year, order a credit report on your own business. In some frauds, the thief opens loans in the business’s name, or other accounts, and absconds with the proceeds. A credit report is one place you may catch these.
Run a criminal background check on your bookkeeper. Just do it. Wait…..is the bookkeeper a family member? Let me tell you the story of a client who owned a convenience store. Her sister was an employee. What a good sister she was, too. She was always amazingly generous with presents at Christmas and birthdays. Oh…..guess where the money was coming from. Yes, she was stealing from her sister’s convenience store.
Run a credit report on your bookkeeper. If they balk or refuse, consider hiring a new bookkeeper and make the credit check part of the job requirements. See the sister story above!
If you are a board member, run a credit check and criminal background check on your Executive Director. Just do it.
If I had small business clients, and if they agreed to adopt these controls, I would provide a guarantee that I would refund the prior 12 months of accounting and tax preparation fees if the business was ever a victim of fraud by the bookkeeper. I am not kidding.
Thanks for taking the time to write this out, great advice.
im church member cpa charged with writing the policy. im concentrating on separation of duties. Pastor wants bank recs. there is no bookkeeper. do i have to do the journals? there are only a few transactions per month so i want it manual for now. ps. i hate quickbooks. no audit trail.
Thanks for the helpful post.
Thank you for some great tips that I am sharing with our board officers.
This is a great article. I just started this new job as a compliance officer. I am asked to place internal controls. for a small company (4 full time / 3 part time employees). Can someone suggest how to control the mail or check deliveries. The operations managers receives all the packages, a lot of checks also comes in. I suggested to keep a log of all the deliveries that come in. Any other suggestions? Thank you!!!
This great! I have learned so much from people’s comments. We have a executive board director who is stubborn and wants everyone to follow what she suggests in board meetings.
Would appreciate your advise.
Great thread. As a insurance and risk manager serving nonprofits and municipalities, I’d rather see organizations use internal controls to reduce theft rather than buy more insurance. Having studied many embezzlement cases, they tend to not only cost money (they commonly cost $50,000 – 200,000) but also damage an organization’s morale, reputation, etc. Please heed your CPA and adopt and enforce strong internal controls!
Thank you for this useful post.
I’ve linked to it over on http://wildwomanfundraising.com, I was just writing about negligence in nonprofit leadership today, and I think that more than fiscal controls, but also social controls need to be addressed.
For instance, in nonprofits there can be such a thing as "Gangsterism" which is actually outlawed in europe, where people in a nonprofit, led by a gang leader, decide that one person is the problem, this person is making everyone unhappy. So they fire that person, then they "feel better" until someone else becomes that person. And so it goes until the entire staff is replaced.
We don’t just need two signatures on a check. We need a system to make sure that workers are not being abused by managers.
As the treasurer of a small nonprofit organization staffed primarily by volunteers, I found Richard Lord’s book, The Nonprofit Problem Solver: A Management Guide, to be an excellent reference for establishing realistic internal controls. His Fiduciary Function Worksheet helps to identify unacceptable exposures. He follows this with recommendations for segregating duties (Four-Person, Three-Person, Two-Person). Our organization has handled bank statement reconciliations by delivering our bank statements, unopened, to a small company that provides a variety of business services in our local community. This company does each reconciliation for a modest fee.
Our issue is similar to Anonymous, Jan 22, as a very small volunteer nonprofit. We have 20 hours of administrative assistant time in the office each week, along with the treasurer. Must they always open the mail together? What option do we have when one is not present/on vacation? Do you have any sample internal control polices to share for organizations where the treasurer has done it all but now need controls for receipts and disbursements?
I think the most important thing is "segregation of duties". Even if you have only 1 staff member, the Board member who is Treasurer should be at a minimum viewing bank statements online and reconciling the bank account. The tricky issue is who oversees opening of daily mail (for mailed in donations) and processing of those checks for deposit, if you only have 1 employee?
I would add two other actions that I believe are at the heart of honoring the fiduciary duty of the organization and its staff:
1) Make a daily bank deposit. All cash/checks received by whatever means (contributions through the mail, ticket sales, etc.) should be deposited daily REGARDLESS of the amount. Cash is fungible and checks are easily altered. If cash is not controlled in this way, there is absolutely no way an entity will ever know that anything went missing. Further, human nature is to take a short cut, payments made with cash that has been received but not yet deposited fails to get accounted for properly. This control is for any organization (for example a church receiving offerings, a theater company selling tickets, etc. etc.)
2) Prepare a time sheet. Staff (whether paid or not) should keep a time sheet, updated DAILY, showing the allocation of their time in hours to various tasks (the staff and board can agree on which recurring tasks to list on the time sheet, the staffperson can annotate the timesheet accordingly for nonrecurring tasks). This is critical information that the staff and Board can use to discuss resources and objectives, and provides the sole support for ultimately allocating expenses in accounting and tax reports. Memories are short. Doing a weekly or monthly timesheet and trying to remember how time was spent is folly. An argument that documenting one’s time is too time consuming disregards that how one’s time is spent is a fundamental step in managing the allocation of staff resources.
I just left a comment in regards to the ED who was embezzling. The ED I was speaking of was not being scrutinized for the credit card transactions, time sheets etc. I had traveled with the ED numerous occassions and she would use the organization’s money to buy her alcohol and then make a big fool of herself from being SOO drunk. She also ran her campaign out of this organizations office and used their mailing, stamps etc. She used the organization for her advancements in her current career as an ED and as State Representative.
Please excuse any mispelling I am tired and trying to get to bed and just had to comment. I really think this is great information and somehow this stuff goes unknown and gets away these types of things. The ones who suffer are the Board and members and funders.
I’m glad that the online bank statements were mentioned. As a bookkeeper (I do not handle any money), I find myself concerned about the paper bank statements lingering too long or getting lost at my ED’s desk. I’ve used the online statements to reconcile at times so that I could move forward, and then double-checked when the paper copy finally hit my inbox. Our ED isn’t comfortable with online statements, so I fall back on them instead of the reverse.
This was very helpful. I run a small nonprofit (all volunteer) that went from a 7000 budget to over 100,000 in 2 years. Suddenly the controls we had seemed much more important, but I have been struggling with how to reorganize our efforts except that I am recruiting a new treasurer, bookkeeper and creating a finance committee.
I appreciated the perspective here, especially after reading the earlier article on embezzlement! Great newsletter.
This is an excellent idea, especially if the bank will provide scans of the checks and all the items in the deposit. Thanks for bringing it up! You might also want to see an earlier Blue Avocado article: Seven Ways to Reduce Your Audit Costs.
The bank statement is where I get stuck. I am the ONLY employee of a non-profit organization. I have wonderful board members, but they are scattered all over the state. How are they supposed to reconcile the bank statement when all of the account information is on my computer?
I would love to have a better division of responsibilities, and would hate to ever be accused of anything improper, but how do I get this done?
Does your bank offer the statements on-line? My board chair and and financial committee chair reveiw the statements on-line and send me an email confirming they’ve looked at the statements. A full-fledged audit (costing up to several thousand dollars) was way out of our league, but found a local CPA who did an general overview and gave us a letter of review. (I think that’s what he called it).
The idea of having someone else to review the bank statement before it gets to the bookkeeper’s hand is prevent the bookkeeper from modifing or hiding things on the bank statement that he/she does not want anyone to see. With color copiers and printers, a fake statement looks real. The board members of the nonprofit most likely will not actually reconcile the bank account, but having them review the checks and money transfers that have cleared the bank provides a way of validating the transacations. In addition, this also help detecting unauthorized short-term borrowings by the bookkeeper. If you can arrange for the designated board member to have online access to your bank account, it would make things simple.
We are a four-person office, with a Controller. Our bank statement is sent to a CPA firm directly from the bank. The controller sends the CPA firm the list of checks issued during the month and the CPA firm reconciles the bank statement, taking the task out of the office and our hands. This firm doing this has a small "back office" service doing "bank recs" and other tasks for small companies and non-profits, billing by the hour for a bookkeeper, not a CPA. (This is not the same firm that does our audit, adding another layer of separation.) This solution might work for you, too–if you can fit it in your budget.
Formerly a Banker
Very helpful, and validating for us, as we are following many of the suggestions. We go through a mandatory audit every year and the internal controls issue comes up because we’re small. We are also told that having an accounting manual that details our policies & procedures with all financial matters is critical.
Thanks for the article! It is very concise and clear. I’m going to forward it to my small non-profit clients.Markwww.MarkHalpertCPA.com
Wonderful tips! I advise very small nonprofits and they often struggle with this issue. Now I feel armed with an extra tool to help them cope.-Danny in Bethesda, MD
Hi everyone! Hoping someone can help. I belong to an elementary Home and School Club (i.e. PTA). Our procedures have been that checks be cut on a H&SC check and signed by two authorized persons. Our new Treasurers are now paying vendors directly with a personal credit card and then having the H&SC reimburse them. Doesn’t this bypass our original procedures. Any thoughts would be great!
It seems to me that if you have an itemized receipt and two authorized people approving the reimbursement check after viewing the itemized receipt, then it is OK