Performing a Risk Assessment for Non-Profit Organizations
August 01, 2013
Jeanne E. Pagnozzi, CPA
There is quite a bit of buzz in the business world about internal controls. We all know you should have good internal control. You hear your accounting firm repeatedly refer to internal control, but it is sometimes a challenge to determine what good controls really are and how you get there. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has put together a comprehensive framework of the key elements needed to achieve effective internal control. This framework is widely accepted and used by the accounting professionals who evaluate and report on your organization’s internal control environment. Internal control is defined by COSO as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 1) effectiveness and efficiency of operations; 2) reliability of reporting; and 3) compliance with applicable laws and regulations.”
One of the five key elements of the COSO framework is the ability of the organization to identify, assess and respond to risks or “risk assessment”. A risk is defined by COSO as “the possibility that an event will occur and adversely affect the achievement of objectives”. This article will describe some steps that your non-profit organization can take to perform an effective risk assessment and how to address the results.
Establish goals that are needed for your organization to operate effectively and efficiently:
- Operational: goals that relate to your entity achieving its mission, such as increasing program participants, reducing controllable costs or having sufficient cash flow to make needed improvements to your facilities
- Reporting: goals that relate to the organization’s ability to produce reliable reports, whether internal or external
  - Internal – schedules used by management to analyze departmental spending, payroll allocations, donor reports or financial reports given to your board
  - External – schedules for external users, such as annual audited financials, IRS Form 990 or state reporting
- Compliance: goals surrounding the ability of your entity to ensure compliance with local, state and federal laws and regulations, and with contract requirements. Examples include the requirement to file and pay taxes on unrelated business income, providing written acknowledgments to donors or monitoring grant compliance.
Identify and Assess Risks
Now that you know what your objectives are, the next step is to identify what could occur that would prevent you from meeting those goals. This is the most critical step, because a control is unlikely to be put in place for a risk that has not been identified.
While your list of objectives may vary from specific to broad, your risk identification should be as comprehensive as possible, considering various transaction types, categories and volume/size. For example, if the non-profit’s goal is to increase the allocation of endowment income used for operations within five years, an associated risk may be that the organization does not receive sufficient endowment donations in the next two to three years to grow the endowment sufficiently, or a possible risk is that the investment strategy is too aggressive in the short term to allow the use of investment income in this time frame.
If your goal is to make certain that your private secondary school has filed all required informational and tax forms in a timely manner, you may specify a risk that the school store has not identified possible items being sold that are considered unrelated to your mission and could result in an unrelated business income tax liability (Form 990-T), or a risk may be that your board is not fully aware of the school’s filing requirements in order to properly monitor these filings.
Once you have identified risks that relate to your stated objectives, you need to assess the likelihood of occurrence, as well as the potential impact, before considering internal controls that may mitigate these risks. If you consider a risk to have a remote chance of occurring, based on the known activities of the organization, and/or a minimal potential impact, it may not be worthwhile to continue the exercise for that risk.
While it is difficult for many in the non-profit world to even imagine that someone in your organization would commit an unethical act, it is essential to consider. A surprising number of frauds committed in the United States occur at non-profit organizations and are committed by trusted long-term employees.
Fraud can be divided into two main categories:
- Asset misappropriation: the unauthorized use or theft of the organization’s assets (i.e., cash, inventory or computer equipment).
- Fraudulent financial reporting: a manipulation of the financial records for some objective, such as concealing a loss, recording transactions outside the reporting period or knowingly underestimating certain reserve or allowance accounts.
When considering the possibility of fraud, think about the primary elements that contribute to it:
- Opportunity – a lack of controls gives a person the perfect chance to commit fraud
- Incentive – perhaps a year-end bonus contingent upon certain financial results, or personal troubles (gambling or substance addiction, severe financial pressures)
- Attitude/Rationalization – “I’m underpaid, so I deserve it” or “I’ll pay it back next month” gives fraud perpetrators the attitude that what they’re doing isn’t really wrong.
Identify and Analyze Significant Changes
Consider operational, regulatory or industry changes, and how these internal or external changes may affect the internal control environment. Examples include restructuring the finance office staff or management, changes in contract reporting requirements, and so on.
Once you have gone through this process, you need to ensure that there are controls in place to mitigate the identified risks. It is important to have controls that address each risk at several different levels, so that no single person or step is the only safeguard. For example, for the risk of unauthorized disbursements of the entity’s cash, the first control is that all invoices are subject to sign-off by a department head. The A/P clerk then makes sure every payment has been authorized by the appropriate person and generates the checks. The CFO signs all checks once each has been authorized, reviewing payees, amounts and supporting documentation for reasonableness. The CFO also receives the unopened bank statements and reviews them for anything unusual, such as improperly signed checks or other withdrawals. Then someone independent of the cash function reconciles the bank statement to the accounting records and identifies anything unusual. Finally, the finance committee reviews the budget-to-actual income statement (by entity and by department) for unusual fluctuations or anything outside of expectations.
As you can see, the process of assessing and evaluating your non-profit’s control environment can be a significant undertaking; however, it is a crucial one for leaders of non-profit organizations, who hold the fiduciary responsibility to do so. Developing a risk-assessment plan is one of the first steps in this process. As you consider and plan for a risk assessment, remember these final thoughts:
- Document this process, including the steps taken to address the identified risks.
- Involve and speak to staff at various levels within the organization to fully understand the transaction-level processes and related controls.
- Perform a periodic review and re-evaluation of this assessment. Has the NFP engaged in new types of transactions, embarked on a capital campaign or hired new employees? There may be new risks associated with any of these.
- Assign someone to be responsible for the process, preferably someone on the governing body. The process and its results should be shared with the board (and they should be as involved as possible).