There is quite a bit of buzz in the business world about internal controls. We all know you should have good internal control. You hear your accounting firm repeatedly refer to internal control, but it is sometimes a challenge to determine what good controls really are and how you get there. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has put together a comprehensive framework of the key elements needed to achieve effective internal control. This framework is widely accepted and utilized among accounting professionals who help to evaluate and report on your organization’s internal control environment. Internal control is defined by COSO as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 1) effectiveness and efficiency of operations; 2) reliability of reporting; and 3) compliance with applicable laws and regulations.”
One of the five key elements of the COSO framework is the ability of the organization to identify, assess and respond to risks or “risk assessment.” A risk is defined by COSO as “the possibility that an event will occur and adversely affect the achievement of objectives.” This article will describe some steps that your non-profit organization can take to perform an effective risk assessment and how to address the results.
Establish goals that are needed for your organization to operate effectively and efficiently:
Now that you know what your objectives are, the next step is to identify what could occur, which may prevent you from meeting those goals. This is the most critical step because it is unlikely that a control will be put in place for a risk that has not been identified.
While your list of objectives may vary from specific to broad, your risk identification should be as comprehensive as possible, considering various transaction types, categories and volume/size. For example, if the non-profit’s goal is to increase the allocation of endowment income used for operations within five years, an associated risk may be that the organization does not receive sufficient endowment donations in the next two to three years to grow the endowment sufficiently, or a possible risk is that the investment strategy is too aggressive in the short term to allow the use of investment income in this time frame.
If your goal is to make certain that your private secondary school has filed all required informational and tax forms in a timely manner, you may specify a risk that the school store has not identified possible items being sold that are considered unrelated to your mission and could result in an unrelated business income tax liability (Form 990-T), or a risk may be that your board is not fully aware of the school’s filing requirements in order to properly monitor these filings.
Once you have identified risks that relate to your stated objectives, you need to assess the likelihood of occurrence, as well as the potential impact, before considering internal controls that may mitigate these risks. If you consider a risk to have a remote chance of occurring based on known activities of the organization and/or a minimal potential impact, it may not be worthwhile to continue the exercise for that risk.
While it is difficult for many in the non-profit world to even imagine that someone in their organization would commit any unethical acts, it is essential to consider. A surprising number of frauds committed in the United States occur at non-profit organizations and by trusted long-term employees.
Consider operational, regulatory or industry changes and how these internal or external changes may impact the internal control environment. Examples may include restructuring the finance office staff/management, changes in contract reporting requirements, etc.
Once you have gone through this process, you need to ensure that there are controls in place to mitigate the identified risks. It is important to have controls in place that mitigate the risks at different levels to provide the greatest impact. For example, relating to a risk of unauthorized disbursements of the entity’s cash, your first control is that all invoices are subject to sign-off by a department head. The A/P clerk then makes sure all payments have been authorized by the appropriate person and generates checks. The CFO signs all checks once they have been authorized, reviewing payees, amounts and supporting backup for reasonableness. The CFO also receives the unopened bank statements and reviews them for anything unusual, improperly signed checks or other withdrawals. Then someone independent of the cash function reconciles the bank statement to the accounting records and identifies anything unusual. Finally, the finance committee reviews the budget-to-actual income statement (by entity and by department) for unusual fluctuations or anything outside of expectations.
As you can see, the process of assessing and evaluating your non-profit’s control environment can be a significant undertaking; however, it is one that is crucial for leaders of non-profit organizations who maintain the fiduciary responsibility to do so. Developing a risk-assessment plan is one of the first steps in this process. As you consider and plan for a risk assessment, remember these final thoughts: