5 steps to strengthen internal controls at small businesses and not-for-profits

Published on October 25, 2016

Internal controls may lag at smaller organizations as managers sacrifice them for the sake of service delivery, particularly at cost-conscious not-for-profits and start-up organizations.

Yet the risks are too great to ignore. Consider that the Association of Certified Fraud Examiners (ACFE) in its Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study found that businesses with fewer than 100 employees are more vulnerable to occupational fraud. The median annual fraud loss for religious, charitable, or social service organizations was $82,000. This amount does not take into account the cost to the organization’s reputation. Because charitable organizations are in the public eye, the occurrence of fraud, or even allegations of fraud, can significantly affect an entity’s ability to attract support.

There are many approaches to risk management, but the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control – Integrated Framework can be used by virtually any organization, large or small, to strengthen governance, improve the reliability of financial reporting, and deter fraud. The COSO framework emphasizes that internal controls should be designed with consideration for the entity’s unique environment and its risk tolerance. It does not prescribe specific activities. Instead, it offers a structured approach to making risk-based, informed decisions. Applying the COSO framework, leaders can lend analytical abilities to identify risks and optimize controls to support critical processes.

Here are five low-cost steps to consider as a starting point:

Set a strong tone internally. Internal controls are processes affected by people and the actions they take every day in our organizations. The ACFE’s study showed that only 6.4% of fraud is discovered by external auditors. Internal controls involve everyone in an organization, and the board and leadership team set the tone.

Provide a formal system for individuals to raise concerns without fear of retaliation. The ACFE study found that fraud is most often discovered from tips – in 29.6% of cases. The best thing managers can do is create a mechanism by which employees can report concerns. Even the smallest organization can adopt a whistle-blower policy and incorporate that policy into employee handbooks and training for new workers. The online resource library of the American Institute of CPAs’ Not-for-Profit Section has a sample of such a policy, which can be downloaded and tailored to individual organizations.

Be attuned to what is happening within the organization. Managers should be aware of conflicts, tensions, pressures, or incentives that could compromise decision-making, integrity, and the reliability of the entity’s financial reporting. Examples of such pressures could be aggressive growth goals, a poorly designed incentive-based compensation structure, or unbalanced workloads that lead to unfair treatment, employee resentment, and burnout. Employees who are under pressure are more prone to ignore internal controls or take advantage of control weaknesses for their own benefit.

Focus on relationship-building and open communication. It is possible to maintain an attitude of professional skepticism and, at the same time, build relationships on a foundation of trust. One way: adopting open-book management practices and explaining not just “how” but “why” particular processes are needed from a business perspective. Address issues of noncompliance first by identifying the behavior you observed, then giving the employee an opportunity to voice his or her concerns. Second, acknowledge the employee’s viewpoint and then explain the business reason for the change. Finally, clearly state your expectations going forward. Use “I” instead of “you” in communication. Example: “I noticed that your supervisor did not pre-approve this transaction” is better than “You didn’t get proper approval from your supervisor.” Keep interactions professional, not personal.

By establishing controls and processes that did not exist previously, you may cause an internal power struggle. An employee may perceive a new process, such as a new process for authorizing transactions, for example, as a sign of distrust. Give employees a chance to express concerns before implementation, and be sure to explain the business rationale.

Consistently enforce policies across the entity to uphold fairness. Periodic, one-on-one discussions with individuals about organizational policies can be enlightening. Training new employees is a given, but some organizations fail to apprise employees of the acceptable use of the organization’s property, including confidential and sensitive information. Check references and conduct pre-hire and periodic background checks, particularly for employees involved within the finance or accounting function and for those who have access to sensitive information. Also, review IT systems access logs. As much as possible, separate duties so that no single individual has control of all aspects of a transaction, and separate authorization from recordkeeping.

In small organizations, unwritten policies can be effective where a process has existed for a long time and is a well-understood practice and where communications channels involve a minimum number of management levels as well as close interaction with, and supervision of, personnel. Keep in mind, though, that no matter how well designed controls are, they are not failsafe. Although managers cannot prevent all problems from occurring, the leadership tone they set by treating individuals fairly, and identifying and remedying issues, sends a strong signal about activities that are acceptable and those that are unacceptable..
 (Source:  AICPA - BUSINDNEWS - CGMA Magazine – September 21, 2016)