October 15, 2018
By: Alejandra Jensen, CPA, CFE | Nonprofit Audit Manager
Although they recognize the importance of maintaining proper segregation of duties (SOD) as a risk management best practice, many nonprofits still struggle because of limited staff, scarce resources and tight budgets. These organizations are under pressure to cut costs, increase revenue, and identify additional funding streams while also providing better, more useful reporting to leadership and maintaining a healthy internal control structure. Unfortunately, internal control, specifically SOD, is often placed on the back burner even though studies have shown that a lack of SOD is a significant contributing factor in almost all occurrences of fraud.
Segregation of Duties
Effective SOD is achieved when the steps in key processes are divided among two or more people so that no one individual can act alone to subvert a process for his or her own gain or purposes. For example, most nonprofit organizations require two signatures on checks above a specified threshold. Others apply much more stringent requirements, such as secondary board approval or signature on checks over a specified amount.
Preventative vs. Detective Internal Controls
There are two types of internal controls. Preventative controls ensure something does not occur, such as limits on certain transactions and SOD. A detective control is intended to catch a problem after it has occurred. An example is the reconciliation of accounts payable and a later review of that reconciliation. Smaller nonprofits may need to utilize more detective than preventative controls because there is a greater chance that one person has full access to several aspects of a process. For example, one individual may be responsible for making deposits and issuing checks while performing the monthly bank reconciliations.
Successful implementation of internal controls for a smaller organization is a matter of selecting those controls that can be reasonably employed in a timely, economic and efficient way. Contrary to popular belief, achieving appropriate SOD does not require a large finance or accounting team. It may take a bit of creativity and consideration to properly assign duties, including assigning some responsibilities to leadership and/or board members.
Below are some examples of how small nonprofits can achieve proper SOD.
2-Person Team
3-Person Team
In addition to determining the appropriate SOD, it is important that leadership set the proper tone from the top. This may include proactive steps such as conducting frequent fraud prevention trainings and requiring staff to sign annual conflict of interest statements and whistleblower policies while intentionally promoting oversight within the organization. Management should always be involved in monitoring and reviewing monthly financial reports, but nonprofits may also want to consider hiring a trusted CPA firm to review and evaluate the current internal control structure to promote confidence in the organization’s fraud protection measures.
Nonprofit organizations of any size can implement effective SOD with careful planning and advice from an external CPA, if needed. For questions about your organization’s internal controls, including SOD, contact Alejandra Jensen, CPA, CFE, Nonprofit Audit Manager at 301-951-9090 or ajensen@grfcpa.com.