Nonprofits need to pick their financial controls carefully

Nov 23, 2009

It’s been nearly a decade since the Enron and WorldCom scandals shook our confidence in financial reporting and corporate governance. Fast forward to 2008 and we saw another round of financial collapse, bringing on the largest credit crisis and recession in recent history.

As a CPA who performs audits and other work for nonprofit organizations, I have also sat on the other side of the table in volunteer positions on a number of nonprofit boards. Having those different perspectives has led me to develop strong and sometimes contrary opinions on what types of controls and procedures are “best practices” for nonprofits.

In 2002, the Sarbanes-Oxley Act (SOX) was passed to deal with the financial crisis triggered by the WorldCom and Enron scandals. SOX was written for public companies and by no means did it prevent the current crisis. Yet many nonprofit executives and boards invoke SOX as if it guarantees a utopian world where nothing bad can happen.

Many of SOX’s provisions are a good start for public companies, but the nonprofit and private sectors just don’t operate in the same world. In fact, some SOX regulations are often misunderstood, and implementing them can be detrimental to nonprofits. Let’s take a look at some of the issues with SOX.

There are some misperceptions that SOX applies to all companies when in fact only two aspects of it — the whistleblower and destruction of records provisions — apply to nonprofit and privately-held organizations.

Many people also believe that SOX requires an organization to rotate its audit firm every three years. This is not the case. The SEC had audit partner-in-charge rotation requirements long before SOX came along.

While it is a smart practice for nonprofits to request proposals every three to five years to check the pricing of their audit firm, going with the lowest bidder is not always the best option, particularly if there is a difference in service and quality. Nonprofits also need to remember that switching audit firms every three years creates a weakness in the process, since it often takes two or three audits of an organization for the audit firm to really learn the organization and become effective in giving advice for stronger controls and improving operational efficiency.

There are some very simple, yet highly effective “best practices” that nonprofits should implement.

• Whenever possible, have good segregation of duties.

These controls are easier to circumvent in a smaller organization, so always have strong financial oversight in place.

An example of a good control is to have the bank statement sent to someone who does not prepare the bank reconciliation.

• Realize that the “most-trusted person” in the organization is human and can be caught up in personal issues that cause them to commit a fraudulent act.

Controls and procedures should be designed for the position, not the person, in case that person ends up leaving the position.

• Set the tone from the top.

If employees see highly competent and ethical leadership, they are less likely to perform questionable acts and then try to rationalize them. Implement a code of ethics and conflict of interest policy for all employees to follow; this shows that you are serious about the conduct and reputation of the organization.

• Create a whistleblower policy to enlist all employees in helping police the organization.

Tell employees how to contact a specified member of management, the board or the finance committee if they think something is wrong.

These are just a few controls to consider. Every organization is different so you need to customize them to your particular situation.

You want to work in a friendly and healthy atmosphere, so you can’t walk around treating every employee like they are ready to steal you blind, but it is smart to adopt a policy of “trust, but verify.”

http://www.bizjournals.com/baltimore/stories/2009/11/23/focus2.html