Why are internal controls necessary?

Properly implemented internal controls are essential for deterring fraud, misappropriation of assets or fraudulent financial reporting. The “Fraud Triangle,” is a model used to explain the factors contributing to fraud and consists of three components: motivation, opportunity and rationalization. Motivation may be personal financial pressure (misappropriation) or the need to boost results to meet an organizational goal (fraudulent financial reporting). Opportunity is created by a lack of oversight (infrequent internal reporting to the board) or unimpeded access to resources (check signing authority coupled with responsibility for reconciling the bank account). And, because most people don’t think of themselves as crooked, rationalization is the bad actor’s ability to excuse the fraud. It is important to understand the concept of the Fraud Triangle to assess where your organization’s internal controls may fall short.

What types of procedures can be implemented to improve internal controls?

 A few suggested procedures include: 

•  Adopt workflow systems and software to replace handwritten approval documentation and record the formal approval of transactions, with automated or email approvals archived for future reference. A bank lockbox can be utilized for cash receipts.

• Segregate duties to avoid the authorization, custody, recording and reconciliation of transactions by one individual. Include a presentation of internal accounting reports at each board meeting and document the discussion in the board meeting minutes. 

How do I know if my controls are working?

Test, test, test. Consider what you are testing, and refresh your tests as necessary, when procedures change or the means of tests become familiar. Make sure that the tests you run are designed to identify: 

• Expenditures are authorized routinely 

• Funds are received when expected and deposited timely 

• Donors are acknowledged and donor information is protected

• Electronic files are secured from corruption, theft or loss Access to data and systems are limited to only those who need it Access to financial assets (bank and investment accounts) is properly secured and limited