Minnesota Council of Nonprofits 2015 MCN Annual Conference October 1 – 2, 2015 | St. Paul, MN | St. Paul RiverCentre

Internal Accounting Controls for the Understaffed Nonprofit Friday, October 2, 2015 11:00 am – 12:15 pm

Presented by: Michelle Anderson, CPA, Senior Manager

NONPROFIT AND GOVERNMENT PRACTICE www.wipfli.com/ngp | 888.876.4992 Reproduction or use of any training materials in this manual, except within a participant’s agency without express written permission is prohibited by copyright law. © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

Trainer: Michelle Anderson, CPA, Senior Manager

© Wipfli LLP © Wipfli LLP

1

Materials/Disclaimer Please note that these materials are incomplete without the accompanying oral comments by the trainer(s). These materials are informational and educational in nature and represent the speakers' own views. These materials are for the purchasing agency’s use only and not for distribution outside of the agency or publishing on a public website. © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

2

1

Agenda After today’s session you will have a better understanding of internal controls • What are the objectives of internal controls and why are they important? • What is the difference between a process and a control? • What types of controls should I have in place at my organization?

© Wipfli LLP

3

© Wipfli LLP

4

Objectives of Internal Controls There are three main objectives of internal controls • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations

Internal Accounting Controls for the Understaffed Nonprofit

2

Objectives of Internal Controls Listed below are the systems that are not only related to accounting and reporting but also relate to the organization’s communication processes, internally and externally, and include procedures for: •

Handling funds received and expended

•

Preparing appropriate and timely financial reporting to board members and officers

•

Conducting the annual audit of the organizations financial statements

•

Evaluating staff and programs

•

Maintaining inventory records of real and personal property and their whereabouts

•

Implementing personnel and conflicts of interest policies © Wipfli LLP

5

Procedures for Monitoring Assets • All organizations should have procedures to monitor and record assets received, held and expended. • These financial controls should be described in an accounting policies and procedures manual. The manual should be reviewed, approved, and given to the Board of Directors employees and volunteers as necessary.

© Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

6

3

Procedures for Monitoring Assets It should include procedures for: •

Preparing an annual income and expense budget and periodic reports.

•

Writing and signing checks or vouchers in sequential order, recording of assets, securing and depositing cash and other receipts. Such procedures should ensure that no individual is responsible for receiving, recording, and depositing funds or writing and signing checks. Checks and balances are essential to make the potential for fraud to be more difficult.

•

In assuring that grants and contributions received are properly recorded, finance is required that any restrictions on the use of such funds are obeyed. © Wipfli LLP

7

Procedures for Monitoring Assets It should include procedures for: (cont.) •

Requisitioning, authorizing, verifying, recording and monitoring all expenditures including payment of invoices, petty cash and other expenditures. Such procedures should ensure that no single individual is permitted to request, authorize, verify, and record expenditures.

•

Accessing, inputting, and changing electronic data maintained by the organization. Preserving electronic records is ensuring data compatibility when systems change and creating an appropriate records retention policy are part of this process.

•

Providing for regular oversight by an audit committee or, if there is no audit committee, by the executive committee or by the Board of Directors itself. 8 © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

4

Procedures for Monitoring Assets It should include procedures for: (cont.) • Reporting to the audit committee or board by employees and volunteers of allegations of fraud or financial improprieties. • Ensuring that timely and appropriate financial reports are distributed to all directors and officers and reviewed by them. • Providing procedures for approving contracts to which the organization is a party, including securing competitive bids from vendors. 9

© Wipfli LLP

Procedures for Monitoring Assets It should include procedures for: (cont.) •

Making clear the responsibilities of all individuals involved with the organization, including the board of directors, officers, employees, volunteers, consultants, and maintaining an organizational chart while updating such information as necessary.

•

Preparing for the annual audit process in a timely manner.

•

Developing a prudent investment strategy and providing proper oversight of the investment assets.

•

Complying with governmental and other reporting requirements. © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

10

5

Procedures for Monitoring Assets It should include procedures for: (cont.) • Complying with obligations to members, employees, and the public including their right to a copy of the organization's annual financial report.

© Wipfli LLP

11

Process vs. Control • What is the difference between a process and a control? • Is there one?

© Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

12

6

Process vs. Control A Process is an activity that: • Captures data • Changes data • Introduces the possibility for error

© Wipfli LLP

13

© Wipfli LLP

14

Process vs. Control A Control is an activity that: • Does not change data • Prevents or detects and corrects errors introduced by the processes

Internal Accounting Controls for the Understaffed Nonprofit

7

Components of Internal Control Internal controls consist of these five components. 1. Risk assessment 2. Control environment 3. Control activities 4. Information and communication 5. Monitoring

© Wipfli LLP

15

© Wipfli LLP

16

1. Risk Assessment Organization’s identification and analysis of relevant risks in relation to achievement of objectives, such as: • Changes in regulations • New personnel • New systems or technology • Rapid growth or downsizing • New programs, grants, services

Internal Accounting Controls for the Understaffed Nonprofit

8

Risk Assessment Tools & Methods to Achieve

COSO Objectives • Establish objectives, including how risks should be managed, including entity and activity objectives

• Business plans and budgets with realistic goals

• Establish and maintain an effective process to identify, analyze, and manage risks relevant to the preparation of reliable financial statements (both internal and external)

• Document and communicate about risk throughout the organization

• Periodic review and update strategic plans and objectives

• Identify, analyze, and manage change

• Involve a broad spectrum of personnel with collective knowledge of all areas in risk assessment and business planning

• Develop mechanisms to anticipate, identify, and react to routine events or activities that affect achievement of entity or activity-level objectives

• Senior management should periodically report on risk management to the audit committee or board • Work with the independent auditors and other third-party experts to appropriately address complex changes in accounting or regulation

© Wipfli LLP

17

© Wipfli LLP

18

2. Control Environment • Integrity & ethical values of management • Commitment to competence • Board oversight & interaction w/auditors • Management philosophy regarding risk • Organizational structure • Assignment of authority & responsibility • Human resource policies

Internal Accounting Controls for the Understaffed Nonprofit

9

Control Enviornment Tools & Methods to Achieve

COSO Objectives • Demonstrate commitment to character, integrity & ethical values • Establish the consciousness of the organization • Set the “tone” and foundation for all the internal controls • Demonstrate the competence of the entity's people and management • Enforce accountability, attention, and direction provided by the audit committee and board of directors • Exercise oversight responsibility • Establish structure, authority and responsibility

• Mission statement • Ethics statement, code of conduct, and other key policies (e.g., acceptable business practices, conflicts of interest, etc.) • Standing board committees with charters (e.g., Audit Committee, Nominating & Corporate Governance Committee, Compensation Committee) • Tenure and depth of senior management experience, including the CEO, CFO and COO • Training to support execution of staff and management’s assigned duties • Formal job descriptions • Segregate incompatible activities

© Wipfli LLP

19

3. Control Activities Policies and procedures to help ensure that management directives are carried out • Physical controls (facilities) • Information processing (e.g. check accuracy, completeness & authorization of transactions) • Performance reviews (e.g. budget to actual) • Segregation of duties

© Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

20

10

Control Activities COSO Objectives • Establish policies and procedures that help ensure management directives are carried out • Ensure controls address risks • Establish controls throughout the organization at all levels and in all functions • Ensure action is taken on exceptions • Review the design and operating effectiveness of controls • Select and develop controls over technology

Tools & Methods to Achieve • Monitoring • Policy • Segregation of duties • Verification • System access • System automation • Board oversight • Financial review • Authorization • Transaction review • Reconciliation • Entity level controls (e.g.,, Company-wide programs, controls and/or monitoring)

© Wipfli LLP

21

4. Information and Communication

Methods and records used to record, process, summarize, and report transactions and to maintain accountability over assets, liabilities, and net assets • • • •

Accounting records Accounting processing Financial reporting process Communication of employee duties and responsibilities • Disaster recovery • Includes IT controls © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

22

11

Information and Communication COSO Objectives • Ensure that pertinent information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities • Demonstrate the organization communicates internally and externally • Produce reports containing operational, financial, and compliance-related information • Communicate to all personnel that control responsibilities must be taken seriously • Ensure significant information can be communicated upwards within the organization. • Exercise effective communication must occur down, across, and up an organization and with parties external to the organization

Tools & Methods to Achieve • Conduct monthly conference calls • Accounting bulletins and a company handbook • Standard half-day employee orientation that addresses company ethics and values issues • A record retention period that follows all applicable federal, state and local laws (Generally 7 years) • Conduct a surveyed to determine the information that is needed or desired • Period-end reporting deadlines that allow for an appropriate review by management • Whistleblower hotline

© Wipfli LLP

23

5. Monitoring Assessing the quality of internal control performance over time, including taking corrective action, using: • Internal audit • External audit • Special assessments of internal controls • Input from personnel • Input from third parties (e.g. donors, grantors, vendors, etc.)

© Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

24

12

Monitoring COSO Objectives

Tools & Methods to Achieve

• Assess the quality of the entity's internal control performance over time by conducting ongoing and/or separate evaluations

• Internal audit or personnel with the requisite skills and independence periodically evaluate areas

• Ensure internal control deficiencies are reported throughout the organization with serious matters reported to top management and the board

• Investigate complaints of improper financial matters by external parties such as suppliers or regulators are fully investigated and documented

• Detect and remediate control deficiencies throughout the entire system of internal control over financial reporting

• Use surveys and focus groups to understand employee perceptions • Required employees to acknowledge compliance with the code of conduct • Require signatures to verify performance of significant control functions such as reconciliations • Checklists, questionnaires, or programs © Wipfli LLP

25

Application of Internal Controls Each of the five inter-related components have application to each of the three objectives of internal control: 1. Operations 2. Financial reporting 3. Compliance

So really there are 15!!

© Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

26

13

Internal Controls and the Audit

Let’s look at controls for significant classes of transactions and account balances.

© Wipfli LLP

27

Revenue and Cash Receipts The goal is to segregate as many duties as possible; especially the recording of revenue, receipt of funds, and maintenance of accounts. When one person controls all three of these functions, the potential for fraud increases

© Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

28

14

Revenue and Cash Receipts There should be a segregation of duties in the following areas: • Billing • Recording revenue in the accounting records • Receipt of payments • Initial recording of collections • Preparation of deposits • Posting of receipts to the accounting records • Reconciling the bank statement • Reconciling accounts receivable subledger with the general ledger © Wipfli LLP

29

© Wipfli LLP

30

Revenue and Cash Receipts Ideally, each of those duties should be performed by a different person. In reality this is often not possible due to the small size of the finance department.

Internal Accounting Controls for the Understaffed Nonprofit

15

Revenue and Cash Receipts General Preventive Controls • Restrictive endorsement of checks received • Timely depositing of funds – daily • Lock up undeposited funds in a safe

© Wipfli LLP

31

Revenue and Cash Receipts • Use of a lockbox • Dual control over the intake of receipts contributions • Segregating the duties associated with accepting or handling payments from those associated with posting credits to customer accounts - preparation of a listing of payments received by someone who does not have access to the accounts receivable records. • Requiring proper authorization of credits prior to posting credits to a customer account © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

32

16

Revenue and Cash Receipts General Detection Controls • Maintaining a permanent record of the initial intake of all funds by date received, payor names, amounts, form of payment, and a description of what the payment is for. • Periodic reconciliation of the cash receipts log with deposits made to the organization’s bank. • Periodic reconciliation of cash receipts log with revenue recorded on accounting records.

© Wipfli LLP

33

Purchasing and Disbursements Ideally there should be a segregation of duties in the following areas: • • • • • • • • • •

Purchase request Purchase authorization Receiving – supplies, other items Recording of accounts payable Approval of vendor invoices Check writing Recording of disbursements Delivery of checks to vendors Reconciliation of accounts payable subledger Reconciliation of bank account © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

34

17

Purchasing and Disbursements Controls over purchasing and cash disbursement process are essential to the safeguarding of cash. Key control areas: • Check writing process • Payment authorization and approval • Delivery of checks • Bank reconciliation

© Wipfli LLP

35

Purchasing and Disbursements Common controls over check writing process •

Pre-numbered checks in sequential order

•

Prohibiting the signing of a check in advance

•

Limiting or prohibiting the use of signature stamps

•

Prohibiting the writing of checks that are payable to “cash”

•

Keeping the list of authorized check signers updated

•

Physical security over unused checks – locking them up and limiting access

•

Appropriate authorization prior to check preparation © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

36

18

Purchasing and Disbursements Common controls over check writing process (cont.) • • • •

• • •

Requiring two signatures on checks in excess of a certain dollar amount Mailing all checks promptly after signature Locking up all signed checks that are not mailed the same day Reconciling the bank statement in a timely manner by someone other than the person who writes and records checks Properly voiding checks Writing off as void all checks Maintaining a list of voided checks as well as physical custody © Wipfli LLP

37

© Wipfli LLP

38

Purchasing and Disbursements Payment authorization and approval • • • • • • • • • • •

Require original invoices (no copies or statements accepted) Match with receiving reports Match with purchase order Match with vendor bid/proposal Review of invoice Mathematical accuracy Description of goods or services Quantities and prices Vendor information Documented approval by purchasing agent Cancellation of invoice

Internal Accounting Controls for the Understaffed Nonprofit

19

Purchasing and Disbursement Check Delivery • Mail by individual other than the one authorizing the expenditure and the individual that prepares the checks • Avoid direct delivery to vendor by purchasing agent

© Wipfli LLP

39

Purchasing and Disbursements Bank Reconciliation • Review statement for duplicate checks or unnumbered checks • Investigate gaps in check numbers • Review statement for other debits • Examine returned checks • Signs of alteration or forged signatures • Review endorsements for consistency • Compare payees with check register or disbursements journal • Verify lists of voided checks © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

40

20

Payroll Payroll is typically one of the largest expense line items an Agency has. There are several general controls an Agency should implement.

© Wipfli LLP

41

Payroll Ideally there should be a segregation of duties in the following areas: • • • • • • • • •

Authorizing pay rates and changes Entering master employee data into the payroll system Entering timekeeping information Authorizing timekeeping information Processing payroll Distributing payroll Transferring funds to the payroll bank accounts Reconciling the payroll bank accounts Posting payroll to the general ledger © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

42

21

Payroll General payroll controls • Maintaining written policies and procedures for timekeeping and payroll processing • Utilizing a separate bank account for payroll • Use of pre-numbered checks in sequence • Maintaining proper physical security over unused payroll checks • Holding unclaimed payroll checks

© Wipfli LLP

43

Payroll General payroll controls (cont.) • Maintaining a detailed payroll register that lists every paycheck along with total gross pay, all payroll withholdings and net pay • Use of a timekeeping system • Review and approval of payroll tax returns • Review of the posting of payroll from the payroll register • Authorization in writing of all salaries and wage rates by a designated Agency official © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

44

22

Property and Equipment Ideally there should be a segregation of duties in the following areas: • Budgeting for asset additions • Purchasing of property and equipment • Receipt of new property and equipment • Maintenance of property and equipment inventory records • Write-off of property and equipment that are fully depreciated, obsolete or unused • Physical inventories of property and equipment © Wipfli LLP

45

Property and Equipment General controls over property and equipment • Establishing an Agency-wide and departmental budget for additions of property and equipment • Maintaining proper physical security over the Agency’s premises and buildings • Establishing appropriate capitalization thresholds for additions of property and equipment • Using renumbered identification tags on all newly acquired property © Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

46

23

Property and Equipment General controls over property and equipment (cont.) • Creating a property and equipment listing • Periodically taking physical inventories of property and equipment and reconciling the physical inventory with the property and equipment listing • Utilization of a disposal form to document requests and approvals for writing off property and equipment that is no longer used • Maintaining appropriate levels of insurance over theft of and damage to property and equipment © Wipfli LLP

47

© Wipfli LLP

48

Information Technology The most important element of information technology is the security plan. It should address: • Physical access • Controls over access to data • Data input controls • Software controls • Protection of hardware • Disaster recovery

Internal Accounting Controls for the Understaffed Nonprofit

24

Information Technology Physical Access • If possible the server should be in a separate room • Access should be restricted to authorized personnel • Room should be locked at all times

© Wipfli LLP

49

Information Technology Controls over access to data • Access to data should be restricted to only those individuals authorized • Read-only access to modules • Restrictions on copying of data • Restrictions on adding, deleting or changing data

© Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

50

25

Information Technology Data Input Controls – provides assurance regarding the integrity of data that is being entered into the system • Verify pre-numbered forms sequence • Review input files prior to processing • Use of check fields to determine if data entered is proper • Validity of data checks

© Wipfli LLP

51

Information Technology Software controls • Document all changes in software • Review and authorize all requested changes to software • Restrict access to software

© Wipfli LLP

Internal Accounting Controls for the Understaffed Nonprofit

52

26

Information Technology Protection of Hardware • Communicate the risks of off-site use of laptops • Require that data stored on a laptop be backed up prior to taking off-site • Permanently mark laptops as property of the Agency

© Wipfli LLP

53

© Wipfli LLP

54

Information Technology Disaster Recovery Key Elements • Identification of the applications that are necessary in order to keep the organization operating • Storage of program files and software • Data files backed up on a regular basis • Off-site storage of data backup files

Internal Accounting Controls for the Understaffed Nonprofit

27

www.wipfli.com/ngp Connect with me: Bring Wipfli to You: www.facebook.com/WipfliNGP

My Wipfli – Access to our experts:

Tammy T. Jelinek [email protected] 608.270.2954

Evaluation:

Regulation questions Audit Process Human Resource Technology Leadership

Thank You! www.wipfli.com/mywipfli

Internal Accounting Controls for the Understaffed Nonprofit

© Wipfli LLP

55

28