This article was originally published on npENGAGE.
At the beginning of the year, you may have seen a lot of commercials about losing weight without ever being hungry or dieting. Did those big promises of reward with no effort create trust or did they feel a little shady? For nonprofits looking for funding sources, trust is paramount. And if your big promise to donors or funding agencies feels a little shady, you will not be trusted to grow your mission and do the good works you are looking to fund.
Even when nonprofits balance their desire to do good works with a realistic view of the level of effort required to accomplish those goals, funding may still be elusive if there are not strong internal controls in place. Why is that? How are trust and internal controls intertwined? That is what we will explore in this article.
The Case for Internal Controls
While many discussions about strengthening internal controls start with implementation, I’d prefer to take a step back and ask “Why bother?” Why should the whole organization put forth the effort to ensure internal controls are implemented, improved, and integrated into the whole organization?
The answer may surprise you because the most important role of internal controls is not compliance, it’s trust-building. Now I’m not saying compliance with rules and guidelines is not important. It is. But the biggest loser when internal controls fail is the trust placed in you by your donors and the people you help.
Here’s an example:
In 2013, CBS News reported that the U.S. Justice Department froze federal grant funding to a nonprofit after an audit revealed that they couldn’t account for nearly $20 million dollars of federal funds that were drawn by the organization for mentoring youth. Three years of turmoil followed including replacement of the management team and moving the national headquarters not once, but twice. Three years later, the nonprofit reached a $1.6 M settlement with the Department of Justice and agreed to institute a strict compliance program.
Weak Internal Controls = Broken Trust
The three primary areas of the nonprofit organization that internal controls influence are operations, reporting, and compliance. When bad things happen at good organizations in any of these areas, the trust of your donors and the people you serve breaks down. The best intentions become irrelevant. Employee and volunteer morale suffers, and all the good that nonprofits do in the world becomes suspect. Finally, once trust is lost, it is expensive and time-consuming to rebuild among donors, employees, and the community at-large.
Too often that path of destruction starts with missing controls. Putting in place a few simple checks and balances could prevent many bad things from occurring. Fortunately, you can make a choice to increase the level of trust and effectiveness at your organization by understanding the basics of internal controls and taking steps to implement, improve and integrate best practices. How about it? Are you willing you leave the important job of internal controls to a “catch me if you can” environment? Or would you prefer to create a climate change of inclusiveness where everyone understands the important role they play in protecting the public trust?
What Are Internal Controls?
Internal controls can be defined as a series of actions to get a specific result. For example, on the highest level, internal controls should ensure that the organization can:
- Achieve their objectives in an efficient and effective manner
- Provide for reliable financial reporting
- Comply with laws, regulations and policies
On this same macro level, you can imagine things that would destroy trust:
- Wasteful spending
- Fraud or embezzlement of funds
- “Cooking the books” and misleading financial reporting
- Ignored or missing policies
- Disregarded regulations
- Broken laws
Internal controls are implemented, improved, and integrated so that the likelihood of these trust-destroying outcomes is reduced. But what exactly does an internal control system look like and what are the moving parts?
When you think of strengthening a system, it starts with understanding the framework it is built on. Like the children’s story the Three Little Pigs, that framework may be made of straw, sticks, or bricks depending on the importance internal controls has had in the culture of the organization.
Like the house built of bricks, a strong internal control system will have strength in multiple components from the framework to the defenses against risks. That system includes five main components:
Component 1: Control Environment
The Control Environment deals with whether or not all levels of the organization are committed to high levels of integrity and demonstrate those values in their day to day work. Next, is there a structure of responsibility and authority at the organization? This involves everything from authorizing spending based on a pre-determined signatory authorization policy to periodic employee and program performance reviews by appropriate levels of management. Senior management and the board set the “tone at the top” and communicate expectations for the rest of the organization. Organizational processes are evaluated in light of those expectations and variances to be reviewed and realigned in a timely basis with board oversight.
Component 2: Risk Assessment
Risk assessment is a term you may hear tossed around since the new Uniform Guidance took effect for federal grant recipients. For federal agencies, risk assessment means looking at whether or not a non-federal entity is a good bet to complete the objectives of the federal award in a responsible and effective manner. For pass-through agencies, a risk assessment is part of developing a plan for monitoring sub-recipients. When it comes to internal controls, the phrase “risk assessment” addresses ways to ensure that the organization has plans in place to identify, analyze, and respond to a variety of risks.
Auditors are looking for assurance that risk is being reviewed across ALL levels of the organization. The board and senior management start the process by ensuring that there are sufficient levels of expertise to make sure that effective oversight is happening.
Component 3: Control Activities
Control activities (which should not be confused with the control environment) are where the devil’s in the details. This part of an internal control system is where the actual tasks that can minimize the opportunities for waste, fraud, and abuse are put into place. Again this component of internal controls involves multiple levels of your organization when it works well.
Control activities can create both safety nets and security nets. One is designed to prevent bad things from occurring in the first place, the other is designed to detect bad things if and when they do happen.
Component 4: Information and Communication
Quality communication is an important component of successful grant management and internal controls. In fact, a culture that “black boxes” relevant information or allows silos between departments encourages a toxic environment both for internal and external stakeholders. When program folks don’t talk with finance folks and vice versa, it’s not just business as usual. It is a potential internal control risk!
Improving the reliability of financial information and allowing appropriate access to query functions are just some of the ways that communication can get stronger across the organization. Likewise moving to a common platform where information resides instead of multitudes of spreadsheets can help break down silos between departments. It doesn’t matter if you are funded by grants or donors, free-flowing communication and quality information are keys to meeting organizational objectives.
Component 5: Monitoring
Finally, it is not enough to build a great internal control structure without ensuring it is working as intended. Monitoring is designed to expose real life vs. wishful thinking. Are you sure that people in your organization are really following the requirements of a sound internal control system?
When implementing, improving, and integrating an effective internal control system, you can’t rely solely on the efforts of an auditor and the finance department. Increasingly, federal agencies and even private foundations will want to know that internal controls are a team effort.
Trust building is crucial to fostering healthy donor, funder, and employee relationships. Ensuring that a broad range of employees understand the key internal control components will minimize the risk of violating policies, regulations, and laws while improving the likelihood that the organization can achieve their objectives and have reliable reporting.
To learn more about how to implement strong internal controls at your organization, make sure to read the whitepaper, How to Build Trust with Strong Internal Controls.