As auditors of not-for-profit organizations, we are often asked what policies are critical for organizations. Though much depends on the type and size of the organization, there are three key policies that all not-for-profits should have:
- Code of ethics
- Whistleblower policy
- Record retention and document destruction policy

Code of Ethics

One of the most valuable assets of a not-for-profit is its reputation. In recent years, more and more organizations have had public scandals that have impacted the organization by severely reducing its contributions or grants or by making the organization close its doors forever. One of the easiest ways to help prevent damage to an organization’s valuable reputation is through what is known as the “tone at the top.” The tone at the top is primarily conveyed through the actions of management and the board, both internally and externally, but also through policies such as a code of ethics. Employees and board members come from different backgrounds and will often have different definitions of what is ethical behavior. A code of ethics establishes a common framework for employees, management and the board to make decisions when interacting with donors, grantors, vendors and the media by defining what ethical behavior is in the organization. Furthermore, it can reduce subjective or inconsistent management decisions, which saves time, money and potential adverse results from an unethical decision. When preparing the organization’s code of ethics, management should:
- Define what ethical behavior means at the organization and provide specific examples of unacceptable behavior.
- Convey the significance of the policy by requiring all employees and board members to sign a copy of the policy upon hire or appointment to the board.
- Periodically review the policy for relevance and changes in current laws or norms of the organization.

Whistleblower Policy

The 2014 Report to the Nations Global Fraud Study published by The Association of Certified Fraud Examiners noted that tips are the most common way of discovering fraud. The report also noted that, by adding a fraud hotline, an organization can increase the number of frauds detected and, on average, cut the cost of fraud by 41 percent and the time to detection by 50 percent. Establishing a whistleblower policy can make a big difference to the organization’s reputation and bottom line. When preparing the organization’s whistleblower policy, management should:
- Clearly state that fraudulent activity is not tolerated by the organization and it is the responsibility of all employees to report violations or suspected violations.
- Include a “no retaliation” section, noting that retaliation will not be tolerated in any form and if it does occur it will be promptly investigated. The Occupational Safety and Health (OSH) Act passed in 1970 protects workers from retaliation under 22 federal laws.
- Provide a hierarchy for reporting issues internally, including options for when the person in question is the person that would typically receive the complaint. In this situation the policy may direct the employee to contact someone on the board.
- Reference the organization’s code of ethics policy. This policy often requires the board, management and employees of the organization to observe high standards for business and personal ethics.
- Consider including a whistleblower hotline, which provides additional anonymity and has been shown to make employees more likely to report potential or actual wrongdoing.
- Illustrate examples of what is considered fraud and would therefore be reported through this process versus another type of complaint that should be resolved through other outlets. These examples will help direct employees to appropriate outlets and will reduce the costs of investigating items that are not fraud.

Record Retention and Document Destruction

Organizations retain documents for a number of reasons, and some documents are legally required to be maintained for a specified period of time. Others are critical in supporting accurate accounting records, and some are retained for knowledge transfer when there is a turnover in staffing. All of these needs must also be balanced against the organization’s physical and electronic storage capabilities. When preparing the organization’s record retention and document destruction policy, management should:
- Begin by determining what types of documents the organization has. These may include employee records, accounting records, tax records, board minutes, email communications, department policies and federal or non-federal grants and contracts.
- Research if any document types are governed by federal, state, local or international statutes.
- Assign a retention period for each type of document. For some documents, professional judgement must be used. Typical retention periods include:
  - 3 years: employee applications, I-9 forms, and cash and credit card receipts;
  - 7 years: contracts, journal entries, employee offer letters, and invoices; and
  - Permanent: corporate documents, IRS application for tax-exempt status, IRS determination letter, annual audits, and IRS form 990 tax filings.
- Describe not only the system for filing and maintaining the documents, but also the process for destroying the documents once the established time period has passed.
- Create a process to review all retained documents and establish their destruction timeline, then ensure the documents are destroyed on time. Documents that are not destroyed are legally discoverable if the organization is sued.
- Decide how the documents should be destroyed. If the document is confidential in nature, a secure method to shred physical documents must be established. Examples of confidential documents may include those containing Social Security numbers, dates of birth or bank account information.
- Identify who within the organization is responsible for the different types of documents. The organization may choose to designate one person in the accounting department for retaining accounting records and another within the human resource department for maintaining employee personnel records.
- Require draft documents to be destroyed as soon as official signed versions are available.
- Remind employees that it is a crime under Section 802 of the Sarbanes-Oxley Act to intentionally destroy, alter, falsify, etc. any records, documents or tangible objects that are involved in or could be involved in a U.S. government investigation or prosecution of any matter or in a Chapter 11 bankruptcy filing.
- Create a system to halt all document destruction once the organization is aware that it is under investigation or it may be subject to legal proceedings.

By adopting these three policies, an organization can protect its valuable reputation, be more efficient in making decisions, detect fraud in a timely manner and protect the organization from knowledge loss and excess liability.