As auditors, we are often asked for guidance on how to implement strong controls in small organizations. The key is, at a minimum, to segregate the four functions in the accounting process, 1) authorization, 2) custody, 3) record keeping and 4) reconciliation, so that every transaction cycle has at least one other person performing at least one of the functions.
Depending on the size of the organization, this may require the enlistment of employees outside of the accounting function to assist with maintaining controls. While segregation of duties is not a sure way to prevent, detect and deter fraud, it’s a good starting place.
Sample Controls by Accounting Function
- Invoices are approved by department heads prior to entry into the general ledger by the accountant.
- Checks are approved and signed by the executive director prior to payment.
- Payroll disbursements are approved by the executive director prior to payment.
- Unopened bank statements are reviewed by the executive director or treasurer before passing them on to the accountant.
- Expense reimbursements are approved by the employee’s supervisor, and the executive director’s expense reimbursement is approved by a member of the board.
- Cash is received and logged into a deposit sheet by the receptionist.
- Deposits are made by the accountant.
- Checks are kept in a locked location and prepared only by the accountant, who is not a signer on the account.
Record Keeping
- Only the accountant has write access to the general ledger; the executive director has read access only.
- Deposits are entered into the general ledger by the accountant.
- The executive director or treasurer reviews manual journal entries on a monthly basis.
- Bank reconciliations, including the deposit sheet, bank statement and general ledger detail, are prepared by the accountant and reviewed by either the executive director or the treasurer.
- Monthly financial statements are reviewed by the executive director, department heads who approve invoices and the finance committee.
In addition to segregation of duties, an organization must also implement organization-wide policies and procedures. These policies and procedures provide additional oversight. For smaller organizations these are, at times, more easily implemented as they do not require significant staffing to accomplish.
Organization-wide Policies and Procedures
- Require all employees to take at least 2 weeks of vacation per year.
- Perform evaluations for all staff.
- Conduct background checks on all employees.
- Have separate passwords and usernames for all employees and require passwords to be changed at least annually.
- Prepare an accounting policies and procedures manual.
- Implement a whistle-blower policy.
- Have an annual audit.
- Require all employees and board members to sign a code of ethics policy and provide ethics training on an annual basis.
- Send thank-you letters for all contributions. Ensure the letters are sent by someone outside of accounting.
- Review monthly financial statements, comparing budget to actual for the statement of activities, and regularly review a statement of financial position. Update budgets for expenses in proportion to actual decreases in revenues.
- Establish a strong “tone at the top” so it is the rule that all employees act ethically, not the exception.
- Be quick to prosecute fraud or unethical behavior when it occurs and let employees know about the consequences.
One might think that once the above segregation of duties, policies and procedures are implemented, the organization is surely protected from fraud and errors. It is important to remember that internal control is an ongoing process, not just segregation of duties. There are other factors the organization must consider. For example, author Donald R. Cressey described the following three factors present in every fraud:
To deter fraud, an organization must create an ethical environment, reduce employees’ opportunities to commit fraud, and monitor pressures on employees to commit fraud.
Organizations can create an ethical environment by adopting a code of ethics as discussed above, but also by having an appropriate response when unethical behavior is discovered, which may include terminating the employee and/or contacting the local officials.
Reducing an employee’s opportunity to commit fraud can be accomplished by cross-training employees on tasks and requiring annual vacations so that other employees have an opportunity to discover any irregularities. Ensuring monthly reconciliations are being performed and reviewed in a timely manner will create a detective control to identify fraud.
Creating a whistleblower policy will also increase the likelihood of catching fraud. The Association of Certified Fraud Examiners’ 2014 Report to the Nations on Occupational Fraud and Abuse reported that organizations with a whistleblower hotline are 54% more likely to discover fraud than those without a policy. Additionally, when looking at how fraud is discovered, the report noted that the most common way is through an employee tip. Other detection sources include internal audit (146%), management review (16%) or external audit (3%).
A small organization can create an environment that deters and detects fraud and abuse by taking into consideration the concepts above. However, it is important to remember that there is not a one-size-fits-all approach, and the above concepts must be customized based on the facts and circumstances of the organization.