5 steps to strengthen internal controls at small businesses and not-for-profits


By Sandi Matthews, CPA, CGMA

Internal controls may lag at smaller organisations as managers sacrifice them for the sake of service delivery, particularly at cost-conscious not-for-profits and start-up organisations.

Yet the risks are too great to ignore. Consider that the Association of Certified Fraud Examiners (ACFE) in its Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study found that businesses with fewer than 100 employees are more vulnerable to occupational fraud. The median annual fraud loss for religious, charitable, or social service organisations was $82,000. This amount does not take into account the cost to the organisation’s reputation. Because charitable organisations are in the public eye, the occurrence of fraud, or even allegations of fraud, can significantly affect an entity’s ability to attract support.

There are many approaches to risk management, but the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control – Integrated Framework can be used by virtually any organisation, large or small, to strengthen governance, improve the reliability of financial reporting, and deter fraud. The COSO framework emphasises that internal controls should be designed with consideration for the entity’s unique environment and its risk tolerance. It does not prescribe specific activities. Instead, it offers a structured approach to making risk-based, informed decisions. Applying the COSO framework, leaders can lend analytical abilities to identify risks and optimise controls to support critical processes.

Here are five low-cost steps to consider as a starting point:

Set a strong tone internally. Internal controls are processes affected by people and the actions they take every day in our organisations. The ACFE’s study showed that only 6.4% of fraud is discovered by external auditors. Internal controls involve everyone in an organisation, and the board and leadership team set the tone.

Provide a formal system for individuals to raise concerns without fear of retaliation. The ACFE study found that fraud is most often discovered from tips – in 29.6% of cases. The best thing managers can do is create a mechanism by which employees can report concerns. Even the smallest organisation can adopt a whistle-blower policy and incorporate that policy into employee handbooks and training for new workers. The online resource library of the American Institute of CPAs’ Not-for-Profit Section has a sample of such a policy, which can be downloaded and tailored to individual organisations.

Be attuned to what is happening within the organisation. Managers should be aware of conflicts, tensions, pressures, or incentives that could compromise decision-making, integrity, and the reliability of the entity’s financial reporting. Examples of such pressures could be aggressive growth goals, a poorly designed incentive-based compensation structure, or unbalanced workloads that lead to unfair treatment, employee resentment, and burnout. Employees who are under pressure are more prone to ignore internal controls or take advantage of control weaknesses for their own benefit.

Focus on relationship-building and open communication. It is possible to maintain an attitude of professional scepticism and, at the same time, build relationships on a foundation of trust. One way: adopting open-book management practices and explaining not just “how” but “why” particular processes are needed from a business perspective. Address issues of noncompliance first by identifying the behaviour you observed, then giving the employee an opportunity to voice his or her concerns. Second, acknowledge the employee’s viewpoint and then explain the business reason for the change. Finally, clearly state your expectations going forward. Use “I” instead of “you” in communication. Example: “I noticed that your supervisor did not preapprove this transaction” is better than “You didn’t get proper approval from your supervisor.” Keep interactions professional, not personal.

By establishing controls and processes that did not exist previously, you may cause an internal power struggle. An employee may perceive a new process, such as a new procedure for authorising transactions, as a sign of distrust. Give employees a chance to express concerns before implementation, and be sure to explain the business rationale.

Consistently enforce policies across the entity to uphold fairness. Periodic, one-on-one discussions with individuals about organisational policies can be enlightening. Training new employees is a given, but some organisations fail to apprise employees of the acceptable use of the organisation’s property, including confidential and sensitive information. Check references and conduct pre-hire and periodic background checks, particularly for employees involved in the finance or accounting function and for those who have access to sensitive information. Also, review IT systems access logs. As much as possible, separate duties so that no single individual has control of all aspects of a transaction, and separate authorisation from recordkeeping.

In small organisations, unwritten policies can be effective where a process has existed for a long time and is a well-understood practice and where communications channels involve a minimum number of management levels as well as close interaction with, and supervision of, personnel. Keep in mind, though, that no matter how well designed controls are, they are not failsafe. Although managers cannot prevent all problems from occurring, the leadership tone they set by treating individuals fairly, and identifying and remedying issues, sends a strong signal about activities that are acceptable and those that are unacceptable.

The AICPA’s Not-for-Profit Section has resources on risk management and internal controls for NFPs. It recently published a new e-publication, the Controller Toolkit for Not-for-Profit Entities, that has sample policies and transaction cycle narratives to assist with the design and implementation of internal controls.

Sandi Matthews (smatthews@aicpa.org) is technical manager of the AICPA’s Not-for-Profit Section. She is speaking on the topic of internal controls at the AICPA National Governmental and Not-for-Profit Training Program, Oct. 17–19.