Perhaps you cringe when you see news stories on nonprofit fraud, worrying that your organization could be next in line to be cheated and scandalized. If strengthening internal controls is at the front (or the back) of your not-for-profit’s to-do list, now is as good a time as any to do something about it.
A sensible starting point is a look at Internal Control — Integrated Framework, a document issued in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The framework can help you establish, strengthen and assess the controls set up to safeguard your operations from fraud.
Is it required?
Although publicly held companies are required by the SEC to evaluate internal control over financial reporting using a recognized control framework, other for-profits and nonprofits aren’t required to use a framework for the oversight of internal controls. Auditors do generally rely on the framework’s concepts when they assess internal controls. And the framework is mentioned as a resource for “best practices” in the new Uniform Guidance for federal grant awards.
Even if you’re under no obligation to follow COSO, its framework has proven over the years to be an effective risk management tool for many different types of organizations. The updated version, which incorporates recent technological developments, the move toward increased globalization and the demand for better governance, is designed to help organizations apply internal controls more broadly to operations, reporting and compliance objectives.
What’s the foundation?
Both the original and revised COSO frameworks are built around several interrelated components:
- Control environment — a set of standards, processes and structures that provide the basis for carrying out internal controls, such as ethical values, performance measures and people management,
- Risk assessment — the process for identifying and assessing risks related to achieving an organization’s objectives,
- Control activities — actions that help ensure that management’s directives to mitigate risks are carried out, such as authorizations and approvals, verifications, reconciliations, and segregation of duties,
- Information and communication — the flow of information necessary to support the internal control function, including continual communication throughout the organization, between board members and executives as well as with external stakeholders, and
- Monitoring — both separate and ongoing evaluations of the internal control system’s performance over time and reporting of any deficiencies that are found.
COSO stresses that each of these components must be in place and fully functioning for an internal control system to be effective.
To help organizations turn abstract concepts into actionable items, the new framework introduces 17 principles related to the five components. For example, three principles apply to “control activities”:
- Select and develop control activities that mitigate risks,
- Select and develop technology controls, and
- Deploy control activities through policies and procedures.
In addition to the 17 principles, COSO offers 81 “points of focus” in its report. These provide guidance in designing, implementing and conducting internal controls and in assessing whether relevant principles are present and functioning.
What are your internal control concerns?
If governance is a particular concern, you might focus on the framework’s guidance about directors’ independence from management and best practices for expertise on audit committees.
If your nonprofit’s concern is employee fraud, you can use the framework to assess current risks (such as poor hiring decisions), strengthen controls (such as annual performance reviews), and communicate ethical expectations to staffers.
Or if a new accounting software system is being selected, you can use the framework to help guarantee that the selection process follows proper acquisition procedures. Following the framework also can ensure that the product selected is subject to strong controls related to password protection and security levels that allow access only to the appropriate users.
Nonprofits have looked to COSO for guidance in designing, strengthening and assessing internal controls for more than two decades. With the revised framework for internal controls still in its childhood, consulting the document for inspiration and direction makes more sense than ever.