By Mike Nurse, CPA, CFE, CGMA
An organization’s board of directors plays a unique and important role in providing the internal control oversight.
Internal control is defined by COSO1 as a “process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” It is an equally important concept for all organizations to understand regardless of size or entity type.
Internal Controls and the Small Not-for-Profit
For small non-profit organizations, however, a board member’s role becomes increasingly more important because of certain inherent challenges. For example, having a limited staff can create challenges in maintaining adequate separation of duties. The close-knit culture of some small organizations may also promote the illusion of trust and the expectation that all employees are compassionate and ethical—which may not be the case.
These types of challenges can weaken or break down a small organization’s internal controls, which govern financial activities and jeopardize the organization’s operations. This is why it’s important to understand your role as a board member when it comes to internal control oversight.
What’s the Board Member’s Role?
Here are ten important roles that board members should keep in mind when it comes to internal control oversight. The Board should:
- Be made up of individuals who have sufficient independence from management—in action, in appearance, and in actuality. Independence strengthens the board’s ability to enforce accountability by management and helps to avoid the perception of conflict of interest, both by staff and by the public.
- Oversee the development and implementation of internal controls by the CEO or senior management. Even the smallest non-profit organizations can implement some degree of internal control, and it is the board’s responsibility to ensure that management is implementing and enforcing them.
- Monitor management’s response to accounting and reporting control deficiencies and weaknesses. A control deficiency or weakness is a serious problem that has been identified by an internal or external audit function. The Board is responsible for holding management accountable for responding to and acting on these findings timely.
- Work with management to establish standards of conduct and an ethically sound tone at the top. The board should help to define expectations about financial reporting transparency, integrity, and ethical values. The tone at the top trickles down through the organization and sets a consistent tone and overall standard for conduct.
- Maintain direct and open reporting lines, such as a whistleblower policy to report business conduct issues or nefarious activity. Having a weak or inconsistent reporting policy can discourage those who would otherwise report on internal control or conduct issues. According to the Association of Certified Fraud Examiners ‘Report to the Nations’, an anonymous phone or email “hotline” is the most frequently reported detection method in the initial finding of fraud. A hotline is inexpensive and easy to set up for any organization, regardless of size.
- Define and evaluate the skills and expertise needed among its members to be able to understand and identify issues affecting the organization. For example, the treasurer should have a strong understanding of finance and accounting to perform his or her duties successfully.
- Engage in “constructive challenge” conversations with management. The ability to identify and verbalize focused questions allows board members—who have limited time—to leverage their experience and maximize their benefit to the non-profit organization. The board should require follow-up and corrective action for all issues identified through this process.
- Create oversight structures, such as committees to focus on specialized topics. For example, an audit committee should be created to oversee internal controls and promote transparency over the organization’s financial reporting.
- Consider the organization’s internal and external risks and challenge management’s assessment of those risks. Identifying an organization’s potential risks is a key component in creating controls that will help the organization reach its goals. Risks should be considered on a continual basis as the organization or business environment changes or grows.
- Exercise its fiduciary responsibilities to stakeholders and practice due care in oversight, which includes preparing for and attending meetings, reading the financials, attending board training if needed, and other various duties that promote the organization’s success and well-being.
Of a board member’s many responsibilities, internal control oversight is one of the most important roles in helping an organization reach its goals. The board should be instrumental in setting the tone at the top and ensuring that management is following through with their responsibilities and action items.
Boards of small non-profit organizations should take special care, as these organizations often lack the resources that bigger companies have (e.g. internal audit). Understanding these roles and concepts will go a long way toward creating a strong internal control environment.
Please contact Mike Nurse with questions about this article.
 COSO is an acronym for Committee of Sponsoring Organizations of the Treadway Commission. The committee was formed in 1992 as a joint initiative of five organizations, including the American Institute of CPA’s and the Institute of Internal Auditors, among others. Since that time, the committee has been developing and refining frameworks and guidance around enterprise risk management, internal control and fraud deterrence, with the most recent revisions of the Internal Control – Integrated Framework model in 2013.
© Clark Nuber PS, 2017. All Rights Reserved