March 31, 2016

I was recently at a not-for-profit (NFP) conference and asked audience members to stand up if they had received donations by cash on behalf of their organization. There was some murmuring, but only about 5% of the audience stood up. By check? About 40% of the room stood up. Credit card? More than half the room was now standing. Wire transfer? Some more stood, and when I finally got to grants via an Automated Clearing House (ACH) system, the entire room was standing.

I then asked the audience to sit down if they formally call out and test key systems that receive funding and donations as part of their IT general controls and application controls. Only about 10% in the room were able to sit down. In a perfect world, everyone should have been seated.

The need for greater transparency, cleaner reporting and electronic security are the key elements that build trust and integrity for those donating and using the services of your organization. The greater ability your organization has to promote a secure environment in terms of financial records and personally identifiable information (PII), the more confidence people will have in using and donating to your organization.

Now more than ever, the overwhelming trends for receiving donations and funding is via electronic means. Campaigns are run via social media, donations are received via apps on smart phones, and donor registration information supplied over webpages.  Being confident in your electronic security is essential.  However, many NFP organizations are still focused purely on the manual element of reporting on their accounting records, grant approval and distribution procedures.

The most effective way to cover your operations is by calling out a complete suite of internal controls and regularly performing a risk assessment to address your ever-changing risk profile. There are many definitions out there for internal control(s), but I generally lean toward the one provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).  An internal control is broadly defined as a process  ̶  effected by an entity’s board of directors, management and other personnel  ̶  that is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

I like this definition because it’s sequentially accurate to how all reporting is currently performed.  So, before you can have an accounting system, you need an effective and efficient level of operations to securely run your accounting software. I believe this puts identifying and validating your IT general controls and associated application controls even before the manual controls around your accounting software. Consider this: Without effective IT change management controls, how do you even install your accounting software?

The COSO framework lists five interrelated components (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) that are derived from the way management runs a business and are integrated with the management process.

The Control Environment component embodies the mission statement and vision your organization has spent time defining and promoting. It sets the tone and should have factors that reflect ethical values, integrity, management’s philosophy and operating style.

The Risk Assessment component is an essential annual process to keep you and your organization abreast of the ever- changing risk landscape within which you operate. If your organization doesn’t perform an annual risk assessment, then you have an immediate action item. This process doesn’t take long, it can provide a voice to areas within your organization that you may not be familiar with, and, most importantly, the process should collectively define your identified risks into risk definitions.

By gaining consensus of the definition of each individual risk to the organization, you by default educate all the key participants and, in many cases, break down any silos within the organization. The better your people understand the risks your organization faces, the better chance you have at preventing, detecting and mitigating those risks.

Control Activities are where I think the COSO frame work could get slightly more prescriptive. I’ve provided the whole narrative from COSO below:

Control Activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

I like to look at control activities as they fall across the organization as control types. I break these down in to five groups:

  • Entity level controls
  • Manual controls
  • IT dependent manual controls
  • Application (or system) controls
  • IT general controls (ITGCs)

Of these control types, the last two –  application controls and ITGCs –  are where I believe there is a great need to have these called out, documented, and tested to give you a complete suite of internal controls to cover the operations of the entire entity. At an even more detailed level, you can further classify application controls into two types: embedded and configurable. And, at the IT general controls level, break these into three categories: security – logical access, change management and operation controls.

At Clark Nuber, we are focused on bringing a lean version of these IT general controls and application controls into an easy format to assist NFP organizations on getting a handle on their complete suite of controls.

In this day and age, where the velocity of negative social media or the leak of a data breach or publication of fraud can cripple the brand and trust of your organization, it is essential to have strong security practices in place. Support this by understanding how system changes and reports are formatted and ultimately backed up, and it puts your organization at a distinct advantage over organizations not embracing this need.

© 2016 Clark Nuber PS. All Rights Reserved

This article contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.