What are you required to do? According to OMB Circular A-133 (which governs the administration of federal awards), organizations are required to:
“Maintain internal control over Federal programs that provides reasonable assurance that the auditee is managing Federal awards in compliance with laws, regulations, and the provisions of contracts or grant agreements that could have a material effect on each of its Federal programs.”
       To ensure that you have the proper controls in place, it is a good idea to perform an assessment of each of the compliance requirements that affect your federal grants. Here are a few questions you can ask yourself and others involved with the administration of the grant:
     “How do we know that case managers who are carrying out the program are fully informed of the provisions of the grant?”
     “What process do we have that would prevent an unallowable cost from being charged to the grant?
     “How do we know that participants in the program are eligible to receive services? Does anyone verify eligibility after the initial assessment?”
     “How do we make certain that we have paid for allowable costs before we request reimbursement from the grantor?”
     “How do we communicate changes involving the grant to those personnel who need to know?”
     “Do we routinely check the “Excluded Parties Listing System” to ensure that we are not doing business with any vendors that have been suspended or debarred?”
     “What process do we have in place to make sure that all reports were filed accurately and timely?”

     After doing this assessment, you may find that your internal controls need to be strengthened. If you need assistance with this, please give us a call.

• Determine staffing during collection times. For receipts over a certain dollar amount, always have at least two employees present (counting/depositing) to help lower this heightened risk factor.
• If receipts are provided to the donor or client: consider using a triplicate form. One copy to the donor/client, one that is included in the deposit report sent to the accounting office , and one to be retained in numerical sequence for accountability over the forms used.
• Maintain a cash receipts log when using numbered receipt forms. The log should include receipt number, date received, name of payor, amount of payment, form of receipt (cash, check, money order, etc.), check number and date (if applicable), and purpose of payment (if known or applicable).
• Posting signs at collection areas informing payors that they should get a receipt showing their transaction.
• When transporting cash receipts from the remote location back to the central office or bank, utilize a courier service if possible or appropriate. Minimally, keep receipts in a locked security bag with a trustworthy employee not involved in the recording or reconciliation process transporting the bag. If there is a large amount of receipts being transported, have two employees be involved for additional safety.
• After depositing the funds: have an employee other than the person making the deposit reconcile the deposit ticket to the validated deposit slip.
• Reconcile the cash received to register tapes or the cash receipts log at the end of each day or employee shift. Match the daily receipts to those posted in the general ledger; the deposit slip and the bank statement.
• Bank reconciliations should be reviewed and approved by a supervisor independent of preparation. This same individual should verify the “book balance” agrees with the general ledger balance.
• Consider performing unannounced (surprise) audits of cash receipts at remote locations.
• Lead by example: show your employees that your policies and procedures are sound and important by always following them yourself and having that expectation of your employees, with clearly defined consequences for skirting them.

The overall goal of these “cash collection” controls is to minimize fraudulent activity and errors before they can occur. Although these particular suggestions may not be appropriate at every organization, you can evaluate and adapt them to be compatible with your own. You should be able to think of a few other ways to protect yourself even further with the in-depth knowledge you have of your particular organization and situation. In fact, please share your own suggestions with the other readers of Mission Accountable by posting a comment on this article. Remember, it is not through any one of these suggestions, but a combination of maintaining integrity of accounting records and a strong control environment, separating duties, and implementing accountability and oversight, physical protections, and strong policies and procedures that will truly help your organization to be as effective and efficient as possible.

One of the most important controls you can implement is separating the duties of collecting, recording, depositing, and reconciling cash receipts. This simple step can have a strong effect on preventing mishandling and safeguarding against losses. Unfortunately, many organizations do not have enough personnel to effectively separate these duties and, depending on the average value of these collections, it may not be cost-effective to hire someone new. This is why having other strong controls in place can really help safeguard your cash receipts.

The following are a few suggested controls that you can tailor to your particular organization to help mitigate the risk of loss:

• Establishing written collection policies and procedures to clearly outline duties and responsibilities to employees involved in the process.
• Restrictively endorsing all checks immediately upon receipt.  For example, you can imprint the checks with a stamp that says “For deposit only” as they are collected.
• Depositing cash receipts in the bank every day or as often as necessary for the circumstances of your particular organization and always depositing them fully intact to ensure that the total receipts is equal to the total bank deposits.
• Documenting and recording all cash receipts promptly.
• Utilizing strong physical controls, such as keeping the cash receipts in a safe or at minimum securely locked until deposited.

Remember, none of these suggestions are meant to be taken as-is: any one that you want to pursue needs to be tailored to your particular organization and situation and no one control will cover all of your risk areas.

However, as a general rule of thumb, if your organizational structure is prohibitive to implementing some of the more in-depth controls, focus more on the monitoring-type controls mentioned. When employees are aware that quality management oversight is taking place, they are far less likely to commit fraudulent acts.

Another post will follow shortly with even more suggestions for internal controls over cash receipts at remote locations. Don’t forget to check back soon!

If that’s really true, then why are are nonprofit organizations involved in almost 10 percent of all fraud cases reported in the study?

We often let our desire to trust other people cloud our judgment. Especially people we hired personally and have spent years building relationships with Monday through Friday. Deep down, we all believe we’re exceptional judges of character.

And that’s when it happens. 

If the most important fraud control in place in your organization is the ability to judge character in the people you hire, you may already be a victim.

If you’re concerned that you may be the victim of a fraud, or want more information on preventing fraud, we can help.

It can be a daunting task to get individuals to engage in making changes to the processes and controls already in place at their organization but when they are educated on how important the controls really are they may be more willing to with stain from their resistance to change.

The 2008 report to the Nation on Occupational Fraud and Abuse estimated that US organizations lose 7% of their annual revenues to fraud which translates to approximately $994 billion in fraud losses. Losses were noted to be significantly lower in the cases where the organization had implemented controls. Small businesses were noted to be especially vulnerable to occupational fraud. The median loss suffered by organizations with fewer than 100 employees was $200,000 which is higher than the median loss in any other category, including the largest organizations. Lack of adequate internal controls was most commonly cited as the factor that allowed fraud to occur.  To read more on this report go to http://www.acfe.com/resources/publications.asp?copy=rttn

One of the key parts of the ‘self-test’ reads as follows: “Internal control is a process designed to…achieve effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations.” What organization doesn’t want to process transactions more efficiently, have accurate financial statements to their stakeholders or ensure they are in compliance with applicable laws and regulations? Properly designed internal controls can lead an organization in the right direction.

I have found the following to be a handful of a few good controls (this is not intended to be a list of the minimum controls an organization should have; simply it is a few of the controls that I think are very important):

1. Do not underestimate the power of “Tone at the Top” – if management skirts issues under the table their subordinates will assume they can do the same. This includes maintaining an oversight body (Board of Directors, etc) that has intimate knowledge of how the company operates and understands how to read and process financial information
2. Implement “Big Brother” approaches – people are less likely to stray from doing the right thing if they know someone is out there watching over their actions

Another step I highly recommend is to gain an in depth understanding of your company’s processes and procedures and see where the weaknesses are; then develop internal controls to address the identified risks.

To take the brief test to determine your level of understanding of internal controls go here:  http://www.journalofaccountancy.com/Issues/2010/Mar/20092240.htm

In January 2010, Carl Ho, CPA posted an article on Blue Avocado (http://www.blueavocado.org) titled “Five Internal Controls for the Very Small Nonprofit” that gives some insight as to what the most important controls are for small organizations. The most important controls relate to checks and balances. Establishing a “tone at the top” so that policies are in place and all employees including management follow them. Other importants considerations include clearly defined responsibilities, locking up checks, using protected passwords on computers, having two people count cash together, reconciling bank statements timely, review of reconciliations or bank statements by someone other than the bookkeeper or preparer, requiring two signatures on checks, and not allowing the bookkeeper to be a check signer. Even with these procedures in place, fraud can occur if there is collusion or if management circumvents the policies or controls. For the full article visit, http://www.blueavocado.org/content/five-internal-controls-very-small-nonprofit.

Governance plays a significant part in the control environment. Listed below are a few links from the IRS website regarding governance practices for non-profit organizations.

Governance and Tax-Exempt Organizations – Examination Materials

http://www.irs.gov/charities/article/0,,id=216068,00.html

http://www.irs.gov/pub/irs-tege/governance_check_sheet.pdf

Governance of Charitable Organizations and Related Topics

http://www.irs.gov/charities/article/0,,id=178221,00.html

1. Determine if employee deferrals comply with current regulations (See limitations at: http://www.irs.gov/retirement/sponsor/article/0,,id=151925,00.html)
2. Determine if employee deferrals comply with the Plan’s maximum percentage requirements, if applicable (controls should be in place to ensure that employees are not allowed to elect to contribute more than the Plan’s elected maximum percentage as indicated in the Plan Document)
3. Controls should be in place to ensure that contributions are submitted to the Plan in a timely basis (Determine the who and the when to make sure it happens as required by law). Key – Timing should not be in excess of the number of days it takes an employer to transmit payroll taxes
4. Knowledgeable personnel should review and approve all loans and distributions made from the Plan . This knowledgeable person has read and fully understands the Plan document and requirements contained therein.
5. For loan approval – Understand the plan requirements for the following: loan amount complies; interest rate in loan agreement complies; condition for loan.
6. For distributions – Understand the following:  distribution complies with plan provisions and ensure all necessary documentation is retained (specifically for hardship distributions); distribution request includes the appropriate amount and the accurate amount of withheld taxes (10% and possibly an additional 20% if early distribution); ensure the appropriate vested percentage is utilized for employer contributions; determine if distributions required by law (required minimum distributions, etc) were completed during the year.

I hope the information is helpful in establishing a sound control environment for your organization’s employee benefit plan.  If there are areas that I have missed feel free to leave a comment to help out the other readers.  The controls that I have listed are coming from an auditor’s point of view and you may have insights related to your field of expertise that could be beneficial to others!

1. Ensure all user control considerations included in the third party administrator’s (record-keeper, trustee, custodian, etc) Type II SAS 70 are in place at the Plan Sponsor
2. Analyze compliance testing results provided by the third party administrator and if the Plan failed any tests ensure that corrective action is taken in a timely manner (distributions or additional contributions to the Plan as necessary)
3. Determine if established internal controls are designed appropriately to catch errors or fraud that may occur during the processing of transactions related to the Plan. Consider conducting a brainstorming session with individuals involved in the Plan in determining what could go wrong and then determine if controls currently in place are adequate to address such risks.
4. If the census is prepared by the Plan Sponsor ensure that the total wages included in the census reconciles with the organizations payroll records (remember census must include all employees that received a paycheck during the year whether employed by the organization or not during the year); the census should also be reconciled with the record-keeper statements (employee contributions, employer contributions and loan repayments). Key point – A reconciled census that agrees with the Plan Sponsors audited financial statements and the record-keeper statements will save time and money during a benefit plan audit
5. Controls should be in place to ensure all information included on the participant statements (social security #, name, compensation, date of birth, date of hire and date of termination) is complete and accurate.  Inaccurate information could lead to:

• Allowing individuals to enter the plan when they were not eligible to do so or not allowing an employee into the plan that is in fact eligible.
• Inaccurate amounts being withheld for employee contributions and/or employer matching contributions.
• Inaccurate amounts being withheld or forfeited when an employee receives a distribution (early distribution tax penalties or issues related to utilizing the appropriate vesting percentage for employer contributions)

     6. Determine if the annual Form 5500 reconciles to the Plan’s financial statement’s

 Interested in refining your internal controls for benefit plan recordkeeping. More will come in a later blog post…

Has your company received a portion of the American Recovery and Reinvestment Act of 2009 funds or do you anticipate applying to receive such funds?  If so the following are a few key points that should be discussed/considered:Consider appointing a Recovery Act “Czar” who is responsible for becoming familiar with the numerous requirements associated with the Recovery Act funds and communicate them to others in the organization.  They will also be a resource for others in the organization and be indicative of a strong “tone at the tope” for the importance of compliance with Recovery Act awards.

• Additional controls and systems may be required to ensure that Recovery Act funds are separately identified and tracked in the accounting system.  This segregation will have to carry through to the Schedule of Expenditures of Federal Awards and the Data Collection Form.
• Additional controls and systems may be required to meet the stringent reporting requirements to the federal agencies. 
• Internal control over compliance is extremely important to ensure funds are spent appropriately.  Consider the following:
  • Are control procedures over federal expenditures appropriate, working properly and designed to prevent unallowable expenditures?
  • Are additional controls and systems required to ensure that Recovery Act funds are separately identified and tracked?
  • Are new controls needed to meet the stringent reporting requirements to the federal government?
  • If Recovery Act funds are passed down to subrecipients are controls in place to ensure appropriate monitoring and reporting requirements?
• The Federal Audit Clearinghouse is required to provide public access, via the internet, to all single audit reports filed with the FAC for fiscal years ending 9/30/09 and later.  This will include the Schedule of Findings and Questioned Costs, if applicable.
• With the addition of Recovery Act funds, there will likely be more high-risk programs and additional compliance requirements that auditors will need to test.

For more information, see the Government Audit Quality Center Alert No.’s 106, 111 and 112 and the OMB Circular A-133 Compliance Supplement Appendix 7.

The following are a list of helpful controls that limit the ability to perpetrate and conceal theft of cash. The term “independent employee” would be someone who does not handle cash disbursements or the accounting for those disbursements.

• An independent employee (or board member) receives the bank statements directly from the financial institution.
• The independent employee (or board member) reviews the bank statements for unusual transactions including signatures on returned checks.
• An independent employee reviews the bank reconciliation investigating unusual reconciling items.

These controls will help detect issues whether fraudulent or reporting errors, but the organization really would rather not have things slip through to this review stage.  Segregating duties involves not allowing the same person to perform any two of the following duties:

• Authorize transactions
• Maintain custody of the resource
• Record the effect of the transaction on resource
• Reconcile related activity to the general ledger

As an example, if the controller for the organization can print checks (custody and recording), sign checks or print someone else’s signature (authorization), and reviews/reconciles the bank statement (review of recording) these functions are incompatible. If you take away the signature authority and a more effective review process is performed as mentioned previously, can the controller still commit fraud? The unfortunate answer is yes, but it is less likely and it hopefully will be discovered on a timely basis.

Always remember the computer issues at hand as well. Too often the segregated duties are manually implemented where it is “policy” that the controller signs checks but does not print checks. Often we ask the question could an individual print checks if they wanted to and be authorized to sign them. Most accounting software packages allow you to limit access to different functions depending on access rights and passwords. This also brings up the thought of having unique usernames and good password policies in place as well.   

As you can tell, there are many issues to consider when segregating duties. There will be more to come later.