Installing sufficient internal controls for small organizations is difficult. Yet having adequate safeguards helps protect against theft.
A 2008 study by the Association of Certified Fraud Examiners finds that a third of businesses with fewer than 100 employees are the victims of fraud.
The most frequent technique used is embezzlement, by submitting invoices to pay for personal items or fictitious goods or services.
Here are a few things that even the smallest nonprofits can do to help prevent fraud:
Adopt an accounting policies and procedures manual. This document presents the procedures the entire organization will use to keep financial records. It also allows for consistent financial record keeping as employees come and go.
Segregate duties and delegate authority as much as possible in matters involving managing the organization’s assets. Having multiple people involved creates checks and balances over each other’s work.
These safeguards could include:
A policy prohibiting someone writing a check from signing it.
Having checks signed by two people, at least those above an agreed upon amount.
Training several people on preparing bank deposits and having these people conduct spot checks to help identify irregularities.
The board of directors regularly reviewing the financial statements.
Requiring at least two people to be involved in bank statement reconciliation. The statements should be opened and reviewed by someone other than the person doing the reconciliation.
Carefully document cash on hand, with at least two people counting the cash.
Clearly documenting a check writing process and do not waver from it.
In California, nonprofits that have assets greater than $2 million must have an annual independent audit.
Smaller organizations should have their financial records reviewed whenever there is a change in treasurer, or every three years.
The goal is to have multiple safeguards in place.
Barry VanderKelen is executive director of the San Luis Obispo County Community Foundation. Reach him at firstname.lastname@example.org.