Internal Control Review

One of the five key elements of the "COSO" framework is the ability of an organization to identify, assess and respond to risks or “risk assessment”.  A risk is defined by "COSO" as “the possibility that an event will occur and adversely affect the achievement of objectives”. 

Here are 5 common steps we will take (at the minimum) to ensure your nonprofit organization has effective internal control procedures:

  1.  Specify Objectives - establish organization-wide goals that are needed for your organization to operate effectively and efficiently.
    • Operational
    • Reporting
    • Compliance
  2. Identify & Assess Risks - your risk identification should be as inclusive as conceivable - in view of several transaction types, categories and volume/size. 
    • Upon identifying risks relating to your Organization's stated objectives, next you need to assess the probability of that particular risk occurring, in addition to the potential impact. If you conclude a risk as having a remote (unlikely or small) chance of occurring based on known activities and operations of your Organization,  it may not be worthwhile continuing in the exercise relating to that risk. A cost-benefit analysis would be needed in this instance. 
    • Then, mitigate the risks which seem likely to occur.
  3. Considering Fraud - an unsettling amount of fraud occurs among all organizations, including nonprofits, even among the most trusted and long-term employees. 
    • Fraud can be divided into 2 categories: Fraudulent Reporting & Asset Misappropriation.
    • Fraud has 3 elements that have probability of partaking in this unethical manner: Incentive, Opportunity, Attitude/Rationalization
  4. Identify & Analyze Significant Changes - it is crucial to consider operational, regulatory or industry changes and how these changes may impact the internal control environment - whether internal or external.   
    • Common examples include: restructuring management or board of directors; changes in federal/state contract reporting requirements. 
  5. Review & Mitigate Risks - once you have gone through steps 1-4, it is essential you ensure there are controls in place, and effectively working, to mitigate any previously identified risks.  Having controls in place that mitigate these identified risks at different levels will provide the greatest impact and benefits for your organization.

In conclusion, document all the above steps, including any steps to taken to assess identified risks. Perform periodic reviews and re-evaluate these assessments as required or deemed necessary based on the level of the risk. Hold the governing board accountable and make sure leaders of your nonprofit organizations maintain the fiduciary responsibility to act on the entire Organization's behalf.