Nonprofits: Upgrade Your Internal Controls
Reviewing the COSO Framework Can Help
Perhaps you cringe when you see news stories on nonprofit fraud, worrying that your organization could be next in line to be cheated and scandalized. If strengthening the internal controls at your organization is on your to-do list, now is as good a time as any to do something about it.
A sensible starting point is a look at Internal Control — Integrated Framework, a document issued in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The framework can help you establish, strengthen and assess the controls set up to safeguard your operations from fraud.
Is It Required?
Although publicly held companies are required by the SEC to evaluate internal control over financial reporting using a recognized control framework, other for-profits and nonprofits aren’t required to use a framework for the oversight of internal controls. Auditors do generally rely on the framework’s concepts when they assess internal controls. And the framework is mentioned as a resource for “best practices” in the new Uniform Guidance for federal grant awards.
Even if you’re under no obligation to follow COSO, its framework has proven over the years to be an effective risk management tool for many different types of organizations. The updated version, which incorporates recent technological developments, the move toward increased globalization and the demand for better governance, is designed to help organizations apply internal controls more broadly to operations, reporting and compliance objectives.
What’s the Foundation?
Both the original and revised COSO frameworks are built around five interrelated components:
- Control environment – a set of standards, processes and structures that provide the basis for carrying out internal controls, such as ethical values, performance measures and people management;
- Risk assessment – the process for identifying and assessing risks related to achieving an organization’s objectives;
- Control activities – actions that help ensure that management’s directives to mitigate risks are carried out, such as authorizations and approvals, verifications, reconciliations, and segregation of duties;
- Information and communication – the flow of information necessary to support the internal control function, including continual communication throughout the organization, between board members and executives as well as with external stakeholders; and
- Monitoring – both separate and ongoing evaluations of the internal control system’s performance over time and reporting of any deficiencies that are found.
COSO stresses that each of these components must be in place and fully functioning for an internal control system to be effective.
To help organizations turn abstract concepts into actionable items, the new framework introduces 17 principles related to the five components. For example, three principles apply to “control activities”:
- Select and develop control activities that mitigate risks;
- Select and develop technology controls; and
- Deploy control activities through policies and procedures.
In addition to the 17 principles, COSO offers 81 “points of focus” in its report. These provide guidance in designing, implementing and conducting internal controls and in assessing whether relevant principles are present and functioning.
What Are Your Internal Control Concerns?
If governance is a particular concern, you might focus on the framework’s guidance about directors’ independence from management and best practices for expertise on audit committees.
If your nonprofit’s concern is employee fraud, you can use the framework to assess current risks (such as poor hiring decisions), strengthen controls (such as annual performance reviews), and communicate ethical expectations to staffers.
Or if a new accounting software system is being selected, you can use the framework to help guarantee that the selection process follows proper acquisition procedures. Following the framework also can ensure that the product selected is subject to strong controls related to password protection and security levels that allow access only to the appropriate users.
Nonprofits have looked to COSO for inspiration in designing, strengthening and assessing internal controls for decades.