Transcript Episode 129 – Safeguard Your Nonprofit’s Assets with Internal Controls on The Prosperous Nonprofit
Stephanie Skryzowski: [00:00:00] Welcome to The Prosperous Nonprofit, the podcast for leaders who are building financially sustainable and impactful nonprofits and changing the world. I’m Stephanie Skryzowski, a Chief Financial Officer and founder and CEO of 100 Degrees Consulting. My personal mission is to empower leaders to better understand their numbers, to grow their impact and their income.
On this show, we talk to people who are leading the nonprofit sector in new, innovative, disruptive, and entrepreneurial ways, creating organizations that fuel their lives, their hearts, and their communities. Let’s dive in.
Hello. Hello. How are you doing today? I am super excited you’re here because I have a topic that is super important, but don’t hate me. It’s kind of boring. So this is not [00:01:00] really my favorite topic to talk about if I’m being honest, but it is so dang important. We’re talking about internal controls. So what are internal controls?
So internal controls are processes that you put in place inside your organization to help mitigate risks, to help ensure compliance, to help safeguard your precious, precious assets as a nonprofit. And they’re super important for all those reasons. And also this is something that your auditor looks at with a fine tooth comb.
They are gonna be looking at your internal controls to make sure that you have the appropriate safeguards and processes in place so that nobody can steal your money, so that you’re not going to be subject to fraud, so that there’s not gonna be mismanagement of your donors’ funds. Right? We have a responsibility as nonprofit organizations to safeguard our assets and to safeguard the money that has been entrusted to us by our donors, by our funders, and [00:02:00] we need to have the appropriate controls and basically like rules in place to make sure that everything is safe, right?
So, not the most thrilling conversation that I’ve ever had, especially because I’m just talking to my computer today. But I am imagining that you and I are sitting in a little cafe right now here in Buffalo, New York. It is a rainy afternoon, so I’m imagining I have a nice warm cup of tea in front of me, and you have your beverage of choice.
And we’re sitting next to a cozy fireplace and we’re talking about internal controls. So same topic, but maybe a slightly more pleasant environment. Right? So, if you are a nonprofit leader, you have probably heard the term internal controls before, and so this is basically, like I said, a set of rules and policies and systems in place to very [00:03:00] intentionally help us make sure that we have the appropriate safeguarding of our assets.
And by assets, I mean not only, you know, things like fixed assets, cars and computers and things like that, but also our cash and really just making sure that we’re protecting the resources that we have. So let’s get into it. Some common risk areas for nonprofits, and I’ve seen some of these firsthand and I have just heard horror stories of others, but we’re gonna talk about each of these today and kind of go into what this means and how we can avoid them, right?
How we can make sure that these areas are not at risk. So financial mismanagement, fraud, a lack of segregation of duties, meaning one person has control over it and is doing everything in a particular process, cybersecurity threats, and conflict of interest. So let’s first go into financial management and controls.
So this [00:04:00] is thinking about your bookkeeping, making sure that you have proper bookkeeping done by one person and maybe reviewed by somebody else, making sure that you are reconciling your financial system to your bank statements, making sure that you have some sort of internal audit and checklist by which you are making sure that you’re doing everything that you should be doing on a monthly basis, as well as an external audit.
So this is really making sure the financial statements that you are presenting to the world are accurate. So some things that I have seen auditors recommend and some good best practices that I have seen are: maybe you have two people go get the mail together and two people open the mail together and two people prepare the deposit slip and sign off on the deposit slip together for like when you deposit checks, and then a different person is entering that information into
the accounting system or the donor database, right? So making sure that you’ve got two people in [00:05:00] every step of that process is really helpful for having a solid internal control there. Another thing that I have seen auditors recommend, and again, another best practice is having the bank statements, the physical bank statements sent to perhaps
a member of the board, the treasurer of the board, so the mailing address for the bank statements is the treasurer of the board. And then the, you know, the finance team internally is doing the bank reconciliations. And so when the treasurer opens the bank statements, they’re able to see if there are any transactions that look
inappropriate, that don’t look correct, um, because it may be easier to hide them within the financial statements. But if you’re looking at the bank statement, that bank statement does not lie, right? So having different people involved, different steps along the way. Now you may think, well, I’m a one woman show.
I’m a one woman shop. How in the world am I supposed to do that? I hear you, my friend. I hear you. But think about what I just said, [00:06:00] right? Having your bank statements sent to a member of your board, that’s not really that hard to do. Like that is definitely something that can be done. Or making sure that
the person who is reconciling the books does not have full access to the bank accounts online, right? Maybe they only have read-only access, so they can pull the statements, but they can’t make any transfers, right? So putting controls around that. So even if you’re a one person shop, likely, well, you have to have a board, right?
So there’s at least one other person involved. And if you’re that small of an organization, your board should absolutely be willing to step in and serve as the second person to some of these things to make sure that we’ve got the right controls in place. So definitely think about that when it comes to financial management and controls.
The second thing that I mentioned was around fraud prevention and detection. And so everything I just talked about with having two people doing different pieces of the process is absolutely going to help with that, right? You’re definitely going to [00:07:00] have more eyes on the organization and be able to highlight fraud if you’ve got a couple people doing different steps of the process.
Right? So that’s the segregation of duties. So making sure that multiple people are involved in each process related to the finances. The other thing that’s important to have, that if you have read the 990 in any length or amount of detail, which hopefully you have, I know I have cu Love the 990.
You have heard about a whistleblower policy, right? So every organization should have a whistleblower policy, and I say the 990, because there’s this specific question in the governance section that asks you if you have a whistleblower policy, and of course you wanna be able to say yes. So the whistleblower policy just allows for anyone in the organization to be able to highlight if there is a concern without
like retaliation, right? They’re not gonna get fired if they highlight something. So you definitely wanna have a whistleblower policy. And I think the other piece [00:08:00] for fraud prevention and hopefully detection, um, is regular internal audits. And so this one organization, one of my clients I work with, we have a monthly checklist and we go through this checklist every single month.
And it’s a little bit of a way for us to do an internal audit to make sure that, okay, is this getting done? Is this person involved? You know, and going through in, in detail to make sure that we are on top of things on a monthly basis. And that’s another way to help prevent fraud. The other thing is, you know, what is your culture like internally, right?
Do you have a strong ethical culture that’s really mission focused and is culture part of the way that your organization runs? Now you can have a fantastic culture and there can still be fraud, right? Like you can have a great culture and have that one bad egg that you just didn’t realize and have somebody steal a bunch of money.
Of course, we absolutely do not want that to happen, but I think that really [00:09:00] building a culture of transparency with a strong focus on core values, on your vision, on your mission is really important. And so, you know, again, it’s not going to prevent fraud, but I think it’s something to think about. Like, you know, are our core values really central
to what we do, to our everyday work? And if they’re not, maybe think about, okay, well how can we incorporate this so that, um, it really becomes more of just like the way that we do things the way we are.
Today’s podcast episode is sponsored by Grants Works. With billions of dollars in federal grant funding available, now is the time to learn about how to apply for and manage federal grants from Patrice Davis, an expert who simplifies federal grants. Her Federal Grants Simplified Bootcamp is a six week hybrid training that gives you the freedom to access on-demand training on your schedule, [00:10:00] and to attend live weekly Q&A sessions with Patrice. And bonus:
Grants Works is a CFRE approved continuing education provider. Go to www.grantsworksacademy.com/federal-grants-simplified to learn more about Federal Grants Simplified Bootcamp and use discount code degrees to get 10% off your registration.
So the third piece around, um, internal controls I mentioned was around cybersecurity and data protection. Now, my friends, I’m not gonna go into detail here because I’m not going to pretend I am a cybersecurity expert. Like you can barely get me to put a password on my, on my laptop. Kidding? Not kidding.
No. This year in my company, we hired an IT security firm to set us up with, you know, remote desktop and VPN and all the security things. So we’ve definitely upped our security, our [00:11:00] cybersecurity game, big time here. But what I will say is that this is increasingly important. We are all doing so much work online and we all are sending so many emails and there’s so much banking information floating around.
It is really important to have a cybersecurity plan, understand what do we do, what happens if we have a data breach or unauthorized access or a cyber attack, um, and have really good policies around passwords, around data encryption, and make sure that we’re training our team. Now, this is something that I’ve seen in recent years.
Auditors have really started asking about our IT controls because this is such a huge issue, right? There is so much risk and we, you know, nonprofits, anybody really can essentially get wiped out if you don’t have the right cybersecurity in place. So I’m not gonna tell you what to do, but I do know you need a policy and you need to really have a plan for not only prevention, [00:12:00] uh, but also
what happens in case there is a breach of cybersecurity. So, I know several organizations that I work with have an external IT consulting firm that has helped them set something up, especially larger organizations that have a lot of employees and have a lot of employees working remotely or working like on site.
Um, it’s, you know, it’s, uh, it’s something we definitely need to think about. So if this is not in your budget for next year, I would do some research and put it in your budget. This is going to be super, super important to ensure that you’ve got some good, solid controls. So the other thing that I mentioned was conflicts of interest. So this is something you’ve probably seen on the 990 before as well.
Does everyone on your board and key management personnel sign a conflict of interest form annually? And this is basically just disclosing any relationships that [00:13:00] anybody on the board has with anyone else in the organization. And you know, I know an organization where, you know, two or three sisters are on the board and there’s nothing wrong with that.
There’s nothing wrong with that at all. You can have your family on the board, but it’s just important to disclose it because there are situations where say, you know, a nonprofit organization, um, chooses the company that a board member owns to be their sole vendor for a particular good or service. Right?
And it’s important to disclose that because we wanna make sure that, okay, did we do a fair bidding process? Did we, you know, look at other vendors as well to ensure that we’re not just giving all of our business and putting money in the hands of our board member, right? There’s a pretty big conflict of interest there, and even with key management personnel as well.
It doesn’t just have to be on the board. And speaking of the board, I think it’s really important for board members to understand their fiduciary [00:14:00] responsibilities and their commitment to overseeing internal controls, right? Like they’re not just responsible for looking at the income statement and the balance sheet, but they need to understand
what they’re responsible for in terms of internal controls too, so they should know all of this. And one of my favorite things is to train board members. So I’ve done some training with board members of some of our client organizations and really showed them like, hey, as a board member, here’s what you’ve committed to.
This is your responsibility to look at X, Y, and Z. Understand the financials, review and approve the 990 and the audit, understand our policies, that kind of thing. And I think it was really enlightening to a lot of board members ’cause they’re like, oh, I didn’t realize that. I’m not just like, you know, rubber stamping my name on the 990, but I’m actually like financial, like fiduciarily responsible for this, right?
And so if there’s education that you need to do with your board members, like that is super, super important for building [00:15:00] out a really robust system of internal controls. Actually within, um, our online course, Master Your Nonprofit Numbers, we have a whole module: board financial responsibilities. And so this is like a fantastic presentation that you can use, um, to share with your board members and like, hey friends, here’s what we should be doing.
Here’s what you need to know. So that is, uh, super important. The other thing I wanna mention, speaking of, you know, training your board is also training your staff. Letting the staff know, like, what are our rules, right? Because a lot of times, this is what I’ve seen happen. The finance team is so hung up on internal controls.
I say hung up like it’s a bad thing. No, we’re obsessed with internal controls and we should be right. We love our internal controls, but the rest of the team doesn’t understand like why do two people have to go to the mailbox? That seems bananas. Well, okay, if we’re being honest, it kind of does seem bananas, but it’s an important internal control that we need to adhere to and you know, it is what it is.
And so we need to really [00:16:00] make our team aware of our internal controls, of our conflict of interest policies, of our whistleblower policies. We can’t just like create the policy, file it away, and then, you know, we’re good, right? We need to make the staff aware of their roles and responsibilities, our code of conduct reporting mechanisms, and really help them be updated on evolving risks and control practices.
So thinking about like cybersecurity, right? That’s not just for the finance team, that is for everybody in the organization needs to understand like, what are our policies around cybersecurity? For example. So making sure that the staff is in the loop is super, super important as well. So the other thing that I wanna talk about is just monitoring continuous improvement, right?
Like nothing is going to be done once and then done forever, right? This is gonna be something that’s ever evolving. As we’re growing, as our programs are changing, as our organization is shifting, there are [00:17:00] always going to be new things that we need to think about. So, I think about this one organization, one of my clients where I was making wire transfers for the organization.
They barely had any, but I was doing the wire transfers on the Chase account. Somebody was saying, you know, okay, here’s the approved invoice. Please make this wire transfer. All the signatures are here. Go ahead and do it. And the auditors were like, well, you really shouldn’t be able to just make wire transfers.
And so we had to work with Chase to set up a dual approval process within the Chase platform. Right? It wasn’t readily apparent to us how to do that, so we just never, we just never had, they never had done that. And so we were able to set up a dual approval process by like basically turning on some more features within our Chase banking system.
So it’s not always things that are super straightforward or super clear from the get go, but it’s always this continuous improvement process. And so if you have a process or if you have a culture of continuous improvement in your [00:18:00] organization, that’s just gonna bleed through into your internal controls, and I love that.
You know me, I’m all about, you know, personal and professional development, all day, every day. So I love this idea of continuing to improve. So that was a lot. I just flew through internal controls in less than 20 minutes. Okay, so just a quick recap. Internal controls, super important way to make sure we are mitigating our risk, we’re ensuring compliance and we’re safeguarding our precious assets.
And a couple things we talked about, some risk areas are around financial management, fraud, segregation of duties, cybersecurity, conflicts of interest, and we talked about the importance of not only implementing this, but training your team and of course ever evolving. So I hope this was useful, like I said, within master nonprofit numbers.
Um, my online email@example.com, shameless plug, there is a whole module around board financial management and [00:19:00] governance, and I think this would be a great one for you to share with your board if you join the course. So check it out, nonprofit numbers.com. Um, otherwise go forth and build your internal controls, my friend.
So again, maybe the, not the most thrilling stories in this episode, but so, so, so important. And let me tell you what, when your auditor comes by next year and you have the most baller, like solid as a rock internal controls, you’ll think back to this podcast episode and you will thank me. Okay, friends, I will see you next time.
Bye. Hey everybody. I hope you loved this podcast episode as much as I loved recording it for you. You probably heard earlier in the show that this episode was sponsored by Grants Works, and I just wanted to pop in here and give you my 2 cents on the Federal Grants Simplified Bootcamp. Patrice Davis is a genius at literally simplifying federal grants, which can be so [00:20:00] scary and so confusing, but she gave me access to her bootcamp so I could check it out for myself and oh my goodness.
There are just six modules. They are super simple and super clear. I love how she walked us step by step through the federal websites, which are so confusing to make sure that everything is set up right on the backend to be able to apply for federal grants. She goes over the application, including the budget and all of the like wonky federal rules.
She goes over what in the world uniform guidance means and what’s inside. Basically all of the rules that come along with federal grants. She also has this amazing federal grant application checklists and the Ultimate Grant workbook, and there’s so much info inside. I love that I could pause, take in the slides, take notes, and then hit play again.
So I just wanted you to hear directly from me that I actually went through the bootcamp myself and it was fantastic. So [00:21:00] the link again is www.grantsworksacademy.com/federal-grants-simplified, and that is where you can get all of the info on this amazing bootcamp. And don’t forget to use the discount code degrees, you know, like 100 Degrees Consulting, degrees, to get 10% off your registration.
Okay, friends, this is the end of our podcast episode for today. As always, thank you so much for being here. I appreciate you so much. We have our little community of loyal listeners, and I really just appreciate you. So if you wouldn’t mind sharing this podcast with a friend, I would love it. I would love if another nonprofit leader is able to listen and get all of the information that we drop in each episode.
So alright friends, I will see you next time. Bye.