Failure to understand internal control when identifying risks was the reason major issues come up at nonprofits 40 percent of the time, according to data from a AICPA Peer Review Program Study. Making sure your accountants and consultants understand remote monitoring and management (RMM) and internal controls is vital.
The best practice is to document internal controls so that there can be a complete risk assessment. The issues of internal controls and risk were discussed during the recent AICPA Nor-For-Profit industry conference in National Harbor, Md. The session presenters were Melissa Galasso, CPA, director, audit professional practices, in the Charlotte, N.C., office of Cherry Bekaert and Kris Ray, industry technical leader for Plante Moran in Southfield, Mich.
Internal control is designed, implemented and maintained to address identified business risks that threaten achievement of any of the entity’s objectives that concern reliability of financial reporting, effectiveness and efficiency of operations and compliance with laws and regulations.
Internal controls can provide only reasonable assurance that things won’t go sideways, according to the presenters. The reality is that human judgement can be faulty and that mitigates the controls, they said.
The Committee of Sponsoring Organizations has an integrated framework for internal control, the components of which are: Control Environment; Risk Assessment; Information and Communication; Control Activities; and, Monitoring.
Even the smallest of organizations have internal controls of one form or another, according to the presenters.
The 9 Common Internal Controls include:
- Strong tone at the top
- Leadership communicates importance of quality
- Accounts reconciled monthly
- Leaders review financial results
- Log-in credentials
- Limits on check signing
- Physical access to cash, Inventory
- Invoices marked paid to avoid double payment
- Payroll reviewed by leaders.