Nonprofit organizations inherently have less funding and fewer resources to build a bulletproof internal control system. Therefore, the management team should look for less expensive ways to monitor the effectiveness of its control environment, especially now that more and more data resides in and is transferred through new technology. “Cloud,” “portals,” and “smartphones” are a few of the buzzwords we hear more and more about.
As you look at many business risks facing nonprofit organizations, several key technology-related risks I see include unauthorized access to donor and other confidential information, potential harmful internet publications or blogs about the organization or its stakeholders, and unauthorized electronic access to financial assets of the organization.
What to do?
On a macro level, the management team should ensure that the organization has:
- Proper tone at the top
- Policy in place to address fraud
- Sufficient education provided to its staff to help them identify and report fraud red flags (see below for more)
- Sufficient monitoring and, most importantly, sufficient management review procedures
On a micro level with respect to the two specific risks mentioned above:
- Develop a policy as well as procedures regarding electronic transmission of data that would answer questions like:
  - Who can transmit data through new technology?
  - What technology can be used?
  - What system controls should be in place?
  - What type of information can be transmitted?
  - What controls will be in place to minimize the risk of unauthorized access to sensitive data?
  - What should be done if such sensitive data is obtained?
- Monitor what information is being shared or created online relating to the organization, its key donors, board members, and key employees. Public relations are instrumental for a nonprofit, and therefore such monitoring is critical.
- With respect to controls over the financial assets of the company:
  - Segregate the key roles of cash (identifying who receives and logs, who reports in the accounting system, who pays, and who reconciles the statements)
  - Strengthen the management review of the bank statements and reconciliations
  - Work with your IT person on ensuring that there is a proper level of access to the organization’s financial assets, including bank accounts, investment accounts, etc.
What more to keep in mind?
As studies show that fraud is best found through a tip from an employee, nonprofit organizations should look for ways to give their employees the tools, education, and comfort to communicate their concerns to the management team and, if necessary, the Board of Directors.