Nonprofit Symposium: Nonprofit Risk Management - PowerPoint PPT Presentation


James B. Yard CPA, CIA, CISA July 16, 2009 Nonprofit Symposium Nonprofit Risk Management Through Enhanced Internal Controls A Board Member's Perspective Agenda Board expectations Getting Started Building a


SLIDE 1

Nonprofit Symposium

Nonprofit Risk Management Through Enhanced Internal Controls “A Board Member’s Perspective”

James B. Yard CPA, CIA, CISA July 16, 2009

SLIDE 2

Agenda

Board expectations

Getting Started

Building a Foundation for Good Internal Controls

  • Organizational Considerations
    – Entity-level Governance
    – Financial Oversight
  • Process Considerations
    – Pledge to Cash
    – Requisition to Payment
    – HR to Payroll
    – Investments
    – Information Technology

SLIDE 3

Board Expectations

SLIDE 4

What are You Responsible For?

Would you answer yes to any of the following questions:

– Effective governance
– Managing risk
– Fundraising and customer service
– Legal compliance and public disclosure
– Fraud mitigation and ethical behavior
– Technology
– Internal controls
– Internal audit

SLIDE 5

Board Expectations

Management has an established and well-defined process for assessing its risk and control practices.

Expect fundamental business tools to be in-place:

– Governance Process evaluation
– Strategic Plan/Budgeting
– SWOT Analysis
– Enterprise Risk Management
– Risk Assessment
– Fraud Risk Assessment
– COSO Framework
– Control Self Assessment
– Internal Audit

SLIDE 6

Where Does my Organization Stack Up?

Would you answer yes to any of the following questions:

  • Have you recently undergone significant changes in size, management or structure?
  • Have you recently performed a review of your governance and control practices?
  • Are your board members and management educated on risk matters?
  • Do you have a formal process for evaluating internal controls or are you reliant on your auditor?

SLIDE 7

Getting Started

SLIDE 8

Nonprofit Challenges

  • Attention and focus on running the business (not controls)
  • Sufficient resources to achieve segregation of duties
  • Management’s ability to dominate activities
  • Recruiting requisite financial reporting and other expertise to serve on Board/Committees
  • Recruiting and retaining sufficient financial reporting skill sets
  • Technical resources to run information systems
SLIDE 9

Recent Drivers of Risk and Control

  • Form 990/IRS
  • SAS 99, 109, 110 and 112/Auditors
    – SAS 99 - Consideration of Fraud
    – SAS 109 - Understanding the Entity and its Environment and Assessing the Risk of Material Misstatement
    – SAS 110 - Performing Audit Procedures in Response to Assessed Risks and Evaluating Audit Evidence
    – SAS 112 - Communicating Internal Control Related Matters Identified in an Audit
  • COSO Framework
  • AICPA Alert - Not for Profit Organizations
  • Sarbanes-Oxley Act
SLIDE 10

What are We Talking about Here?

Process for assessing risk and developing appropriate internal controls:

– Setting objectives
– Identifying risks to achieving those objectives
– Prioritizing those risks
– Designing and implementing responses to the risks (e.g., internal control)

SLIDE 11

Important That We Understand

  • Smaller Nonprofits can meet the challenges of their unique environments
  • Management most likely already routinely monitors business activities and should take “credit” for their contributions to internal control effectiveness
  • Must take a risk based approach to controls
  • Must leverage a principles based framework
  • Cost vs. Benefits are critical to decision making
SLIDE 12

Important That We Understand

Four Factors to establishing internal controls:

  • 1. Response to one or more identified risks that affect the achievement of organizational objectives.
  • 2. Within the context of an effective control environment.
  • 3. Method for information and communication.
  • 4. How will we monitor?
SLIDE 13

Important That We Understand

Components of Internal Control (as defined by COSO)

  • The Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring
SLIDE 14

Important That We Understand

Three Reasons internal control systems fail:

1. Not designed and implemented properly at the outset.
2. Designed and implemented properly, but the environment in which they operate changes (changes in risk, people, processes or technology), and the design of the internal control system does not change accordingly.
3. Designed and implemented properly, but their operation changes in some way, rendering them ineffective in managing or mitigating applicable risks.

SLIDE 15

Important That We Understand

Seven Factors that increase the risk of failure:

  • 1. Complexity
  • 2. Judgment
  • 3. Manual vs. automated
  • 4. Known control failures
  • 5. Competence/experience of personnel
  • 6. Risk of management override
  • 7. Likelihood of control failure detection
SLIDE 16

Where Do You Get Started?

  • Governance Structure/Board Committees
  • Financial Oversight
  • Code of Ethics / Conflict of Interest Policy
  • Expense Reimbursement and Gift Acceptance
  • Whistleblower Hotline
  • Control Environment/Activities
SLIDE 17

Resources

AICPA Financial Management Center

– Not-for-Profit Organizations Audit Committee Toolkit (2005)

BoardSource

– The Source, Board Governance Principles (2005)
– Board Self Assessment Toolkit (2009)
– The Principles Workbook (2009)

Nonprofit Risk Management Center/Public Entity Risk Institute

– Financial Risk Management Guide for Nonprofit Executives

SLIDE 18

Resources (continued)

Open Compliance and Ethics Group (OCEG)

– Red Book (April 2009)

COSO

– Internal Control over Financial Reporting – Guidance for Smaller Public Companies (June 2006)
– Guidance on Monitoring Internal Control Systems (January 2009)

SLIDE 19

Organizational Considerations

SLIDE 20

Governance Structure

  • Review of the size and composition of Board
  • Establishment of Board committees to address risks, including regulatory, financial, operational, and reputational.
SLIDE 21

Board of Directors

  • Composition – Who? Size?
  • Selection – How?
  • Contributions/Value – Performance?
  • Format of meetings – Formal? Timing of Materials?
  • Agenda – passive recipient of information or decision makers?
  • Transparency - role in communications and approval on matters?
  • Executive sessions
  • Board member education and training

Items worth reviewing:

  • Articles of Incorporation
  • Bylaws
  • Board minutes
  • Election/Nomination/Termination process

SLIDE 22

Governance/Risk Committee

  • Establishing a Governance Policy
  • Addressing Governance and Policy Matters
  • Risk Oversight
  • Monitoring conflicts of interest policy and ethics matters
  • Hotline/Whistleblower activity
  • Retention and document destruction policy
  • Board Member education and training
  • Reviewing adequacy of Form 990 disclosures

Items worth reviewing:

  • Articles of Incorporation
  • Bylaws
  • Board minutes
  • Form 990
  • Process for evaluating strategy and risk

SLIDE 23

Nominating Committee

  • Selection of new Board members
  • Evaluation of existing Board members

Items worth reviewing:

  • Articles of Incorporation
  • Bylaws
  • Board minutes
  • Nominating Committee charter

SLIDE 24

Finance Committee

  • Oversee the preparation of the annual budget, financial statements and Form 990
  • Advising on capital structure and financial risk exposures
  • Advising on major planned or unplanned expenditures
  • Evaluate performance of investment advisor
  • Evaluate investment policy and monitor compliance with policy
  • Oversee and advise on all other financial/banking relationships

Items worth reviewing:

  • Articles of Incorporation
  • Bylaws
  • Board minutes
  • Form 990
  • Finance Committee charter
  • Finance Committee minutes

SLIDE 25

Audit Committee

  • Selection and evaluation of auditor
  • Auditor independence
  • Involvement in financial risk and control matters
  • Review of financial statements - Financially literate
  • Review of Form 990 disclosures

Items worth reviewing:

  • Articles of Incorporation
  • Bylaws
  • Board minutes
  • Form 990
  • Audit Committee charter
  • Audit Committee minutes

SLIDE 26

Compensation Committee

  • Evaluate compensation of CEO, President, Executive Director and key Management
  • Evaluation of incentive compensation and bonus plans
  • Review of Form 990 disclosures

Items worth reviewing:

  • Articles of Incorporation
  • Bylaws
  • Board minutes
  • Form 990
  • Compensation Committee charter
  • Compensation Committee minutes

SLIDE 27

Financial Oversight

SLIDE 28

Financial Oversight

  • Close Process, Calendar, Checklists (Completeness)
  • Comprehensive budgeting and forecasting model
  • Precision and granularity of variance analysis (!!!!!!!!!!!!!)
  • Key Performance Metrics (Simple to ensure Early Warning)

SLIDE 29

Financial Oversight

  • Investment Policies (Risk Mitigation)
  • Limits of Authority Policy (Transaction Authorization)
  • Journal Entry Review and Approval (Management Overrides)
  • Spreadsheet Controls (Errors)
  • Segregation of Duties (Access Restrictions)
SLIDE 30

Financial Oversight

  • Account Reconciliations (Knowledgeable and Independent)
  • Management review reports of select/detailed transactions
  • Take periodic asset counts (Existence)
  • Document Retention policies (Evidence)
  • Human Resources policies (Competencies)
  • Independent Annual Audit/Internal Audit
SLIDE 31

Process Considerations

SLIDE 32

Universal Areas of Focus

  • Policy and Procedures
  • Budgetary controls
  • Competencies
  • Segregation of Duties (Access to Assets, Recordkeeping, Approval, Reconcilement)
  • Account Reconciliations
  • Journal entry review and approval
  • Use of estimates/valuation/accruals
SLIDE 33

Contributions to Cash

  • Donor restriction identification and tracking
  • Donor confirmations
  • Lockbox, Cash Receipts Log
  • Handling, Recording Daily Deposits (Cut-off)
  • Cash Account Reconciliation
  • Reserve review
  • Write-off approval capabilities/authorities
SLIDE 34

Requisition to Payment

  • Accruals
  • Purchase Order/Bidding/Limits of Authority
  • Vendor set-up and approval
  • Invoice Matching
  • Securing Check Stock
  • Signature Authorities
  • Don’t forget about Wire Transfer Controls!
  • Don’t forget about T&E Controls!
SLIDE 35

Human Resources to Payroll

  • Background checks/screening
  • Job description/roles/responsibilities
  • Offer/compensation approval
  • Bonus/merit increase
  • Employee set-up/modification/termination
  • Pay-rate tables, access restriction
SLIDE 36

Human Resources to Payroll (cont.)

  • Timekeeping, supervisory review and approval
  • Payroll register review and bank account reconciliation
  • Payroll taxes
  • Vacation tracking
SLIDE 37

Investments

  • Controls over changes to Investment policy/strategy
  • Performance monitoring/benchmarks
  • Compliance with policy
  • Withdrawals (approvals)
  • Recording, valuing and reconciling investment accounts

SLIDE 38

Information Technology

  • Acceptable Use policy/sign-off
  • Confidentiality of Information policy/sign-off
  • Super-user access restrictions
  • Security administration (including passwords)
  • Quality assurance in change management
  • Database administration
  • Interface checks and balances
SLIDE 39

Information Technology (cont.)

  • Interface checks and balances
  • Back-up monitoring
  • Firewall monitoring
  • Physical access to IT equipment
  • Environmental conditions
SLIDE 40

QUESTIONS ???

Nonprofit Risk Management