Most mission-driven organizations operate within a framework of trust and goodwill. In these environments, considering internal controls, segregation of duties, and the possibility of fraud can seem less important than in a typical corporate environment. However, ensuring that the organization’s assets are managed safely, efficiently, and effectively is consistent with prudent stewardship and an important role of management.
Maintaining a sound control environment is a critical component of mitigating risks inherent in a continuously changing economic, technological, and regulatory environment. Organizations are expected to provide swift, effective, and socially responsible measures to safeguard against these risks.
Enter the Committee of Sponsoring Organizations of the Treadway Commission (COSO), who published Internal Control – Integrated Framework in 1992 to provide a common definition of and efficient method to analyze and evaluate internal controls. COSO’s Internal Control—Integrated Framework (COSO’s Framework) became the best-practice standard for 20 years. However, changes have been proposed and are expected during the second quarter of 2013.
While the changes to the framework will not result in substantial changes for organizations with a control environment deemed to be effective, the updates to the framework will result in a more versatile and cost-effective approach to the design and evaluation of organizational internal control systems. Here is a brief overview of COSO and its key changes based on the recently issued exposure draft; although the changes are not final, we do not anticipate a significant change from the exposure draft.
The original framework
COSO was founded on four critical underlying concepts:
- Internal control is a process toward the achievement of organizational objectives.
- The internal control process is driven by people at all levels of the organization.
- Internal control is a means to achieve objectives within one or more separate but overlapping categories.
- Internal control can provide only reasonable assurance to the achievement of organizational objectives.
The framework further details five framework components as summarized by the updated COSO Cube for internal controls, shown below:
- Control environment
The internal organizational environment driven by the management operating philosophy, risk appetite, integrity, and ethical values.
- Risk assessment
Risks are identified and the likely impact on the organization is assessed.
- Control activities
Policies and procedures are implemented to ensure organizational objectives and risk-mitigation activities are effectively executed.
- Information and communication
Relevant information is communicated in an acceptable format and timely fashion to enable the organization to meet its objectives.
The internal control process is continually monitored. Modifications are made to improve internal control activities as a result of the monitoring process.
Why did the framework change?
The original Internal Control – Integrated Framework stood unchanged for 20 years. The Committee of Sponsoring Organizations elected to update the framework in to reflect the dynamic changes in the business environment by incorporating discussion on the technological advances in business processes and communication, as well as an ever increasing regulatory atmosphere that impacts an organizational control environment. The updated framework has been modified to maintain relevance with current and future business environments and will apply to public companies, privately held companies, not-for-profit agencies and governmental entities.
What are the key changes to the framework?The original five Internal Control – Integrated Framework components remain, but 17 principles from the original framework are now explicitly listed among those five components. As a result, the framework adopts a principles-and-attributes approach, which provides more detailed guidance for designing and assessing the effectiveness of internal controls. This change is critical because the framework more clearly communicates the fundamental concepts associated with the components of internal control. The 17 principles are listed below:
- The organization demonstrates a commitment to integrity and ethical values.
- The board of directors demonstrates independence of management and exercises oversight for the development and performance of internal control.
- Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
- The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
- The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- The organization considers the potential for fraud in assessing risks to the achievement of objectives.
- The organization identifies and assesses changes that could significantly impact the system of internal control.
- The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- The organization selects and develops general control activities over technology to support the achievement of objectives.
- The organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies.
Information and communication
- The organization obtains or generates and uses relevant, quality information to support the functioning of the other components of internal control.
- The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.
- The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
- The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
- The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Guidance for not-for-profit organizations
Segregation of duties is a key component of the following COSO standards:
- Control environment
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
- Control activity
The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
A common challenge that many NFP organizations face in today’s cost-constrained environment is the ability to adequately segregate duties over the receipt of contributions. The following considerations should be made to strengthen internal controls over this area:
- To the extent possible, all funds received by the organization should flow through the normal cash receipts process.
- Donations received by mail should be restrictively endorsed upon receipt and turned directly into the finance office.
- A copy of every donation check and related correspondence received by the accounting department should be forwarded to the development office.
- The bank deposit should be prepared by the finance office and should include all funds received by the organization.
- The development office should use the check copy for its recordkeeping purposes.
- The finance office should post cash receipts to the general ledger to serve as the primary record of all funds received.
Ideally, the development office should not receive funds directly. When this cannot be avoided, the received funds should be delivered directly to the finance office for receipting and deposit.
Any correspondence included with a contribution that identifies restrictions as to its use should be noted by both the finance office and the development office. The documentation should be retained and made available to the auditors to ensure proper reporting on the financial statements.
Internal controls and segregation of duties are important concerns for NFP organizations—just as important as they are to private-sector companies. For more information on these best practices, please give us a call.