By Makalynn Funk, CPA, Senior Accountant at Blue & Co.
April Fools’ Day brings lots of fun pranks and punchlines, and while we all have fun with these little pranks, for nonprofit organizations internal controls are one area that is no laughing matter! Did you know that most fraud schemes last approximately 12 months before they are initially detected? Additionally, industry data on cybercrime shows that the longer it takes an organization to detect fraud, the more costly it becomes.
As we head into April Fools’ Day and the start of a new quarter, it is a great time to step back and evaluate your internal controls. Below are a few internal controls to think through to best protect the organization and its employees from fraud or cybercrime.
Dual Authorization/Signature
Requiring two signatures holds people accountable and adds an extra layer of control. With a requirement for two check signers, two people review the checks being issued, hopefully along with the related support. These requirements are generally set at a certain dollar threshold. The second review ensures that each check is going to the correct party, for the correct amount, and is properly authorized. The list of people authorized as check signers/approvers should be reviewed annually.
Reconciliations
Reconciliations of major accounts (such as cash, investments, receivables, and debt) should be completed monthly and retained for future reference. Someone other than the preparer should also review each reconciliation. It is best practice for both the preparer and the reviewer to sign off on the reconciliation to document who was involved in the process. This could be done by approving within the financial software or with a physical signature on the paper reconciliation.
Credit Card Reimbursements
As we continue into the digital age, credit cards are becoming increasingly common. It is best to have a clear, written policy regarding credit cards and expense reimbursements. This policy should include the expected timeliness of receipt submissions, any minimum amounts below which receipts are not required, and approval levels.
Receipts should be required for all credit card charges and reimbursement requests unless a minimum amount is specified. A monthly review of credit card charges should be performed by someone who is not the cardholder and maintained on file. Lastly, it is also a good control to set spending limits on cards to properly manage credit usage.
Journal Entries
As we approach month-end, it is likely that more journal entries are being posted. Both routine and non-routine journal entries should be reviewed by someone after posting, and supporting documentation should be kept to justify or explain each entry. It is also important to consider who in your general ledger system has the ability to post journal entries.
Access to post, review, and delete entries should be restricted. Lastly, does your system keep track of who is posting journal entries? It would be best practice to have someone periodically review this log for entries posted by unexpected personnel, for unusual amounts, on unusual days/times (e.g., weekends, holidays, evenings), or for unknown vendor names.
Positive Pay
Many banks offer this service, which is a great way to help prevent fraud and protect your organization. Positive Pay works by comparing a list of checks you have issued with the checks presented for payment. If a check does not match what is on the list, the bank will notify the organization so you can decide whether to pay or reject the check.
While the calendar may say April Fools’ Day, it is important that your internal controls are saying “joke’s on the fraudster!” Please reach out to your Blue & Co. advisor if you have any questions.





