Chapter 7 Internal Controls: What Every Executive and Board Member Needs to Know – Best of Boards, 2nd Edition


Carl sat at the head of the boardroom table looking somber. He had just left a meeting with the CFO of his nonprofit, Cheerful Giver, an organization that raised money to fund social service organizations. He knew he had to tell the board that giving was at an all-time low. In fact, contributions to the organization declined from $25 million in 2009 to $7.5 million in 2010. Sure, the economy was at fault, but the root cause of the decline was due to a fraud that was brought to light by one of the organization’s accountants early in the year. It had been going on for 5 years. Once the fraud was exposed in the news media, word crept like a virus across the internet, and longtime donors started calling to try to understand what happened. To make matters worse, once the new fund-raising campaign started, donors stopped returning phone calls. It was evident that they didn’t want to give money to an organization that would let a fraud go on for so long.

Who would have believed that the CEO, a person in a position of trust, could have stolen money from his own organization? Who would have believed that the board could have let this happen? The words of the external auditor came back to him. “Management and those charged with governance (the board) are responsible for implementing and maintaining internal control over financial reporting and compliance with laws and regulations and provisions of contract and grant agreements.” The CEO always said that implementing internal controls was disruptive and cost too much money, money that should be spent on the organization’s programs. To be honest, Carl knew he couldn’t even identify what internal controls could have prevented this fiasco. He thought that management would handle it. But how do you explain that to donors?

Characteristics of Nonprofits

The preceding story was based on a very high-profile case of fraud that gained national attention. The sad thing about it is that donations to the entity really never recovered. And this is not an isolated incident. Nonprofit boards and executives often have a belief that it could never happen to them. Gerard Zack calls this the NIMO (not in my organization) complex.[1] In 2016, the Association of Certified Fraud Examiners (ACFE)[2] reported that incidents of fraud account for a loss of 5 percent of total revenue.[3] At 5 percent, this equals approximately $113 billion annually.[4] But for nonprofits, it isn’t just the money. It’s the lack of trust that develops on the part of the donors, funding sources, and people who work for these organizations. There are several characteristics that make nonprofits vulnerable to fraud:

  • Control by a chief executive; employees believe that there is no one to whom they can report unusual actions or requests.
  • Existence of transactions, such as contributions, that are very easy to steal.
  • Environment of trust, especially in financial personnel. The ACFE report states that accounting people are more likely to steal than anyone else in the organization.
  • Focus on the mission to the exclusion of administrative systems of controls and risk management.
  • Failure to devote sufficient resources to financial management.
  • Failure to include people with financial oversight expertise on the board.
  • Failure of the board to challenge the chief executive for fear of losing him or her.
  • Fear that the cost of implementing controls will outweigh the benefit and spend money that, in their view, would be better spent on programs.

This chapter addresses the nonprofit’s need to design a system of internal controls to prevent or detect and correct both error and incidents of fraud. The five levels of internal control that are generally used in most organizations are defined. In addition, this chapter discusses the major fraud schemes that are perpetrated against nonprofits along with controls that might have prevented them or detected them sooner.

Internal Control Defined

Internal control is the process put in place by an entity’s board of directors, management, and other personnel, that is designed to provide reasonable assurance that

  • the entity has accurate and reliable reporting (both financial and nonfinancial);
  • the entity complies with applicable laws and regulations, contracts, and grant agreements; and
  • management’s objectives are met regarding the effectiveness and efficiency of operations.

This definition comes from a framework that was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in response to the Foreign Corrupt Practices Act of 1977. Financial statement auditors have used this definition since the mid-1980s when it became part of their professional literature.

Management, the board, donors, other funding sources, regulatory authorities like the IRS, and creditors need to be able to rely on the financial statement amounts and footnote disclosures in the financial statements. Therefore, internal controls should be designed and implemented in order to prevent or detect and correct both errors and fraud that might be in the financial statements.

The nonprofit organization should also have internal controls to prevent or detect noncompliance with laws and regulations and provisions of contracts and grant agreements. Compliance is very important to the nonprofit because noncompliance could cause the organization to lose funding and even its tax-exempt status. Internal control over compliance will be briefly discussed in this chapter. Although it is also important for the nonprofit to meet its objectives relating to effectiveness and efficiency of operations, these controls will not be addressed because they are beyond the scope of this book.

Another way of defining internal control might be actions that management and employees take in the course of their assigned functions to prevent or detect and correct fraud and error. The board is responsible for seeing that these actions are carried out and should delegate the design and implementation of the controls to management. However, the board is still responsible for ensuring that the organization maintains adequate internal control.

COSO Framework Updated for Changing Times

The COSO revised its original framework in 2013 to be responsive to enhanced risk in the way that entities do business, the increase in the use of technology for commerce, and the threat of cyberattacks. The revised framework incorporates 17 principles within the five elements of internal control. The five elements (control environment, risk assessment, information, communication, and monitoring) did not change. The major changes to the framework are the following:

Reporting objective. This concept is broadened to not just financial reporting but now includes nonfinancial reporting. The concept highlights that attention should be given not only to what is reported but also the media through which it is reported.

Competencies and accountability for internal controls. There is an increased focus on individual competence and accountability for accomplishing the internal control objectives. The accountability starts at the board level and extends through senior management and employees.

Expectations relating to preventing and detecting fraud. Assessment of the risk of fraud is highlighted as one of the 17 principles. Fraud risk can be associated with financial statements but is also important as it relates to operations and compliance. Risk assessments should be performed periodically.

Use of, and reliance on, evolving technologies. Given the extent of electronic commerce and the outsourcing of processing to third parties, information security risks have become heightened. Entities are increasingly relying on cloud computing. Connectivity within the entity has expanded, passwords are often not protected, and computer hacking is an ever-present threat. The revised guidance states that IT controls must be explicitly considered.

Effective governance oversight. Major stock exchanges and regulatory agencies have focused on improving corporate governance and organizational oversight. This is also a highlight of the federal administration. The competence and independence of board members are a focus of regulators. With the complexity of operating environments, it is incumbent on the entity to stop and truly assess the effectiveness and independence of the governing structure. Board members must demonstrate competence and independence in action.

Professional judgment. The current accounting environment requires more and different data for making estimates. For this reason, the revised COSO guidance puts additional emphasis on the need for professional skepticism and judgment.

Expanded relationships and globalization. As noted earlier, organizational relationships have expanded through joint ventures, increased dependence on suppliers, and contractual relationships that require risk assessment and applicable controls.

Integration. The interrelatedness of the control principles is also highlighted as they each have a bearing on the other.

Distinguishing Error From Fraud

Internal controls are designed to address improper transaction processing, whether due to error or fraud. In this chapter, most of the examples are related to fraud and are designed to increase the reader’s awareness of how fraud can occur. But preventing, detecting, and correcting error is also an important function of internal controls. By implementing controls that are designed to accomplish those objectives and by adding in certain controls to address the risk of fraud, management and the board will help to ensure that their goals of complete and accurate processing are achieved.

Sometimes it is difficult to tell the difference between error and fraud. Fraud is an intentional act to misappropriate assets or improperly report account balances, transactions, and disclosures in the financial statements or to violate contracts and grant agreements. But if the nonprofit’s personnel are not properly trained, a transaction that might be fraudulent in other circumstances could be an error.


Sue was an accountant at a private school. She was responsible for recording donations as they were received. Sue did not fully understand the difference between unrestricted and temporarily restricted donations and recorded them all as unrestricted. This was an error because Sue was not properly trained.

Jackie was in charge of donor development at a charity. The organization was very small, so Jackie also opened the mail and coded the donations received as unrestricted, temporarily restricted, or permanently restricted. She also wrote the acknowledgement letters to the donors. In 2010, she was able to secure a $100,000 challenge grant. In order to get the $100,000, the organization had to raise $50,000 from donors. These donations needed to be unrestricted in order to count toward the challenge grant. Jackie wanted to get this grant, so she knowingly misrepresented $25,000 in pledges to the organization as unrestricted when they were really temporarily restricted for a specific purpose. Jackie acted with the intention to defraud or misrepresent a situation to a funding source.

Both situations resulted in inaccurate financial statements. Internal controls are designed to prevent or detect and correct misstatements whether due to fraud or error, but in both of these cases, controls were lacking. In the case of Sue, she needed training (a control environment control) and supervision (a monitoring control) to help her understand appropriate accounting. In the case of Jackie, she knew she was in the wrong. Segregation of duties between the person who has custody of the assets (opening the mail) and the person who processes the assets (recording the transactions) should be maintained.

It is important to note that even the best, most comprehensive set of controls can only provide reasonable assurance that fraud or errors will be either prevented or detected and corrected. This is because there is always the possibility of human error, malfunctions in technology, or collusion. And because internal controls cost time and money to implement and maintain, it is important to weigh their benefits versus their cost and choose them wisely.

In September 2016, the COSO published its Fraud Risk Management Guide.[5] The guide provides a comprehensive approach to managing fraud risk and contains five steps that should be considered by management and the governing board in a comprehensive fraud risk management program. Examples of activities that are part of an effective fraud risk management program and the COSO fraud risk management steps and principles that they support follow.

  • Establish antifraud governance policies. Establish a governance process that is visible to employees and outsiders and that sets a tone that fraudulent activity will not be tolerated. Create or enhance a culture that values ethical values, transparency, and accountability for employees, management, the governing board, and outside parties such as vendors, grantors, donors, and other parties. (Control Environment Principles 1–5)
  • Perform a fraud risk assessment. This includes a periodic fraud risk assessment process that helps identify weaknesses in the system of internal control, whether manual or electronic. Depending on the size, complexity, and preferences of the entity, this may be done from the top down, where management conducts the assessment and presents it to the board, or from the bottom up, where the employees are solicited for their input, which then advances to management and is then provided to the board. The governing board would evaluate the fraud risks based on the information presented, their own experience, and the synthesis process with other board members, and prioritize them based on how likely they are to occur and the magnitude of loss to the entity if the situation did occur. (Risk Assessment Principles 6–9)
  • Design and implement control activities to prevent and detect fraud. This modifies or implements additional internal controls to ensure that the anti-fraud control portfolio is effective at preventing and detecting fraud. (Control Activity Principles 10–12)
  • Conduct investigations. Respond immediately to allegations of fraud and take prompt action when wrongdoing is discovered. (Information and Communication Principles 13–15)
  • Monitor and evaluate the risk management program. Develop a plan for ad hoc and ongoing evaluations that will give early warning signs about the risk of fraud and whether internal controls are functioning. (Monitoring Principles 16–17)

The concept of fraud deterrence, which is critical in preventing fraud from occurring, has a significant role in this fraud management program. The COSO fraud risk management guide illustrates ways that governing boards, management, internal audit (if applicable), and employees at all levels can contribute.

Controls for Smaller Organizations

When considering internal controls, it is important to keep in mind the size of the entity as well as its degree of complexity. Size is determined by the size of the budget, the amount of endowment funds, the amount of transactions processed for others (agency transactions), and other factors. Complexity is determined by a number of factors: the degree to which the entity is regulated, its use of sophisticated information technology, its number of locations, and other factors.


A charity, which is a local affiliate of a national organization, has contribution revenue of $500,000 a year. It has approximately $150,000 in grant revenue and a small amount of interest income. It operates from one location and uses QuickBooks to process and record its transactions. Its investments are held at the local community foundation. It has no endowment.

An arts organization has total revenue of approximately $100 million. Its revenue comes from several sources. A significant amount comes from contributions, many of which are restricted. It also has membership income, sells items in its gift stores and through the internet, and has significant investment income coming from its endowments. It processes many of its transactions online and uses a check scanner to deposit the contributions it receives. It operates two stores that sell merchandise, and many of its customers use credit cards. The organization also runs an art school and has tuition revenue. It uses PeopleSoft, an enterprise application, that has been customized to fit its needs.

The arts organization would be considered a large complex organization due to its size, use of technology, number of locations, and numerous sources of revenue. The charity would be considered a small, noncomplex organization. Both need to implement and maintain adequate internal controls, but the number and types of controls will be different.

COSO issued its Internal Control over Financial Reporting—Guidance for Smaller Public Companies in 2006.[6] This guidance was not intended to replace the COSO framework. Instead it provides examples of internal controls that are relevant to smaller and midsize entities. It was superseded by the 2013 framework, presuming that the revised guidance can be applied to all entities regardless of size.

Management and the governing boards of smaller entities should critically challenge the design of internal controls. Research performed when the 2006 guidance was issued showed that larger organizations have a higher proportion of controls in the category of control activities. This is because they have more people among whom to segregate the duties. In addition, their information technology is more robust, so there are more automated control activities. The guidance also points out that smaller organizations will have a very different distribution of internal controls in that the majority of the controls will be in the categories of the control environment and monitoring. With a strong tone set by management and the board and a high degree of monitoring, the lack of segregation of duties is mitigated somewhat. This places even more significance on the board’s and management’s roles and responsibilities in setting the tone for integrity and ethical values and in monitoring.

Consider the example discussed in chapter 1, where the lack of segregation of duties created a situation that was ripe for fraud to occur. Collectively, management, the governing board, and even the auditors believed that the tone from the top was solid and that the board’s ability to monitor financial reporting was adequate to mitigate the risk of fraud. Ultimately, the board was not sufficiently experienced in financial statement analysis to even ask the right questions. Their care and concern for the entity was not sufficient to mitigate the risk of fraud when such a blatant lack of segregation of duties was present. This is the dilemma of so many smaller entities.

Elements of Internal Control

The five categories in the COSO framework can be viewed as a portfolio of integrated controls. These are used in combination to help the organization meet its need for accurate financial reporting and for compliance with laws and regulations, contracts, and grant agreements. Some of the controls serve to lay a good foundation for the entire organization, and others support the processing of transactions. Together they make up the internal control structure.

Figure 7-1 Internal Control Structure

As illustrated in figure 7-1, the entity controls are those that lay the foundation for effective internal control. With a good foundation, the organization can have better assurance that transactions are accurately authorized, processed, recorded, and reported. The controls that support transaction processing are the control activities. The purpose of these controls, along with examples, is discussed in this section.

There are five categories of entity controls.

  • Control environment. Sets the tone from the top of the organization. This category of controls includes integrity and ethical values, commitment to competence, attention and direction provided by the board of directors or audit committee, management’s philosophy and operating style, organizational structure and the manner of assigning authority and responsibility, and human resource policies and procedures. Many of these controls were discussed in the 33 good governance principles in chapter 2. As noted in that chapter, a strong control environment is the best deterrent to fraud.
  • Risk assessment process. Refers to the process the organization goes through to identify the risks that would prevent it from meeting its objectives. These could be internal factors such as lack of diversity of funding sources, turnover in key positions, implementation of a new IT system, entering into new programs, and significant, rapid growth with insufficient infrastructure to support it. Risk can also be present from external factors such as deterioration of the economy affecting its funding sources or changes in accounting principles and reporting requirements. Risk assessment is more fully discussed in chapter 6.
  • Information controls. The technology and processes necessary to initiate, authorize, process, record, and report transactions and events in the financial statements and to communicate the results to management and employees who have a need for the information. Information controls are considered to be entity controls in that there are controls over information technology that set the foundation for the system as a whole. There are also control activities at the point of processing transactions. A comprehensive discussion of controls over information technology is beyond the scope of this book.

    Organizations that have complex and sophisticated information technology systems should be aware of the framework created in 1998 by the IT Governance Institute called Control Objectives for Information and related Technology (COBIT). The COBIT framework, which is now on its fifth revision, is designed to instill good practices into the organization to ensure that the organization’s information technology supports its business objectives. Use of this framework should also result in greater efficiency and optimum use of the information produced by the organization. It can be obtained from the website of the Information Systems Audit and Control Association at

  • Communication controls. Involves the quality of communications between the board and management; the board and the external auditors and internal auditors, if any; staff and management; and management and donors, funding sources, and vendors. Two-way communication is very important to ensure transparency, accountability, and the dissemination of knowledge employees need to perform their assigned duties and to enable issues to be identified at the ground level for prompt management consideration and action.
  • Monitoring. Monitoring is a very important control function. It occurs when management follows up to determine whether the nonprofit’s staff members are performing their duties as expected. It also occurs when the board follows up to determine that its objectives are being met. Monitoring is such an important part of the COSO framework that in 2009 COSO published a book, Guidance on Monitoring Internal Control Systems. This is not intended to replace either the COSO framework or the 2006 smaller-company guidance; it is designed to highlight and expand the basic principles in both documents. Monitoring controls can be performed at the overall entity level and also at the transactional level. This guidance was not superseded by the 2013 Framework.

Control Activities

Control activities are performed at the transaction level. These controls are designed to prevent or detect and correct misstatement. Whereas the entity level controls set the foundation and affect all of the financial processes, the control activities are specific to a particular transaction cycle such as revenue and cash receipts, expenses and cash disbursement, payroll, investments, or grant accounting. When management prepares financial statements, it is making assertions that transactions and events

  • exist (assets and liabilities) and actually occurred (revenues and expenses).
  • are complete. In other words, all of the transactions and events are recorded.
  • are appropriately valued.
  • represent the rights to assets and obligations of the organization. For example, if the organization receives and holds assets for another organization, these are appropriately reflected as amounts due to that organization.
  • are recorded accurately and in the proper period.
  • are disclosed in the right net asset classification. For example, the donations to the endowment that are restricted in perpetuity are recorded as permanently restricted.
  • are disclosed in the financial statements in such a way that they are understandable.

Control activities support management’s assertions.


Roger perpetrated a fraud against a small nonprofit that nearly bankrupted the organization. He was the sole accountant, responsible only to the board of directors. He collected the receipts from donors, grantors, and clients and was also responsible for recording them in the general ledger. Many did not get recorded because he deposited the checks in his own checking account. He was also responsible for paying the bills. He received the invoices and wrote, signed, and mailed the checks. Because he had custody of the assets (cash), he wrote checks to himself, to vendors to pay his own bills, and to a fictitious vendor he created. Those checks he deposited in a bank account he set up for himself under that name. Because no one approved the invoices for payment, no one identified the fictitious vendor. To the organization’s credit, they terminated Roger and prosecuted him for fraud. If the organization had performed a background check on him before he was hired, they would have seen that he had previously been prosecuted for fraud against another nonprofit.

One of the most important control activities is the segregation of duties. Duties should be segregated so that no one person has the ability to initiate and approve transactions while also being able to have access to the technology to record those transactions or have custody of the assets.

In this example, the lack of segregation of duties was not mitigated by any other controls, such as monitoring by an executive director (ED) or the board of directors. Smaller organizations are at a disadvantage when it comes to segregation of duties. However, the consequences of having too much control vested in one or two people are so calamitous that it is wise to make an effort to segregate duties as much as possible. Even in cases in which there are very few employees, the board can be enlisted to perform analytical reviews of revenues and expenses to see if the amounts are reasonable. Figure 7-2 illustrates a way that segregation of duties might be accomplished by two employees with additional support from the board of directors.

Figure 7-2 Example of Segregation of Duties with Two Employees

It is important to note that the lack of segregation of duties is a significant deficiency, if not a material weakness in internal control. Although enhanced oversight from the board can help to mitigate some of the risk, the risk is still high. In addition, the management and the governing board need to understand how to properly analyze financial information.


In the opening case study in chapter 1, the governing board was charged with reviewing the financial statements and the analysis prepared by the bookkeeper each month. Due to the lack of segregation of duties, the bookkeeper performed all of the duties related to cash disbursements except for signing the checks. Therefore, the analytical review of the financial statements by the board, specifically designed to help mitigate the segregation of duty issue, was one of the entity’s most important internal controls. The analysis consisted of evaluating the statement of activities to determine whether there were any anomalies noted in the change from budget to actual and the change from the prior period to the current period.

The board evaluated the spreadsheet below and asked questions about the legal and travel items that were program expenses. The bookkeeper explained that the volume of children served was down, so those expenses were down. The board did not inquire about professional services because the fluctuation was so small. Unfortunately, that was the line item that contained the fraudulent expenses. The line item should have decreased with the other program expenses. Because it did not fluctuate significantly, the board failed to ask any questions. The board members did not consider that a program expense line item with no fluctuation when volume was down could be a red flag. The bookkeeper realized that if the expenses were constant, no one would ask questions.

Analytical procedures should be performed by setting an expectation of what a balance should be. If the board considered dividing the program expenses that varied with volume by the volume of children served, they would have seen the lack of fluctuation was unusual. Note in figure 7-3 that the other program expenses decreased approximately 16 percent but the largest one—professional services—did not.

In order for a governing board to be effective in monitoring, members need fraud awareness training and training on internal controls, especially monitoring techniques.

Figure 7-3 Comparison of YTD 20X1 to YTD 20X0

Line item                               YTD 9/30/X1   YTD 9/30/X0   Change $   Change %
Salaries and wages                          469,754       468,795        959      0.20%
Employee benefits                            22,503        23,664     (1,161)    -4.91%
Payroll taxes                                35,936        35,863         73      0.20%
Professional services                       277,807       277,542        265      0.10%
Legal fees                                   24,620        29,550     (4,930)   -16.68%
Office expenses                              37,071        37,875       (804)    -2.12%
Information technology                        7,858         8,842       (984)   -11.13%
Occupancy                                    46,601        46,000        601      1.31%
Travel                                       20,957        25,050     (4,093)   -16.34%
Conferences, conventions and meetings         3,516         3,855       (339)    -8.79%
Interest                                      7,428         7,428          0      0.00%
Insurance                                     6,500         6,205        295      4.75%
Training and development                      7,617         6,890        727     10.55%
Depreciation and amortization                 3,520         3,520          0      0.00%
Accounting fees                              29,569        30,058       (489)    -1.63%
Total Expense                             1,001,257     1,011,137     (9,880)    -0.98%
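The two ways of reviewing figure 7-3 that the text contrasts, flagging raw year-over-year changes above a threshold (what the board did) versus comparing each volume-driven program line with an expectation scaled by the change in children served, as an added Python example that is not part of the book. The expense figures are the page's own; the child counts are constructed, because the page says volume was down but gives no numbers.

```python
"""Analytical review of the figure 7-3 statement of activities.

Expense figures are the ones printed on the page. The page says the volume of
children served was down for the year but gives no counts, so the volumes
below (120 prior year, 100 current year) are a constructed illustration.
"""

# (line item, YTD 9/30/X1, YTD 9/30/X0) -- values from figure 7-3
EXPENSES = [
    ("Salaries and wages", 469_754, 468_795),
    ("Employee benefits", 22_503, 23_664),
    ("Payroll taxes", 35_936, 35_863),
    ("Professional services", 277_807, 277_542),
    ("Legal fees", 24_620, 29_550),
    ("Office expenses", 37_071, 37_875),
    ("Information technology", 7_858, 8_842),
    ("Occupancy", 46_601, 46_000),
    ("Travel", 20_957, 25_050),
    ("Conferences, conventions and meetings", 3_516, 3_855),
    ("Interest", 7_428, 7_428),
    ("Insurance", 6_500, 6_205),
    ("Training and development", 7_617, 6_890),
    ("Depreciation and amortization", 3_520, 3_520),
    ("Accounting fees", 29_569, 30_058),
]

# Program expense lines the page identifies as varying with the number of children served.
VOLUME_DRIVEN = {"Professional services", "Legal fees", "Travel"}

# Constructed volumes (assumption): a drop of roughly one sixth, in line with the
# ~16 percent decline the page reports for legal fees and travel.
CHILDREN_SERVED_X0 = 120
CHILDREN_SERVED_X1 = 100


def pct_change(current, prior):
    """Year-over-year change in percent, rounded as in figure 7-3."""
    return round((current - prior) / prior * 100, 2)


def total(rows, index):
    """Column total; index 1 is the current year, 2 the prior year."""
    return sum(row[index] for row in rows)


def threshold_review(rows, threshold=5.0):
    """What the board did: flag only lines whose raw change exceeds a threshold.

    Returns a list of flagged line items. A line padded to stay flat never trips it.
    """
    return [name for name, cur, prior in rows
            if abs(pct_change(cur, prior)) > threshold]


def expectation_review(rows, volume_driven, vol_cur, vol_prior, tolerance=5.0):
    """Expectation-based review described on the page.

    For each volume-driven line, expect the prior-year amount scaled by the
    change in volume, then flag lines whose actual amount deviates from that
    expectation by more than the tolerance (in percent). Returns a dict of
    {line item: deviation from expectation in percent}.
    """
    ratio = vol_cur / vol_prior
    flagged = {}
    for name, cur, prior in rows:
        if name not in volume_driven:
            continue
        expected = prior * ratio
        deviation = round((cur - expected) / expected * 100, 2)
        if abs(deviation) > tolerance:
            flagged[name] = deviation
    return flagged


def cost_per_child(rows, volume_driven, vol_cur, vol_prior):
    """Unit-cost view of the same idea: amount divided by children served, both years."""
    return {name: (round(cur / vol_cur, 2), round(prior / vol_prior, 2))
            for name, cur, prior in rows if name in volume_driven}


if __name__ == "__main__":
    print("Threshold review flags:", threshold_review(EXPENSES))
    print("Expectation review flags:",
          expectation_review(EXPENSES, VOLUME_DRIVEN,
                             CHILDREN_SERVED_X1, CHILDREN_SERVED_X0))
    unit = cost_per_child(EXPENSES, VOLUME_DRIVEN, CHILDREN_SERVED_X1, CHILDREN_SERVED_X0)
    for name, (cur, prior) in unit.items():
        print(f"{name}: {cur:,.2f} per child this year vs {prior:,.2f} last year")
```

With the constructed volumes, the threshold review flags legal fees and travel but not professional services, while the expectation review flags only professional services, which sits about 20 percent above what the drop in volume would predict.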

Designing a System of Internal Control

Entity Controls

When designing a system of internal control, the nonprofit should start with the entity controls that form the foundation of the control structure and support the control activities for the various transaction cycles. Management will need to ask, “What policies and procedures could we put in place to meet the objectives in the COSO framework?”

There is no one correct answer to that question. Chapter 2 discussed the questions dealing with governance that are asked in the Form 990. If the IRS took the effort to include questions about entity controls on Form 990, it implies that the IRS believes that the controls that are the subject matter of the questions are important. However, if an organization has only those controls, it will not generally be sufficient to meet the objectives identified in the COSO framework. Certain vendors of tools and templates, including the AICPA[7] and Practitioner’s Publishing Company,[8] offer products with examples of internal controls that could be implemented at the entity level. Management should consider the options available and make decisions on the design and implementation of entity level controls considering the size and complexity of the organization.

The next example shows how an organization used internal control products to choose the controls that were right for it and document them. Controls that are not documented are less likely to be consistently followed.


A nonprofit historical society had $25 million in revenue. Its primary revenue sources were memberships and contributions from donors. In addition, the organization had a gift shop, offered workshops and programs on topics of historical interest, and sold admissions to its museum. In 2010, a new ED was hired. Prior to joining the historical society, she worked with a charitable organization that placed a high priority on its internal controls. One of the first things she did was ask the CFO to perform an evaluation of the organization’s entity level internal controls. The new ED was concerned because she knew that nonprofits faced scrutiny from the IRS, Charity Navigator, GuideStar, and others. She also knew that donors prefer to give to organizations they feel they can trust to do the right thing.

The new ED believed that once the foundation for the control structure was solid, the organization could then undertake an evaluation of each of its transaction cycles. The CFO purchased COSO’s Internal Control—Integrated Framework (2013) and used it to get suggestions on controls that would be effective for her organization. In fact, the organization already had some very good controls, but given changes in its business model and increased use of technology, additional controls were added. The CFO also decided it would be helpful to enhance the level of the current documentation. The CFO created a new structure that not only documented the controls already in place but also included controls that would fill what she believed to be the gaps or holes in the historical society’s controls. The resulting table follows.

Control Environment
(Controls with * indicate that they are also included in Form 990 questions)
Principle Controls Identified by the CFO From the COSO Framework
Integrity and ethical values establish management’s intent that the conduct of the organization is transparent and above reproach; that the financial statements are free of misstatement; and the organization complies with all laws, regulations, grant requirements, and donor restrictions.
  • The organization has a code of ethics and conflict of interest policy. Employees are trained on the policy and are expected to sign an acknowledgement each year of their understanding. (*)
  • The organization has a whistleblower policy and an anonymous reporting mechanism. Employees are trained to know where to report instances of suspected fraud or noncompliance with laws, regulations, contracts, and grant agreements. (*)
  • The governing board and management make anti-fraud awareness a priority and a no tolerance policy sets a preventive tone.

The board of directors understands its roles related to the oversight of the financial reporting function and internal control.

  • Two-thirds of the board members are independent. (*)
  • The board signs the code of ethics and conflict of interest policy. (*)
  • The board reviews the financial statements and Form 990 before they are released. (*)
  • The board consistently performs budget to actual, current period to prior period, and other reviews of financial information on a monthly basis.
  • The board meets with the external auditor at least yearly and on an as-needed basis.
  • The board is aware of the need for effective internal controls and discusses their effectiveness with management.
  • The board includes at least one financial expert.
  • Outside speakers in matters of risk, internal control, and fraud awareness are brought in to assist the board in improving its oversight.
Management’s philosophy and method of operating are conducive to effective controls. Management does not exercise inappropriate levels of control, take inordinate business risks, or expect employees to achieve unrealistic or unethical operating results.
  • The organization publishes a newsletter, and it is used to reinforce executive management’s and the board’s view of accurate financial reporting and ethical values. The newsletter reminds management and the employees of their responsibility to the organization and gives them a place to turn if they feel pressured.
The organization is committed to retaining competent employees in the areas of financial accounting and reporting. Employees are held accountable.
  • Training programs are held for employees so they are current on requirements and policies affecting their job. Performance appraisals are performed and reviewed with employees yearly. Employees are held accountable for the quality of their work.
Human resource policies and procedures support effective internal control over financial reporting.
  • Background and credit checks are performed on new employees.
  • Employees who are in financial positions are bonded.
Risk Assessment
Principle Controls Identified by the CFO From the COSO Framework

Risk assessments are performed to understand where the organization is vulnerable. This includes internal and external risks. Management establishes clear objectives to better identify the most significant risks to meeting the objectives.

The entity specifically assesses the risk of fraud.

Management prioritizes risks and then determines an appropriate response.

  • Management and department heads identify areas of risk to the organization and provide input to senior management’s risk assessment.
  • Senior management and the board meet to discuss risks to the organization. Input from middle management and department heads is considered.
  • Management and the governing board prioritize the risks as to the chance of them occurring and the magnitude if they did.
Information and Communication
Principle Controls Identified by the CFO From the COSO Framework
The organization has adequate information technology to support accurate accumulation of financial information, financial reporting, and compliance with laws and regulations.
  • The information technology is appropriate to the size and complexity of the organization.
  • The organization has the appropriate controls over the input to the system and output from the system.
  • Information security, including passwords, is evaluated yearly. Passwords are changed every 90 days.
The organization has sufficient communication among the board, management, staff, external auditors, regulatory bodies, and others to allow for the exchange of information that would allow accurate and transparent financial reporting to take place.
  • Information from regulatory bodies and changes to the organization’s internal controls and policies are provided to staff on a timely basis to assist them in their duties.
  • See board controls in the preceding "Control Environment" section.
Monitoring
Principle Controls Identified by the CFO From the COSO Framework

Monitoring of the organization’s activities takes place at the board level, the executive level, and at the individual account balance level.

There is a mix of ongoing and separate evaluations to determine whether internal controls are properly designed and functioning.

Internal control deficiencies are dealt with on a timely basis and corrective action is taken. The board evaluates the changes that need to be made to prevent reoccurrence.

  • Monitoring of the organization’s activities takes place at the board level. The board performs analysis on the financial statements on a monthly basis.
  • Board reviews Form 990. (*)
  • Senior management monitors financial metrics on a monthly basis.
  • Reconciliations of asset and liability accounts are performed on a monthly basis.
  • See other board monitoring activities in the preceding "Control Environment" section.

Control Activities

Control activities are important to prevent, or detect and correct, errors and fraud at the level of the transaction cycles. As discussed in this chapter, the common transaction cycles are revenue and cash receipts, expenses and disbursements, payroll, and investments, although there could be others. It is important to document not only the processes involved in the accounting for these transactions but also the internal controls within the processes.

Even properly trained employees can make inadvertent errors, and that is why reconciliations of account detail to the general ledger, spot checking the work of employees, and analytical procedures are very important. But these controls alone will not be sufficient to prevent or detect fraud. There are excellent products 9 on the market that can provide management with examples of control activities that, along with segregation of duties, will more specifically address the risk of fraud.

Management should consider the following entity-specific factors and how they could impact control activities that are needed for effective and accurate processing:

  • External environment and complexity
  • Nature and scope of operations
  • Degree of regulation
  • Diversity of operations
  • Sophisticated information technology
  • Centralization and decentralization
  • Degree of innovation


A large nonprofit charity realized that its annual walk and gala were not performing as well as in past years. The lackluster performance of the events left a gaping hole in the entity’s fundraising goal. The director of advancement was concerned because her team was judged by its ability to attract and retain donors and hold successful events, so she looked for ways to make up the shortfall. For the past several years, a pharmaceutical company had contributed $100,000 to the entity to help pay for its quarterly magazine. The name of the company was in a small box on the inside cover with the words, “thank you to our sponsor”. When the advancement director called on the pharma company to ask for a donation for the current year, she asked for $200,000. The public relations department said they would ask for approval to give that amount, but in exchange they wanted space for a drug ad in the magazine. The advancement director was very pleased. She reported the $200,000 to the accounting department as a restricted donation, just the same as in prior years. The accounting manager did not ask for support for the transaction and recorded a donor restricted receivable for $200,000.

This is an example of how innovation can lead to an entity needing to rethink its internal controls. There was clearly a lack of communication controls in this entity. The advancement director thought the transaction was a contribution, as it had been in previous years, and the accounting manager did not challenge the nature of the transaction. The external audit team found the error, proposed an adjustment, and reported a significant deficiency in internal controls. The internal controls around communication between the advancement and accounting personnel were weak. In addition, because the fair value of the ad was probably not equal to the entire incremental funding, the entity had a bifurcated transaction: the exchange portion of the transaction must be estimated, and internal controls are necessary to ensure an appropriate valuation.

The AICPA’s Audit and Accounting Guide Not-for-Profit Entities 10 provides examples of areas in which it is particularly important to have good internal controls because the risk of error or fraud is higher in these areas:

  • Identification, acceptance, and evaluation of donor-restricted contributions
  • Valuation and recording of promises to give (pledges)
  • Valuation and recording of contributions of noncash assets (services, goods, utilities, use of long-lived assets, and the like)
  • Compliance with grantor requirements
  • Compliance with accounting principles such as those related to the allocation of expenses by function as well as natural classification or joint cost allocation, agency transactions, and the like (see discussion of accounting in chapter 5)
  • Identification and accounting for new programs

The following example illustrates how an organization could document the design of internal controls.


The ED of a private school was concerned about the internal controls over revenue. In particular, she wanted to ensure that contribution revenue was properly recorded and that payments by donors were recorded completely. She also wanted to be sure that the tuition being paid was posted to the correct student account. Some parents paid quarterly, some paid monthly, and some paid in advance for the year. There were also discounts associated with the advance payments. The school was small, and there were only two employees in accounting to keep up with the work.

She began by identifying the segregation of duties over revenue. Her documentation follows:

Segregation of Duties Over Revenue at Jordan Lewis Preparatory School

We believe that we have appropriate segregation of duties for the size and complexity of our organization. All cash comes into one central location. The mail is opened by two people, and a check log is prepared. Cash receipts in the form of checks are scanned in through the IStream system and reconciled to amounts received by the Bank of the South. The ED and the board of directors monitor the levels of revenue analytically. There is follow-up on variances from budget. Bank reconciliations are performed and reviewed independently from the handling and posting of cash. A table summarizing the segregation of duties follows.

Academic programs
  Initiating transaction: Academic program administrator handles registrations. All discounts are approved by the academic program administrator and the executive director.
  Cash handling: Accountant 1 processes checks by scanning them into the IStream system. Accountant 1 processes credit cards.
  Posting transaction: Accountant 2 posts revenue and cash receipts. Accountant 2 mails statements to students’ parents and follows up on complaints.
  Supervision and monitoring: Accountant 1 performs bank reconciliations. Executive director reviews the bank reconciliation monthly. Executive director reviews receipts analytically monthly.

Donations
  Initiating transaction: Development department initiates some donations; others are unsolicited. Donations are made online. Development department writes acknowledgement letters from information provided by accountant 1 and for pledges received.
  Cash handling: Accountant 1 processes cash receipts by scanning them into the IStream system. Accountant 1 processes credit cards.
  Posting transaction: Accountant 2 posts cash received and credit cards. Accountant 2 posts pledges.
  Supervision and monitoring: Reconciliation performed between the fund-raising database (Raiser’s Edge) and the general ledger by accountant 1. All donations reviewed by the executive director and board of directors (lists analytically reviewed). Executive director signs the acknowledgements and reviews general ledger classification for appropriate restrictions.

Special events
  Initiating transaction: Person in charge of the specific special event adds the event to Raiser’s Edge and records the list of checks received related to the event.
  Cash handling: Accountant 1 processes checks by scanning them into the IStream system. Accountant 1 processes credit cards.
  Posting transaction: Accountant 2 posts to accounting records.
  Supervision and monitoring: Reconciliation performed between Raiser’s Edge and the general ledger by the executive director.

Merchandise sales—Bookstore
  Initiating transaction: Parents and students purchase books in the bookstore. Bookstore personnel process credit card payments.
  Cash handling: Bookstore personnel reconcile the cash drawer daily and provide the reconciliation and detail tape to accounting. Accountant 1 processes cash and checks by scanning them into the IStream system. Accountant 1 reviews the reconciliation.
  Posting transaction: Accountant 2 posts activity to the general ledger.
  Supervision and monitoring: Executive director monitors cost of goods and sales margin through monthly analytical review.

Following are the controls in place to prevent or detect misstatement in revenue.

All forms of revenue (existence, occurrence, completeness)
  Control 1: Checks are endorsed with a "Bank of the South" stamp as they are run through the check scanning machine. The accountant places a red "POSTED" stamp on the face of the check.

All forms of revenue (existence, occurrence, completeness, valuation)
  Control 2: Deposits of cash are made by the receptionist on Tuesday and Friday. The checks are locked in the safe while they are waiting for deposit. Currency in denominations of $20 or more is tested with a counterfeit pen.
  Monitoring: The executive director goes online with Bank of the South to compare the amount of the deposit with the amounts on the reconciliations from the development director, store, and accountant 1.

All forms of revenue (accuracy, existence)
  Control 3: The bank statement is reconciled by accountant 1.
  Monitoring: The bank statement is reviewed by the executive director.

All forms of revenue (completeness, accuracy, existence, occurrence)
  Control 5: Accountant 1 attaches documentation to the computer-generated deposit slip and forwards it to accountant 2 for review after the cash receipts have been posted.
  Monitoring: These are reviewed again by the executive director when posted to the general ledger for completeness and accuracy.

All receivables (valuation)
  Control 6: Follow-up is performed on past due receivables by the academic program administrator, and adjustments are made as needed for tuition. Follow-up is performed on pledges by the development director, and adjustments are made as needed.
  Monitoring: Accountant 1 proposes a journal entry based on the input from the academic program administrator. These are reviewed quarterly with the executive director.

Special events (existence, occurrence, completeness, cutoff)
  Control 7: Special event revenue is recorded in the general ledger by accountant 2.
  Monitoring: The executive director compares the monthly schedule of events to revenue posted to the general ledger and follows up with the special events coordinator if an event is listed on the schedule but revenue and expense have not been recorded. Further monitoring is performed by the board.

Merchandise at stores (existence, occurrence, completeness)
  Control 8: Cash registers are used at the bookstore. Cashiers have sign-in and sign-out access codes.
  Control 9: The bookstore manager has access to the register tape compartment and occasionally reviews the tape if there is a question about a transaction.

Antifraud Programs and Controls

Nonprofits, like other small organizations, are vulnerable to fraud. The ACFE describes three categories of fraud:

  • Fraudulent financial reporting. Improperly reporting transactions and events in the financial statements. This could include overstating or understating account balances, failure to make required disclosures, or making misleading disclosures.
  • Asset misappropriation. Theft of assets. Assets may be cash or noncash assets.
  • Conflicts of interest. Use of an employee’s position in a way that violates the employer-employee relationship. Examples are bribery, extortion, and conflicts of interest.

The most prevalent fraud scheme reported in the 2016 Report to the Nations on Occupational Fraud and Abuse is theft of assets. 11 In fact, 90 percent of respondents to the survey reported it. The median loss ($100,000 per incident for nonprofits in the survey) is far less than for fraudulent financial reporting ($975,000 per incident for all companies—nonprofits were not separately identified in this category), but the occurrence is far more frequent.

The ACFE 2016 Report to the Nations on Occupational Fraud and Abuse highlights the fact that smaller organizations are more likely to be touched by fraud, primarily because they are lacking in antifraud programs and controls. Antifraud programs and controls have been shown to be effective in reducing the magnitude of frauds and the length of time it takes before the fraudster is caught.

In its Statement on Auditing Standards No. 122, section 240, Consideration of Fraud in a Financial Statement Audit, 12 the AICPA states that there are three important elements to consider when evaluating the possibility of fraud. The first is the incentive or pressure that an individual has to commit fraud. The second is the opportunity. The third is the ability to rationalize the act.

Misappropriation of Assets

Lindsey works for a charitable organization. She has 3 children, and one of them is very ill. The medication for her child is very expensive, and Lindsey makes too much money to qualify for public assistance. Her husband was just laid off from his job. At her job, Lindsey opens the mail by herself and makes a list of the incoming cash and checks. She knows that frequently a $10 or $20 bill will come in with nothing more than a note saying, “Thank you for the good work that your organization does for the disadvantaged.” No name, no address, and no way to write an acknowledgement. The pressure on Lindsey to help her child is significant, and she decides that she, too, is disadvantaged and takes the money.

Incentive or Pressure: Lindsey sees her child suffering and feels desperate because she can’t pay for the medication.

Opportunity: Lack of controls. Lindsey has no one watching her open the mail, and the cash is an easy thing to steal. Further, the cash is unsolicited, and the donor is not expecting an acknowledgement.

Rationalization: Lindsey believes her family is disadvantaged in its circumstances and she may even believe that she will pay back the money once her husband gets work.
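The school’s Control 2 and Control 3 monitoring above, and the Lindsey example, are two sides of one point: a reconciliation compares records, so it catches what disappears after it was recorded and cannot see what never reached the record. The following added example (my code, not the book’s; all check log, deposit and bank rows are constructed) reconciles a check log prepared by the two people who open the mail against the scanner deposit detail and the bank credit. In the first scenario a check is removed after logging and is reported as an exception; in the second a $20 bill is taken before the log is written, as in the Lindsey example, and all three records agree, which is why the dual-control mail opening has to come first.

```python
"""Three-way reconciliation of cash receipts: check log vs. deposit vs. bank.

Added example, not code from the book. It implements the comparison behind the
school's Control 2 / Control 3 monitoring and shows the limit that the Lindsey
example illustrates: cash removed before it is logged leaves nothing to
reconcile. All data below are constructed.
"""
from collections import Counter

# Constructed check log, as prepared by the two people opening the mail.
CHECK_LOG = [
    ("2016-06-06", "check", "Smith", 250),
    ("2016-06-06", "check", "Jones", 1000),
    ("2016-06-06", "check", "ABC Corp", 5000),
    ("2016-06-06", "currency", "anonymous", 20),
]
# Constructed deposit detail from the scanner batch; the Jones check was removed after logging.
DEPOSIT_SLIP = [
    ("2016-06-07", "check", "Smith", 250),
    ("2016-06-07", "check", "ABC Corp", 5000),
    ("2016-06-07", "currency", "anonymous", 20),
]
# Constructed bank activity: the bank credited exactly what was deposited.
BANK_ACTIVITY = [("2016-06-07", 5270)]


def reconcile(check_log, deposit_slip, bank_activity):
    """Compare the three records item by item and in total.

    Returns the totals, the log items absent from the deposit ('missing'),
    deposit items absent from the log ('unlogged'), and the deposit-to-bank
    difference. Item matching is on (kind, payer, amount).
    """
    logged = Counter((kind, payer, amt) for _, kind, payer, amt in check_log)
    deposited = Counter((kind, payer, amt) for _, kind, payer, amt in deposit_slip)
    total_logged = sum(amt for _, _, _, amt in check_log)
    total_deposited = sum(amt for _, _, _, amt in deposit_slip)
    total_banked = sum(amt for _, amt in bank_activity)
    return {
        "total_logged": total_logged,
        "total_deposited": total_deposited,
        "total_banked": total_banked,
        "missing": sorted((logged - deposited).elements()),
        "unlogged": sorted((deposited - logged).elements()),
        "deposit_vs_bank": total_deposited - total_banked,
    }


def exceptions(result):
    """Items the reviewer (the executive director in the table) should follow up on."""
    notes = []
    for kind, payer, amt in result["missing"]:
        notes.append(f"logged but not deposited: {kind} from {payer} for {amt}")
    for kind, payer, amt in result["unlogged"]:
        notes.append(f"deposited but never logged: {kind} from {payer} for {amt}")
    if result["deposit_vs_bank"]:
        notes.append(f"deposit slip differs from bank credit by {result['deposit_vs_bank']}")
    return notes


# Lindsey scenario: the $20 bill never reaches the log, so the three records
# agree and the reconciliation has nothing to flag.
LOG_SKIMMED_FIRST = [row for row in CHECK_LOG if row[1] != "currency"]
DEPOSIT_SKIMMED_FIRST = [
    ("2016-06-07", "check", "Smith", 250),
    ("2016-06-07", "check", "Jones", 1000),
    ("2016-06-07", "check", "ABC Corp", 5000),
]
BANK_SKIMMED_FIRST = [("2016-06-07", 6250)]

if __name__ == "__main__":
    print(exceptions(reconcile(CHECK_LOG, DEPOSIT_SLIP, BANK_ACTIVITY)))
    print(exceptions(reconcile(LOG_SKIMMED_FIRST, DEPOSIT_SKIMMED_FIRST, BANK_SKIMMED_FIRST)))
```

Matching items rather than only totals matters: two errors of equal size in opposite directions net to zero in the totals but still appear in the item lists.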

Fraudulent Financial Reporting

Grace works for a private school in its advancement department. The expectation is that she will raise 20 percent more in donations this year than the last. The economy is not good, and Grace is having trouble getting new donors. There is a foundation that is willing to give the organization a matching grant if Grace is able to raise $100,000 by the end of the fiscal year. Grace goes to several existing donors with multiyear pledges and asks them to extend their pledges one year. Five of them are willing to do it, and these additional pledges provide the organization with $50,000 in donations toward the $100,000. This is not enough for the match.

Desperate to meet her goal, Grace goes to the accounting department and tells them that they need to write off pledges in the amount of $50,000 from multiyear donors. About a week later she reports an additional $50,000 in pledges. There are no new pledges; Grace is just reinstating the pledges written off the prior week. The people in the accounting department do not understand the significance of what they have been asked to do, and they are reluctant to question Grace, who is their friend. Grace files a report with the foundation claiming credit for (1) the amounts she raised in the fiscal year and (2) the fraudulently written off and reinstated pledges. She receives the matching grant and meets the expectations of the ED and the board. This is clearly fraud perpetrated on the foundation that will provide the matching grant.

Incentive or Pressure: Grace is afraid that she will not meet the expectations of the board.

Opportunity: Lack of controls. Grace knows that the accountants have limited knowledge and training and do not understand what they are being asked to do. There is insufficient review of journal entries at all levels where this activity could be detected.

Rationalization: Grace believes that what she is doing isn’t really stealing because the foundation has so much money and because her organization is deserving of the funding.
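The write-off-then-reinstate pattern in the Grace example is exactly the kind of thing a journal-entry review can catch if someone is looking for it. The following added example (my code, not the book’s; the journal rows are constructed, and the row layout of entry id, date, donor, entry type, amount and requester is an assumption about how a pledge ledger might be exported) pairs each pledge write-off with a later “new” pledge from the same donor for the same amount within a window, totals how much of the reported new pledges is really reinstated, and singles out pairs where one person requested both entries.

```python
"""Journal-entry review for the write-off-and-reinstate pledge pattern.

Added example, not code from the book. The journal rows are constructed and
the field layout (entry id, date, donor, entry type, amount, requester) is an
assumption about how a pledge ledger might be exported.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample journal: three pledges written off and re-entered about a
# week later at the same amounts, plus two unrelated entries.
JOURNAL = [
    ("JE-101", date(2016, 3, 15), "Donor D", "pledge_writeoff", 5_000, "Sam"),
    ("JE-102", date(2016, 6, 1), "Donor A", "pledge_writeoff", 10_000, "Grace"),
    ("JE-103", date(2016, 6, 1), "Donor B", "pledge_writeoff", 15_000, "Grace"),
    ("JE-104", date(2016, 6, 1), "Donor C", "pledge_writeoff", 25_000, "Grace"),
    ("JE-105", date(2016, 6, 8), "Donor A", "pledge_new", 10_000, "Grace"),
    ("JE-106", date(2016, 6, 8), "Donor B", "pledge_new", 15_000, "Grace"),
    ("JE-107", date(2016, 6, 9), "Donor C", "pledge_new", 25_000, "Grace"),
    ("JE-108", date(2016, 6, 20), "Donor E", "pledge_new", 8_000, "Grace"),
]


def find_reinstated_writeoffs(journal, window_days=90):
    """Pair each pledge write-off with a later 'new' pledge from the same donor
    for the same amount within window_days.

    Returns (writeoff_id, new_pledge_id, donor, amount, requesters) tuples
    ordered by entry id, where requesters is the set of people who asked for
    the two entries.
    """
    writeoffs = defaultdict(list)
    for jid, d, donor, kind, amt, who in journal:
        if kind == "pledge_writeoff":
            writeoffs[(donor, amt)].append((d, jid, who))
    hits = []
    for jid, d, donor, kind, amt, who in journal:
        if kind != "pledge_new":
            continue
        for wd, wid, wwho in writeoffs.get((donor, amt), []):
            if wd <= d <= wd + timedelta(days=window_days):
                hits.append((wid, jid, donor, amt, frozenset({who, wwho})))
    return sorted(hits, key=lambda h: h[:2])


def overstated_new_pledges(journal, window_days=90):
    """Amount reported as new pledges that is really reinstated prior pledges."""
    return sum(amt for _, _, _, amt, _ in find_reinstated_writeoffs(journal, window_days))


def single_requester_pairs(journal, window_days=90):
    """Pairs where one person requested both the write-off and the reinstatement,
    the strongest sign that neither entry received an independent review."""
    return [h for h in find_reinstated_writeoffs(journal, window_days) if len(h[4]) == 1]


if __name__ == "__main__":
    for wid, jid, donor, amt, who in find_reinstated_writeoffs(JOURNAL):
        print(f"{wid} written off and reinstated as {jid}: {donor} {amt} requested by {', '.join(sorted(who))}")
    print("overstated new pledges:", overstated_new_pledges(JOURNAL))
```

Run on the constructed journal, the review reports the three reinstated pledges, a $50,000 overstatement of new pledges, and that the same person requested every pair; the genuine write-off for Donor D and the genuine new pledge from Donor E are left alone. A review like this is only as good as the requester field and the entry types being recorded, which is itself a control the accounting department has to keep.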

Revenue Recognition and Management Override

AU-C section 240 states that there are two areas that are presumed to be significant risks of fraud. The first is misstating (recognizing) revenue. The primary reason a nonprofit would do this is to show larger results, making the nonprofit appear to have more revenue than it actually has. For many organizations, this is an easy place to misrepresent financial results. Management could

  • record fictitious pledges,
  • represent that revenue is collectible when it is not (instances in which the donor is not likely to honor the pledge), or
  • represent revenue as eligible to be spent on operations as opposed to restricted to spending for a specific purpose or time period.

Management override is also presumed to be a significant risk of fraud because management could

  • have access to all parts of the system and record transactions that do not exist or do not accurately reflect the situation. This is a violation of the segregation of duties that the organization may have.
  • put pressure on employees to make inappropriate entries to the system knowing they will do it for fear of reprisal.
  • ask employees to make inappropriate entries knowing that the staff does not have the experience to know the entries are improper.
  • create estimates that are biased.
  • improperly record unusual transactions or those with little business rationale believing that the board will not question them.

Antifraud programs and controls should be designed to prevent or detect these sorts of actions.

The AICPA provides a list of entity level controls that are good antifraud controls in the appendix to the standard. 13

Control Environment

  • Code of conduct or code of ethics
  • Ethics hotline and whistleblower program (hotline can take many forms)
  • Hiring and Promotion Guidelines—background and credit checks
  • Oversight by the audit committee and board
  • Investigation of ethical violations and prompt punishment and remediation of control deficiencies

Fraud Risk Assessment

  • Management’s identification of fraud risks and implementation of antifraud measures
  • Board’s assessment of the potential for management override of controls or other inappropriate influence over the financial reporting process

Information and Communication

  • Appropriate internal controls to prevent unauthorized changes to programs or master files
  • Communication between management and staff, management and the board, management and the auditors, the auditors and the board, and, if there are internal auditors, communication between them and the board
  • Ethics hotline (or equivalent for smaller organizations)
  • Open door policy
  • Collaborative board

Monitoring

  • Board receives and reviews periodic reports describing the nature, status, and eventual disposition of alleged or suspected fraud and misconduct
  • An internal audit plan (if the nonprofit is large enough) that addresses fraud risk and a mechanism to ensure that the internal auditor can express any concerns about management’s commitment to appropriate internal controls or report suspicions or allegations of fraud
  • Involvement of other experts—legal, accounting, and other professional advisers—as needed
  • Review of accounting principles, policies, and estimates used by management in determining significant estimates
  • Review of significant nonroutine transactions entered into by management
  • Review of functional reporting by internal and external auditors to the board and audit committee

The 2016 Report to the Nations on Occupational Fraud and Abuse 14 showed that those completing the survey had antifraud controls as follows.

Antifraud Control Percentage of Those That Had the Control
Code of conduct 81.7
Internal audit department 73.7
Management review of internal control 64.7
Independent audit committee 62.5
Employee support programs 56.1
Fraud training for employees 51.6
Fraud training for managers and executives 51.3
Antifraud policy 49.6
Dedicated Fraud Department 41.2
Surprise audits 37.8

Joseph Wells, the founder of the ACFE, acknowledges that internal controls will not ever completely prevent or detect fraud. The 2016 survey noted that the median time it took to detect occupational fraud was 18 months. However, 32 percent of the frauds in the survey took two years or longer to detect. The longer a scheme goes on the more financial harm it causes.

Duration Average Cost
13–18 months $150,000
37–48 months $350,000
More than 60 months $850,000

The 2016 Report to the Nations on Occupational Fraud and Abuse notes that the most frequent way that fraud is detected is by a tip. In fact, 39.1 percent of the nonprofit respondents to the survey indicated that this was how the frauds in their organizations were detected. A tip may come from an employee, vendor, or funding source. Internal audits were another way that frauds were caught (16.5 percent), followed by management’s review (13.4 percent), by accident (5.6 percent), by account reconciliation (5.5 percent), by document examination (3.8 percent), and by external audit (3.8 percent). This suggests that a strong whistleblower program, frequent account reconciliation, review of documents, and an external audit may be very beneficial to the nonprofit, considering the cost.

Joseph Wells suggests that preventive controls are the key to combating the cost of occupational fraud. His advice is summarized in the antifraud check-up tool that follows.

Antifraud Provision Questions for Board Members to Ask Response

Training

Do employees receive training that helps to educate them about the following:
  • What constitutes fraud?
  • Costs of fraud, such as job loss, publicity issues, loss of donor funding, and so forth?
  • Where to go for help if they see something suspicious or unusual?

Is there a zero tolerance policy for fraud and has it been communicated?

Does the organization have an effective way for employees to report fraud or suspicious behavior?

Is there an anonymous reporting mechanism for employees to use?

Do employees understand that those issues reported will be investigated?

Perception of detection

Does the entity seek knowledge of fraudulent activity?

Is there a message sent that there will be tests made to look for fraud?
  • Are there surprise audits?
  • Is software used to identify issues from data?
Management’s tone from the top

Does the organization value honesty and integrity?

Are employees surveyed to determine whether they believe that management acts with integrity?

Have fraud prevention goals been set for management, and are they evaluated on them as an element of compensation?

Is there an appropriate oversight process by the board or others charged with governance?

Antifraud controls

Are any of the following performed?

  • Risk assessments to determine management’s vulnerabilities
  • Proper segregation of duties
  • Physical safeguards
  • Job rotation
  • Mandatory vacations
  • Proper authorization of transactions
Hiring policies

Are the following incorporated in the organization’s hiring policies:

  • Past employment verification
  • Credit check
  • Criminal and civil background check
  • Education verification
  • Reference check
  • Drug screening
Employee support programs

Are there any programs in place to help struggling employees with financial issues, drug issues, or mental health issues?

Is there an open door policy so that employees can speak freely?

Are anonymous surveys conducted to assess employee morale?

One of the most important things that a board member or member of management can do is to become aware of the ways that fraud can be accomplished. The next section discusses some of the most common ways that fraud can occur and internal controls that might be implemented to either prevent or detect it at the transaction level.

The Report to the Nations illustrates the frequency of fraud schemes by industry. Corruption topped the list for the religious, charitable, and social service sector at 28.8 percent and the educational sector at 31.8 percent. The prevalence of other schemes follows.

Scheme Religious, Charitable, and Social Services Educational Entities
Corruption 28.8 31.8
Billing 25.0 34.1
Non-cash 13.5 17.4
Expense reimbursements 25.0 15.9
Skimming 19.2 25.0
Cash on hand 13.5 17.4
Check tampering 25.0 7.6
Financial statement fraud 3.8 5.3
Payroll 13.5 7.6
Cash larceny 9.6 13.6

Billing Schemes, Check Tampering, and Expense Fraud

In billing schemes, the fraudster submits fictitious invoices for payment. With check tampering, the fraudster steals checks and makes them out to him or herself, or another organization under his or her control, or steals outgoing checks to a vendor and deposits them in his or her bank account.


Marie and Carolyn worked for a nonprofit organization that provided meals to the elderly. Marie worked in operations, and Carolyn worked in accounting. The nonprofit spent thousands of dollars each week to purchase food, to package food, and to reimburse volunteers for gasoline and automobile mileage. Marie and Carolyn did not work together and did not know each other very well, but their cubicles were very close together. Although not an eavesdropper by nature, Marie frequently overheard Carolyn defending herself to what sounded like bill collectors. But one day, she noticed that Carolyn wasn’t getting as many calls anymore and was glad that she appeared to have solved the problem. One day, Marie noticed Carolyn slipping what appeared to be a check in her purse. Because it looked like a business check, Marie’s curiosity was piqued. A week or so went by, and Marie noticed Carolyn putting another check in her purse. She thought it was odd but couldn’t understand how Carolyn would have access to checks made out to the company because she worked in accounts payable.

Marie was bothered by these incidents. She was aware of the organization’s open door policy. The policy said that all unusual events should be reported to the internal auditor. She took advantage of the opportunity and discussed the situation with the internal auditor. The internal auditor began to watch Carolyn and put the pieces of the puzzle together.

The Scheme: Carolyn was responsible for approving invoices for payment. She would look to see if the vendor was on the approved vendor list, review the documentation supporting the invoice, and, if the math was correct and the receiving documents agreed, then she initialed the invoice and approved it for payment. There were some invoices, though, that did not have supporting documentation. These were invoices for consulting or other professional services. Carolyn was also responsible for vendor relationships, so she received any checks that came to the organization representing repayments for overpayments to vendors. If an invoice was paid twice, or if for some other reason a vendor wrote a check to the nonprofit, the procedure called for Carolyn to notify accounts payable and give the check to the person in charge of preparing the daily deposit.

Carolyn knew that the information system did not detect duplicate payments, and she knew that monitoring was weak. To perpetrate the fraud, she made a copy of each invoice as she approved it. Once she knew the original had been paid, she submitted the copy for payment. When the vendor’s refund check came in, she put it in her purse and deposited it to her own checking account through an ATM.

Fraud Scheme: Duplicate payment scheme


Jerry and Donna both worked for a nonprofit clinical research organization. Jerry was involved in performing research, and Donna worked in the accounting department. They got to know each other very well and decided to form an informal partnership.

The Scheme: Jerry created a company, JEH Consulting, and printed fictitious invoices for computer consulting services. He used a post office box to receive payment but put a bogus street address on the invoice that purported to be the address of JEH Consulting. Donna set up the fictitious vendor in the accounting system, approved Jerry’s invoices, and sent them through accounts payable. The team started small, keeping the invoices below any threshold that would have alerted company personnel that computer consulting costs were higher than expected. Over 18 months, which included two audit cycles, Jerry made his invoices larger and larger until, in the second audit cycle, the amount exceeded the threshold for investigation by the external auditor performing analytical procedures. The auditor knew that fraudsters often create service companies because services require no fictitious receiving documents, that fraudulent payments tend to grow over time, and that remittances to post office boxes can be a red flag. The auditor pulled the invoices for the consulting services and, using Google Maps, determined that the address of JEH Consulting was a vacant lot.

Fraud Scheme: Fictitious invoices


Sandra was a bookkeeper for a church. She had been the bookkeeper for about 20 years. Sandra had little oversight of her work because the pastor of the church believed she was an honest person. Sandra had been defrauding the organization for years.

The Scheme: She was paying the utilities and other operating expenses of the church and also paying her own. Because she had been doing it for so long, the auditor’s analytical procedures did not show any unusual increases. This went on until one day the pastor went into the hospital for an extended period of time. The treasurer of the governing board wanted to see the support for the checks that Sandra wrote rather than just sign them the way the pastor did. Sandra’s game was over. Unfortunately, the church chose to let her go quietly rather than prosecute. This is a failing of many nonprofits that do not want adverse publicity. When her activities were investigated, the governing board discovered that she had stolen approximately $600,000 over a 10-year period. In addition to writing checks from the church account to pay her bills, up until the current year she was also reimbursing herself for office supplies and other items from petty cash. In the current year, she began using the debit card that the church treasurer got because he thought it was better than Sandra using petty cash. Sandra realized that when she purchased office supplies, she could get cash back. No one ever saw it because only the name of the vendor showed up on the bank statement. Sandra destroyed the receipts.

Fraud Scheme: Excess purchasing scheme, fictitious (inflated) invoices


Justin had the complete confidence of the chief executive of an international nonprofit. He had the ability to initiate payments to be made to grantees in other countries by wire transfer. He said he needed to do this to keep the payments flowing. The chief executive was often overseas himself. In addition, Justin had very little oversight and complete custody of the assets. The only duty he did not perform was to sign the outgoing checks. The nonprofit used UPS to send packages to the grantees, and the UPS bill was very large. Justin made payments to UPS every two weeks but never reconciled the vendor statement, and no one asked to look at it. Circumstances changed in his life and he needed some cash.

The Scheme: He set up a bank account for his “new” company, UPS Roofing. After the check to UPS had been signed, he stole it and altered the payee. He deposited the check. So many checks were written to UPS that UPS never complained. The nonprofit was a steady customer. After a while he stole another. The board wondered why the organization was so short of cash and hired a consultant to come in and investigate. At that point Justin’s fraud was uncovered.

Fraud Scheme: Check tampering

Billing schemes may be the easiest to accomplish because it is very easy to create invoices. It is also very easy to deposit checks made out to another company into a personal account through an ATM. Bank controls are not sufficient to prevent this activity, and banks would rather refund the money for those incidents brought to their attention than put in costly controls.

Following are internal controls that could be put into place in the organization to prevent or detect billing and other cash disbursement schemes. Note that this is not a comprehensive list of all possible internal controls that could be implemented. For a more complete list, consult the tools referenced in preceding sections.

Control, with the types of occurrences it could help to prevent or detect:

  • Bond employees who have access to purchasing, cash disbursements, and accounts payable processing. Employee theft bonds can be obtained through insurance companies; the website provides additional information and sources. Bonding will not prevent or detect fraud, but it will help to compensate the organization should fraud occur.
  • Require employees to take two consecutive weeks of vacation near the end of an accounting cycle, with someone else performing their duties during that time. If two-week vacations are not feasible, rotate duties so that the person who generally performs the function does not have the same access for a period of time.
    Helps prevent or detect: fictitious invoices, altered invoices, duplicate payment schemes, and stolen checks.
  • Require documentation of the receipt of goods (a receiving report) or services (a signature by the individual who had the service performed), independent of the person who approves the invoice for payment. Documentation may be electronic; management should determine the form that is acceptable.
    Helps prevent or detect: fictitious invoices, altered invoices, duplicate payment schemes, and stolen checks.
  • Management should approve all vendors on the approved vendor list, and the list should be reviewed periodically to ensure that no vendor has been added without approval.
    Helps prevent or detect: fictitious invoices.
  • Reconcile the disbursement records to the accounts payable open invoice file, and reconcile the accounts payable detail to the general ledger. Management should review the reconciliations.
    Helps prevent or detect: fictitious payments.
  • Use positive pay, a feature that can be added to an organization’s bank account under which the bank pays only those items the organization has previously reported to it, normally by check number and amount and, with payee positive pay, by payee name. Note that an altered payee, as in the UPS Roofing case above, is caught only if the payee name is part of what the bank matches.
    Helps prevent or detect: fictitious payments and stolen checks.
  • Separate the following duties:
    • Check preparation
    • Check signing
    • Ability to change the master vendor file
    • Approval of invoices for payment
    • Accounts payable processing
    • Cash disbursements
    • Mailing checks (do not give checks back to the employee who wrote them or to the accounts payable clerk)
    Helps prevent or detect: fictitious checks, excess purchasing, duplicate payments, and stolen checks.
    Note that although locking up the check stock is a good control, today many frauds are committed by fraudsters who obtain the bank account information and print their own checks. Technology has come a long way, and it makes both legitimate and fraudulent commerce easier.
  • Reconcile the bank account promptly and investigate all old reconciling items. Stop payment on items older than 90 days and reissue the checks. Bank reconciliations should be reviewed promptly as well.
    Helps prevent or detect: fictitious payments.
  • Stamp invoices "paid" to prevent repayment.
    Helps prevent or detect: duplicate payment schemes.
  • Management should perform analytical procedures comparing budget to actual and the current period to the prior period.
    Helps prevent or detect: fictitious invoices, altered invoices, duplicate payment schemes, stolen checks, inappropriate wire transfers, and check tampering.
  • Purchase orders, check requests, checks, and receiving documents should be prenumbered, and the series should be accounted for by an independent person.
    Helps prevent or detect: fictitious payments and stolen checks.
  • Payments to employees should be authorized by management.
    Helps prevent or detect: excess purchasing schemes.
  • Wire transfers and other electronic payments should be reviewed by management and, if large enough, by two people.
    Helps prevent or detect: wire transfer and electronic payment schemes.
  • Manual (hand-written) checks should not be used. If they must be used, senior management should approve them.
    Helps prevent or detect: fictitious invoices.
  • Invoices should be approved and supported by receiving documents, purchase orders, bills of lading, check requests, or other support. Invoices should be summed and the quantities challenged for reasonableness.
    Helps prevent or detect: fictitious invoices and excess purchasing schemes.

Use of Analytical Techniques to Identify Unusual Disbursement Transactions for Investigation

Today there are several software programs that can help management run tests to identify unusual transactions. ACL, IDEA, and even Excel are such programs. Data from the organization’s general ledger can be downloaded into them and a battery of tests run in a very short period of time. Running such tests sets the tone that employees are being watched, which, according to Joseph Wells, is itself a deterrent to fraud. Management could run the following queries:

  • Which employees have the same addresses as vendors?
  • Which vendors use post office boxes to remit payment?
  • Which vendors have initials in their names?
  • To which vendors are the most payments made?
  • Search for duplicate payments (by invoice number and by payment amount)
  • Run Benford’s law to identify unusual patterns in expenses.

In 1938, Frank Benford published a study of digit frequencies in naturally occurring data. He found that the digits of such numbers are not equally likely: the probability that a number begins with the digit d is log10(1 + 1/d), so about 30 percent of values begin with 1 and fewer than 5 percent begin with 9, and the skew fades for the second, third, fourth, and later digit positions. The table he built has been used in analytical procedures ever since. An excerpt from Benford’s table follows. 15

Digit    As first    As second    As third    As fourth
0           -         .11968       .10178      .10018
1         .30103      .11389       .10138      .10014
2         .17609      .10882       .10097      .10010
3         .12494      .10433       .10057      .10006
4         .09691      .10031       .10018      .10002
5         .07918      .09668       .09979      .09998
6         .06695      .09337       .09940      .09994
7         .05799      .09035       .09902      .09990
8         .05115      .08757       .09864      .09986
9         .04578      .08500       .09827      .09982

This information can be used to investigate occurrences. Not all anomalies in data mean that there is fraud.


Wayne James Nelson worked for the state of Arizona as a manager in the state treasurer’s office. He was convicted of fraud against the state in 1993.

The Scheme: He created several fictitious vendors and began writing checks to them, depositing the amounts in his own account. Over a very short period of time, he wrote 23 checks. The first was $1,927.46. The amounts became larger and larger, but the checks were always under $100,000 because another level of approval would have been needed above that. The total of the checks written from October 9, 1992, through October 19, 1992, was $1,878,687.58. When Benford’s law was run on these data, the pattern in the checks was almost the opposite of what Benford’s law predicts. Most people do not know that this pattern exists in numbers. Many of the checks written began with the digits 7, 8, and 9, which the chart shows are the least likely first digits. Nelson argued that he did this as a test to show that the accounting system did not have the appropriate level of controls.*

* Mark Nigrini, “I’ve Got Your Number,” Journal of Accountancy, May 1999.
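The queries listed above and the Benford first-digit test, as an added example that is not part of the original chapter and not an ACL, IDEA, or Excel script from it. The vendor master, employee master, and payment file are constructed, as are the 23 check amounts, which are patterned after the Nelson case rather than taken from it; the mean absolute deviation (MAD) cutoffs used to label the result are the first-digit cutoffs published by Nigrini (2012), an assumption of this example rather than something the chapter states.

```python
"""Disbursement tests of the kind listed above, run over constructed sample data."""
from collections import Counter, defaultdict
import math
import re

# Constructed vendor master, employee master and payment file (not from the page).
VENDORS = [
    {"id": "V001", "name": "Acme Food Supply", "address": "12 Market St, Springfield"},
    {"id": "V002", "name": "JEH Consulting", "address": "P.O. Box 4410, Springfield"},
    {"id": "V003", "name": "City Utilities", "address": "1 Civic Plaza, Springfield"},
    {"id": "V004", "name": "R&B Packaging", "address": "88 Industrial Way, Shelbyville"},
]
EMPLOYEES = [
    {"id": "E10", "name": "Jerry Hale", "address": "PO Box 4410 Springfield"},
    {"id": "E11", "name": "Marie Ortiz", "address": "7 Elm St, Springfield"},
]
PAYMENTS = [  # (vendor id, invoice number, amount paid)
    ("V001", "A-1001", 1842.50), ("V001", "A-1001", 1842.50),  # same invoice paid twice
    ("V001", "A-1002", 2210.00), ("V003", "U-33", 640.00),
    ("V003", "U-34", 640.00),    # same amount, different invoice: a recurring bill, not fraud
    ("V002", "JEH-7", 9800.00), ("V002", "JEH-8", 14500.00), ("V004", "P-5", 3320.75),
]

def _norm_address(addr):
    """Lowercase, drop periods, turn other punctuation into spaces: 'P.O. Box' == 'PO Box'."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", addr.lower().replace(".", "")).split())

def employee_vendor_address_matches(employees=EMPLOYEES, vendors=VENDORS):
    """(employee id, vendor id) pairs sharing an address: a fictitious-vendor red flag."""
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[_norm_address(v["address"])].append(v["id"])
    return [(e["id"], vid) for e in employees
            for vid in by_addr.get(_norm_address(e["address"]), [])]

PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)
INITIALS = re.compile(r"\b[A-Z](?:[.&]?[A-Z]){1,3}\.?\b")  # matches JEH, J.E.H., R&B

def po_box_vendors(vendors=VENDORS):
    return [v["id"] for v in vendors if PO_BOX.search(v["address"])]

def vendors_with_initials(vendors=VENDORS):
    return [v["id"] for v in vendors if INITIALS.search(v["name"])]

def duplicate_payments(payments=PAYMENTS):
    """Duplicates by (vendor, invoice) and by (vendor, amount); the amount list is noisier."""
    by_invoice = Counter((v, inv) for v, inv, _ in payments)
    by_amount = Counter((v, amt) for v, _, amt in payments)
    return {"by_invoice": sorted(k for k, n in by_invoice.items() if n > 1),
            "by_amount": sorted(k for k, n in by_amount.items() if n > 1)}

def top_vendors_by_payment_count(payments=PAYMENTS, n=3):
    return Counter(v for v, _, _ in payments).most_common(n)

def first_digit(x):
    """First significant digit of a nonzero amount, or None for zero."""
    x = abs(x)
    if x == 0:
        return None
    while x < 1:          # 0.042 -> 4
        x *= 10
    return int(str(int(x))[0])

# Expected first-digit proportions: log10(1 + 1/d); d = 1 gives .30103, as in the table above.
BENFORD_FIRST = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

def benford_first_digit(amounts):
    """Observed first-digit proportions and the mean absolute deviation (MAD) from Benford."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    counts = Counter(digits)
    observed = {d: counts[d] / len(digits) for d in range(1, 10)}
    mad = sum(abs(observed[d] - BENFORD_FIRST[d]) for d in range(1, 10)) / 9
    return observed, mad

def mad_conformity(mad):
    """Label a first-digit MAD using the cutoffs published by Nigrini (2012); an assumption."""
    if mad < 0.006:
        return "close conformity"
    if mad < 0.012:
        return "acceptable conformity"
    if mad < 0.015:
        return "marginal conformity"
    return "nonconformity"

# 23 constructed check amounts patterned after the Nelson case (not his actual figures):
# nearly all begin with 7, 8 or 9, and all stay under a $100,000 second-approval threshold.
NELSON_LIKE = [1964.12, 27902.31, 86241.90, 72117.46, 81321.75, 97473.96, 93249.11, 89658.17,
               87776.89, 92105.83, 79218.99, 86342.00, 94715.60, 96800.00, 81900.25, 88612.40,
               75114.30, 97500.00, 91230.00, 84000.50, 78910.22, 95431.77, 93000.00]

if __name__ == "__main__":
    print("employee/vendor address matches:", employee_vendor_address_matches())
    print("PO box vendors:", po_box_vendors(), " vendors with initials:", vendors_with_initials())
    print("duplicate payments:", duplicate_payments())
    print("most-paid vendors:", top_vendors_by_payment_count())
    observed, mad = benford_first_digit(NELSON_LIKE)
    print("share of first digits 7-9: %.2f  MAD: %.3f (%s)"
          % (observed[7] + observed[8] + observed[9], mad, mad_conformity(mad)))
```

Two caveats a reviewer should keep in mind. Every list these queries produce is a list of items to investigate, not a list of frauds: the second City Utilities payment is a recurring bill, and many honest vendors use post office boxes. And a Benford test is only meaningful on data that spans several orders of magnitude and has enough records for the proportions to settle; 23 checks make a vivid illustration of the Nelson pattern but not a statistical conclusion, so run it over a year of disbursements rather than a fortnight.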

Skimming and Larceny

The two most prevalent schemes in the area of cash receipts and revenue are skimming and cash larceny. According to the 2016 Report to the Nations on Occupational Fraud and Abuse, skimming occurred in 19.2 percent (charitable) and 25.0 percent (educational) of the cases reported, and cash larceny in 9.6 percent (charitable) and 13.6 percent (educational).

Skimming is harder to identify than larceny because cash receipts are stolen before they are recorded in the books and records. In a nonprofit, many contributions that the organization receives are not solicited. In addition, contributions are not like operating revenue in that sometimes there are more than at other times, so the amounts are less predictable, and analytical procedures are practically impossible to perform. With cash larceny, the payment comes into the organization and is recorded in the books; it just never gets to the bank.


Howard works for a nonprofit charity. He is responsible for opening the mail and preparing a list of the checks for deposit. The checks on the list are stamped “for deposit only,” that is, if they make it to the list. Howard also has access to the organization’s stationery. He knows that donors expect an acknowledgement letter and that, if they don’t get one, they call the ED and make inquiries.

The Scheme: Howard started by taking the currency that came in, because many times there was no indication of who had given the money. Then, because he wasn’t caught, he grew bold and stole checks for which the donations were unrestricted. He wrote each donor an acknowledgement letter on the nonprofit’s stationery and mailed it promptly. Like many fraudsters, Howard became greedy and stole more and more cash receipts. He became worried that the bank would notice checks made out to the organization going into his personal checking account. After the year’s golf tournament was finished and all the receipts and disbursements had been accounted for, he was asked to close the tournament account when he went to the bank to make the deposit. Instead he left it open and began depositing the stolen checks into that account, using the money to pay his mortgage and other bills. Howard got caught when the auditors asked the bank to confirm the closure of accounts that were supposed to have been closed.

Fraud Scheme: Skimming


Jim was responsible for performing the bookkeeping for a pledge drive at his organization. A fund-raiser was held, and approximately $500,000 in pledges was made by enthusiastic donors. Sue, the development director, added up the pledges, wrote the letters thanking the donors for their pledges, and gave the pledge list to the cash receipts clerk to post as contribution revenue. She also gave the list to Jim along with the donors’ addresses and phone numbers for follow-up after the event. The organization had reliable donors, and the cash started coming in. Jim identified the checks that were related to the campaign and began to mark the donors on the list as paid. He gave that information to the cash receipts clerk to post to the accounting records, and he prepared a deposit slip to take them to the bank.

The Scheme: Around the second week after the fundraiser, a check came in for $5,000. Jim was tempted to take the check and deposit it into his account. He listed it in the cash receipts to give to the clerk but never deposited the check into the organization’s account. Instead he deposited it into his own. He rationalized that he only needed the money for a short period of time and fully intended to pay it back before anyone could find out. He volunteered to reconcile the bank account for the month and his offer was gratefully accepted. He listed the check as a reconciling item on the bank reconciliation to make the account balance to the general ledger.

Jim was not able to pay the money back. The ED was supposed to review the bank reconciliation. Although she was two months behind, at the end of the quarter she asked to see them. She also asked Jim why he was performing someone else’s function. Upon review of the reconciling items, she wondered how a deposit in transit could be so old. Jim was caught.

Fraud Scheme: Larceny

Following are internal controls that could be put into place in the organization to prevent or detect cash schemes. Note that this is not a comprehensive list of all possible internal controls that could be implemented. For a more complete list, consult the tools referenced in the preceding sections.

Control, with the types of occurrences it could help to prevent or detect:

  • Management should perform analytical procedures comparing budget to actual and the current period to the prior period.
    Helps prevent or detect: cash larceny and skimming.
  • Reconcile the bank account promptly and investigate all old reconciling items. Deposits in transit should not be more than one or two days old. Bank reconciliations should be reviewed promptly as well.
    Helps prevent or detect: cash larceny and skimming.
  • Keep amounts not yet deposited in a safe.
    Helps prevent or detect: stolen deposits and skimming.
  • Consider a lockbox where there is a lack of segregation of duties and a large volume of cash.
    Helps prevent or detect: cash larceny and skimming.
  • Use multipart deposit forms and reconcile the deposit to the amounts posted in the general ledger. Use prenumbered deposit slips.
    Helps prevent or detect: cash larceny and skimming.
  • Reconcile receivables to the general ledger.
    Helps prevent or detect: cash larceny and skimming.
  • Bond employees with access to cash.
    Helps prevent or detect: cash larceny, skimming, and theft of cash on hand (petty cash).
  • Management should review the receivables (pledges or accounts) for collectability and follow up.
    Helps prevent or detect: cash larceny and skimming.
  • Have a mechanism for donors to report issues.
    Helps prevent or detect: cash larceny and skimming.
  • Two people should count cash. Surveillance could be used where there is a significant amount of cash.
    Helps prevent or detect: cash larceny and skimming.
  • Segregate the following duties:
    • Opening the mail and logging the receipts
    • Posting the cash
    • Depositing the receipts in the bank
    • Handling complaints from donors
    • Performance of bank reconciliations
    • Writing acknowledgement letters
    • Following up on aged receivables
    • Reviewing bank reconciliations
    Helps prevent or detect: cash larceny and skimming.
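The reconciliation control above, worked through on Jim’s scheme: an added example that is not part of the original chapter, with constructed ledger postings and bank credits (not figures from the case). It matches each posted deposit to a bank credit, treats the unmatched ones as deposits in transit, and ages them against the one-or-two-day rule; it also shows why the ED’s question about an old deposit in transit was the right one, because a reconciliation that lists the missing check as a reconciling item still ties out to the penny.

```python
"""Bank reconciliation with aging of deposits in transit, over constructed data."""
from datetime import date

# Constructed cash receipts as posted to the general ledger: (posting date, amount, description).
LEDGER_DEPOSITS = [
    (date(2016, 3, 1), 4200.00, "pledge checks, batch 1"),
    (date(2016, 3, 8), 5000.00, "pledge check, donor 117"),   # listed as received, never deposited
    (date(2016, 3, 15), 3750.00, "pledge checks, batch 2"),
    (date(2016, 3, 30), 2100.00, "pledge checks, batch 3"),   # genuinely in transit at month end
]
# Constructed deposits credited on the March bank statement: (credit date, amount).
BANK_DEPOSITS = [
    (date(2016, 3, 2), 4200.00),
    (date(2016, 3, 16), 3750.00),
]
AS_OF = date(2016, 3, 31)   # reconciliation date

def reconcile_deposits(ledger, bank, as_of, max_lag_days=3, max_transit_days=2):
    """Match each ledger deposit to a bank credit of the same amount within max_lag_days.
    Unmatched ledger deposits are deposits in transit; those older than max_transit_days
    as of the reconciliation date are flagged as stale and must be explained, not carried."""
    unmatched_bank = list(bank)
    in_transit, stale = [], []
    for posted, amount, desc in ledger:
        match = next((b for b in unmatched_bank
                      if b[1] == amount and 0 <= (b[0] - posted).days <= max_lag_days), None)
        if match is not None:
            unmatched_bank.remove(match)
            continue
        age = (as_of - posted).days
        item = {"date": posted, "amount": amount, "description": desc, "age_days": age}
        (stale if age > max_transit_days else in_transit).append(item)
    # Bank credits with no ledger posting are the mirror-image problem (unrecorded receipts).
    return {"in_transit": in_transit, "stale": stale, "unrecorded_bank_credits": unmatched_bank}

def adjusted_bank_balance(bank_balance, rec):
    """Bank balance plus every deposit in transit, stale ones included. This is the figure a
    preparer who wants the reconciliation to 'balance' produces, so a reconciliation that
    ties out proves nothing until the reviewer looks at the age of each reconciling item."""
    return bank_balance + sum(i["amount"] for i in rec["in_transit"] + rec["stale"])

def book_balance(ledger=LEDGER_DEPOSITS):
    return sum(a for _, a, _ in ledger)          # receipts only; no disbursements in this sample

def bank_balance(bank=BANK_DEPOSITS):
    return sum(a for _, a in bank)

if __name__ == "__main__":
    rec = reconcile_deposits(LEDGER_DEPOSITS, BANK_DEPOSITS, AS_OF)
    print("reconciliation ties out:", adjusted_bank_balance(bank_balance(), rec) == book_balance())
    for item in rec["stale"]:
        print("stale deposit in transit:", item)
```

The reviewer’s check is the `stale` list, not the tie-out: the $5,000 check is 23 days old on the March 31 reconciliation, far outside the one-or-two-day window, while the $2,100 batch posted on March 30 is a normal deposit in transit. The same logic applied to the reviewer’s other question (why is the cash receipts clerk’s reconciliation being prepared by someone else?) is a segregation check, not a data check, and has to be done by a person.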

Payroll Fraud

As noted in this chapter, payroll fraud is not as prevalent as fraud involving cash receipts and cash disbursements. However, awareness of payroll fraud is important. Typical fraud schemes are

  • ghost (fictitious) employees,
  • paying more than the appropriate salary, including unauthorized bonuses or additional checks to employees, and
  • misappropriating payroll withholdings instead of depositing them.


Zeke needed cash. His job was to review the payroll and withholdings and post the summary information to the general ledger. However, because duties were segregated, he did not have the ability to create a new employee in the system. Hannah was his friend, and she had responsibility for entering new employees in the master payroll file and making changes to the file for pay rate increases and changes to withholding. The accounting manager reviewed the payroll analytically each month, but, because Zeke had been with the nonprofit so long, her review was cursory.

The Scheme: Zeke started visiting Hannah’s cube and talking to her more at work. He was trying to see if he could determine her password to the master payroll file. But Hannah typed in her password too quickly for him to see it. The organization had a policy of changing passwords every 90 days. One day Zeke initiated a conversation with Hannah about this control. Hannah told him that she could never keep up with all her passwords so she wrote them in her calendar and kept them in her desk drawer. This gave Zeke the information he needed to steal the password and give himself a raise. About 6 months later, because he had not been caught, he entered a new employee into the system. He used the social security number of a deceased person he found on the internet. He set the withholdings to zero and made sure the employee number was outside the range of the other employee numbers so that the ghost employee would not appear on the summary that the accounting manager reviewed. Because he had responsibility for posting to the general ledger, he spread the salary over several different account numbers so that none would appear unusual when the accounting manager performed analytical review.

Fraud Scheme: Ghost employee; unauthorized pay increase


Shirley worked for a food bank, and she was experiencing a personal cash flow problem. She was the only administrative employee. The organization was in the process of searching for a new ED, so there was no segregation of duties. The board was not working very hard to replace the ED; because the organization was so small, the board believed Shirley could easily handle the work. After all, the less paid out for administrative expenses, the more money was available for the program. The majority of the employees were in operations.

The chair of the board reviewed the results of operations each month, so Shirley was afraid she would get caught if she put a fictitious employee on the payroll. And she couldn’t think of a way to take incoming cash or write checks to herself. The organization had few cash transactions, receiving only one grant check each quarter, which paid for the operating expenses.

The Scheme: One day, when preparing to make the deposit to the IRS for payroll withholdings, she decided to deposit the check in her account instead. After all, no one looked at the regulatory correspondence to the organization, so she believed that she had a long time before anyone noticed. She really intended for this to be a temporary loan.

Fraud Scheme: Failure to deposit withholdings and misappropriating them


Dean was the administrator of a nursing home association. He was one of the most influential people in the state and lobbied extensively for the organization. The board believed he could never be replaced. There were 50 employees in the organization.

The Scheme: Dean not only abused the travel and entertainment policy, but he also created fictitious expenses and submitted them without guilt. He believed that, because of him, the nursing home industry was fairly treated by insurers and the state Medicaid agency, and he thought he could get far better compensation if he worked for a commercial entity. The board was aware of what he was doing, because accounting personnel had brought it to their attention, but no one was willing to do anything about it. This is not only a case of expense fraud but also an issue that tests the moral courage of the board. Moral courage is more fully explored in chapter 9.

Fraud Scheme: Expense report fraud

Following are examples of controls that could be used to prevent or detect payroll schemes.

Control, with the types of occurrences it could help to prevent or detect:

  • Analytically review payroll expense divided by the number of people on the payroll, and compare budget to actual.
    Helps prevent or detect: ghost employees, overpaying employees, and writing additional checks to employees.
  • Compare the number of people in the organization to the number of checks written.
    Helps prevent or detect: ghost employees, keeping terminated employees on the payroll, and writing additional checks to employees.
  • For organizations that still use manual checks, once a quarter or once a year hand out the paychecks in person and require ID to collect a check, so that ghost employees are identified. With direct deposit, the pay stub can be handed out instead.
    Helps prevent or detect: ghost employees, keeping terminated employees on the payroll, and writing additional checks to employees.
  • Segregate the following duties:
    • Maintaining the master payroll file
    • Reconciliation of payroll and related withholding and benefit accounts
    • Review of payroll and bonus checks
    • Preparation of checks
    • Signing checks
    • Approval of expense reports
    • Posting payroll to the accounting records
    Helps prevent or detect: ghost employees, writing additional checks to employees, keeping terminated employees on the payroll, inflated payroll checks, unauthorized bonuses, and expense report fraud.
  • Review timesheets for excess hours.
    Helps prevent or detect: overpaying employees and paying for hours not worked.
  • Require time-reporting mechanisms.
    Helps prevent or detect: overpaying employees and paying for hours not worked.
  • Use direct deposit. Have an independent person review the information that goes to the service organization. Use an imprest payroll account.
    Helps prevent or detect: overpaying employees, stolen paychecks, writing additional checks to employees, and keeping terminated employees on the payroll.
  • Lock up personnel files.
    Helps prevent or detect: ghost employees.
  • Require original receipts and review them for reasonableness, compliance with policies, and so forth. Authorizing personnel should not review their own expense reports.
    Helps prevent or detect: expense report fraud.
  • Use positive pay.
    Helps prevent or detect: employees writing additional checks to themselves and stolen paychecks.
  • Restrict the use of manual checks.
    Helps prevent or detect: employees writing additional checks to themselves.
  • All changes to the payroll master file need to be approved.
    Helps prevent or detect: ghost employees, writing additional checks to employees, keeping terminated employees on the payroll, and inflated payroll checks.
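The headcount, withholding, and master-file checks above, run as queries against a payroll register: an added example that is not part of the original chapter. The HR master and the one-month register are constructed; the ghost employee in it is built to use the same tricks as Zeke above (a number outside the normal range, withholding set to zero, and pay routed to an account that already belongs to a real employee), and a terminated employee is left on the register so that the headcount comparison has something to find.

```python
"""Payroll exception tests of the kind listed above, over constructed data."""
from collections import Counter, defaultdict
from datetime import date

# Constructed HR master file keyed by employee number (not from the page).
HR_MASTER = {
    101: {"name": "Ana Ruiz", "status": "active", "term_date": None},
    102: {"name": "Ben Cho", "status": "active", "term_date": None},
    103: {"name": "Tom Bell", "status": "terminated", "term_date": date(2016, 1, 15)},
    104: {"name": "Dev Sato", "status": "active", "term_date": None},
}
# Constructed payroll register for March 2016:
# (employee number, name on check, gross pay, federal withholding, deposit account).
REGISTER = [
    (101, "Ana Ruiz", 3200.00, 410.00, "0012-7781"),
    (102, "Ben Cho", 2900.00, 355.00, "0044-1102"),
    (102, "Ben Cho", 650.00, 0.00, "0044-1102"),      # second check to the same employee
    (103, "Tom Bell", 2900.00, 355.00, "0044-9903"),  # terminated in January, still paid
    (104, "Dev Sato", 3000.00, 380.00, "0089-5520"),
    (901, "Pat Lowe", 3100.00, 0.00, "0089-5520"),    # ghost: not in HR, number out of range,
]                                                     # zero withholding, shares Dev's account
PERIOD_START = date(2016, 3, 1)

def not_in_hr_master(register, hr):
    """Payees with no HR record: the most direct ghost-employee test."""
    return sorted({e for e, *_ in register if e not in hr})

def terminated_still_paid(register, hr, period_start):
    """Employees terminated before the period began who still received pay."""
    return sorted({e for e, *_ in register
                   if e in hr and hr[e]["term_date"] and hr[e]["term_date"] < period_start})

def numbers_outside_range(register, hr):
    """Zeke's trick: a number outside the HR range drops off range-bounded summary reports."""
    lo, hi = min(hr), max(hr)
    return sorted({e for e, *_ in register if not lo <= e <= hi})

def zero_withholding(register, min_gross=1000.00):
    """Material checks with no federal withholding; small supplemental checks are excluded."""
    return sorted({e for e, _, gross, fed, _ in register if fed == 0 and gross >= min_gross})

def shared_deposit_accounts(register):
    """Two employee numbers paid into one bank account: one of them is usually not a person."""
    accounts = defaultdict(set)
    for e, _, _, _, acct in register:
        accounts[acct].add(e)
    return {a: sorted(es) for a, es in accounts.items() if len(es) > 1}

def multiple_checks(register):
    """Employees paid more than once in the period (bonus or additional check to review)."""
    return {e: n for e, n in Counter(e for e, *_ in register).items() if n > 1}

def headcount_vs_checks(register, hr):
    """The 'number of people versus number of checks' comparison from the table above."""
    active = sum(1 for r in hr.values() if r["status"] == "active")
    return {"active_headcount": active, "checks": len(register),
            "distinct_payees": len({e for e, *_ in register})}

def run_payroll_tests(register=REGISTER, hr=HR_MASTER, period_start=PERIOD_START):
    return {
        "not_in_hr_master": not_in_hr_master(register, hr),
        "terminated_still_paid": terminated_still_paid(register, hr, period_start),
        "numbers_outside_range": numbers_outside_range(register, hr),
        "zero_withholding": zero_withholding(register),
        "shared_deposit_accounts": shared_deposit_accounts(register),
        "multiple_checks": multiple_checks(register),
        "headcount_vs_checks": headcount_vs_checks(register, hr),
    }

if __name__ == "__main__":
    for test, result in run_payroll_tests().items():
        print(f"{test}: {result}")
```

These tests only work if the HR master and the payroll register are maintained by different people and the person running the tests is neither of them; Zeke defeated the accounting manager’s review precisely because he controlled both the posting and the summary she looked at. They are also an argument for running the queries over the full register rather than over a summary report whose employee-number range was chosen by the person being reviewed.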

Controls Over Noncash Items

Noncash items can be stolen very easily from a nonprofit. Noncash items can range from supplies to laptop computers to other portable items. In some nonprofits, such as thrift stores and food banks, the level of noncash assets is proportionally higher. It may be tempting to believe that noncash items are of low dollar value, and some may be, but there have been fraud cases involving the theft of millions of dollars of noncash items over a period of time. When the fraudster sells the goods to others, this is referred to as “back door” sales. In one high profile fraud, approximately $26 million was stolen from a thrift store type of organization. Surveillance is the best option for a control because this type of fraud is difficult to analytically review.

When Processing Is Outsourced

Nonprofit organizations often find it beneficial and less costly to outsource certain processes to other entities. Outsourcing provides the organization with the ability to allow a company with expertise in the area and robust technology to process its transactions for a fee, thereby enhancing segregation of duties and eliminating the need for additional employees. Payroll is a good example of such a process. Another process frequently outsourced relates to processing investment transactions.

When processes are outsourced, it is very important for management to ensure that they understand the capabilities and quality of the service organization performing the processing. Management and the board are still responsible for the existence, accuracy, completeness, and valuation of the information that is processed by other entities. One way to do this is to obtain a system and organization controls (SOC) report. The outside service organization pays for an independent auditor to perform an audit of its controls on selected processes, and the resulting report is the SOC report. Management should review the report to determine if

  • whether the opinion on the system’s controls is anything other than unmodified;
  • whether there were exceptions in testing that would significantly affect the processing, such that management no longer believes the controls are sufficient for its purposes;
  • whether the complementary user entity controls, which the service organization specifies must be implemented by the user entity (the nonprofit) to prevent, or detect and correct, errors in the input of data and the output of information, are in place and functioning effectively. This is very important, because a service organization can be responsible only for the activities within its own system. What happens before the inputs reach it, and what happens after the information leaves it, can be monitored only by management of the user organization; and
  • whether the period over which the controls were described or tested is adequate for the user organization’s purposes. Type 2 SOC reports generally cover at least six months (often twelve), and the more the tested period overlaps the user’s fiscal year, the better. Because public companies need these reports, they are now provided more frequently. In addition, an entity can request a bridge letter (also called a gap letter) from the service organization covering the interval between the end of the tested period and its own year end.


A nonprofit used a service organization to process payroll. The nonprofit submitted a tape containing the payroll information to the service organization to perform the processing. The service organization has no control over the contents of the tape. If, for example, a fictitious employee was entered, or if withholding information was not changed by the nonprofit before the tape was sent, the service organization would have no way of knowing that what was being processed was incorrect. In addition, in its list of user controls, the service organization states that the user is responsible for the review of the information processed and should bring errors to the attention of the service organization.

Management should be aware that there is more than one type of SOC report so they can ensure they are using the correct one.

A SOC 1® report addresses controls at the service organization that are relevant to its user entities’ internal control over financial reporting. SOC 2® reports address controls relevant to security, availability, processing integrity, confidentiality, and privacy (the trust services criteria). SOC 3® reports are general-use reports: they summarize the result of a SOC 2 examination without the detailed description of the tests and their results, so they can be distributed publicly, but they provide less detail rather than a higher level of assurance.

There are also two types of SOC 1 and SOC 2 reports. A type 1 report gives the auditor’s opinion on the adequacy of the design of the controls and whether they have been placed in operation. A type 2 report goes one step further: the auditor issues two opinions, one on the adequacy of the design of internal controls and the other on the results of tests of their operating effectiveness.

Cybersecurity and Not-for-Profits

When people think of cybersecurity and data breaches, the first entities that come to mind are large retail companies, financial institutions, and governments. Nonprofits may find it tempting to say, “we are too small or insignificant for anything to happen to us.” But data now shows that nonprofits are being attacked too. One reason could be that they have fewer data security controls and are easier targets; in addition, there are automated tools (bots) that attack without regard to whether an entity is large or small. Loss of donor, employee, patient, client, or other sensitive data can cost the nonprofit its financial stability, even if the entity is insured, because of the damage to its reputation.

In 2015, the National Center for Charitable Statistics (NCCS) was hacked 16 and forms 990, E-Postcards and other documents were accessed. NCCS is a prominent analytical source for nonprofits. It uses its database of 990s to identify trends. Data-rich institutions such as NCCS are often the targets of hackers. They are typically looking for usernames, IP addresses, passwords and other data for the users of the system. In this case, that amounts to the 600,000-plus nonprofits that file informational returns. Fortunately, there were no credit card numbers or Social Security numbers in the system.

The Center for Strategic and International Studies, the Heritage Foundation, and the American Enterprise Institute have confirmed that they have been hacked. Through these hacks, it has become apparent that countries such as China are interested in how Washington works and accessing this sort of information is one way to gain insights.

Generally, hackers are after information that they can sell, or they act with malicious intent. In 2016, Presbyterian Medical Center in California experienced a viral attack known as ransomware. 17 This type of malware locks access to systems, and the victim entity is required to pay a ransom to regain the use of its system. This type of attack is crippling in a hospital, where employees who are shut out of the system must write down patient orders and use faxes to share information. Reports suggest that no patient data was stolen, but the attack cost the hospital $17,000 in bitcoin, which was the ransom paid by Presbyterian, and a 10-day slowdown at the hospital. Other hospitals that have experienced these attacks have had their patient information compromised.

Many nonprofits choose to keep quiet about their problems. The Nonprofit Quarterly 18 reported in August 2017 that an unnamed nonprofit had 500 W-2 forms stolen electronically, which were then put up for sale. The National Cybersecurity Center (NCC), a nonprofit that provides cybersecurity and training services, determined that the records were accessed through an email scam. NCC’s CEO noted that 75 percent of hacks result from user error, not a fault with the technology. This would indicate that training employees is critical in the prevention of attacks. NCC estimates that this issue could cost around $9 million to correct. NCC’s CEO believes that only about half of nonprofit executives are familiar enough with their systems and cybersecurity issues to have a conversation about it.

GuideStar 19 offers suggestions for nonprofits to implement so they can help protect themselves against attack.

1. The entity should get help. Many nonprofits have limited resources and are not able to hire the IT expertise they need full time. A consultant or other third party can provide a risk assessment and provide advice on how to set up a data security program. It will be important for the nonprofit to do some legwork and identify what sensitive data it has and where it is stored. The nonprofit should focus on activities such as taking credit cards and submitting payroll to a third-party provider.

2. A good data security program, just like a good fraud prevention program, includes awareness, training, preventive and detective controls, and an incident response plan. Entities should also have policies that address personal and other devices, such as wireless technologies and thumb drives, that could put the organization at risk.

Internal Controls Evolve

Internal control should continue to evolve as the external environment and the organization change. Organizations evolve through growth or changes in the way they do business, but often the internal controls are not reexamined to determine whether they are still sufficient and meet the needs of the organization. Policies and procedures may change but are not always updated in the organization’s policy and procedure manuals.

With all there is to do and with pressure to do more with less, sometimes this important area gets minimal attention. However, as noted, if employees don’t understand what they are supposed to do and why they are supposed to do it, lack of consistency surely follows. And if a new employee comes in to take the place of one who has worked with the process for some time, the new employee will have a difficult time knowing exactly what duties management wanted performed. The internal controls lose effectiveness.


Josh is the ED of a small membership organization. In fact, he founded it in 1970 and is very proud of all it has accomplished. Nearing 65, Josh is preparing to retire and talks about how this important trade group that has achieved such good results for its members is his legacy. During the audit of the financial statements, his auditor asked him, “Do you want this organization to be around for years to come after you leave?” Josh was surprised at the question and said, “Of course, why do you ask?” The auditor said, “All the policies, procedures, and processes are in your head; they have never been written down. How will anyone know what to do if you are not around to tell them?”

And of course, as discussed above, external forces can play a significant role in the need for additional internal controls. The organization may need to commit more resources and focus on internal control. This means that nonprofit management and their governing boards need to be alert for these changes and adapt the entity’s processes and controls. Nonprofits are outsourcing more of their processes, such as payroll, investment management, and online processing of contributions. While outsourcing can help to segregate duties in certain ways, the tendency may be to believe that if a process is outsourced, no further action is required on the part of the nonprofit. Nothing could be further from the truth. The nonprofit remains responsible for the input and output controls on all outsourced processes, as well as for understanding the quality of the service provider.

Evolving technology has given organizations the ability to use banking controls such as a positive pay system. As discussed earlier, positive pay enables management to notify the bank of the check numbers and amounts of checks that are authorized to be paid. Any items presented that are not on the list are declined by the bank. This helps to segregate duties without adding additional people. And positive pay is only one of the many banking controls that a nonprofit can use. Organizations should consider new technologies when evaluating their systems of internal control.
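The following Python sketch is an added illustration, not code from the book or from any bank, of the matching rule positive pay relies on: each item presented for payment is compared with the issued-check list by check number and amount, and anything that does not match is declined and becomes an exception for management to review. The issued and presented items are constructed sample data; matching the payee name as well is an optional extension (some banks offer it as "payee positive pay") and is an assumption of this example rather than something the text describes.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class IssuedCheck:  # one line of the issued-check file sent to the bank
    number: int
    amount: Decimal
    payee: str
    voided: bool = False

# Constructed sample issued-check file (not real data).
ISSUED_CHECKS = [
    IssuedCheck(1001, Decimal("250.00"), "Office Supply Co"),
    IssuedCheck(1002, Decimal("1200.00"), "Payroll Services LLC"),
    IssuedCheck(1003, Decimal("75.50"), "Utility Board", voided=True),
    IssuedCheck(1004, Decimal("980.00"), "Consultant A"),
]

# Constructed sample of items presented for payment:
# (check number, amount, payee name as it appears on the item).
PRESENTED_ITEMS = [
    (1001, Decimal("250.00"), "Office Supply Co"),       # matches issued list
    (1002, Decimal("2100.00"), "Payroll Services LLC"),  # amount altered
    (1003, Decimal("75.50"), "Utility Board"),           # voided before mailing
    (1005, Decimal("4000.00"), "Unknown Vendor"),        # never issued
    (1001, Decimal("250.00"), "Office Supply Co"),       # presented a second time
    (1004, Decimal("980.00"), "Someone Else"),           # payee altered
]

def positive_pay_decisions(issued, presented, match_payee=True):
    """Return one (number, decision, reason) tuple per presented item.

    Pay only when number and amount match an unpaid, unvoided issued check;
    decline everything else so it becomes an exception for management to review.
    """
    by_number = {check.number: check for check in issued}
    already_paid = set()
    decisions = []
    for number, amount, payee in presented:
        check = by_number.get(number)
        if check is None:
            verdict = ("decline", "check number not on issued list")
        elif check.voided:
            verdict = ("decline", "check was voided by the issuer")
        elif number in already_paid:
            verdict = ("decline", "duplicate presentment")
        elif check.amount != amount:
            verdict = ("decline", f"amount {amount} differs from issued {check.amount}")
        elif match_payee and check.payee != payee:
            verdict = ("decline", "payee differs from issued check")
        else:
            verdict = ("pay", "matches issued list")
            already_paid.add(number)
        decisions.append((number, *verdict))
    return decisions
```

The declined items are the exception report management should reconcile promptly, since a legitimate check that was left off the issued file will be declined alongside an altered or counterfeit one.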


Although people don’t want to believe that they or their organization will have a problem from fraud or suffer errors that are more than trivial, the examples of fraud schemes and errors presented in this chapter demonstrate both that no one is immune and that the effects of these problems can be more far reaching and damaging than one might anticipate. Implementing specific controls to address the risk of fraud and error can improve an organization’s assurance that such issues will be prevented or at least detected sooner. The examples in this chapter provide a business case for why internal controls are important. The illustrations of specific controls designed to mitigate the risk of fraud or error provide suggestions for how a system of internal control can be improved. With this knowledge, board members and executives can be better prepared to participate in the design and implementation of an effective system to help protect their organization from these types of risks. Internal controls are very important to the success of an organization. Not only do they prevent and detect error and fraud, but they also help safeguard its reputation.

Appendix A—2013 COSO Framework 17 Principles—Summary ©2013


Principle 1. The organization demonstrates a commitment to integrity and ethical values. There are several points of focus.

  • Setting the Tone at the Top
  • Establishing Standards of Conduct
  • Evaluates Adherence to Standards of Conduct and Addresses Deviations in a Timely Manner

Principle 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. There are several points of focus.

  • Establishes Oversight Responsibilities
  • Applies Relevant Expertise
  • Operates Independently
  • Provides Oversight for the System of Internal Control

Principle 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. There are several points of focus.

  • Consideration of All Structures of the Entity & Establishment of Reporting Lines of Responsibility
  • Defines, Assigns, and Limits Authorities and Responsibilities

Principle 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. There are several points of focus.

  • Management and the Board Establish Policies and Practices
  • Evaluates Competence and Addresses Shortcomings
  • Attracts, Develops, and Retains Individuals

Principle 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. There are several points of focus.

  • Enforces Accountability through Structures, Authorities, and Responsibilities
  • Establish and Evaluate Performance Measures, Incentives, and Rewards
  • Management and the Board Consider Excessive Pressures
  • Evaluates Performance and Rewards or Disciplines Individuals


Principle 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. There are several points of focus.

  • Operations Objectives
  • External Financial Reporting Objectives
  • External Non-Financial Reporting Objectives
  • Internal Reporting Objectives
  • Compliance Objectives

Principle 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. There are several points of focus.

  • Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels
  • Analyzes Internal and External Factors
  • Involves Appropriate Levels of Management
  • Estimates Significance of Risks Identified

Principle 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. There are several points of focus.

  • Management and the Board Have an Awareness of How Fraud Can Occur and Considers Various Types of Fraud
  • Management Assesses Incentives and Pressures
  • Management Assesses Opportunities for Fraud to Occur
  • Management Assesses Attitudes and Rationalizations

Principle 9. The organization identifies and assesses changes that could significantly impact the system of internal control. There are several points of focus.

  • Management Assesses Changes in the External Environment
  • Management Assesses Changes in the Business Model
  • Management Assesses Changes in Leadership


Principle 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. There are several points of focus.

  • Management Integrates Control with Risk Assessments Performed
  • Management Considers Entity-Specific Factors
  • Business Processes
  • Management Evaluates a Mix of Control Activity Types
  • Management Considers at What Level Activities Are Applied
  • Management Addresses Segregation of Duties

Principle 11. The organization selects and develops general control activities over technology to support the achievement of objectives. There are several points of focus.

  • Management Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls and Implements Effective General Controls
  • Management Establishes Relevant Technology Infrastructure Control Activities
  • Management Establishes Relevant Security Management Process Control Activities
  • Management Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

Principle 12. The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action. There are several points of focus.

  • Management Establishes Policies and Procedures to Support Deployment of Management’s Directives
  • Management Establishes Responsibility and Accountability for Executing Policies and Procedures
  • Management Specifies that Controls Must be Performed in a Timely Manner
  • Management Ensures that Corrective Action is Taken in Response to Issues Identified
  • Management Ensures that Controls are Performed by Competent Personnel
  • Management Reassesses Policies and Procedures


Principle 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. There are several points of focus.

  • Management Identifies Information Requirements
  • Management Captures Internal and External Sources of Data
  • Management Ensures that Systems Process Relevant Data into Information
  • Management Ensures that Systems Maintain Quality throughout Processing
  • Management Considers Costs and Benefits of Internal Controls

Principle 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. There are several points of focus.

  • Management Communicates Internal Control Information
  • Management Communicates with the Board of Directors
  • Management Provides Separate Communication Lines
  • Management Selects Relevant Method of Communication

Principle 15. The organization communicates with external parties regarding matters affecting the functioning of internal control. There are several points of focus.

  • Management Ensures that the Level of Communication to External Parties is Appropriate
  • Management Enables Inbound Communications
  • Management Enables Communications from External Parties to the Board of Directors
  • Management Provides Separate Communication Lines
  • Management Selects Relevant Method of Communication


Principle 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. There are several points of focus.

  • Management Considers a Mix of Ongoing and Separate Evaluations
  • Management Considers Rate of Change
  • Management Establishes Baseline Understanding of the System of Internal Controls
  • Management Uses Knowledgeable Personnel for Monitoring Tasks
  • Management Integrates Ongoing Evaluations with Business Processes
  • Management Adjusts Scope and Frequency of Separate Evaluations Depending on Risk and Makes Objective Evaluations to Provide Good Feedback

Principle 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. There are several points of focus.

  • Management and the Board Assess Results of Monitoring Procedures
  • Management Communicates Deficiencies in Internal Control
  • Management Monitors Corrective Actions