Small NFPs: Implementing the COSO Framework may be easier than you think

July 7, 2020

No matter the size of your not-for-profit (NFP), internal controls are paramount and must be assessed and evaluated on a recurring basis. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Control - Integrated Framework provides a means to identify and evaluate internal controls across five components:

  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring activities

While this framework may seem complex, it actually can be used as an efficient way to right-size internal controls for NFPs of any size. Listed below are considerations that can help reduce the overwhelm many small NFPs feel when it comes to adopting the COSO framework.

Control environment

For a strong control environment, ensuring that you have defined roles and reporting responsibilities, both for management and those charged with governance, can go a long way. For smaller NFPs with relatively simple reporting and governance structures, documenting reporting and governance processes and committing to carrying them out on a regular basis generally will suffice.

Risk assessment

Many NFPs do assess risk on a regular basis but don’t take credit for it. If you discuss risks facing your organization and how they relate to your internal controls, then you are effectively assessing your risks. Documenting your risks and assessments can be as simple as taking notes from these conversations and can provide a helpful foundation for managing risk over time. Be sure that you consider both financial and nonfinancial risk areas. Ensure that programs, operations, HR, technology, and any other nonfinancial areas are evaluated for potential impacts.

Control activities

Ensuring that you have appropriate controls in place not just for financial reporting, but also from a technology perspective is central to addressing the control activities component. It is a good exercise to review the written controls in your key financial reporting areas on an annual basis, and to hold a discussion as to whether those are appropriate given the size and complexity of your organization, as well as any staff transitions.

Information and communication

Like risk assessment, obtaining and communicating information are things many NFPs already do, but they might not realize how those processes relate to internal controls. The receipt and dissemination of information from and to internal and external sources are essential to the function of your internal controls. Do you have systems in place that can capture and process the data you need to provide quality information to management and the board and to meet legal and regulatory requirements? Receiving relevant, quality information is critical, and communicating it to the appropriate parties is equally important.

Monitoring activities

After you identify your key internal control activities and consider any information received from third parties, the final step in the COSO internal control process is to monitor your controls. Continuous monitoring is critical because controls are only effective if they are being followed. Independent auditors may provide relevant feedback in this area through their testing of internal controls, but that is not sufficient for monitoring control effectiveness. Additionally, from a governance perspective, your board should understand management’s monitoring process and receive updates.

While the COSO framework may seem complex, smaller NFPs can efficiently adopt it. Certainly, the volume and depth of controls for an organization with a $2 million budget will be different than those for an organization with a $100 million budget, but at the end of the day, both organizations will develop and continuously evaluate their controls based on the scope of their activities and operations.

Key takeaway #1: For smaller NFPs that have concerns about the amount of time and effort it would take to adopt this framework, remember to take credit for things you already do. Many smaller organizations already have COSO processes in place; they just don’t realize it or document them. Do you discuss and analyze fraud risks on at least an annual basis at board meetings? Do you identify and analyze significant changes as they occur? If you answered yes, then you already have the key elements in place for a functional risk assessment process under COSO.

Key takeaway #2: Remember to evaluate nonfinancial areas under the COSO framework. While it is easy to focus only on finances, you may find that controls (or a lack thereof) in nonfinancial areas are the gateway for even larger risks to your organization. What would you do in the event of a cybersecurity breach? What happens if there is a social media incident? These nonfinancial areas will be unique, to a certain extent, for each NFP, and it is important that they are evaluated for impact and that appropriate controls are in place.

Implementing a COSO-based internal control framework doesn’t have to be a difficult process. Consider the above as you evaluate the framework’s potential value to your not-for-profit.