In light of the recent COVID-19 outbreak, most nonprofit organizations have now been required to instruct many of their employees to work remotely or implement the use of technology to continue providing programs and collect contributions. This transition is unchartered territory in an environment that is evolving daily. Most organizations have policies and controls that were otherwise already established and were not originally designed to operate in a remote work scenario. With members of key teams, like accounting, working remotely, there is an increased number of people following unfamiliar protocols with indirect oversight, and adapting to the implementation of new technologies. This technology implementation opens up the potential for a break in financial controls and increases the risk that fraud could occur. Be sure to consider the items below during this crisis to ensure that proper financial controls are maintained.
Nonprofit organizations are currently experiencing extensive disruption, so it is necessary for the finance function to continuously operate in a way that allows critical functions, like financial controls, to remain intact. Payroll, processing of cash receipts, accounts payable, and other necessary functions need to remain operating while also ensuring that all revenue streams, including program grants or contribution dollars, continue to be safeguarded. Below are some critical steps which nonprofit organizations should be performing right away to support the financial control system:
- In order to remain successfully operational, it’s crucial to determine which processes are the most vital and take steps to develop alternative processes. Tasks like receipt and disbursement processing, as well as purchasing (including credit cards) and payroll, are the first processes to address. Communicate to all parties involved in these kinds of processes as a means to ensure consistent protocol and provide adequate guidance.
- Employees may require access to specific data to perform their daily functions, so it’s important to make it possible for them to securely gain access to this electronic information. Be sure to involve IT personnel in these decisions as a means to evaluate the safety of system firewalls and security systems.
- Make it a point to communicate to employees what remote-work practices are secure and allowed and which are not. This communication may include explaining to your team under what circumstances they may use unsecured networks. Individuals with access to sensitive data must be reminded of any additional security procedures they will be required to follow now that they are working in a different environment.
- It is essential to track and document any changes made to approval levels, access rights, procedures, or responsibilities. Any unforeseen adjustments to a process could potentially become a point of weakness. Therefore, tracking all changes enables more precise on-going and after-the-fact monitoring.
After the initial disruption, it will be necessary for many nonprofit organizations to operate remotely for an extended period of time. During this time, it is important to note that:
- Processes that have traditionally always been paper-based will transition to an electronic format. Consider electronic approval sign-offs, given that they are unique and identifiable to a specific individual with the appropriate approval authority. It is essential that no-one can falsely apply someone else’s electronic signature, which is preventable by implementing unique password-protected user accounts.
- Determine if there can be alternative delivery channels utilized to continue providing programs and services to members. These delivery channels might include the implementation of technology that will require enhanced security measures to ensure that data is protected.
- Those nonprofit organizations that are cash donation intensive might evaluate additional online platforms to keep contributions flowing. This switch to online platforms will require the implementation of new controls to ensure appropriate access to funds, adherence to restrictions placed on donations, and monitoring for possible fraudulent activity.
During this period, nonprofit organizations may become more reliant on detective (after-the-fact) controls— this kind of disruption increases the risk of failures in the preventative (up-front) controls.
- Nonprofit organizations should make certain that monthly reconciliations continue to be performed and reviewed (such as bank reconciliations, accounts payable reconciliations, and accounts receivable reconciliations) and may want to increase the level of review performed over these reconciliations.
As employees and management staff start to become familiar with the newly implemented processes—or as they begin to be able to return to their former processes—be sure to keep these follow-up steps in mind:
- As referred to in the “short-term” section above, management should be able to use process-change tracking documentation to analyze whether any of the changes can now be reversed and ensure those reversals take place as necessary.
- Nonprofit organizations might continue to deliver services and programs remotely and also utilize the new donation collection methods. Management should perform spot-checks of the new processes to determine if they were correctly followed and if controls were adequate and effective.
- Management should take this opportunity to evaluate their Business Continuity and Disaster Recovery plan (BCDR), determine how successful the strategies were, understand what has been learned, and identify improvements that need to be made.
The disruption, sudden process changes, and remote work environment increase the risk of a breakdown in financial controls. Therefore, during this period, management must make any necessary system modifications to enable activities to continue. Monitoring transactions and processes carefully can help ensure they are being executed correctly and identify potential long-term improvements for processes or the BCDR plan. For more information or help strategizing improvement to your BCDR plan, reach out to a CRI advisor.