Early 2021 started the “Great Resignation”, an ongoing economic trend in which employees voluntarily resigned from their jobs in masses. According to the U.S. Department of Labor, between 4.1 and 4.5 million employees quit their job each month through September 2022, and estimated totals for 2022 will surpass the 47.4 million people who quit their jobs in 2021. While these vacancies are being felt across all organizations, not-for-profits have been hard hit with lacking manpower resulting in stretched team members, both paid and volunteers, and fewer services delivered. With employees and volunteers taking on additional responsibilities, nonprofits should evaluate segregation of duties (SOD) around key processes to ensure effective operations.
Segregation of duties is a fundamental element of internal controls, which requires more than one person to complete certain key duties to prevent fraud and errors. There are four types of functions under the concept of segregation of duties:
The ideal work environment would prevent one person from handling more than one type of function for any process. Utilizing volunteers and/or board members is a viable option for not-for-profits with limited staff. They can play a key missing role, such as being a check signer, second count for a deposit, or assist with a reconciliation. Talk with your board members and volunteers on the roles you might need and see if they have the background/capabilities to help. Addressing SOD shortfalls as soon as possible will help not-for profits maintain the transparency and the integrity that donors are looking for.
Potential risks to a not-for-profit with a lack of segregation of duties includes:
These risks can cause significant damage to an organization such as fraudulent payments, inaccurate financial statements, or delayed month-end close.
A real-world example
An example of this would be the accounts payable process. A standard process for functions under accounts payable would be:
Job responsibilities and system/bank access should be reviewed periodically to ensure no employees perform more than one of these functions. If an employee does perform multiple functions, there is an increased risk of undetected errors and opportunity to misappropriate assets or conceal misstatements.
Steps to take now
If it is determined that an individual has been performing multiple functions within a process, the organization should set up compensating controls to mitigate risks until responsibilities can be adjusted. Examples of compensating controls can include periodic reviews of audit trail for transactions recorded to the general ledger, or review of exception reports.
It is critical that processes such as information technology (IT) and accounting evaluate SOD regularly to prevent inappropriate transactions. To document and evaluate SOD, a policy and matrix should be created outlining roles and responsibilities within the organization. Access roles within key systems should be monitored and evaluated regularly. With manpower limitations, systems can provide good preventative controls when setup appropriately.
For more information on this topic, or to learn how Baker Tilly risk advisory-specialized Value Architects™ can help, contact our team.
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Tax information, if any, contained in this communication was not intended or written to be used by any person for the purpose of avoiding penalties, nor should such information be construed as an opinion upon which any person may rely. The intended recipients of this communication and any attachments are not subject to any limitation on the disclosure of the tax treatment or tax structure of any transaction or matter that is the subject of this communication and any attachments.