Internal Controls for Nonprofits — Adapting to the New Normal of Remote Work
The COVID-19 crisis has driven a seemingly overnight shift in employees working from home and has impacted several aspects of everyday work for nonprofits and other industries. Along with adapting your organization’s technology, systems, and work processes for the new realities of remote work, you also need to pay attention to the financial issues and risk management challenges of internal controls.
Now that people are working from home, your processes for approving payments or writing checks for the organization may need to change. Your organization’s leaders might need to take a big-picture view of how your financial processes work and decide how to adapt to the new normal where everyone is not in the same building all day.
With the right strategy and careful planning, your nonprofit organization can create an updated system of internal controls that suits the needs of your team while working from home, and serves your organization well throughout this crisis and into the post-COVID era.
Consider these key strategies and insights to drive your planning around internal controls while working from home.
Update the Risk Assessment for Remote Work
Think strategically about the risks facing your organization now that everyone is working remotely. How does your internal control process need to change?
Different organizations will have different risks, depending on how those organizations work. For example, some organizations might have already shifted to a primarily digital operational environment, while paper might still be the primary mode for others.
Assess your organization based on some of these key questions and considerations:
- How are people handling and managing checks that come into the organization?
- What is the process for approving payments that go out of the organization?
- Are vital documents being kept at an employee’s home?
- How can you ensure the integrity of digital signatures, if needed, to make sure that the right person (and only that person) is signing off on a payment?
- How can you maintain appropriate segregation of duties for your payments process?
- What are your biggest fraud risks in the new environment of working from home?
- Where are the files being saved and who has access to them?
Adapt the Organization's Culture of Controls
Management is responsible for setting the tone and creating a strong culture of internal controls. Managing the organization’s resources the right way is critical, even during normal times, but especially now during a time of crisis and uncertainty. Just because people are working remotely does not mean the standards and integrity of the work processes should change. This could be the right time and opportunity to implement more virtual and technical tools that can help not only with efficiency but also with improved controls.
Now that people are working remotely, consistent and frequent communication from your organization’s leaders is one of the best ways to maintain and strengthen the culture of internal controls and the overall mission of the organization.
Maintain Segregation of Duties
One of the most important concepts in internal controls is the segregation of duties: making sure that no one person on the team has too much access to resources without oversight. Remote work might require your organization to adapt its procedures and standards for segregation of duties, but make sure you keep the right controls in place to prevent employee fraud or stop vulnerabilities from happening.
There are a few ways to maintain the segregation of duties in a remote environment. For example, Microsoft Teams or Slack allow employees to collaborate on documents and establish a digital paper trail of reviews and approvals. Most online billing and payroll platforms offer certain features to provide for multiple levels of review and separate approvals. Due to the size of your team, it may be difficult to have adequate segregation of duties, but remember, oversight and monitoring by the right people can serve as a mitigating control that would help to prevent or detect any unusual activity.
Work with the IT Team
Internal controls are not just about payment processing or financial aspects; your information technology team also has a role to play to help protect your organization. Be proactive in reaching out to your IT staff and discuss the risks and challenges of internal controls for remote work. Talk with your IT team about how to prevent malicious attacks on servers, how to protect your organization from data theft, and how to train your people to adapt to the information security risks of remote work.
Aldrich is Here to Help
Just because people are working remotely doesn’t mean they have to be on their own, especially when managing money or processing payments for the organization. Think carefully about how to build the right review and control processes to adapt to this new reality of work. With the right internal controls in place, your organization can stay safe and financially secure throughout the COVID-19 crisis and into the new normal beyond.
If your organization needs assistance or recommendations in this area, our team at Aldrich is available and ready to help. Our technology team is available for consultations at no charge for nonprofits looking to implement a collaborative cloud platform. We’ll help you identify specific challenges and evaluate options to make sure you are set up for success. For additional information, please contact the Aldrich Technology Team.
If you have any questions or would like to discuss your current structure to identify risks, please contact your Aldrich Advisor.