Financial Controls in an Electronic Age – Tips and Warnings
Nonprofits are continually pushed to do more with less. Technology has helped nonprofits keep up with these demands as it has enabled processes and procedures that create increased efficiency and effectiveness. However, the day-to-day processing of invoices and managing of receipts and authorizations in this digital environment require controls to limit risk when so much is easily reproducible, editable, etc. Chris Bertoncini, Director of Financial Consulting Practice, and Karen Hagerty, Senior Consultant, Financial Consulting Practice, at Insource Services Inc., presented some practices that Insource uses in its work acting as the finance and accounting department for numerous nonprofit organizations, as well as some best practices that Insource staff has observed at both nonprofit organizations and for-profit companies.
Evaluating risk and implementing and documenting controls in an ever-increasing electronic business environment is an evolving field. Different audit firms require different levels of documentation for electronic transactions. The process of conducting transactions is more important than the tools used. The goal of effective financial controls in the digital age is to evaluate risk and then to adopt the controls necessary to mitigate that risk. Organizations need to evaluate what resources they have available to accomplish this and how to allocate those resources most effectively. It is a good idea to identify the greatest area of risk and institute controls for that risk first. The role of the CFO and senior staff in reviewing the process and transactions will always be very important. Going completely electronic will not change that. No matter how sophisticated the controls are, someone will eventually try to go around them. It is important to have someone on staff or a consultant who is a technology expert to advise the organization about its level of exposure and how to mitigate that risk.
The increasing trend toward electronic transactions increases the exposure of your IT network to outside risks. You need to change passwords frequently and use passwords that are not predictable and are stored securely. Smaller organizations might look at using dedicated workstations. There are a number of choices for document sharing: Dropbox, Google Apps, Box, etc. The concept is that you can send documents/information to “the cloud” where it can be shared and accessed by other employees in your organization. These sites are relatively secure, but sending documents and/or information by email is definitely not secure. You cannot trust emails with attachments unless they come from a trusted source. Even faxing documents is more secure than using emails. If you do send important information via emails, your emails should be encrypted.
Online banking and bill paying are becoming more and more widespread. You need to make sure that access to the system is very restricted in your organization and determine the level of access that you will grant: read and write or read only. When using an e-paying system, you are wholly dependent on the security system of the bank that you are using – you need to be assured that it is very good. Unopened bank statements need to be reviewed monthly by a senior staff person who is not involved in actually cutting the checks or reconciling the accounts, preferably by someone in the organization who has signatory authority. Chris and Karen did not recommend mobile banking for organizations – it is still very much a consumer product. The use of cell phones to conduct banking business is not a good practice because it is not very secure.