Internal Controls

Having good internal controls is an important measure to reduce an organization's risk of being victimized by fraud and can help prevent or detect material errors in the accounting system.  To assist your organization in identifying risks and designing appropriate internal controls, we have prepared an illustrative example of XYZ, Inc.

XYZ is a nonprofit organization that meets an important need in its local community. XYZ has several program employees at multiple locations who are involved in the daily operations to fulfill the organization's mission and two administrative employees who handle management and general accounting functions. XYZ has an active board of directors that feels passionate about the mission of the organization. XYZ's board knew that the small size of the administrative staff made the organization particularly vulnerable to fraud. Because the board of directors felt strongly about the importance of XYZ's mission, it performed a risk assessment to address fraud risks that could one day hinder XYZ's future operations. Below is a summary of the results of XYZ's risk assessment and the internal controls the board implemented to help ensure the organization's future success.

Cash disbursements

The first and most significant risk area identified was cash disbursements. Prior to the risk assessment, Sam, the controller, performed all accounting functions and banking. Leslie, the executive director, managed the organization's programs with little accounting oversight. The risk assessment revealed that Sam could have taken advantage of the lack of oversight to use organization funds to pay for personal purchases by recording the purchases as the organization's expenses and paying them using XYZ's checkbook, a type of billing scheme. Sam could also use the company credit card in a similar fashion. Other risks were also identified, such as fraudulent employee reimbursements and check tampering.

To reduce XYZ's exposure to these risks, the board mandated a change in procedures to increase internal controls. First, to address the risk of the controller recording personal purchases as the organization's expenses and paying them with XYZ's checkbook, the board of directors limited custody of the organization's check stock so that only the executive director had possession and could print checks. The ability to add and change vendors in the accounting system was also given exclusively to the executive director so that the controller would not be able to add vendors and submit altered invoices for personal purchases. The board limited record-keeping access to the accounting system so that only the controller could post journal entries and record expenses. The board also changed the authorized signers on the account so that only the treasurer, the chairperson and the vice chairperson had the ability to sign checks. As a further precaution, the board signed up for positive pay at its local bank to prevent checks that were not approved from clearing the bank. A process was put into place so that checks were printed only once per week and then given to one of the authorized signers to review with the supporting documentation to verify that only valid business expenses were being paid. It remained the controller's responsibility to reconcile the bank statement against the cancelled checks; however, the board began reviewing the monthly bank reconciliations and the monthly activity of cleared checks.

Payroll disbursements

As with cash disbursements, Sam, the controller, also managed the entire payroll process. Sam collected and reviewed each employee's time card and entered the hours worked during the pay period into the payroll program. Sam also entered the employees' hourly wage and benefits information. After entering the payroll data for the period, Sam was the only person to review the payroll register before it was processed and direct deposit was initiated. This process made it possible for Sam to increase his wages without anyone noticing.

To better control this process, the board of directors restricted the controller's ability to add employees or change pay rates and other information in the payroll module. This function was given to the executive director. The controller retained the responsibility of entering each employee's time in the payroll system; however, employee time sheets now required the approval of the employee's direct supervisor to ensure that hours were not overstated. The executive director reviewed the pre-process and post-process payroll registers and a summary of changes to employee rates and benefits to ensure that the payroll was correctly processed and as a double check that the hours each employee worked were not unusual. The executive director was also responsible for transferring money from XYZ's operating account to XYZ's payroll account after the pre-process register was approved.

Cash receipts

Another significant risk area identified as a result of the risk assessment was cash receipts. Prior to the risk assessment, Sam, the controller, could have used a few accounting tricks to skim money from XYZ (that is, steal cash receipts before they were deposited). Because Sam had custody of contributions and program income received, he could have skimmed some of it before it was deposited into XYZ's bank account. If the transaction had previously been recorded as a sale and receivable, Sam could also have concealed the skimmed cash by removing or reducing the sale in the accounting system, voiding the sale, writing off the receivable, lapping the receivable with a subsequent receipt, etc. If the cash skimmed was an unsolicited contribution, it would have been nearly impossible to detect the theft.

To reduce the risk of cash being skimmed from XYZ, the board of directors required that two people be present to open the mail at all times to help prevent cash and check contributions from being skimmed before being recorded as received. It was required that while opening the mail, the executive director immediately restrictively endorse all checks received as "For Deposit Only XYZ, inc." and log the amount and source of all cash and checks received. The controller's responsibility included verifying the balance of the deposit and taking the deposit to the bank. The executive director was responsible for reviewing the deposit slip and agreeing it to the daily cash receipt.

If checks or cash were received that were not ready to be deposited for any reason, the controller recorded it in the accounting system as a temporary deposit asset and liability. The executive director was responsible for maintaining custody of the money. 


Performing a fraud risk assessment is a critical step in an ever-continuing process to ensure that internal controls are appropriate for your organization. Even though XYZ, Inc. in the example above is not a real organization, its internal control model may provide helpful insight into potential risks within your own organization and steps that could be used to mitigate them. Also consider that while these controls may be appropriate for many organizations, they may not be best suited for yours. It is important to think critically about risks as they relate to your own organization in particular and design internal controls accordingly. Please contact us if you would like assistance in assessing your organization's risks and implementing an appropriate system of internal controls.


Synergy Accounting & Tax LLC

848 Dodge Ave 338
Evanston, IL 60202
T: 224-307-5143

© 2016
