The essential CFO: internal financial controls

Internal financial controls (IFCs) are the policies and procedures adopted by an organisation to assist in the efficient conduct of its business. Prevention and detection of fraud and errors are often seen as their main objective and the most recognised example would be getting two people to approve a payment.

For charities they are also essential in helping to achieve their aims and objectives by ensuring that assets are properly used, funds are effectively spent, and financial affairs are well managed.

The Charity Commission’s CC8 guidance, IFCs for charities, was last updated in 2012 but is no less relevant today. It states that IFCs are essential checks and procedures that help charity trustees:

• Meet their legal duties to safeguard the charity’s assets
• Administer finances and assets in a way that identifies and manages risk
• Ensure the quality of financial reporting, by keeping adequate accounting records and preparing timely and relevant financial information

Why are they important?

It is a duty of a charity’s trustees to ensure that resources are protected so that the charity can fulfil its aims. IFCs are just one part of a charity’s overall control framework, which should cover all of the charity’s systems and activities.

No system of IFCs, however elaborate, can guarantee that a charity will be totally protected against loss, waste, bribery, theft or fraud, or mistakes or mismanaged conflicts of interest.

But having sufficiently rigorous controls does provide the best chance of protecting an organisation’s assets and is the strongest defence for trustees against the charge of failing in their duties should something go wrong, and of demonstrating compliance with their risk management responsibilities.

What about fraud and financial crime?

The incidence of reported financial crime affecting charities is relatively small compared to the size of the sector. When it does happen the impact can be great, however, so it is important that charities take this risk seriously.

The voluntary nature of charities can make them vulnerable to people who want to misuse charities for their own gain. Financial crimes can result not only in significant loss of funds but also in damage to the public trust and confidence in charities more generally.

Who is responsible for IFCs?

There is no point having effective control procedures in place if they aren’t actually applied and adhered to across an organisation. It is thus important that all those working in the charity whether trustees, staff, and volunteers take the responsibility for IFCs seriously, rather than them being left to one or two trustees or senior staff members, or regarded as applying to some but not others.

This needs to be led from the top and often bringing about the required culture change is far more challenging than identifying what procedures should be put introduced in the first place.

A culture of control needs to be embedded in the operations of the organisation, created by the trustees and senior management, who should lead by example in adhering to the charity’s IFCs. This is even more crucial in a larger organisation where staff and volunteers may be widespread geographically or there are more layers of line management.

How should charities document and review IFCs?

IFCs should be written down as part of a charity’s financial procedures. And they need to be reviewed by trustees regularly – and certainly at least annually –  to check that they are working effectively, and efficiently.

This should include an assessment of whether the controls are relevant to, and appropriate for, the charity and not too onerous or disproportionate.

What are the key controls?

While the list of specific IFCs covering all aspects of a charity’s operations can be exhaustive, and may vary depending on what a charity does, and how it is structured, a key overall principle is segregation of duties. This means ensuring that no single individual has sole responsibility for any single transaction from authorisation to completion and review.

It is even more important in smaller charities where there are less trustees and senior managers to share the burden, but is still an important consideration for larger ones, where there can be an assumption that seniority automatically assumes responsibility.

In practice, for example, a member of the executive management team might not actually be best placed to make authorisations regarding day-to-day administrative activity.

Income controls may include for money received by the following:

• By post
• From public collections and fundraising events
• From Gift Aid
• Legacies
• Tainted donations
• Trading
• Cryptocurrencies

Examples of controls around assets and investments are ones on:

• Fixed assets
• Investment assets
• Cash deposits
• Electronic banking
• Alternative banking
• Restricted and endowment funds

For purchases and payments consider:

• Expenditure on goods and service
• Grant expenditure
• Payment by cheque and debit/credit cards
• Direct debits/standing orders/BACS
• Cash
• Salaries and expenses
• Loans

How should charities monitor IFCs?

IFCs need to be monitored to ensure that they are complied with and provide a sufficiently robust system for managing financial risk. The monitoring of financial activities by trustees and management on a regular basis is a vital part of this process.

A key financial monitoring activity is budgetary control, which means monitoring financial performance against a budget. Proper and realistic estimates of income and expenditure need to be made for each area of the charity’s activities for each financial year. Monitoring procedures should identify and seek explanations for significant over or underperformance of both income and expenditure plans.

Other monitoring activities include a review of expected sources of income and the actual income received.

Provision of financial information to trustees

To facilitate monitoring, which is a vital component of any system of IFCs, trustees need access to accurate, accessible, and timely financial information to enable them to make robust decisions, and identify potential errors. This information will typically include:

• The latest management accounts
• A comparison of budget to actual figures
• An explanation for variances between forecasts and what actually happened
• Details of cash flow and closing bank balances

Should larger charities consider an audit function or audit committee?

The nature of IFCs implemented will depend on the size of a charity and its activities. As size and complexity increase so does the potential role for an internal audit function and/or an audit committee.

The role of internal audit is to look at the effectiveness of a charity’s financial controls and to help trustees and managers identify and assess, manage, and monitor risks.

An audit committee’s role is to help the trustees meet their responsibilities for risk management, having effective internal controls and the efficient and effective use of funds.

As it acts on the authority delegated to it by the trustees it needs to have appropriate terms of reference and a clear reporting line to the main board.

Conclusion

Apart from a few troublemakers, no one sets out to get things wrong in charities, but innocent mistakes can be made. IFCs that guard against errors, and temptation, and create a framework within which trustees are making financial decisions based on the right information mean there is far less chance of things going awry.

Transparency around activity, monitoring and reporting should help, if not eliminate completely, mitigate risk – and allow trustees to maintain the financial control they need so their charity has maximum impact.