Introduction
How can we prevent internal control failure in churches and charities?
One main benefit of good internal controls is their ability to minimise the risk of financial fraud.
Fraud against Christian organisations grew by another $4 billion in just one year, to reach $59 billion by mid-2022. And it is predicted to reach $70 billion globally by 2025, according to the Status of Global Christianity 2022.
This relates to reported cases, which represent roughly 20% of all church fraud cases.
As undesirable and damaging as fraud is, it is not the only consequence of failures of internal control.
Failure of internal controls also exposes an organisation to the risk of errors, non-compliance with laws and regulations, loss or damage to assets, waste and avoidable safety risks.
Where these risks occur, they can have an impact on public trust in the ability of the church to manage its finances and affairs with integrity, and can expose people to harm from non-compliance with regulations aimed at keeping them safe.
The ultimate consequence for a church or charity is the inability to achieve its mission and objectives maximally, as well as reputation damage.
Guarding against internal control failures is therefore paramount for any organisation that cares about protecting its finances and reputation, and wants to fulfil its mission.
This article takes you through reasons why internal controls fail, and provides 5 ways to prevent internal control failure.
Table Stewards uses a light-hearted scene setting approach to introduce its topics, but if you would prefer to dive straight into any part of the article, please click the relevant link in the table of contents above.
Scene Setting
It’s time for the weekly masterclass! In their usual manner, the members of the Learning and Development Committee have arrived to consider the topic for the masterclass with the coach.
Brother Badtrus: It is always a joy to see things done quickly and efficiently for once!
Sister Mary: Here we go again! I get worried when I see you excited about processes. What’s up?
Brother Badtrus: I ran into Lydia taking delivery of refreshments for the new members meeting. She was excited that she was able to place the order for delivery within the hour. She said that she is now a purchase requisition approver as well as a bank cardholder, so she was able to raise her own requisition, approve it herself and make the purchase online with the bank card. If that is not efficiency in action, tell me what is!
Sister Jane: Oh yeah, Lydia was recently promoted and can now approve purchase requisitions in addition to her previous responsibilities that made her a cardholder.
Sister Mary: Nevertheless, it is wrong and against good segregation of duties to raise and approve your own requisition, and then make the purchase yourself. You should know that, after all you have been taught in the masterclasses!
Brother Badtrus: All I know is that, what would otherwise have taken place over 2 days, she was able to accomplish within an hour.
Sister Jane: We should flag this to her manager and ask them to remove the conflicting responsibilities that can make internal controls ineffective.
Coach Emmanuel: Well said, sister Jane. When people change roles, their responsibilities also need to be reviewed to prevent internal control failures.
Brother Sam: Prevent internal control failures? Tell me more!
Coach Emmanuel: You know what, let me explain why internal controls fail and how to prevent internal control failures at our masterclass! Come along and let’s dive right in!
What are internal controls?
Internal controls are the measures, actions or “checks and balances” that an organisation puts in place to mitigate against things going wrong, so that it can reasonably deliver its objectives effectively and efficiently.
An example is the separation (or segregation) of duties control applied to purchases, with one person inputting/preparing a purchase request and a different person with delegated authority approving the request to purchase, thereby minimising the opportunity for error, unauthorised or fraudulent purchases.
Good internal controls make the right things happen first time, and minimise opportunities for fraud, error or regulatory non-compliance.
There are various ways of categorising internal controls but simply put, there are 3 main types of internal controls – preventive, detective and corrective. These 3 types of internal controls are explained with examples in our article on why churches need good internal controls.
Why Internal Controls Fail
First, let’s look at why internal controls fail, before we explore how to prevent internal control failure.
- Inadequate policies and process documentation
Where policies and processes for handling income, expenditure, assets and regulatory compliance are not documented and communicated, this leaves room for confusion, inconsistency in approach and control failure.
For example, a great internal control over cash income is to mandate the banking of cash income intact. This should be reflected in the income policy and built into the cash income handling processes.
Where such a policy is not documented, communicated, and embedded into processes, cash income may first be used to service justified emergencies before the rest is banked, which eventually graduates into unauthorised deductions.
The internal control failure then exposes the church or charity to fraud, poor accountability for income, not having a true picture of what income it receives leading to ineffective business planning, and so on.
- Poorly designed internal controls
Where internal controls are not properly designed to address the risks faced, or the controls are inefficient, they will fail to address the intended risks and expose the organisation.
In the example of internal controls over cash income, suppose that instead of having a mandatory preventive control of banking all cash intact, a church decides to allow deductions of cash from collections before banking.
It then asks those counting the cash to keep a record of all deductions for internal control and bookkeeping purposes. This would be an inefficient and ineffective ‘control’ that cannot prevent unauthorised deductions or detect where deductions are not recorded.
- Inadequate training and awareness of internal controls
Internal controls often fail unintentionally because people have not been trained to understand what internal controls are, how they help mitigate risks, and protect them in carrying out their daily operations.
For example, a lack of understanding can mean people write passwords on stickers under their desks, thereby putting the organisation at risk of unauthorised access to sensitive data or fraudulent activity through password compromise.
- Not reviewing the effectiveness of internal controls
As the saying goes, the only thing that does not change in an organisation is change itself. Even the best of internal controls can fail if they are not regularly reviewed for ongoing effectiveness in mitigating risks.
This includes when there are operational changes. For example, someone responsible for raising purchase requisitions gets promoted and now is able to authorise purchase requisitions.
If the internal controls implemented for purchases are not reviewed, that person could have access to undertake both responsibilities that previously were segregated for effective control.
This exposes the organisation to risks of unauthorised purchases, if that control failure is exploited.
- Poor organisational culture
Church culture plays a strong role in how internal controls are implemented, adhered to, or disregarded and therefore allowed to fail.
For example, a church may express integrity and accountability as part of its core values but if the leadership use the privilege of their position to override internal controls, this sends the message that ‘it is OK to disregard internal controls when it suits you’.
Sooner or later, others follow suit and pay lip service to internal controls, seeing them as interferences to be avoided when you can.
Internal controls then start failing, thereby exposing the church to risks of misappropriation of funds, loss of assets, inability to trace who carried out transactions, collusion, penalties for non-compliance with regulations and so on.
- Collusion
The best of internal controls can be derailed by collusion.
Collusion occurs when people responsible for different aspects of a process that is segregated to ensure internal controls decide to come together to deliberately override the controls for their own benefit.
Collusion could lead to minor to significant fraud, which can expose an organisation to great financial loss and reputation damage. Read more in our article on how collusion derails internal controls.
Consequences of internal control failure
Failure of internal controls, whatever the cause, exposes any organisation to the risk of fraud, errors, waste, loss of assets, as well as non-compliance with laws and regulations.
Ultimately, this results in financial loss, compromise of people’s safety, and reputation damage.
People are attracted and retained in a church due to their alignment with the mission and vision of the church coupled with the reputation of that church.
Churches should therefore protect that trust and carefully guard their reputation.
Even the news of a small fraud successfully executed against a church or charity’s funds can deter future donations, giving, or offerings from members who now see the church or charity as poor at managing money risks.
Similarly, any news of compromise of sensitive data of givers in breach of data protection regulations can mean that people no longer trust the church with their data (and givings).
There can also be financial and reputation consequences through penalties from regulatory bodies, fines and litigation.
Ultimately, all these impact on the ability of the church to fulfil its mission maximally.
How to prevent internal control failure
- Build a culture that values internal controls, starting with the tone at the top
Simply put, culture is ‘how we do things around here’. It encompasses the cultivated behaviours, beliefs, values and attitudes that are deemed acceptable by the group of people that make up the environment.
When it comes to culture, the tone at the top matters most.
Culture is promulgated from the top of the organisation – the board of trustees or directors, and senior management – and people take their cue on how to behave, and what is acceptable, not just from what is communicated to them, but also how they see the leadership live it out.
The value placed on internal controls, and the level of adherence to the controls within processes and operations, depends on the culture driven by the tone at the top of the organisation.
Top leadership should clearly articulate the standards and core values that the church wants to promote and embed, including the internal controls to be translated into processes and operations.
For example, promoting a culture of integrity and accountability requires appropriate supporting internal controls. This includes clear roles and responsibilities with good segregation of duties, and audit trail for transparency and accountability of transactions.
When the board and senior management comply with internal control processes, rather than overriding them, they demonstrate value for internal controls and this sends a clear message that ‘we value and comply with internal controls here’.
Everyone complies with no exceptions, not even the founder, board or CEO, and any non-compliance is called out and appropriately dealt with.
- Design internal controls on the back of robust risk assessments
Internal controls are a response to risk. If risks are not well defined, the internal controls identified to manage the risks will be inadequate.
In turn, to identify risks, the objectives that the organisation is aiming to achieve must be clearly defined.
The identification and design of internal controls and associated processes should stem from the risks identified.
The COSO internal controls framework, widely used globally, refers to these as control activities, defined as “the actions established by the policies and procedures to help ensure that management directives to mitigate risks to the achievement of objectives are carried out”.
For example, to mitigate the risk of financial loss through fraud or errors, which can hinder a church from maximising its finances for the promulgation of the gospel of Jesus Christ to the world, internal controls that should be considered within finance processes include:
- Segregation of duties – prevents a single person from being responsible for all parts of a process or transaction.
- Bank Reconciliation – helps provide assurance that income is banked intact and expenditure is authorised. Also helps identify unauthorised transactions, and errors in accounting records or in banking.
- Audit trail – to enable the tracking, tracing and verifying of financial activities.
- A variety of controls to prevent and detect collusion such as policies to manage conflicts of interest, job rotation and effective pre-employment checks.
Internal controls should be automated where possible. For example, segregation of duties can be enforced within IT systems by setting users up to only have access to roles they are authorised to perform.
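One way to automate the segregation-of-duties check described above, shown as an added example rather than code from this article or from any finance product; the role names, conflict pairs and sample users are assumptions constructed for illustration. It refuses a role grant that creates a conflict, blocks self-approval at transaction time, and lists existing conflicts for periodic review.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical role names and conflict pairs (assumptions, not from a real system).
RAISER, APPROVER, CARDHOLDER = "requisition_raiser", "requisition_approver", "bank_cardholder"
CONFLICTING_PAIRS = [(RAISER, APPROVER), (APPROVER, CARDHOLDER)]

# Constructed sample assignments: one user raises and pays, another approves.
SAMPLE_ASSIGNMENTS = {"lydia": {RAISER, CARDHOLDER}, "jane": {APPROVER}}


class SoDViolation(Exception):
    """Raised when an action would break segregation of duties."""


def role_conflicts(roles):
    """Return the conflicting role pairs present in one user's role set."""
    return [pair for pair in CONFLICTING_PAIRS if set(pair) <= set(roles)]


def grant_role(assignments, user, new_role):
    """Preventive check at role change: refuse a grant that creates a conflict.

    The caller must remove the conflicting role first, which forces the
    review of previously held responsibilities when someone is promoted.
    """
    proposed = assignments.get(user, set()) | {new_role}
    clashes = role_conflicts(proposed)
    if clashes:
        raise SoDViolation(f"{user}: granting {new_role} creates conflicts {clashes}")
    assignments[user] = proposed


@dataclass
class Requisition:
    raised_by: str
    amount: float
    approved_by: Optional[str] = None


def approve(req, approver, assignments):
    """Transaction check: approver must hold the role and must not be the raiser."""
    if APPROVER not in assignments.get(approver, set()):
        raise SoDViolation(f"{approver} is not an authorised approver")
    if approver == req.raised_by:
        raise SoDViolation(f"{approver} cannot approve their own requisition")
    req.approved_by = approver
    return req


def review_all(assignments):
    """Detective check for periodic reviews: users who already hold conflicting roles."""
    return {u: c for u, r in assignments.items() if (c := role_conflicts(r))}
```

The transaction-level check in `approve` still matters when role assignments are clean, because it also stops self-approval by someone who was granted conflicting roles outside this path.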
The selection of internal controls should maximise those that prevent things from going wrong (preventive controls).
These should be supported by internal controls that can detect things after the event (detective controls) where appropriate or where no preventive controls are possible.
The risk assessment and the identification and design of appropriate internal controls need proper consideration, with appropriate advice from risk and internal control professionals, to get it right.
For existing processes, risk/control gap analysis can be carried out and actions taken to address or retro-fit internal control gaps to prevent internal control failure.
- Document Policies and Processes and ensure effective communication, training and awareness
Actions required to implement internal controls should be documented in policies and translated into documented procedures for operational processes.
The documented procedures should include sufficient information on the embedded internal controls and risks they help mitigate, to explain why they are a necessary part of the process.
This helps ensure clarity of, and consistent application of, the internal control processes and operations established to mitigate risks.
It is not enough to have documented policies and procedures if those who are meant to use them don’t know they exist, why they exist, and how they should be applied.
This calls for effective communication of policies and procedures to new and existing staff, with easy access to documented procedures for carrying out their roles.
Training and ongoing awareness sessions on risk management and internal controls are also essential, as they help operatives understand the why, what and how.
- Regular review of effectiveness of the system of internal controls
Organisations are continually changing, and changes can mean that internal control processes that are sound today can be compromised when a change occurs.
For example, a change of personnel necessitates a review of the internal control processes for their new role, to ensure there are no conflicts with previously held responsibilities.
Similarly, when a new risk surfaces, the existing internal controls may be insufficient to respond to the new risk.
New opportunities, operations and activities also require a re-assessment of risks and appropriate control responses.
For example, most churches modified their processes for giving during the Covid-19 pandemic, by introducing giving apps.
If the internal controls required to properly set up the back-end for operating and accounting for income were not also reviewed, the churches may be exposed to both cyber security and financial risks.
Systems of internal control therefore need ongoing review to remain relevant and effective in reasonably mitigating the risks to the achievement of objectives.
Types of reviews that can be carried out include:
- Management reviews – oversight activities by managers as process owners, built into daily operational activities, enabling risks and issues to be managed at source.
- Compliance reviews – an internal review by an oversight function not directly responsible for the daily activities of an operation, but which provides guidance, tools and oversight for that operation, e.g. a head office finance function carrying out compliance reviews of its branches.
- Internal Audits – a programme of reviews to provide objective and independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively, and to make recommendations for improvement where appropriate.
- External Audits – usually an annual statutory activity that examines the system of internal control as part of an audit of the financial reports, and provides management recommendations as a by-product.
- Maintain Good Governance
Governance is how organisations are directed, controlled and held to account.
Good governance combines effective direction with accountability as a powerful mechanism against internal control failure.
This is reflected in good organisational structures with clear roles and responsibilities, decision making processes, and internal controls processes based on robust risk assessments.
It also encompasses the policies, strategies, plans, processes and arrangements that steer the organisation in the right direction.
Conclusion
Sound internal controls help organisations to achieve their objectives by mitigating against risks that can stop them.
But the best of internal controls can fail if the factors that cause failure are allowed to occur.
A culture that disregards controls, lack of documentation to guide operatives with training and awareness, poorly designed controls and lack of review of ongoing effectiveness, can make internal controls fail.
Internal control failure can be prevented with good governance, embedding a healthy culture that values internal controls, risk-based design of internal controls, effectiveness reviews, and good documentation and training.
Read our related articles on:
- why churches need good internal controls,
- why risk management is necessary in churches and charities,
- 6 steps to developing a positive culture for effective church administration,
- good governance in church administration – 9 areas to get right, and
- how segregation of duties help protect church finances.