Introduction
Inadequate internal controls is a common weakness in churches, exacerbated by the environment of trust and forgiveness, alongside fewer resources, exposing churches to high risks of fraud and error.
Operating in an environment where trust is the default is great but for the fact that churches are not exempt from those who take advantage of weaknesses to perpetrate fraud, those who may want to carry out unauthorised activities, or sincere people who may make errors.
Churches also tend to have fewer resources and a high reliability on volunteers, which could make the implementation and enforcement of internal controls more challenging.
It is relatively easy for fraud, misappropriation and errors to go on for long periods before, or without detection in an environment of trust and forgiveness, which is why churches really need internal controls that are effective against such risks.
A 2020 Global Study on Occupational Fraud and Abuse shows that non-profit organisations, which includes churches, are more vulnerable to fraud due to fewer anti-fraud controls in place compared to other sectors.
The median loss for religious organisations was $76k per case. The top control weaknesses in 68% of organisations were lack of internal controls, lack of management reviews and override of existing internal controls.
Implementing effective internal controls is therefore a must for churches to thrive and fulfil their mission.
Good internal controls make organisations get things right first time, and minimises opportunities for fraud or error.
So what exactly are Internal Controls?
Internal controls are the measures, actions or “checks and balances” that an organisation puts in place to mitigate against things going wrong, so that it can deliver its objectives effectively and efficiently.
This article takes you through what internal controls are and why churches need them, types of internal control, and who is responsible for internal controls.
Table Stewards uses a light-hearted scene setting approach to introduce its topics, but if you would prefer to dive straight into any part of the article, please click the relevant link in the table of contents above.
Scene setting
The Learning & Development Committee is about to start their pre-meeting with Coach Emmanuel before the masterclass today. They are all in the meeting room waiting from Brother Badtrus to join them. In walks Brother Badtrus excitedly.
Brother Badtrus: Hello everyone! Sorry I am late. Today is the our new members foundation class and I understand that about 20 people are attending! Isn’t that great?! Sister Comfort called me on my way in saying that the hospitality team needed cash to buy some refreshments for the new members class. As I hold the church debit card, I stopped off at the ATM machine to withdraw some money for the hospitality team. Can’t wait to see and welcome the new members to church!
Sister Mary: How much did you withdraw and did you get a receipt?
Brother Badtrus: Why these questions? What are you implying? Are you questioning my integrity?
Sister Mary: How do you know Sister Comfort will use all the money for refreshments? Why did she wait until today to ask for cash instead of arranging with the church office to order refreshments for delivery today. People work hard to donate to the church, so we have to be sure that no one can take undue advantage of church money. Just saying!
Brother Badtrus: I can’t believe I am hearing this! Where is the place of trust? Aren’t we all Christians for God’s sake!
Coach Emmanuel: Let’s not get worked up over this. The question we need to ask is whether there are adequate internal controls in place to prevent anyone from taking undue advantage of church money.
Brother Sam: What sort of internal controls are you referring to?
Sister Jane: And how do we know whether internal controls are adequate?
Coach Emmanuel: Really good questions. Do you know what, I think we have our topic for the masterclass today! Let’s proceed to the masterclass!…
What are Internal Controls?
Internal controls are the measures, actions or “checks and balances” that an organisation puts in place to mitigate against things going wrong, so that it can deliver its objectives effectively and efficiently.
A quick example is implementing the separation (or segregation) or duties control to purchases, with one person inputting/preparing a purchase request and a different person with delegated authority, approving the request to purchase, thereby minimising the opportunity for error, unauthorised or fraudulent purchases.
Good internal controls makes the right things happen first time, and minimises opportunities for fraud or error.
Internal controls are a measured response to risk. They help safeguard the assets of an organisation, minimise errors and ensure that operations are conducted in an approved manner.
Implementing internal controls also help ensure compliance with regulations and statutory requirements, and reliable financial reporting. Internal controls should be built into business processes, and not treated as an optional add-on to processes
Implemented correctly, internal controls protect the church, and enable it to fulfil its mission.
Another key benefit of internal controls that should not be overlooked is that they also protect the operatives of the controls. For example, where separation of duties have been duly applied in the completion of a purchase, the separate parties involved can feel protected from any suspicion or allegations of fraud.
Why do Churches need Internal Controls?
Every church needs administration to function effectively. The core spiritual business of the church, propagating the Gospel of Jesus Christ, is supported by administrative and service operations.
These include managing its facilities, compliance with regulations, accounting for its collection of tithes, offerings, donations and other giving, procurement of goods and services to support its operations.
All these carry risks, which must be managed through the design and implementation of internal controls appropriate to the size of the church and the risks it is exposed to.
Absence of internal controls open up opportunity for impropriety.
For example, to manage the risk of poor accountability or loss of cash offerings collected during church services, one of the internal controls would be a requirement for a minimum of two people to count the offering.
Another internal control would be to record the collection on counting sheets, which are signed by the counters; and then depositing the money in the bank intact so that the amount deposited matches the amount counted and signed off.
This will be supported by policies and procedures that require all income to be banked intact and correctly recorded in the financial system, confirmed also through bank reconciliations.
Unfortunately, inadequate internal controls is a common weakness in churches. The environment of trust and forgiveness, fewer resources and weaker internal controls makes fraud easier to perpetrate.
A 2020 Global Study on Occupational Fraud and Abuse shows that non-profit organisations, which includes churches, are more vulnerable to fraud due to fewer anti-fraud controls in place compared to other sectors.
The median loss for religious organisations was $76k per case. The top control weaknesses in 68% of organisations were lack of internal controls, lack of management reviews and override of existing internal controls.
Types of Internal Controls
There are various ways of categorising internal controls but simply put, there are 3 main types of internal controls – preventive, detective and corrective.
Let’s look at them in turn, with examples.
Preventive Controls
These prevent things from going wrong.
They usually occur at the beginning of a process. For example, entering a user id and password to access a computer.
Another example is the separation of duties control, which prevents a single person from initiating and seeing a transaction through to completion, thereby minimising opportunities for error or fraud.
For purchases, there should be separation of duties between the person who authorises a request to purchase, the person who places the order, and the person who makes the payment for the purchase.
This prevents a single person from having full control over a purchase, thereby minimising the risk of unauthorised purchases or misappropriation of funds.
Detective Controls
These help to confirm that things have been done correctly or help detect when things have gone wrong so that corrective action can be taken.
Detective controls are not done regularly, as they are designed to find errors or irregularity.
An example is the bank reconciliation, where the transactions in the bank statement are reconciled with the churches records of approved transactions to confirm the complete and accurate recording of transactions, while identifying mismatches for investigation or adjustments.
Corrective Controls
These help an organisation to take corrective action when things go wrong. An example is backing up of data.
An internal control requirement to back up data daily, say on an offsite server, can help the organisation to restore its data in the event of an unforeseen cyber-attack or other data loss event.
Controls under each of these three categories can be automated or manual.
Preventive controls are the strongest of all three, especially when the preventive control is automated.
Preventive controls can help protect the assets of the organisation, minimising errors and fraud, with minimal intervention effort, thereby also making them the most efficient.
A well designed internal control framework should therefore maximise the use of preventive controls, while incorporating appropriate detective and corrective controls.
Who is responsible for internal controls?
The most senior governance body in the church, usually the Board of Trustees or Directors, is responsible for ensuring that the church has the appropriate internal control framework in place to mitigate risks to the achievement of the church objectives, protect its assets, minimise errors, comply with relevant regulations, and to conduct its operations in an approved manner.
They set the tone, culture and environment for internal controls to operate effectively and are accountable for their effectiveness.
They set the strategy and approve the administrative policies that guide the operations of the church, obtain assurance that the controls are operating effectively and take corrective actions where necessary.
Managers, team leaders, church office leaders are responsible for overseeing the implementation of the internal control framework.
Everyone involved in the operational activities in the church is responsible for applying the internal control framework.
You must train staff, volunteers and other operatives to understand internal controls and their role in it.
Also, review the effectiveness of controls regularly as processes change or the environment changes e.g. advancements in technology impacting a process, making parts of existing controls irrelevant or ineffective.
Conclusion
Implementing the right internal controls is critical to the effective operations of churches, safeguarding the assets including finances, reliable financial reporting and compliance with regulations.
Church leaders and stewards need to understand what internal controls are, why they are necessary in churches, what can derail internal controls, and how to effectively implement the right controls to gain assurance towards achieving their goals.
Learn more about how to decide on the Internal Controls appropriate for your Church operations.