Applying the COSO Framework to Nonprofits

Posted on Wednesday, April 24, 2024

Internal controls are key to an effective organization, no matter the type of organization.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s framework was designed to help organizations establish and maintain effective internal controls. These controls are a set of rules and procedures that ensure operations run smoothly and that risks are minimized.

The COSO framework is used by many public companies to implement effective controls. Although nonprofits are not required by law to follow the COSO framework, many choose to adopt COSO's principles and components voluntarily to improve their internal control environment and governance practices.

While nonprofits may not face the same regulatory pressures as publicly traded companies, they still have a responsibility to their donors and other stakeholders to operate effectively, ethically, and transparently. Implementing COSO's framework can help nonprofits achieve these objectives by providing guidance on risk management, internal controls, and governance.

The framework may seem overwhelming with its 5 internal control components and 17 principles describing the elements of an effective system of internal control, but its essence can be implemented by even the smallest nonprofit.

Let’s look at COSO’s 5 components of internal control and how each can be addressed by smaller nonprofits.

Control Environment

This is all about setting the tone at the top. It involves creating a culture where everyone understands the importance of internal controls and compliance. Think of it as creating an environment where everyone knows what's expected and follows the rules.

Example: The board of directors sets the tone by establishing a code of conduct and ethics for the organization. This code outlines expectations for behavior, integrity, and accountability for all staff and volunteers.

Example: Management demonstrates its commitment to internal controls by regularly communicating the importance of compliance and ethical behavior through training sessions and staff meetings.

Risk Assessment

Here, you identify and assess potential risks that could affect your organization's ability to achieve its goals. It's like taking a look around to see what could go wrong and how bad it could be if it did.

Example: The organization conducts an annual risk assessment to identify potential threats to its operations, such as financial mismanagement, fraud, cybersecurity breaches, or regulatory non-compliance.

Example: After identifying risks, the organization prioritizes them based on their likelihood and potential impact and develops mitigation strategies to address the most significant risks.

Control Activities

These are the actual actions or procedures you put in place to address the risks you've identified, such as checks and balances in financial processes or policies for handling sensitive information.

Example: Segregation of duties is implemented in financial processes to ensure that no single individual has control over all aspects of a transaction. For example, one person records transactions, another approves them, and a third reconciles accounts.

Example: Access controls are established for electronic systems and sensitive information, ensuring that only authorized individuals have permission to view or modify data.

Information and Communication

This is about making sure everyone has the information they need to do their jobs effectively and follow the rules. It involves clear communication of roles, responsibilities, and policies, as well as sharing important information about risks and controls.

Example: The organization maintains clear and up-to-date policies and procedures manuals that outline expectations, responsibilities, and processes for various activities, such as financial management, human resources, and program delivery.

Example: Regular staff training sessions are conducted to ensure that employees understand their roles and responsibilities, as well as any changes to policies or procedures.

Monitoring

Finally, you need to regularly monitor and evaluate your internal controls to make sure they're working effectively. It's like regularly checking to see if everything is still running smoothly and fixing anything that's not.

Example: Internal audits are conducted periodically to assess the effectiveness of internal controls and identify areas for improvement. Audit findings are reported to management and the board of directors, and corrective actions are implemented as necessary.

Example: Management reviews key performance indicators (KPIs) and financial reports on a regular basis to monitor the organization's financial health, operational efficiency, and compliance with regulatory requirements.

In essence, COSO controls help nonprofits ensure they have the right rules and procedures in place, everyone knows what they are, and they're being followed to keep the organization running smoothly and minimize risks.

By implementing these examples within each COSO area, nonprofits can strengthen their internal control environment, mitigate risks, ensure compliance with regulations, and ultimately achieve their mission more effectively.

Contributed by: Carrie Minnich, MAcct, CPA | Partner | DWD CPAs & Advisors

Posted in Mission Minded Nonprofits

Disclaimer: The information contained in Dulin, Ward & DeWald’s blog is provided for general educational purposes only and should not be construed as financial or legal advice on any subject matter. Before taking any action based on this information, we strongly encourage you to consult competent legal, accounting or other professional advice about your specific situation. Questions on blog posts may be submitted to your DWD representative.
