Applying the COSO Framework to Nonprofits

Internal controls are key to an effective organization, no matter the type of organization.

The framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was designed to help organizations establish and maintain effective internal controls. These controls are the policies and procedures that keep operations running as intended and reduce risk.

The COSO framework is used by many public companies to implement effective controls. Although nonprofits are not required by law to follow it, many adopt COSO’s principles and components voluntarily to improve their internal control environment and governance practices.

While nonprofits may not face the same regulatory pressures as publicly traded companies, they still have a responsibility to their donors and other stakeholders to operate effectively, ethically, and transparently. Implementing COSO’s framework can help nonprofits achieve these objectives by providing guidance on risk management, internal controls, and governance.

The framework may seem overwhelming with its 5 internal control components and 17 principles describing the elements of an effective system of internal control, but its essence can be implemented by even the smallest nonprofit.

Let’s look at COSO’s 5 components of internal control and how each can be addressed by smaller nonprofits.

Control Environment

This is all about setting the tone at the top. It involves creating a culture where everyone understands the importance of internal controls and compliance. Think of it as creating an environment where everyone knows what’s expected and follows the rules.

Example: The board of directors sets the tone by establishing a code of conduct and ethics for the organization. This code outlines expectations for behavior, integrity, and accountability for all staff and volunteers.

Example: Management demonstrates its commitment to internal controls by regularly communicating the importance of compliance and ethical behavior through training sessions and staff meetings.

Risk Assessment

Here, you identify and assess potential risks that could affect your organization’s ability to achieve its goals. It’s like taking a look around to see what could go wrong and how bad it could be if it did.

Example: The organization conducts an annual risk assessment to identify potential threats to its operations, such as financial mismanagement, fraud, cybersecurity breaches, or regulatory non-compliance.

Example: After identifying risks, the organization prioritizes them based on their likelihood and potential impact and develops mitigation strategies to address the most significant risks.

Control Activities

These are the actual actions or procedures you put in place to address the risks you’ve identified. For example, having checks and balances in financial processes or having policies for handling sensitive information.

Example: Segregation of duties is implemented in financial processes so that no single individual controls every stage of a transaction: one person records transactions, another approves them, and a third reconciles the accounts.

Example: Access to electronic systems and sensitive information is restricted so that only authorized individuals can view or modify data, with each person’s permissions limited to what their role requires.
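The two control activities above (segregation of duties and role-based access) can be enforced and tested in software rather than left to a manual review. The script below is an added illustration, not code from the original post or from Dulin, Ward & DeWald: the role names, the record/approve/reconcile conflict pairs, the user-to-role assignments and the sample ledger are all constructed assumptions chosen to match the three-person split described above. It performs two checks: a static check that no one has been assigned roles which together span two conflicting stages, and a ledger check that each stage of every transaction was performed by someone holding that permission and that no one performed two conflicting stages on the same transaction.

```python
"""Segregation-of-duties (SoD) and role-based access checks for a small finance workflow.

Added example; the roles, conflict pairs, users and ledger are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

# Each role grants only the actions that stage of the workflow needs (least privilege).
ROLE_PERMISSIONS = {
    "bookkeeper": {"record"},
    "approver": {"approve"},
    "reconciler": {"reconcile"},
}

# Pairs of actions that the same person must never perform on one transaction.
SOD_CONFLICTS = [("record", "approve"), ("record", "reconcile"), ("approve", "reconcile")]

# Constructed user-to-role assignments; "dave" deliberately holds two conflicting roles.
USER_ROLES = {
    "alice": {"bookkeeper"},
    "bob": {"approver"},
    "carol": {"reconciler"},
    "dave": {"bookkeeper", "approver"},
}


@dataclass
class Transaction:
    txn_id: str
    recorded_by: str
    approved_by: str
    reconciled_by: str


def permitted_actions(user: str) -> set[str]:
    """Union of the actions granted by every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, set())))


def is_authorized(user: str, action: str) -> bool:
    return action in permitted_actions(user)


def role_assignment_conflicts() -> dict[str, list[tuple[str, str]]]:
    """Static check: flag users whose combined roles grant two conflicting actions."""
    findings = {}
    for user in USER_ROLES:
        actions = permitted_actions(user)
        clashes = [(a, b) for a, b in SOD_CONFLICTS if a in actions and b in actions]
        if clashes:
            findings[user] = clashes
    return findings


def transaction_violations(txns: list[Transaction]) -> list[tuple[str, str]]:
    """Ledger check: unauthorized stage performers, and one person at two conflicting stages."""
    findings = []
    for t in txns:
        stages = {"record": t.recorded_by, "approve": t.approved_by, "reconcile": t.reconciled_by}
        for action, user in stages.items():
            if not is_authorized(user, action):
                findings.append((t.txn_id, f"{user} performed '{action}' without a role granting it"))
        for a, b in SOD_CONFLICTS:
            if stages[a] == stages[b]:
                findings.append((t.txn_id, f"{stages[a]} both {a} and {b} (segregation of duties breach)"))
    return findings


# Constructed sample ledger: one clean entry and three different kinds of failure.
SAMPLE_LEDGER = [
    Transaction("T-1001", "alice", "bob", "carol"),   # clean: three different, authorized people
    Transaction("T-1002", "alice", "alice", "carol"), # alice approves her own entry (and lacks the role)
    Transaction("T-1003", "alice", "bob", "bob"),     # bob reconciles what he approved (and lacks the role)
    Transaction("T-1004", "dave", "dave", "carol"),   # dave is authorized for both stages, still an SoD breach
]

if __name__ == "__main__":
    for user, clashes in role_assignment_conflicts().items():
        print(f"role assignment conflict: {user} may {clashes}")
    for txn_id, msg in transaction_violations(SAMPLE_LEDGER):
        print(f"{txn_id}: {msg}")
```

Note that T-1004 is caught only by the second rule: dave legitimately holds both roles, so a permission check alone would pass him. That is why a segregation-of-duties control needs both the static review of who holds which roles and a transaction-level check, and why the role review belongs in the monitoring activities described later on this page.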

Information and Communication

This is about making sure everyone has the information they need to do their jobs effectively and follow the rules. It involves clear communication of roles, responsibilities, and policies, as well as sharing important information about risks and controls.

Example: The organization maintains clear and up-to-date policies and procedures manuals that outline expectations, responsibilities, and processes for various activities, such as financial management, human resources, and program delivery.

Example: Regular staff training sessions are conducted to ensure that employees understand their roles and responsibilities, as well as any changes to policies or procedures.

Monitoring

Finally, you need to regularly monitor and evaluate your internal controls to make sure they’re working effectively. It’s like regularly checking to see if everything is still running smoothly and fixing anything that’s not.

Example: Internal audits are conducted periodically to assess the effectiveness of internal controls and identify areas for improvement. Audit findings are reported to management and the board of directors, and corrective actions are implemented as necessary.

Example: Management reviews key performance indicators (KPIs) and financial reports on a regular basis to monitor the organization’s financial health, operational efficiency, and compliance with regulatory requirements.

In essence, COSO controls help nonprofits ensure they have the right rules and procedures in place, everyone knows what they are, and they’re being followed to keep the organization running smoothly and minimize risks.

By implementing these examples within each COSO area, nonprofits can strengthen their internal control environment, mitigate risks, ensure compliance with regulations, and ultimately achieve their mission more effectively.


Disclaimer: The information contained in Dulin, Ward & DeWald’s blog is provided for general educational purposes only and should not be construed as financial or legal advice on any subject matter. Before taking any action based on this information, we strongly encourage you to consult competent legal, accounting or other professional advice about your specific situation. Questions on blog posts may be submitted to your DWD representative.