Internal Control Weaknesses: “I Know Someone Who…”
Some churches operate with a vulnerability without realizing what the consequences could be. They are surprised when something goes wrong, but they probably should have known the risk the entire time. Let’s take a look at some of the specific internal control weaknesses that can exist in a church and why they are a concern:
Weakness: Individuals can access uncounted funds in the safe by themselves.
Risk: Even if it is not standard procedure for one person to access the safe by themselves, if someone can do it, a problem exists. Consider all the people with keys or combinations to your safe. For example, one church discovered the janitor had an extra key to the safe and the spare key to the room it was in.
Weakness: Signed checks are given back to the individual who prepared them.
Risk: That individual could change the payee. Since he or she has the documentation, the individual could create another check to pay the vendor later.
Weakness: The same person has access to both the deposit and donor systems.
Risk: That person could take contributions and post a fictitious entry to the donor system to credit the donor.
Weakness: An individual with access to accounts payable and the general ledger is also a check signer.
Risk: This person could make a payment and sign it without anyone else knowing.
Weakness: Blank checks are signed because it is hard to find signers.
Risk: If a person with access to the general ledger also has access to the signed blank checks, the checks could be written to anyone and for any amount.
Weakness: An individual with access to the general ledger has online banking access.
Risk: The individual could transfer funds to another bank account or process and record a wire transfer without approval.
Weakness: Individual ministries have separate bank accounts that are not recorded in the general ledger.
Risk: The activity is not reviewed or approved by others, leaving the church at risk for embezzlement and the individual(s) in charge at risk of an accusation of wrongdoing.
Weakness: Payroll is processed by one individual, and it is not reviewed.
Risk: The individual could make unapproved pay rate changes or add “ghost” employees to the payroll.
Weakness: Timecards are not signed by a supervisor.
Risk: The hours reported, and the compensation given, may be inaccurate, whether intentionally or accidentally.
Weakness: The ministry lacks adequately trained or knowledgeable staff.
Risk: Employees can make mistakes, leading to poor information, or intentional errors (fraud) could occur but go undetected because of consistent mistakes or sloppiness.
Weakness: Financial information and reconciliations are prepared months after the fact.
Risk: Errors will not be detected in a timely manner, and decisions may be based on incorrect financial information.
Weakness: A single corporate credit card is available for multiple people to use, and the transactions are not appropriately reviewed by a supervisor (someone other than the person on the account).
Risk: Someone could make charges that are not related to church business, and determining the responsible party for any purchase becomes difficult with multiple users.
This list is provided to help you understand how easy it is to overlook some key weaknesses in internal controls. Even if none of these situations exist in your church, it is always good to keep them in mind as financial procedures, records, and personnel often change over time.
The following controls don’t require extraordinary effort, but they can provide at least a baseline defense for your church and the individuals processing cash receipts, cash disbursements, and payroll:
- Always have more than one person handle uncounted funds.
- Provide deposit information to someone in accounting as well as the person processing donor information. The deposit and donor system report should be independently verified to ensure they are in agreement.
- Send detailed donor statements at least annually.
- Use the same controls for checks received as you do for cash. Checks should be stamped “For Deposit Only” as soon in the process as is practical.
- Reconcile the donor system to the general ledger at least annually.
- Ensure that access to the check stock, the ability to post in the general ledger, and check-signing authority involve at least two separate individuals.
- Eliminate or carefully control signature stamps.
- Keep petty cash to minimal amounts and reconcile it periodically.
- Have someone with access to the general ledger review the bank reconciliation and canceled checks on a monthly basis.
- If payroll is processed by one person, ensure it is reviewed and approved by a second person.
- Implement a monthly closing process that details:
- The steps that need to be performed, along with due dates
- Who should prepare the information
- Who should review the information
- Have journal entries prepared by one person and approved by a second person, or have a second person print an entire journal report each month and review and approve it.
The items above are a good starting point. Once these policies and procedures are in place, the next step is to make sure they are documented adequately.
Your church may benefit from having an outside person review your processes to determine where weaknesses may exist. If you encounter any push-back from individuals, remind them these practices are in place as a stewardship principle as well as serving to protect the individuals involved. Framing these tasks that way can change everyone’s perspective on the importance of these matters!
This article first appeared on ChurchLawandTax.com.