Maintaining Internal Controls Over an External Workforce

The rapid shift from an in-person to remote workforce left little time for nonprofits to consider how – or even if – their existing internal controls would be able to protect the organization against fraud in this drastically altered environment.

Not surprisingly, nonprofits have spent the last six months with a much greater focus on business continuity than on internal controls. As organizations begin to find their footing in the “new normal,” it is a good time to reflect and ask yourself, “Do we have sufficient internal controls in place to prevent fraud in our remote workforce?”

The fraud triangle, consisting of opportunity, incentive and rationalization, is often used to explain why and how employees commit fraud. While one could argue that all three of these elements are elevated during a crisis like the COVID-19 pandemic, the opportunity to commit fraud is the biggest area affected by a remote work environment.

Fortunately, there are technologies, processes and policies that an organization can put into place to limit this window of opportunity, even while employees are not in the office. One of the most effective is a cloud-based AP/AR environment.

A large area of opportunity for fraudulent activity is the use of online bill pay, which has become a popular and convenient way to cut checks or pay your expenses through electronic funds transfer (EFT). With this increased convenience comes increased employee access and cybersecurity vulnerabilities that make the organization more susceptible to fraud.

Organizations that have limited internal resources to oversee the security and accuracy of the money flowing in and out of the organization may want to consider an online third-party company that allows for the documentation of the reviews in a digital setting or that assumes the responsibilities and internal controls over the accounts payable and/or accounts receivable functions.

These companies have the ability to augment or perform the same activities as in-house staff, receiving invoices from vendors and trafficking them through the approval and payment process. Added safety measures in these systems include separate logins for all users, including authorized signors, and review and signature thresholds that can enhance the current control environment and limit which users can authorize large payments.

This external provider will also maintain a log that tracks payments made and received, and will automatically deposit cash into designated bank accounts – bypassing the need for internal staff to ever touch the funds.

An online AP/AR provider also creates the segregation of duties that might otherwise be impossible in a small nonprofit with limited back office support. There is an inherent conflict – and significant risk – in having the same employee both initiate transactions and approve transactions. A third-party provider can provide the checks and balances needed to prevent and detect fraud before it happens.

Regain Control

This technology, along with accompanying cybersecurity and internal control policies, is one way you can take back the control you may have lost during the COVID-19 crisis and focus on the important work of keeping your programs running and your nonprofit financially sound.

To discuss your organization’s unique vulnerabilities, concerns and solutions, contact Jaime Rapps, Nonprofit Senior Manager at or 212.223.5072.

Jaime Rapps, CPA, is a Partner at Grassi and brings nearly 15 years of audit, accounting and tax experience to his role. A member of the firm’s Nonprofit and Healthcare practices, he specializes in financial reporting, audits, reviews, compilations and tax work for clients in these industries. Jaime advises a wide range of nonprofit organizations on financial, operational and compliance matters. He has extensive...

David M. Rottkamp, CPA, is an Audit Partner and Nonprofit Practice Leader at Grassi. David has over 36 years of experience providing audit and advisory services to the not-for-profit and health care industries. David focuses on organizations serving individuals with special needs, religious organizations, educational institutions, membership associations, social service providers, healthcare providers, foundations, and the arts and culture world. David’s technical knowledge allows...
