Internal controls

Internal controls are the things you do to help manage the risk of an error or a fraud - like getting two people to approve a payment.  And you should write them down as part of your financial procedures. 

You need to make sure not only that you have effective control procedures, but also that your staff actually apply them, and that needs to be led from the top. Your directors need to get behind and support your financial controls, and that culture change is often far more challenging than identifying what procedures should be put in place.

Apart from a few troublemakers, no one sets out to get things wrong, but it happens: people forget to include rent payments because it’s a standing order, write £7,363 instead of £3,763, add up cash collections wrong, allocate income to the wrong project, the list goes on. So it just makes sense to have some processes that have checks for errors and guard against temptation.

You need to review your controls regularly to check that they are working, and that they aren’t overkill – is it worth the cost in admin time to go over every single expenses claim, or could you spot check a sample for the smaller ones?  As Kate Sayer says ’a good control is one that is both efficient and effective.’

For each control activity (authorisation controls, bank reconciliations, taking references for new staff) think about the risk that it’s supposed to be tackling and how effectively it does that. Authorisation controls are often not thought through – just because someone is senior, doesn’t automatically mean they are the best person to sign off a purchase.

There are certain controls that are particularly useful because they tackle several risks, check your data against external information, or the control element is integrated into a piece of work you are already doing. 

Segregation of duties – this is an overarching principle rather than a specific control (and is a term often bandied about by accountants). It’s about managing the risk of people making mistakes (or defrauding you) when they are buying things or receiving your money by making sure that your processes don’t allow for one person to do everything end to end - for example from approving and ordering something to receiving and paying for it – that’s where stories about people refitting their own kitchens on company money come from.

Bank reconciliation – this is a regular task where you check that what you have recorded in your books as going in and out of the bank matches what is in the bank statements. Checking against external records grounds you in reality – if what you are showing as the cash balance in your books matches the balance on your bank statement on a given day (give or take some uncleared items that you know about) you know you have got something right and you can build the rest from there.

If you are uncertain of the process, see how to do a bank reconciliation. 

Review of performance against budget and reporting to trustees – when you are setting a budget and then reviewing performance against it, you might not immediately see that as a control activity, but checking why things are different from budget inevitably throws up some errors as well as more meaningful management information.

Levels of authority – you need to make sure that your staff are aware of what they can commit the organisation to.

Charity Commission Internal Financial Controls for Charities CC8 – the checklist is particularly helpful