By Andrew Brock, CPA, Senior Manager at Blue & Co.

As the new year begins, it is often a time for setting personal and professional goals. The colloquial saying behind this being, “New year, new me!” This article offers several exercises to help strengthen your organization in this new year. We are focused on best practices in the areas of internal controls, information technology (IT), and governance and policies. If your organization needs to revisit any of these areas, we would be happy to discuss with your organization specifically.

Internal Controls

• Are processes and procedures formally documented and reviewed at least annually with both management and the board or finance committee?
• Are authorized check signers updated and reviewed at least annually?
• Are the reconciliations of major accounts (i.e., bank, investment, receivables, payables etc.) being performed monthly and reviewed by someone independent of the process?
• Are donor and/or member databases being reconciled to the general ledger system at least quarterly and independently reviewed?
• Does the organization have a process in place to track restrictions on gifts and the release of these restrictions as appropriations are made? Is this tracking updated monthly as the financials are being prepared?
• Has the organization reviewed its safeguards on ACH and wire transfers, including limits on transfers, who has the authority to transfer, and the processes to ensure review and approval of payments?
• Does the organization have a formal new vendor approval procedure and an approved vendor listing that includes authorized banking information?

IT Best Practices

• Are all software updates and patches applied promptly?
• Does the organization enforce a strong password policy that requires the use of passphrases, password managers, or scheduled password changes?
• Does the organization use dual-factor authentication?
• Does the organization encrypt all hard drives and secure mobile devices through a Mobile Device Management software?
• Does the organization use any type of formal training for employees on an annual basis to educate them on cybersecurity risks?
• Does the organization require the use of a Virtual Private Network (VPN) when working out of the office?
• Does the organization understand the frequency and location of backups and how often does it test the backups are working?
• Does the organization have cyber insurance?

Governance and Policies

• Are board and any decision-making committee minutes being prepared, approved, and retained?
• Does the organization have a policy on cash reserves?
• Does the organization have an investment policy and is this being reviewed at least annually with the investment manager?
• Does the organization have an endowment/spendable policy and is the spending rate being reviewed at least annually?
• Does the organization have a written conflict of interest policy and is there an annual review of this policy with board members for compliance?
• Does the organization have a written whistleblower policy?
• Does the organization have a written documentation retention and destruction policy? Does this policy also specifically address electronic files?
• Does the organization have a formal gift acceptance policy (have you considered the organization’s stance on gifts such as bitcoin or any other cyber currency)?
• Does board and/or finance committee take responsibility for oversight of the organization’s monthly financial statement review (balance sheet, income statement, budget to actual, etc.)?
• Does the board and/or finance committee take responsibility for review of the Form 990 tax filing?

Hopefully, your organization already has many of these best practices in place. However, just like with any exercise, the more that these are continued to be reviewed, worked, and strengthened the better you position your organization to be able to achieve its goals! Please reach out to your Blue & Co. advisor with any questions or needed assistance.