Agency-Wide Risk Assessments – Are You Meeting Your Responsibilities?
Corporate governance plays a significant role in any not-for-profit organization because the decision makers in the organization – generally the board of directors/trustees – are not directly involved in day-to-day operations.
These members are, in most circumstances, volunteers; however, they carry significant fiduciary responsibility, including oversight and monitoring. In general, most fraud and illegal acts occur where internal controls or safeguards are lacking. This usually stems from a lack of segregation of duties and/or a lack of monitoring. If a significant fraud occurs at a not-for-profit, the blame falls on one of two types of people, depending on the nature of the event: those charged with governance – i.e., the board of directors/trustees or C-level persons – or the specific individual(s) who committed the fraud. Therefore, it is paramount that the governing body exercise, and document in writing, the appropriate measures to ensure it is performing the required due diligence and risk assessments to identify issues before they occur.
COSO Internal Control – Integrated Framework
The original Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) Internal Control – Integrated Framework was issued in 1992 and was not revised until recently to reflect the many changes in the marketplace. The COSO Framework describes three types of risk that an organization faces from both an internal and an external perspective:
- operational risks
- risks of compliance with laws and regulations
- financial reporting risks
A best practice when creating an organizational risk assessment structure is to hold, and formally document, a discussion of all internal and external risks and of how the organization addresses each of them. Since most fraud occurs at C-level positions, the board of directors/trustees needs to ensure it is strategically positioned to identify significant issues well before an external audit does, or, in the worst case, before the public does.
Risk Assessment Model
When performing an agency-wide risk assessment, a not-for-profit organization should take into account the following factors and consider the following risk areas:
Risk Area | Risk Identified
---|---
Fraud Risk |
Financial Statement Risk |
Computer Security |
Operational Risk |
Programmatic Risk |
Regulatory Risk |
Reputational Risk |
Disaster Recovery/Property Risk |
Legal Risk |
Compliance Level Risk |
Strategic Plan |
Upon performing this risk assessment, the not-for-profit organization may realize that a new policy is required or changes need to be made to the employee handbook to describe how certain items need to be handled. To ensure that the organization is exercising effective corporate governance, a risk assessment should be performed on a periodic basis (e.g. annually).