Agency-Wide Risk Assessments – Are You Meeting Your Responsibilities?

Corporate governance plays a significant role in any not-for-profit organization, as the decision makers in the organization (generally the board of directors/trustees) are not directly involved in operations.

These members, in most circumstances, are volunteers; however, they have significant fiduciary responsibility, including oversight and monitoring. In general, most fraud and illegal acts occur when there is a lack of internal control or safeguards in place. This usually stems from the lack of segregation of duties and/or lack of monitoring. If a significant fraud occurs at a not-for-profit, the blame is placed on one of two types of people, depending on the nature of the event: those charged with governance – i.e. the board of directors/trustees or C-level persons; or the specific individual(s) who committed fraud. Therefore, it is paramount that the governing body exercise and document in writing the appropriate measures to ensure they are performing the required due diligence and risk assessments to identify issues before they occur.

COSO Internal Control – Integrated Framework

In 1992 the original Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) Internal Control – Integrated Framework was developed and was not revised until recently to take into account the many changes in the marketplace. The COSO Framework describes three types of risks that an organization faces from an internal and external perspective:

  • operational risks
  • risks of compliance with laws and regulations
  • financial reporting risks

A best practice in creating an organizational risk assessment structure is to hold a formally documented discussion of all internal and external risks and of how the organization addresses those risks. Since most fraud occurs at C-level positions, the board of directors/trustees needs to ensure they are strategically positioned to identify significant issues well before an external audit or, in the worst case, the public identifies them.

Risk Assessment Model

When performing an agency-wide risk assessment, a not-for-profit organization should take into account the following factors and consider the following risk areas:

For each risk area below, the questions listed are the risks to be identified and discussed.

Fraud Risk
  • Is there misappropriation of assets?
  • Is there misrepresentation of the financial statements due to intentional error?
  • Is there management override of controls?

Financial Statement Risk
  • Is there a risk of misstatement of the financial statements due to an intentional or an unintentional error?
  • Is the organization prepared internally for changes in GAAP and other changes in accounting standards which will significantly affect the financial statement presentation?
  • Do the staff have the necessary knowledge, skills and experience to prepare and/or review the financial statement data?

Computer Security
  • Is the organization managing its IT security?
  • Are there any risks of theft of information?
  • Does the organization have appropriate safeguards over cloud technology?
  • Are passwords strong and adequately safeguarded by employees?

Operational Risk
  • Discuss risks of fraud, lack of personnel, and other factors which could negatively impact operations (market downturn, changes in operations, new operations at the organization).

Programmatic Risk
  • Are the organization’s programs effectively monitored?
  • Does the organization monitor the efficiency of the spend?
  • Are communications to donors and the public consistent across all mediums (financials, website, annual report, Form 990, etc.)?
  • Are the programs meeting the objectives of the organization and the organization’s mission?
  • Are programs profitable and in line with the strategic plans of the organization?

Regulatory Risk
  • Are there any new laws affecting the organization?
  • How is the organization affected by significant legislation such as the Affordable Care Act, Dodd-Frank Act, etc.?

Reputational Risk
  • In the event of a negative public event, how will the organization respond?

Disaster Recovery/Property Risk
  • In the event of a natural disaster, storm, fire, power loss, etc., how should the organization respond?
  • Are the capital assets protected, and is there a risk of loss that needs to be considered?

Legal Risk
  • Are there any lawsuits or potential areas where the organization is exposed?

Compliance Level Risk
  • Is the organization in compliance with the grant contracts in place?
  • Is the organization monitoring controls over grant contract compliance and the various elements included in OMB A-133/Super Circular?

Strategic Plan
  • Is the organization updating this risk assessment and incorporating it into the long-term or strategic plan of the organization?
  • Does the organization have a long-term plan?
  • Does the plan that is in place address the strategic initiatives, and are the goals of the organization being measured and benchmarked?

Upon performing this risk assessment, the not-for-profit organization may realize that a new policy is required or that changes need to be made to the employee handbook to describe how certain items are to be handled. To ensure that the organization is exercising effective corporate governance, a risk assessment should be performed on a periodic basis (e.g., annually).
