Webinar: Key Policies and Procedures to Promote Good Governance

December 04, 2019

This webinar covers key policies such as conflict of interest, gift acceptance, whistleblower, record retention, and executive compensation that all not-for-profits should have to minimize exposure to risk and abuse, while promoting good governance.

 


Transcript

Moderator:
We are pleased to welcome you to today's webcast. In order to qualify for your CPE certificate, you will need to remain logged on for at least 50 minutes, respond to three out of four polling questions. We would appreciate it if you would complete the evaluation survey following the event. A link to the survey will be emailed to you automatically within the hour following the webinar. You may submit questions using the questions box on your GoTo Webinar panel. We will try to address questions submitted during the program. However, if we're unable to address your question, we will connect with you after the webinar. The presentation is available for download through the handout box on your GoTo Webinar panel. For those who meet the criteria, you'll receive a CPE certificate from EisnerAmperyou@eisneramper.com within 14 business days of confirmed course attendance. Today's speakers are Heather Taylor, Director EisnerAmper, Eldean Wilson, Senior Manager EisnerAmper. I will now turn it over to Heather.

Heather Taylor: Good afternoon. Thank you for joining us today. Over the next 50 minutes or so, we will be discussing the core policies a nonprofit organization should have in place, how the organization can protect itself from IRS scrutiny over compensation, and the importance of each of the core policies that can be discussed with board members. All nonprofit organizations should have written policies and procedures. The types and contents of the policies that an organization adopts depend on the size, complexity, and maturity of your organization. A smaller, relatively young organization with few staff may operate with simpler policies than those of a more established organization with a large staff and considerable financial resources. Policies should be selected based on what is appropriate for the organization at that particular time in its life. As an organization evolves, the board and staff should review its policies for relevance and update them as necessary.

Heather Taylor:
Nonprofit management and board members are expected to be ethical stewards of the assets in its care. The assets may not be diverted for private purposes. We, as board members and people from the organization are stewards of public funds and public trusts. In addition to legal issues, inappropriate use of or mismanagement of your nonprofit assets presents a significant reputational risk for a nonprofit organization. When the reputation of an organization has been damaged, it can be extremely difficult, if not impossible, to gain the trust back of your donors and your constituents. This impedes fundraising and can lead to the downfall of an organization. So, sound policies that are communicated, enforced, help mitigate these risks.

In addition to mitigating reputational risks, the goals of having written policies in place include protecting the resources of the organization, facilitating the maintenance of accurate records of the organization's financial activities and resources, providing for consistency in action and behavior, providing a resource for training staff and communicating expectations, facilitating compliance with government, legal and reporting requirements. These written policies and procedures enable an organization to communicate what is expected of its employees, and hold them accountable for their actions. Eldean's going to talk about governance policies and the IRS.

Eldean Wilson: Okay. The federal form 990 includes various questions about governance. However, the IRS has no ability to enforce or mandate those compliance. But, please be mindful because, many states have governance requirements built into their not for profit laws and state attorneys general use the form 990 as a monitoring tool. The absence of corporate policies and procedures can lead to operations of non-exempt purposes or other activities inconsistent with exempt purposes. What particular policy, procedures or practice is adopted by an organization depends on that organization's size, type and culture. Below, there are some of the policies includes questions such as the following. Has the organization provided a complete copy of its forms 990 to all members of its governance board body before the filing? Describe the organization. Did the organization have a conflict of interest policy? Did the organization have a written whistleblower policy? Did the organization have a written documentation, retention and destruction policy? These will all be discussed in further detail on the upcoming slides.

Who is involved in creating governance policies? Various organizations, various stakeholders have vested interest in creating governance policies. For example, the development office will be involved in crafting and drafting a gift acceptance policy, the finance committee would be involved in drafting an investment policy, the business office will be involved in the implementation of the policies, and making sure that staff impacted by this policy are adherent to them, such as travel and reimbursement.

Moderator: We have now reached polling question number one. How many employees does your nonprofit organization have? A, 1-25 employees. B, 26-75 employees. C, greater than 75 employees. D, not related with a nonprofit organization. Please remember, in order to qualify for your CPE certificate, you must remain logged on for at least 50 minutes and respond to three out of the four polling questions. We'll give everyone a few more seconds to respond. We are now closing the poll and sharing the results.

Eldean Wilson: 75%.

Heather Taylor: Great, thank you. It looks like there are all different types of sizes of organizations online, and quite a few large organizations. Now we're going to talk about these key areas. These are the key policies a nonprofit organization should have in place. Most of them are applicable in some fashion, regardless of the size of your organization. So let's take a look at each of these policies individually.

Conflict of interest. It's defined as an actual or perceived interest by a staff or board member in an action that results in, or has the appearance of resulting in personal organization or professional gain. Conflicts of interest are going to occur. It's therefore important that conflicts are disclosed, and that the conflicted party recuses themselves from participating in anything related to the conflicting matter. For example, Jane board member is an employee of Help Me Out Bank. The organization is looking for new banks for financing. If Help Me Out Bank is one of the potential providers of the sought out financing, Jane should recuse herself from any discussions and decision making relating to that financing.

There could also be conflicts where a person could be prohibited from serving on a committee. For example in certain States, only individuals independent of the board can serve on the audit committee. As Eldean mentioned earlier, the form 990 asks if the organization has a conflict of interest policy.

Although an organization should have a policy covering both staff and board members, nonprofit board members need a conflict of interest policy because it prevents board members from benefiting in any way from board service. The policy fulfills legal requirements and prevents unexpected penalties. Board members should not benefit financially, personally or otherwise from board events or activities, although the personal satisfaction of serving on a board should always be there.

A nonprofit should adopt and follow suitable policies tailored to the organization. At a minimum, the policy should include making it clear that all should act in the best interest of the organization, define what constitutes a conflict both under state law and under the internal revenue service regulations, and how those conflicts will be managed. Recusal of conflict to policies from discussions and votes should be a requirement, and also require annual completion of a conflict of interest questionnaire, and how interim conflict should be disclosed when they appear during the year.

A conflict of interest questionnaire responses should be reviewed by a board committee. I do chair the audit committee at Rutgers University, and our policy requires that the conflicts be disclosed and discussed with the audit committee on an annual basis. Conflicts that arise should be documented in the minutes that should include who had the conflict, what matter it related to and the actions taken.

Eldean Wilson: Related party transactions. What is a related party? A related party transaction is a transaction that takes place between two parties who hold a preexisting connection prior to the transaction. Example, this includes a family member of an officer of the organization who receives compensation greater than $10,000.

Monitoring of conflict of interest forms that are not signed. Conflict of interest forms should be signed annually and reviewed by management timely in order to monitor related party transactions. What is the bidding process? The bidding process... Who holds the bidding process should ultimately sign a conflict of interest form. He or she should be clear of all conflicts. Is the transaction known to the board? Is it being properly disclosed in the financial statements? Is the board aware of the conflict? If a board member is involved, where they, he or she should be excused when decisions were made relating to that transaction. Should loans to employees be allowed? If loans are allowed to employees, the loans between interested person, i.e. CEO, should be disclosed on the tax returns. Should loans from board members be allowed? Document in policy if loans from board members are allowed. This should be properly disclosed in the financial statements form, and form 990.

Disclosures in the federal form 990 and all financial statements. GAAP financial statements require that transactions with related parties be disclosed for relationship amongst related entities. Financial statement treatment will depend on where the control and economic interest exists. A related entity may need to be combined with the reporting entity, or just require disclosure of the transactions. For example, this will include a parent entity and its subsidiaries. Also, in order to properly present related party transaction in the financial statement, such relationship should be identified by the board and management.

These slides give an example of part I of the 990 code form, that asks about independent voting members. The question is, number of voting members of the governance board. If the CEO is a voting member who receives a compensation from the organization, then he or she is a non-independent member. Also, a voting member doing business with the organization is also considered a non-independent member if he or she meets the threshold of greater than $100,000.

Heather Taylor: The code of ethics, sometimes referred to as code of conduct or statement of values, demonstrates the organization's commitment to do the right thing. This policy guides the organization's decision making activities as well as the behavior of its staff, volunteers and board members. I had a client where, one of its members charged personal airline tickets to the organization's credit card with the intention of paying it back. Since she intended to pay it back, she didn't see anything wrong with what she did until it was brought up by the CFO. Fortunately, the controls of the organization did catch this charge that was made.

In the second instance during the audit, a client staff member noticed that an invoice we selected for testing was mistakenly left off an email evidencing its approval for payment. She edited the email to include the missing invoice number, then printed it out and provided the email to the audit staff as evidence that the invoice had been approved. Since the invoice had actually been approved, but just not documented, she didn't think there was anything unethical about what she did. In both cases, the person didn't think what they did was unethical or wrong. A clear code of conduct policy could have prevented these situations. In the second instance, this instance was brought up to the executive director, the board, and eventually, ethics training was provided for the entire staff so that they were aware of what was expected and what unethical behavior looked like.

A code of conduct typically addresses the following areas, the values, what are the values of the organization? What do you expect? Honesty, integrity, transparency, confidentiality and other things that the organization feels are important to their mission. Guidelines for making ethical choices, that includes both what you believe are ethical choices and unethical choices. Transparency in everything that's done. Integrity in governance and in your day to day, commitment to abide by the organization's mission statement. Everybody needs to be aware of what that mission statement is, and have it lead the direction of their actions. Stewardship of assets, and consequences of not adhering to the code of ethics should be both discussed and enforced.

Moderator: We have now reached polling question number two. Does your organization have a code of ethics or statement of values? A, yes. B, No. C, I don't know. Please remember, in order to qualify for your CPE certificate, you must remain logged on for at least 50 minutes, and respond to three out of the four polling questions. We'll give everyone a few more seconds to respond. We are now closing the poll and sharing the results.

Eldean Wilson: 77%.

Heather Taylor: It's great to see that almost 80% of those on the phone are aware of, have and are aware that they have a code of ethics or a statement of values in their organization. Moving on, a whistleblower policy protects employees who report any activity that he or she considers being illegal or dishonest, and establishes procedures of reporting an incident, and how incidents are addressed. It also encourages employees to say something if they see something.

Federal law, and at least 45 states have enacted laws to protect whistleblowers from retaliation. Having a formal whistleblower policy will help your organization comply with state and federal laws. The policy should include a process for reporting an incident, which could be set up in various ways. The reporting, or the first line of reporting could be to the whistleblower's superior, if that person is not involved with the incident or a specified board member. The organization could also use a hotline number or website designated for individuals to report incidents, which could be anonymous or they could disclose who they are.

It's important for an organization to take all complaints seriously and determine if the accusation has merit, and if so, follow through with further investigation and action. Failure to follow through on a whistleblower complaint can lead to internal, external, and/or legal consequences. Depending on the situation, the organization may want to consult its attorney before completing any in-depth investigation, so that the investigation is done properly and any evidence found is admissible.

Eldean Wilson: Hold on. What can go wrong with travel and entertainment? This is an area that is highly susceptible to employee fraud. Several things can go wrong here. Travel and entertainment is considered an industrial risk for not for profits, and special attention should be paid to the particulars of the policies and procedures.

Lack of receipts. There are no appropriate receipts and other supporting documentation for the purpose of the expenses incurred. Management wants to make sure that there are always receipts and appropriate documentation when an employee is getting reimbursed for a particular expenditure. Inappropriate expenses. These can become considered as luxury hotel suites, charter jets, bottles of wine, et cetera. Excessive expenses. These are flying first class, spousal travel, expensive meals. Management should be aware flying first class, or even spousal travel can be taxable.

Subordinate approving boss expenses. In this case, this is a very common and frequent occurrence. The ED/CEO should be approved by a member of the board. The controller/CFO expenses should be approved by the CEO, et cetera. Lack of travel and expense reimbursement policy is not followed. Management should annually communicate this policy to all employees.

Corporate credit cards, what can go wrong? Personal charges should not be allowed. Management should communicate annually to all users of credit cards, that usage of the card for personal expenditures is strictly prohibited. This can ultimately result in misappropriation and misuse of the organization's credit card.

Timely reconciliation. Timely reconciliation of credit card statements needs to occur in order to catch anomalies. Reconciling credit card statements months subsequent to when the charges were incurred can lead to errors, et cetera. Too many individuals having access to credit card can weaken controls. A significant volume of users and transactions can often give rise to theft and misuse of credit cards by fraud. Corporate credit cards should be issued to only a few high level employees, so that usage may be kept to a minimum, in order to strengthen the internal controls over disbursements, and help prevent misappropriation of assets.

What to include in a travel and expense reimbursement policy. Sorry. The finance function should be responsible for implementing these policies. What type of expenses will the organization reimburse? The policy should be clear and specific. For example, travel, car rentals, business meals, office expenses, et cetera, can be part of an organization policy. What expenses are not allowed? The policy should make it very clear what expenses are not allowed, such as childcare, personal grooming, dry cleaning, parking tickets, airline upgrades, et cetera.

Explicit statement that corporate cards may not be used for personal charges. Management should make it clear within their policy, that corporate card should not be used for personal charges. What types of documentation must accompany reimbursement requests? Is there a threshold for reimbursement by management? Should the organization set a limit of maybe $20? There should be a specific policy requiring what type of documentation should accompany the reimbursement.

Mileage reimbursement requests should include details pertaining to business purpose, the date of travel, miles driven in excess of a normal commute. Parameters for timely submission. Timely submission will result in timely review. This can be done on a monthly basis, probably immediately after expenses are incurred, etc. But, parameters should be set by the organization for timely submission of expenses. Who's responsible to approve those expenses? Expenses should be approved at the right level before submitting for processing. For example, the CFO should not be approving the CEO's expenses. A board member should be at least reviewing the CEO's expenses, vice versa.

The goal of defining the objective of the policy is not just to define the rules of the travel and expenses, but to also ensure that employees clearly understand how to behave responsibly while spending the organization's money. A well-defined and communicated policy leads to low fraud rate, and overall reduced spending.

Heather Taylor: We have seen with our clients, we've looked at expense reports and looked at who approves them, and when there isn't a policy put in place, or even if there is a policy in place, but it's not adhered to or it's not followed or followed up by management, that there is quite a bit of abuse and spending of company assets, that an organization really doesn't have much of. For example, in my last example where the person charged their airline tickets, if the CFO wasn't reviewing those expense reports, that wouldn't have been caught. But, there's other examples where the upper management does a lot of traveling. We've looked at some of their expense reports, and all they're doing on their expense report is putting down 50 miles, 30 miles. "Oh, this month I traveled 200 miles," but there's no information on the day that they went, where they went, and the business purpose for that. But, nobody was saying anything to the executive director. They were just paying their expense report.

So, the people who are filling them out, are requesting these expenses aren't necessarily being fraudulent in their requests. They're putting down what they think is reasonable, and if there's no policies to follow, they just don't know any differently. So, it's really important that the organization both has a policy, and enforces the policy and communicates the policy, so that the use, with limited assets or limited resources for the organization, that it's actually going to the right place.

Eldean Wilson: Expense reimbursement and taxable fringe benefits. This is a chart that's on I believe schedule J of the 990, and asks these questions. If an organization checks yes to these, do they indicate taxable benefits? And if so, is it being properly reported? Areas of abuse are housing, spousal travel, et cetera. As I indicated before, spousal travel can be taxable, so we want to be aware of that. Also, housing can be taxable. For example, housing for a CFO, an organization gave housing to a CFO, that's more than likely taxable. Housing for a clergy or a minister may not be, more than likely is not taxable. Housing for a headmistress that needs to be on premise or on location for students, more than likely may not be taxable. So organization needs to pay attention to what are considered taxable fringe benefits.

The other question also is, did the organization require substantiation prior to reimbursing or allowing expenses incurred by all directors or trustees? Organization wants to make sure that they ask for and require substantiation prior to reimbursing or allowing expenses.

Compensation, who sets executive compensation? Executive compensation can be set by executive committee, a compensation consultant. Organizations just need to make sure they establish who's responsible for setting those compensation, that they are clear of conflicts. Compensation can also be set by a compensation committee.

What metrics are used to determine fair compensation? Fair compensation can... Comparability data can be used. Was a compensation study completed in order to set this compensation? These are tools that are available to organization in order to set or determine fair compensation. Are there any state laws, caps on compensation? Organizations want to make sure and understand if there are any state laws, caps on compensation. Are those setting compensation independent or might there be a conflict of interest that merit recusal? Is there a board member who's not independent, that's involved in the process? If there is, then he or she needs to recuse themselves when setting this compensation.

Does the board understand the standard definition of taxable versus non-taxable benefits and state limits, with respect to employee benefits? I've just indicated before about taxable housing versus nontaxable. The board just needs to be aware, and have an understanding when given compensation and benefits what would be considered taxable and nontaxable to the CEO or executive director. What about concerns about remuneration over $1 million? For this year, the IRS has a question on the 990 that imposes an excise tax on organization that pays to any covered employee more than 1 million in remuneration, or pays an excess payout during the year. As indicated, this is new for the tax year 2018.

Heather Taylor: Why this is of great importance, the things that Eldean was talking about is that, if the organization does not have a process in place that covers these types of things when they're setting a compensation for upper management, if the IRS comes in and believes that the compensation is excessive, and the organization does not have a process in place, then the organization then has the burden of proving that that compensation is reasonable. If they do have these policies in place, it shifts the burden to the IRS to prove that the compensation is not reasonable. So, this is very important that every organization has this in place regardless of the size of the organization.

Eldean Wilson: Payments on the compensation arrangement will be presumed to be reasonable, and a transfer of property will be presumed to be at fair market value if, one, the transaction was approved in advance by an authorized body. Two, prior to making its determination, the authorized body obtained appropriate comparability data. Three, the authorized body adequately documented the basis for its determination concurrently when making that determination, and four, compensation is reported appropriately.

When in doubt, take hint from the form 990 schedule J. There are several questions that are asked on the 990, which indicates whether or not compensation has been set appropriately and properly. As I indicated before, did the organization use a compensation committee? Was it an independent compensation consultant? Is there a written employment contract? Did the organization use a compensation survey or study? Is there approval by the board or compensation committee? These are all tools that the organization can use when setting compensation for the CEO, or executive directors, or top management.

Heather Taylor: The IRS, since they're asking these questions, they have this information up front as to whether the organization has actual policies in place. So, if an organization isn't checking these boxes, it really is raising a red flag to the IRS that if there's excessive compensation, or if there's potential excessive compensation, then the organization does not have much of a leg to stand on if the IRS comes knocking on their door.

Moderator: We have now reached polling question number three. What state do you work in? A, New Jersey, I'm sorry, A, New York, B, New Jersey. C, Pennsylvania, D, California, E, other. Please remember, in order to qualify for your CPE certificate, you must remain logged on for at least 50 minutes and respond to three out of the four polling questions. We'll give everyone a few more seconds to respond. Okay. We are now closing the poll and sharing the results.

Heather Taylor: Looks like we have the East Coast covered. That's great, and other, 12% is somewhere other than tristate area. So, thank you for joining us. A document retention policy is a document management policy. The policy should identify what documents must be retained, and for how long. A document can be paper, digital, or even something on the cloud these days. The policy relates to certain critical documents, but not every piece of paper file or email that the organization has. Particularly, it addresses corporate records, finance and administrative documents and development and fundraising documents.

The policies should also address when and how often documents should be purged or destroyed. This is critical as it relates to legal matters. For example, we've all heard of Enron, and reports of its illegal document shredding. They waited for the whistle to be blown, and everybody started shredding all their documents. Documents that were critical to the investigation started disappearing. So, if documents are destroyed in a scheduled manner, then these types of illegal actions and matters may be prevented.

The table below, and on the next page, can be used as a guide. But, each organization must consider its own state laws as to what must be maintained as well as the nature of the organization. For example, an organization that works with children may be required to retain documents relating to each child until they reach 18, or they may be required to retain them permanently. If they are required to retain the documents until they reach age 18, the organization may have a policy in place that does an annual purge and destruction of documents of anybody that reached 18 within that year.

If your organization accepts contributions, it's best practice to have a gift acceptance policy. This policy allows your organization to maintain discipline in gift acceptance and administration. This discipline prevents the acceptance of gifts that would cost the organization excessive time and money, and potentially reputation. If the policy defines certain types of gifts, then the organization can decline a gift that doesn't adhere to the policy, as opposed to just saying no to somebody because they don't... Maybe the person raising the money doesn't feel it's right, or happily accepts a gift, shares it with the board, but then the board comes back and says, "We can't accept the gift." Then, they have to go back to this donor and tell them that they can't accept that gift.

Some donors want to give non-cash gifts that are difficult to convert into cash. So, the policy should define what types of gifts are and are not acceptable, which can relate to autos, boats, real estate, and other similar assets that might not be usable by the organization, but then they can't turn around and get cash for them. The policy should also define types of companies or individuals that are unacceptable to accept gifts from those organizations, or individuals that conflict with the values of the organization. We've seen a lot of examples of this in the press over time. A current type of example would be an independent school. They probably wouldn't want to accept the gift from a vaping company, or a person convicted of certain crimes. In addition, as Eldean mentioned earlier, there's a question on the form 990 that asks if the organization has a gift acceptance policy. Also, schedule M of the form 990 requires disclosures of non-cash gifts received when they're in excess of $25,000.

What can go wrong? There's a lot of things that could go wrong, and if you haven't had them in your organization, it's hard to understand that any gift or that a gift could be a bad thing. What if you get a horse? It's happened. You may get donation of real estate that has here a squatter, or it might have environmental issues that you don't know about. So that, when you go to try and sell the property, then the environmental issues come out and now you're spending money on something that you can't even sell. You could also get interests in companies, S corporations or partnerships. The income from those partnerships or S corporations would flow down to the organization, could be unrelated business income tax. You could then have tax payment due on this income, but you haven't received any cash, the income is just paper income on a K1. So, unless there's a distribution from the organization, now you're paying tax on something that you haven't recognized any income from.

There are a lot of different ways or different things that people can try and donate, that may not be beneficial to the organization. I did recently have a client that was a school, that was offered a donation of a house that was on the edge of the existing school property. Normally, that would have been a great way for the school to expand this property line. So, while it looked good on the surface, there was a stipulation that the organization had to maintain the house and pay all of these expenses for the donor's parents to live there until they passed, and then they would get full access to the property, and the house itself.

So, we talked through all the different scenarios with the client, and then the organization weighed its pros and cons and decided not to accept the house, because the burden of upkeeping that house without getting any cash from that donation, for they didn't know how long, was not worth getting that donation itself.

For the reasons noted on the previous slide, a gift acceptance policy should include the mission of the organization and the policies and purpose, the purpose of the policy, the types of gifts or assets, and the forms of the gift the organization will and will not accept besides cash. You have to consider stocks, real estate, autos, charitable trusts. Each of these non-cash items comes with its own administrative burden and potential costs. Is the organization willing to take on those types of costs or define that those types of things are not going to be accepted?

It should also include minimum gift requirements for certain types of gifts such as endowments and restricted contributions. For example, endowments must separately be tracked for each investment, for investment income and spending. Acceptance of small amounts for endowments can become excessive administrative burden. So, if you accept endowments of any dollar amount and somebody gives you $50 to be held in perpetuity and you can only use the income off that $50 for use for general purposes, that would be very difficult to track.

Many organizations set a limit of 50,000 or a 100,000 as a requirement for an endowed asset, because of the administrative burden it takes to manage that asset. There also may be times that legal counsel should be sought to deal with the acceptance of complex gifts. So, it should also be defined in the policy when counsel would be sought. The policy should also address if any types of gifts require board approval, either a dollar threshold or a complex gift. It could be very general and broad, but if the board should get involved, that should be included in the policy itself.

Cybersecurity is the hot topic these days. We could provide a whole session on these types of policies. So for today, we're just going to briefly talk about the types of policies that should be considered. Some of these are policies in and of themselves, and some of these items could be embedded in other policies or just a general IT policy.

Data protection and privacy is paramount. You must protect the information of your donors, constituents and employees, and therefore an organization should have policies surrounding information protection. Reputation is critical to a nonprofit, so a social media policy can define acceptable or non-acceptable social media behavior. This could be personal social media as well. An organization may not think that they have control or have a say in what a person does in their personal life, or with their personal social media, but the actions of its employees reflect on the organization itself. So, if you really care about those types of things, or if there's a potential for people's actions to affect your organization, that kind of policy should be in place.

Heather Taylor: For example, there's been numerous times where recently, a school teacher posted racially discriminatory views on his Facebook feed. Once the media got a hold of that, there was plenty of bad press for the school. Then, the school now had to deal with what to do about that person, because it was done in their private life. So, how do they take action with their employee as far as the organization is concerned, because they didn't do it at work? So, a policy would put in place the types of things that are acceptable, and if they do something against that policy, what would be the consequences?

The SOC 1 Report is a report that relates to internal control of service providers, such as your payroll company or your investment companies. It's important to understand what controls your service provider has in place to protect data, and to process the information that you're providing to it. These reports should be reviewed to make sure that they have those types of things in place. User de-provisioning relates to whether there's procedures in place when someone leaves the organization or changes position. Have you revoked, or is there a process to revoke access to the systems?

Many of the organizations or people on the line today, are from large organizations. If you have hundreds of employees and they work for various different departments, somebody may leave and it may take time in order for the information regarding that employee leaving to get to the IT department, to the business department. So, they may be gone for weeks and weeks without having their access to the systems revoked. That could really leave the organization open to fraudulent activity from the person who is gone. So, it's really important to have that done timely, and a policy in place so that the reporting is done timely.

It is important for each organization to determine what policies make sense for them, and then work on putting them in place. So, it's not a one size fits all, and the policies don't have to be complex, but they should all be considered. The below are other policies to consider. We're not going to talk about them in detail, but your organization should have an audit committee charter if it has an audit committee. It defines the purpose and responsibilities of the committee.

A fundraising code of conduct can be an add on or in place of the gift acceptance policy. This defines how fundraising should and shouldn't be conducted. An investment policy assists the organization in effectively supervising, monitoring and evaluating its investment assets. An endowment spending policy establishes guidelines on endowment fund spending to meet cash flow needs, while preserving endowment corpus in a prudent manner. An operating reserve policy is establishing reserves to ensure the stability of the mission, programs, employment and ongoing operations of the organization. A reserve should be established to provide a cushion against unexpected events, losses of income or large unbudgeted expenses.

Delegation of authority policy stipulates areas in which the board has reserved authority, and areas which the board has delegated authority to the executive director and administration. So everybody is clear of their responsibilities. A designation of funds policy establishes guidelines over board designated funds. It could cover funding, purpose uses, spending rate investment and other provisions of those designated amounts. In older organizations, we have seen that there are board designated funds that were established decades ago with no current guidance on how the funds should be used. Many times they just sit there as designated funds not being used. There was no policy ever established. So, in having policies established for these funds, board members and management going forward know exactly why the funds were put in place and what they're for and how they should be spent.

Eldean Wilson: What are the key takeaways for your organization? Inventory the policies currently in place. As Heather indicated, are you missing a policy related to the audit committee charter, are you missing an investment policy, are you missing a whistleblower policy? Organizations should periodically check their policies that are currently in place to verify what they're missing and what they need. I must say, this is an area where we will find a lot of management letter comments, as with the review of their internal controls and we see what policies are missing from the organizations, and what policies are needed.

Determine what policies should be in place, and why. Are they updated and consistent with the organization's tax-exempt status? Management should make sure that those policies are in line with the organization's tax-exempt status. Drafting the policies for board review, input and approval. This is a key step. However, management needs to make sure that the policies are adopted and operating effectively. Many times, you see that policies are drafted and the organization has them drafted, however, they're not adopted by the board and they're not implemented. So, it's great that management will draft the policy, but wants to make sure that those policies are followed.

Establish a means of effectively communicating policies. How do you make your employees aware of the policies in place? Is that via employee handbook? Is it regular staff meeting? Is it an accounting manual? Management needs to make sure that all employees are aware of the policies, and communicating those policies effectively to their employees. You also need to ensure policies are consistently enforced. Good housekeeping is always warranted. Each stakeholder, i.e., board of trustees, the development department, audit committees, needs to stay involved and updated to make sure that policies are enforced.

You also need to consider when exceptions may be acceptable. Is there a threshold of receipts, as I indicated before for a traveling reimbursement policy? Is there a particular threshold? Is $20 your floor? Make sure that this is also documented in your policy. Management also needs to create a process for updating those policies. One, how often should the policy be updated? Is this on a monthly basis? Is this on an annual basis? Is it every six months? Management needs to determine that. Who is responsible for updating what policy? For example, HR would be involved in a manual, accounting manual the CFO or the accounting department would be involved in that, development policy, gift acceptance policy, the development department may be involved in that. You also want to document your changes to the policy. Always make sure that the governance body is involved in the process.

Moderator: We have now reached polling question number four. What topic would most interest you in the future? A, new accounting pronouncements. B, governance. C, cybersecurity. D, 990-related matters. E, not sure. Please remember, in order to qualify for your CPE certificate, you must remain logged on for at least 50 minutes and respond to three out of the four polling questions. We'll give everyone a few more seconds to respond. We are now closing the poll and sharing the results.

Heather Taylor: Right. Thank you very much for your feedback. That will be helpful in us putting together the future webinars for you. In wrapping up, there are plenty of examples and guidance on the internet for all the policies we discussed today. Listed here are a few specific resources to consider. Specifically the National Council of Nonprofits, if you go to their website, they have examples of all types of policies. But, if you do search for any of the policies on the internet, you're going to find a plethora of information and samples.

There is one question that came through. It asks, for document retention, how long do you need to keep an original invoice if you use a paperless AP system? Well now, in today's age where a lot of things are paperless, the length of time that you should be keeping them is the same whether you're paperless or in paper. So the list, the schedule that we had in a previous slide talks about AP invoices. So, even if you're on a paperless system, the time you should hold them would be the same.

Seeing no other questions, I want to thank you for joining us this afternoon. Please feel free to reach out to us if you ever have any questions, and have a great day. Thank you.

Moderator: We hope you enjoyed today's webinar. Please look out for a follow-up email with a link to the survey and presentation. For those who meet the criteria, you'll receive your CPE certificate from EisnerAmperyou@eisneramper.com 14 business days after confirmed course attendance. Thank you for joining us.

About Heather Taylor

Heather Taylor is an Audit Director with over 25 years of experience in the public accounting and auditing profession. Heather has significant experience working closely held corporate entities and not-for-profit organizations.

About Eldean Wilson

Eldean Wilson is a Senior Manager in the Not-for-Profit Services Group, with more than 20 years of experience in planning and administration of nonprofit audits.
