News

Authored by Greg Douglas, Senior Manager 

I recently had the opportunity to travel to Colorado with a group from my church to work on a post-forest fire mitigation project in the mountains outside Colorado Springs. Our group worked with a local nonprofit that provides forest-firefighting coordination and mitigation services. We worked in a section of the San Isabel National Forest that had burned in an 18,000-acre fire in 2016. The mitigation nonprofit had a plan for the week to address issues of flooding and property damage being experienced in the valley below, resulting from extreme water runoff and debris that originated from the now barren mountainside. The plan entailed planting oats, which germinate within days of being planted, and native grasses, for long-term stabilization, along a strategic section of the mountainside to provide ground cover to slow the flow of water and the erosion of the mountainside into the waterways below. Additionally, the plan called for the construction of a series of approximately 100 log erosion barriers (LEBs), which are like man-made beaver dams that lay perpendicular to the slope of the mountainside in a pattern like a carnival Plinko game board.

During one of our water breaks, my mind drifted back to my day job (as an auditor) as I noticed the similarity of our week’s work to the application of a system of internal controls that we auditors look for with an audit client. The mitigation nonprofit team identified an inherently risky point in the landscape of the mountainside. The mitigation nonprofit’s experienced staff designed a plan (a control) to deal with this inherent risk. We were now spending the week assisting them in implementing the plan. They clearly had in place three of the four steps of the internal control process we look for in considering our clients’ internal controls in an audit engagement —

• Identification of an inherently risky point in the financial reporting system – like one of my nonprofit clients having a bookkeeper with the ability to approve invoices, write and sign checks, reconcile bank statements, and record activity to the general ledger. The classic segregation of duties risk for many small nonprofits.
• Design a control to mitigate the inherent risk – like the management of my client nonprofit requiring that the monthly bank statement, with images of checks and deposit tickets, go unopened to a person a level above the bookkeeper before the bookkeeper gets the bank statement to prepare the monthly bank reconciliation.
• Implement the control – as the person above, the bookkeeper actually reviewing the bank statement and images on a monthly basis.

The fourth step in the process – monitoring the control’s implementation and operation – in the case of the forest mitigation nonprofit, will be a combination of continued visual inspection of the mountainside and LEBs by that organization’s staff and the local property owners during major rainstorms and spring’s snow thaw. Similarly, my nonprofit client will need to monitor its internal control implementation and operation, perhaps through methods such as:

• A monthly task list sign-off by the person responsible for the control’s performance, which asserts the task was performed
• Markups on the bank statement made by the control performer identifying the transactions asked about during the control’s performance
• Periodic inquiry of the control performer by another member of management regarding the performance of the task
• The control performer’s signature on the monthly bank statement indicating the statement and its contents have been reviewed

By covering all the steps in the internal control process – Identification of the Inherent Risk, Design of a Control, Implementation of the Control, and Monitoring of the Control’s Performance – the mitigation nonprofit is taking proactive steps to deal with the inherent risk present in the region. The same basic internal control process can be used by organizations of any size to deal with the inherent risks they face in safeguarding assets and presenting financial statements free of material misstatements.