Non-profit businesses are famous for operating on a shoestring budget and often don't have the resources to establish strong accounting policies and procedures and enough people to properly separate duties., which is an essential protective procedure. A small staff, whether paid or volunteer, makes it imperative for the Executive Director and board members to be consistently involved in hands-on review, and possibly execution, of the day-to-day transactions.
1) Policies and Procedures. The organization's leadership should establish written guidelines outlining how operations are going to be conducted every day without exception. This would include policies for board oversight, which should be constant and intentional. In the beginning policies and procedures will need to be reviewed regularly to make sure the organization is adapting to growth and requirements unforeseen at start-up. There should be unified commitment from all board members that there will be zero-tolerance for policy and procedure violations and certainly illegal activity. This commitment should be communicated to employees, volunteers, and donors.
2) Physical Access. Limit access to exterior doors, office doors, closets and file cabinets. Put a lock on areas where cash, blank checks, off-line personal information (employees, volunteers, and donors), and valuable equipment is maintained. Limit access to those who need it to carry out their daily responsibilities. When possible, use keys that cannot be duplicated. Maintain a list of all keys, what they open, and who has them. Have users sign for their keys when received, and the key guardian should sign for a key when it's turned in. When someone who has a key no longer needs it, get it back. This becomes a big deal if unauthorized access is suspected or something goes missing.
3) Protecting Income. Every non-profit should get a merchant card account with a terminal in the office and a secure gateway on a payment page on the website that captures the donor's name and address and encrypts their payment card information. Encourage donors to use their credit cards to donate. If the organization has off-site events, most processors have a swipe attachment for cell phones so event donations can be received via credit or debit card. The fees that are paid for these accounts are well worth the security provided. Do not under any circumstances write down credit card information that has to be input later.
Cash and checks coming in through the mail or over the counter need to be handled in such a way that no one person has control of the process of receipting, recording, and depositing. Preferably, the bookkeeper should only be recording income and not touching it. Donations should be listed along with the donor information and amount. Regardless of what the procedure is, the Director should review each deposit, comparing it to recorded income and to the list of donors. Deposits should be made every day without fail.
4) Protecting outgo. Blank check stock should be locked up with access limited to someone other than the authorized check-signer and the bookkeeper. Check numbers should be spot-checked and reconciled whenever new checks are retrieved for processing. The bookkeeper should never have check-signing authority.
5) Bank reconciliation. In a very small shop, the bank statement should be mailed to, and reviewed carefully by, a board member. The reconciliation should be completed by someone who does not record transactions or write checks. At a minimum, the reconciliation should be reviewed by someone in authority who cannot access or sign checks, with extra attention on reconciling items and cancelled checks.
Internal fraud most often occurs when an employee or volunteer reaches the crossroads where opportunity meets need and justification. You cannot control the circumstances that push a normally trusted person to consider theft, or the internal tug and pull that eventually convinces them that it is OK to steal from you. But you can control the opportunity. No matter how small, you can establish some controls to help protect the organization from the loss, and the employee from the inevitable results of defrauding and embezzling.