A proven yet little-known framework for asset protection

We see it all too often in the headlines: Fraud can happen within any organization. Which is why all organizations—and especially nonprofits—must protect their assets.

There are two primary areas of fraud: 1) fraudulent financial reporting, and 2) misappropriation of assets. Most define asset protection as taking steps to watch over cash, inventories or equipment that might walk out the door. But fraudulent financial reporting, which is often done to cover up misappropriation of assets, could easily rob your organization of its greatest asset: your reputation.

Nearly twenty years ago, financial and accounting industry groups came together under the Committee of Sponsoring Organizations (COSO) to address the issue of asset protection. Their solution: a five-part, top-to-bottom framework for helping nonprofit organizations design and implement internal controls.

The framework, titled “Internal Control – Integrated Framework,” goes beyond simply putting controls in place. It provides a foundation—a structure—that promotes asset protection throughout the entire organization. It lays the groundwork for reliable financial reporting, compliance with laws and regulations, and effective, efficient operations.

The framework revolves around five fundamental components, which are included—along with a brief description of each—in the list below.

1. Control Environment – The control environment essentially sets the tone of the organization. Factors include integrity, the ethical values of the organization’s people, and management’s philosophy and operating style. Regardless of its size or type, an organization’s environment should foster integrity and ethical behavior. Best practices related to this component include hiring qualified, vetted staff members, fostering communication and conducting proper supervision.

2. Risk Assessment – Risk assessment is the identification and analysis of risks (internal and external) relevant to the achievement of the organization’s objectives. It also focuses on determining how an organization’s risks should be managed.

3. Control Activities – Control activities are the policies and procedures implemented throughout the organization to promote compliance with management directives. Control activities may include approvals, reconciliations, verifications, monitoring operating performance, segregation of duties, security of assets, staff training, job descriptions, and documenting transactions.

4. Information and Communication – Good internal communication is crucial for every organization—and should include the reporting of key metrics to its board of directors in a clear and timely manner. Effective external communication—which may be directed to customers, vendors, the general public, regulators, etc.—is important, too.

5. Monitoring – Once a control structure is in place, it requires on-going monitoring and immediate corrective action in response to any instances of noncompliance.

All organizations, regardless of their current situation, should take another—or first—look at the COSO framework. The full framework and additional resources are available on the COSO website. For more information, visit http://www.coso.org/guidance.htm.

Your audit professional can help

Independent auditors are required to use the COSO framework when analyzing an organization’s internal controls. Be sure to ask your audit professional about how your organization measures up. They may also be able to provide recommendations for implementing the framework.

Taking the right steps to protect your organization’s assets is key to sustainability and growth—and can ultimately strengthen what matters most: your mission.