Over the last few years, we have seen some clear trends and evolving practices on governance and risk management. This summary will allow you to assess some best practices we have observed so you can evaluate ideas and opportunities for possible improvement or evolution within your own not-for-profit organization.
- Bring More Focus to Information Technology Risks
We find that most boards do not have technology risks assigned to a specific board committee. Given the risks in this area, we believe it would be advisable to have this risk assigned to a board committee, likely as part of the audit committee charge. This would include over the longer term, adding someone with information technology expertise to your audit committee.
Many organizations may benefit from the periodic use of an outside consultant to help assess the state of affairs within IT. An outside consultant could help identify risks and suggest approaches to reduce said risks.
Larger entities might have the benefit of fresh perspective and new ideas, but many not-for-profit organizations have smaller IT functions. Not-for-profits with smaller IT departments might not be able to step back and assess risks and mitigations in a robust way to make sure that these matters are given some degree of priority and attention.
Given the influx of threats to data security, we also believe that every IT department should have at least one employee whose primary duties include data protection.
- Plug In Insurance Considerations Into the Risk Process
One of the largest risk management investments organizations will make is their insurance coverage. Management often makes the decision for the insurance coverage for the organization. Leadership will meet with insurance brokers to discuss new developments, consider emerging risks and other circumstances that may lead them to modify their insurance coverage. Your audit committee should be included in the conversation at the point that management is ready to recommend a course of action.
You may want to invite insurance brokers to present to the audit committee every few years, as they will likely bring invaluable insights into changes and developments in the insurance market as well as perspective on what other like-organizations are doing.
- Become More Transparent Relative To Tax Compliance
Most organizations review the Form 990 filing with the audit committee and make the full document available to the board. Included in this review, if applicable, should be the Form 990-T, Exempt Organization Business Income Tax Return. Unrelated business income tax can be a large source of risk for your organization, given your organization must decide what to report as unrelated and related. We recommend that you invite your consultant to the audit committee meeting to review these forms.
For entities with state income tax exposures, there should be a more in-depth conversation relative to your jurisdictional filing judgments. The conversation should consider two elements: in which states do we file and why do we file in those states; and in which states do we not file in and why we do not file in those states.
Sometimes a matrix format can be used to illustrate positions and exposures by state. Some organizations may make the decision not to file in states with small exposures. If the audit committee understands the state income tax exposure dynamics, committee members may have a better grasp of the judgments management makes from time to time.
- Ensure Greater Benefit Plan Oversight
As the plan sponsor and fiduciary, your organization bears responsibility for the accuracy of its benefit plan. Your organization should consider enlisting your audit committee to assist in meeting the regulatory requirements involved in benefit plan financial reporting. Audit committees can help your organization address compliance concerns with the benefit plan by reviewing recent benefit plan audit reports, or at least by understanding a summary of the results of those audits. An audit report will indicate which areas need to be improved. The report can also help guide future risk management efforts so there is clarity on the risk and conditions that are present in the benefit plan programs that might affect the sponsor.
- Consider The Risks Of Outsourced Services
Many organizations have the misconception that because a service is outsourced, it does not need internal controls. The responsibility for the service, regardless of who performs it, remains with your organization. You may have key controls as a user of the outsourced service that you need to be attentive to as well.
You need to ensure that you have adequate controls over outsourced services, including vendor performance or conformance when outsourcing. Your vendor contracts should include provisions that specifically address a vendor’s failure to perform. It should also address any security breaches that affect either your organization or the vendor.
Audit committees can help manage controls around outsourced services if they have a matrix of all outsourced activities that includes the key risks for that vendor and the organization’s approach to monitoring that vendor. Your organization should also create a “report card” for each outsourced area that details its key risk findings.
Other Risk Management Practices to Consider
If your organization has the resources, you should consider establishing a chief compliance officer (CCO) position. Though often found in large organizations, CCOs are appearing in organizations that makes less than $100 million in revenue as well. CCOs often participate in the audit committee meetings and share their perspective and knowledge about risk management and potential exposures to litigations or claims. Additionally, creating a compliance position relieves the chief financial officer of your organization from some of his or her enterprise risk management responsibilities.
Your organization should also consult with your financial statement auditor. Your auditor may be able to share with you best practices noted in other organizations that might be of benefit to you. Auditors may also be able to divulge their perspectives on risks and results associated with areas of rotational emphasis that might add value and insight in terms of the risk management process.
For More Information
If you have specific questions, comments or concerns on governance and risk management practices, please contact us here.
Mike Burns is the CBIZ MHM National Not-for-Profit Practice Leader. He can be reached at 617.761.0584 or email@example.com.
Copyright © 2015 CBIZ Tofias & Mayer Hoffman McCann P.C. - Tofias New England Division. All rights reserved. CBIZ Tofias and Mayer Hoffman McCann P.C. - Tofias New England Division are separate and independent legal entities that work together to serve clients. CBIZ Tofias is a leading provider of tax and consulting services. Mayer Hoffman McCann P.C. - Tofias New England Division is an independent CPA firm providing audit and other attest services. This article is protected by U.S. and international copyright laws and treaties. Use of the material contained herein without the express written consent of the firms is prohibited by law. Material contained in this alert is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their business.