Charities – have your controls evolved ready for the next phase?

During the UK lockdown, the majority of charities had to adapt their processes when government restrictions meant that staff had to work from home.

As the latest restrictions begin to ease and more staff return to the office, it is important to reassess what your processes and policies should look like going forward.  Whilst it may make sense for things to change to reflect more face-to-face working, it is not sensible to lose any efficiencies which were gained.  Now is a great opportunity to review whether your procedures are fit for purpose going forward and we have summarised a few points to help in your evaluation.

1. Have the changes made resulted in an easier and more efficient process?

The main difference introduced during remote working has been that authorisations, reviews and approvals have been performed electronically.

For some organisations this may have pushed them towards a new purchase approval system where purchase requisitions, orders and invoices are now initiated and filed online along with the approvals at each stage of the process.  It would not be sensible for this reduction in paper filing, ease of access to documents and a clearly documented authorisation trail to be lost

However, there may also be organisations where goods received notes and invoices are received in paper copy and scanned and emailed individually to budget holders for approval.  If valuable staff time is being spent scanning and filing, is this a cost effective and sustainable solution?

2. Does the new operation of a control provide the same/sufficient risk mitigation?

Whilst temporary changes to controls may have been introduced in haste to address immediate needs, it is now time to properly evaluate whether they provide the same or at least sufficient, mitigation of the risks they need to cover.

It may be that a full paper trail wasn’t retained, mid-levels of approval were removed or there was less segregation of duties for certain tasks with just a final approval at a more senior level. If risks are adequately mitigated with less steps then the Trustees may agree for permanent changes to processes to be made; if not staff need to be instructed to return to following full procedures.

3. Are sufficient records kept of the approval process?

If you are moving towards a more paperless way of working, it is essential that documents are properly filed. For small charities this may be achievable with basic software but for those with more complex records it may be cost-effective to invest in some virtual cabinet filing software.

If approvals are made by email rather than with a secure electronic signature, it is important that a clear trail is retained as evidence.

You must also ensure that electronic records and approvals are sufficiently protected to prevent unauthorised access and amendments.

4. Do the charity’s policies need to be updated to reflect new ways of working?

Where it is agreed that permanent changes are made to processes, it is important that the charity’s policies and financial regulations are updated to reflect this, especially to clarify what is meant by electronic approvals or signatures.

You should also review the IT policies and GDPR policy to ensure that any new software and Apps introduced during remote working are properly documented.

5. Were there checks and reviews which could not happen remotely?

This could include a review of fixed assets for damaged/missing items, fire safety drills or certain training courses.  A return to the office should prompt these being reinstated and booked in with appropriate regularity.

Similarly, there may have been reviews and authorisation which have not been required for many months, such as expense claim approvals.  It might be an appropriate time to remind your staff of the correct procedures to be followed.

6. Are there new risks which require additional procedures to be introduced?

Any review of processes and controls should consider the risks they are trying to mitigate. Given the changes we have seen during 2020 and 2021, the charity should review its risk register and ensure this is a comprehensive list of the key risks to be addressed going forward.

Similarly, if your charity has adapted to generate alternative funding and income, operate in new areas or provide new services, you need to ensure that you have properly considered the associated risks for these new areas and put in place a clear policy on how these are mitigated.

Independent scrutiny

If you have an internal audit provider or in-house team, now may be a good time to plan your next phase of work. This will help to provide the Trustees with an independent check that the financial controls, systems and policies you have in place are properly designed to effectively mitigate your risks and are operating correctly. It can also identify where controls are weak or absent and provide recommendations of controls to be introduced or how to bring existing processes in line with best practice. You may also want to consider a third-party review of non-financial areas such as health and safety or detailed IT controls.

If upon reading this article, you feel that your policies and procedures would benefit from an external firm providing internal audit scrutiny then please do get in contact with one of the Kreston Reeves team who will be happy to help.