Page Contents

Internal controls
What are internal controls
What are preventative controls
What are detective controls
Communicating and implementing internal controls
Internal controls checklist

Internal Controls

In order to ensure that financial information is accurate and to protect the church’s assets and employees, the church must implement and maintain internal controls. While it is important for the church to trust its members and employees, there is increasing pressure on churches to manage finances in a more professional way. Internal controls are critical in managing finances in an effective and professional manner.

What are Internal Controls?

Internal controls are the systems, processes and policies that protect the assets of an organisation. They facilitate accurate recording of financial transactions, reliable financial reporting, efficient operations and assist with prevention and detection of fraud and error. An example of a simple internal control is having two unrelated people count tithes and offerings. This reduces the risk of fraud and error compared to only having one person count.

A church will have different internal controls over different income and expense streams; i.e. any sales income will have different internal controls to tithes and offerings. Note that an effective internal control will consider financial procedures and persons responsible for the task. Using the example of two people counting tithes and offerings, this control is not as effective where the two people are related as it has more potential for collusion. There should be a segregation of the financial procedures with different people as much as possible.

Implementing an effective internal control system is largely about ensuring the reputations of the people who handle the resources, both employees and volunteers, are protected in their work and ensuring the reputation of the church as a whole.

Internal controls can broadly be divided into two categories:

  • Preventative; and
  • Detective

An effective and efficient internal control system will encompass a mix of both preventative and detective controls.

It is obviously more difficult for a small church to implement preventative controls, therefore detective controls will need to be more heavily relied upon.

What are Preventative Controls?

Preventative controls are designed to prevent errors, unauthorised use of assets or the misappropriation of assets. These controls might include:

  • Segregating duties and incompatible functions. The objective is to ensure that temptation is removed and, where possible, one person cannot initiate a transaction as well as record the same transaction making it possible to disguise a misappropriation. For example, the person who receives cash should be different from the person who enters the details into the accounting system to minimise the risk of misappropriation.
  • Access controls which limit the ability of unauthorised persons to process financial transactions.
  • Multiple authorisation requirements e.g. dual cheque signatories and electronic banking passwords.
  • Authorisation of transactions by a person who has day to day knowledge of expected expenses and is in a supervisory role.
  • Review of transactions before they are completed.
  • Third party documentation of transactions.
  • Various approval limits in relation to transactions, for example, all payments over $1,000 must be approved by church leadership.
  • Review of exception reports prior to finalisation of the transaction.

What are Detective Controls?

Detective controls are designed to find errors, unauthorised use of assets or the misappropriation of assets. These controls may include:

  • Management review of specific transactions;
  • Comparison to historical financial information and budgets;
  • Identifying, setting and monitoring key performance indicators;
  • Review of exception reporting, for example, a review of changes to the payroll master file;
  • Review of transactions after they are completed;
  • Board review of management accounts;
  • Internal audit procedures;
  • Reconciliation processes over assets and liabilities; and
  • A robust audit process.

Communicating and Implementing Internal Controls

The responsibility for the design, implementation and oversight of the internal control system is held by the church’s leadership. It is important that the internal control system is documented and reviewed on a regular basis. It is greatly beneficial for new board members to have access to documentation that outlines the key internal controls in place. This is to ensure that it continues to be appropriate and effective in reducing the risks to an acceptable level. Documentation of the internal control system helps to inform those involved in the financial transactions of the importance of the role they play. Where there is a change of treasurer, it can be useful in giving the new treasurer an understanding of the control system in a timely manner. There should be regular checks to confirm that the documented controls are operating as they should.

All people involved with processing financial information need to be committed to maintaining effective internal controls. Employees and volunteers need to understand the importance of controls and why they have been put in place. It is important that employees and volunteers understand that the controls are in place as much to protect them and their reputation as it is protect the church.

To help you to document controls you may find the Internal Control Assessment System (ICAS) useful. See ICAS template.

Internal Controls Checklist

We have prepared a list of typical internal controls within the relevant income and expense streams. Note that this is not a complete list of all internal controls but a guide to assist in developing internal controls. It may not be possible for the church to implement all of the internal controls due to limited employees and volunteers.

Controls for Income and Receipts