As nonprofit organizations receive more donations via credit card, debit card, or ACH transactions, oversight to prevent fraud becomes essential. Generally speaking, nonprofits must have a reliable payment processor and spread responsibilities to prevent a hijacking of gifts. Four ways to structure accountability are:
- Ask your payment processor about their own level of security. Your processor should have an audited statement of internal controls. PCI DSS compliance is basic; look for an SOC 1 Type 2 report, which is also called an SSAE 16, Type 2.
- Involve multiple staff members in the relationship with the processor. Ask the executive-level, IT/MIS and accounting departments to collaborate on the setup and/or monitoring of the account relationship. While one person may direct the setup, other staff must verify the accuracy of routing information and instructions. Likewise, multiple staff should review the monthly transaction reports. You don’t want to unnecessarily tempt an employee by giving them too much control without accountability.
- Segregate duties for payment processor relationship management. The person who is authorized to make changes to the accounts should not be the same person reconciling monthly statements. Similarly, a senior-level staff person should receive a notice whenever changes are made to the account. The person reconciling the statements should not be part of the payment processor relationship.
- Allow donors to access giving records. Whether on paper or electronically, acknowledging gifts is another traceable means of verifying donations.
Electronic fraud is too easy and too potentially costly to trust just one or even two employees with e-payment management. Accountability and redundancy of duties ensure that a nonprofit keeps donations flowing for the intended purpose. And stellar internal controls not only protect funds from misuse, but also preserve an organization’s reputation for integrity.