In Hong Kong, most non-governmental organizations (NGOs) are charitable institutions with tax-exemption status which play a critical role in developing the society, improving communities and promoting citizens’ participation in various fields such as healthcare, education, environment and poverty alleviation.
As at March 2019, there were 9,906 charitable institutions which are exempted from tax under section 88 of the Inland Revenue Ordinance, reflecting an increase of over 13% compared to March 2004. In the year of assessment 2017-18, the approved tax-deductible donations made by corporate and individuals to charitable institutions amounted to a total of HK$12.8 billion1.
Why do small NGOs need internal controls?
NGOs generally utilize public funds from government, charitable funding bodies or public donations to serve their beneficiaries. Regardless of their size of operations and funding, all NGOs are faced with risks in various areas of their operation just like commercial companies. Fostering a culture of governance and check and balance in the operations and delivery of services is an important way for NGOs to demonstrate that their resources have been put to good use for achieving their missions.
While small NGOs may not have their own internal audit units, they are still required to be accountable to various stakeholders by sustaining a sound internal control system to manage their risks properly. By implementing internal controls in key areas, small NGOs can minimize fraudulent activities from occurring, use resources transparently and effectively, comply with the necessary laws and regulations, and ultimately build a respectable and trustworthy reputation.
The Internal Control Toolkit for Small Non-Governmental Organizations serves to guide NGOs to improve their accountability and transparency by providing them with insights on common risks faced by small NGOs within four selected processes aligned with the flow of resources and funding. These processes include budget preparation and monitoring, income processing and management, payroll processing and adjustments, and procurement of goods and services.
What is the relationship between risks and controls?
Risk is the threat from an event, action, or circumstances that may negatively affect the achieving of an organization’s missions. Internal controls are mechanisms or procedures carried out by an organization or rules to mitigate or reduce the risks to an acceptable level. Example of risks and controls include:
- Situation at hand – One staff is responsible for maintaining staff master list and the preparation and processing of payroll payment.
- Risk – Fictitious employees created in the staff master list could not be identified and are processed for payroll, leading to loss of funds.
- Control – Segregate the conflicting duties to ensure the accuracy and completeness of payroll information.
For typical examples of “what could go wrong” (i.e., risks) and corresponding internal control practices that could be established, please refer to the Internal Control Toolkit for details.
Act Now
Four immediate steps that small NGOs can take:
- Revisit the organizational and governance structure, roles and responsibilities of each process owner, as well as policies and procedures established within key processes
- Collaborate between the board and staff to strengthen the control environment and communicate the importance of internal controls
- Be proactive about addressing emerging risks within the organization
- Refresh and enhance the internal controls based on the dynamic change and needs of the society