Nonprofits are adapting to fundraising trends and increasingly turning to the online donation option. Online donation service provider PayPal reports that over 200,000 nonprofits received donations in 2011 using its services. As a result, questions often arise about the types of internal controls that should be in place.
Standard IT controls
If you are among the nonprofits turning to online donations, be sure to employ data encryption, account access rights, and password security as you would in any information technology (IT) application. Have your website alert the donor that he or she is leaving your organization’s website and is being directed to a third party to make the donation. A great “insider” tip is to remember to remove any access rights initially granted to the IT consultant who linked the online service provider account to your website.
Segregation of duties
Your online provider should send email alerts when donations are received in your account. Depending on the provider, you may have to request this alert as an initial control when you set up your software. PayPal allows its customers to log in and print a list of all amounts received. Again, check with the service provider you select on its protocol.
For proper segregation of duties, give one employee permission to transfer funds to the operating account. Have at least one other person who is not authorized to make the transfers match the dollar totals from
- email alerts received (this person should receive these emails directly)
- a printout log of the activity
- the transfers made
This control process should occur at least monthly, and the documentation relating to the process should be initialed and filed.
PayPal, for one, provides a memo space with each donation in which donors can designate uses for their donations. Alternatively, as the nonprofit, you can set up separate “donate” buttons on your website for different uses of the funds. For accounting purposes, be sure to track these donations separately since they represent restricted funds. As a reminder, be sure to treat each email alert as if it were a letter of donation, sending the donor your customary correspondence for tax purposes.
Once funds are transferred to the operating account, normal cash controls should resume. And don’t forget: when an employee with access to the online donation account leaves your organization, you should cease his or her access rights by modifying email notification settings and changing the passwords used by all existing authorized employees as soon as possible.
As you and other nonprofits increasingly take advantage of this low-cost fundraising tool, it will be essential to establish the proper controls to ensure all donations are safeguarded and put to work to fulfill the organization’s mission and the donor’s intent.
If you have any questions about internal controls for receiving online donations, please contact LaPorte CPAs & Business Advisors Manager Michael (Mickey) Simon, CPA, at firstname.lastname@example.org or 985.892.5850.