When not-for-profit leaders consider updating their policies and procedures manuals, it may seem that the reasons for delaying the project outnumber the pages in the document.
Making changes to the manual is time-consuming. Policies and procedures in the organization may be so siloed that maintaining a manual becomes a challenge. And by the time the ink dries on the newest edition of the document, a new law or regulation may be enacted that requires changing the manual again.
The result is that many organizations have manuals that are incomplete, out of date, badly written, poorly understood, and inadequately enforced. Yet there’s no question that a high-quality policies and procedures manual can provide underlying documentation that helps an organization run effectively and efficiently.
“The policies that you put into place are to make sure that the staff knows what they should be doing,” Hilda Polanco, CPA, CGMA, founder and CEO of not-for-profit financial consulting organization FMA, said at the AICPA Not-for-Profit Industry Conference on Wednesday in Maryland. “The policy development is one step, and then there is the training for the staff.”
The basics of an effective policies and procedures manual are straightforward. The best manuals are clearly written and easy to understand, with a table of contents that’s easy to use for employees who wish to quickly refer to material on a certain topic.
Any acronyms used should be commonly understood, and the most effective language will not be condescending, while limiting use of the words “should” and “must,” said Amy West, CPA, CGMA, the CFO of AHRC New York City, which supports people with developmental disabilities. Saying an employee “must” turn in expense reports sounds more threatening than saying an employee “is responsible for” turning in expense reports.
The best manuals also are created and updated by welcoming information and input from people at all levels in an organization, with a bottom-up approach rather than a top-down system, West said at the conference. People who feel they have a say in the creation of the manual will be more likely to follow the rules it contains.
“Getting buy-in from your staff is critical to developing and maintaining policies and procedures that are effective,” West said.
She said it may be easier to keep manuals up to date if you write the date approved next to each policy so it’s clear whether new rules have been issued.
Dozens of policies may be included in an organization’s manual, but Polanco highlighted six that are especially important for reducing risk:
- Revenue and donor acknowledgement policies. To reduce the possibility of fraud, the person who handles revenue acknowledgement letters should not have access to modify the donor database and should not have access to the finance department for cash or deposits, Polanco said. “There’s a check and balance between the finance and development departments, and obviously the reconciliation achieves it,” she said.
- Approval process over company credit cards. Staff members need to understand that company credit cards are a privilege. To receive a company credit card, Polanco said, employees should agree to terms in writing that enable the company to withhold funds from their pay if they misuse the card. Employees should understand that serious abuse of card privileges may lead to termination or prosecution.
- Segregated payroll responsibilities. If payroll responsibilities reside in human resources, one employee may have the ability to both add people to the payroll and write payroll checks. That presents a big fraud risk. For that reason, Polanco said, it may be more appropriate for finance to handle payroll.
- Conflict-of-interest policies. Board members, executives, and senior staff who negotiate and commit to contracts should sign agreements stating that they will avoid outside influences that may conflict with their duties with the organization, Polanco said. When conflicts of interest are not addressed, it becomes easier for personnel to act on their own behalf at the not-for-profit’s expense or award contracts to someone other than the most qualified vendor.
- Whistleblower policies. An anonymous hotline that exists outside the organization would encourage employees to come forward with reports of malfeasance. The policy also should address the proper method for investigating complaints, and employees should be notified and reminded that the hotline exists.
- Cybersecurity policies. The constant threat of hacking that exists today makes it essential for an organization to have a policy that addresses cybersecurity. Employees need to be made aware of the ways they can help the organization prevent fraudsters from gaining access to sensitive data and systems.
Updating an entire policies and procedures manual can be an overwhelming task that Polanco suggests is better to undertake a little bit at a time. At AHRC, West said, 25% of the manual is reviewed and updated every six months, so that over the course of two years, the entire manual receives scrutiny. Of course, with changes resulting from developments such as new laws or regulations, AHRC updates the relevant material immediately.
Policies and procedures manuals are of little use if employees aren’t aware of them, so they should be provided to all affected staff. An online version with hyperlinks from the table of contents to relevant sections of the manual may be useful, and some organizations require employees to sign documents stating that they have reviewed the policies and procedures manual.
Staff training associated with the manual may be more successful if the organization makes it entertaining.
“Everyone [at AHRC] dreaded going to this training on an annual basis until two years ago, when our staff education department said, ‘Well, why don’t we do Compliance Jeopardy?’ And last year we did Compliance Family Feud,” West said. “In those two examples, people really enjoyed the training and actually I’m sure learned more than they did in the past.”
Once the manual is created or updated, it’s up to the board and management to establish the tone at the top about enforcing it. This means that the policies and procedures apply to the organization’s directors and leadership as well as to staff.
For instance, Polanco said, the CEO should not be exempt from having his or her expense reports reviewed. She said that typically the board treasurer or the chair of the board finance committee or audit committee would be responsible for those tasks.
Meanwhile, management’s efforts to back the policies and make the manual available to all staff can encourage staff to adhere to a document that is designed to enable effectiveness and efficiency.
“You need to clearly communicate the importance, the benefits, and the impact of policies and procedures,” West said. “And you really can’t hold staff accountable for following a policy or procedure if they don’t know that it exists.”
—Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is a JofA editorial director.