Kate Sayer: Why authorisation controls are ineffective on their own

Organisations should be reviewing and monitoring those who are responsible for controls, writes our columnist

Kate Sayer

People who have attended my training courses will be familiar with one of my favourite diatribes - against authorisation controls. It is a standard recommendation that charities should have two people authorising financial transactions. This is usually taken to mean that two trustees should authorise payments out of the charity's bank account. Most bank mandates allow for dual authorisation for amounts over a certain value. This does potentially help to prevent someone emptying the charity's bank account. However, it is probably as much for the bank's protection as the charity's.

There are simple ways in which dual authorisation might be ineffective. The most obvious one is that the first person to authorise the payments assumes that the second person will be checking the validity of the transactions, so they just press go or sign the payments off. When the second person comes to authorise the payments, they assume that the first person already performed checks, so they also simply press go or sign the payments off as well. The result is that no one has actually checked the validity of the payments. It would be much clearer if one person knew they were actually responsible.

Another way in which authorisation can be ineffective as a control is that people do not know what they should be checking before they authorise something. Few managers receive training, and they think their role is to check whether a payment is within budget. And when this is at the point of approving an invoice, they do not know whether it is within budget, but take a guess. Managers will typically assume that the finance team is checking the invoice is from an approved supplier, the goods or services have been received and the price is as quoted. Finance teams assume that managers are checking all that. Again, the upshot is that no one checks any of this properly. Audits throw up evidence of this all the time. We find duplicate payments for the same services and invoices addressed to different organisations: one charity had been paying its neighbour's electricity bills for years. Fraudsters also know that authorisation is a weak control, which is why invoices from bogus suppliers or fake invoices from legitimate suppliers are the most common frauds. When these are slipped into a pile of invoices to be authorised, the busy manager just signs them all off.

So what should you be doing?

Approval and authorisation should be used as part of the control framework, but in combination with other control activities such as review and monitoring. For it to be effective, you need to provide training to those responsible for controls and supervise the implementation of the controls. Spot checks and testing a sample of transactions could replace some authorisation controls. Testing will provide you with assurance that the procedures are being followed and are effective. Clear roles and responsibilities are always essential, so think about whom you designate as signatories.

Kate Sayer is a partner at specialist auditors Sayer Vincent
