
Risk Management, Internal Controls, Internal Audit

By ISCA (republished) On 21 Nov 2016

This article was first published in the IS Chartered Accountant, November 2016. Re-published with permission from the Institute of Singapore Chartered Accountants (ISCA).

Charities are stewards of the public’s trust and are held to high standards of integrity on how they manage and use their financial resources. In the two-part article “The Regulatory Framework of Charities” (published in the July and September issues of this journal), we discussed the regulatory measures put in place to ensure their accountability and transparency. The first part covered the statutes and guidelines governing the operations of Charities, and the second part covered the accounting standards regulating their financial reporting.

To enhance the public’s trust, Charities could also look into improving their organisational governance, specifically on how they manage risks. This fourth article of the series “Helping Charities Do Good Better” explains the need for Charities to manage risks, and explores how Charities – even the smaller ones[1] – can build an effective risk management model through implementing internal controls and conducting internal audits.



Charities rely largely on the public for donations to carry out and sustain their missions. Fraud and misuse of funds can weaken the public trust in the Charity sector. “What can possibly go wrong?” “What should then be done to mitigate or manage it?” – these are two essential questions that all staff and board members should ask when managing an organisation. Besides the loss of assets and funds, such lapses could also have other detrimental effects, such as lowering the morale of staff and volunteers, that will inevitably impact the ability of the organisation to sustain itself. It is therefore critical for Charities to engage in sound risk management. This involves the identification of major risks that apply to them, as well as the development of strategies to mitigate these risks. In the UK the Charity Commission has recommended that Charities should also include appropriate statements in their annual reports to cover, for example, the person who is responsible for risk management.

Types of Risks faced by Charities

Charities are exposed to a diverse range of risks, both financial and non-financial in nature. The nature and types of risks faced by an organisation would, generally, depend on its size as well as the type and complexity of activities it undertakes. Additionally, the wider environment in which the Charity operates, including the financial climate and any changes in legislation, has to be considered in assessing its risk exposure.

A system of classification, as illustrated in Table 1, provides a good way for Charities to ensure that the key areas of risk are considered and identified.

Generally, Charities are familiar with the need to manage financial risks. However, the management of the other categories of risk, such as operational risks, is equally important. Should any Charity not identify and manage its key risks adequately, a simple incident would be all it takes to tarnish its reputation. As Warren Buffett once said, “It takes 20 years to build a reputation and five minutes to ruin it.” A case in point relates to the incident in 2011 that was widely reported in the media, concerning the abuse of an elderly resident in a nursing home. While that lapse – which reflected the home’s inability to provide adequate care for the elderly – was non-financial in nature, the incident nevertheless impaired the home’s reputation.

Mitigating Risks

Having in place formal risk management procedures to identify risks will help Charities to promptly respond and effectively deal with such risks when they occur. For example, when one Charity discovered missing funds from its accounts in FY 2014, its board was able to swiftly respond to the incident. Formal risk management procedures were already in place, which allowed the misconduct to be quickly detected. Most of the funds were recovered and the negative implications were thereby minimised.

As a regulatory measure, there are laws and guidelines to ensure that Charities have at least the basic risk management policies [3]. For example, the Charities Act stipulates that Charities are required to conduct annual audits or an examination of accounts. Additionally, both the Charities Act and Code of Governance for Charities and Institutions of a Public Character (IPCs) (2011) specify that IPCs should have policies for the management and avoidance of conflicts of interest, as well as related party transactions. Beyond these requirements, Charities could also include a “reserves” policy in their annual reports, and undertake a regular review of the policy and reserves levels, as this could also help them identify potential financial and operating risks.

These requirements form a baseline of the risk management procedures Charities have to possess in order to demonstrate good governance. N. Subramaniam, a board member of AWWA Ltd, shares a few examples of best practices for risk management. AWWA Ltd is a local non-profit organisation that provides community-based programmes and services to people of all ages.

Box Story 1 Examples of best practices for risk management

  1. Have a board of management that manages operations with an awareness of risks unique to the organisation.
  2. This board of management is to identify the risk strategies suitable to the organisation and also set its risk appetite according to its size and financial position.
  3. Draw up a risk profile that sets out the principal risks of the organisation and corresponding mitigating procedures, then have the profile reviewed by the Risk Management Committee for completeness and objectivity.
  4. Ensure that a culture of risk awareness is developed among staff members in their day-to-day operations.
  5. Consider the need for appointing a Chief Risk Officer who would, among others, develop plans to mitigate risks, monitor the progress of the risk mitigation activities, and create risk measurements and disseminate reports to the board and management.
  6. Have regular management/staff meetings to increase risk awareness and discuss actual experience and actions taken to lessen the impact.

Source: N. Subramaniam, a board member of AWWA Ltd

Risk Management Strategy: Internal Controls

To further mitigate risks, the board should establish strategies to address risks through maintaining a sound system of internal controls. Internal controls refer to the checks and procedures which enable the board to meet their legal obligations to safeguard their organisation’s assets and minimise the risks in administering the Charity’s finances. They also aim to ensure the quality of financial reporting and compliance with the laws and regulations governing Charities.

According to the Committee of Sponsoring Organisations (COSO), internal controls help “entities achieve important objectives and sustain and improve performance”.[4] Having functioning internal controls is also crucial in strengthening the Charity’s transparency and accountability, which are essential to draw in new volunteers and donor contributions.[5]

Internal Audit as part of Internal Controls

As part of internal controls, Charities could also have internal audits to assess the Charity’s current internal controls system. This would provide Charities with independent and objective assessments of the effectiveness and efficiency of their internal control procedures. With regular internal audits, the board of directors and senior management can be reassured or be made aware of the necessary steps to be taken to improve their risk management strategies.

Lilian Tay, CEO of Shared Services for Charities (SSC), provides her expert opinion on how Charities can develop effective internal controls (Box Story 2).

Box Story 2 Risk Management advice from Lilian Tay, CEO, Shared Services for Charities



Shared Services for Charities is a charity for Charities that aims to improve governance and organisational excellence in non-profit organisations. SSC partners with volunteers to provide professional services in the areas of governance and internal control consultancy, policies and procedures documentation and internal audit services.  

“Risk is universal and exists to threaten the achievement of objectives for Charities. Thus, regardless of the size of Charities, internal controls are necessary to mitigate risks to an acceptable level for improvement of performance and sustainability. Having secure internal controls in place would also give donors and volunteers greater confidence in Charities. Some common areas of internal control weaknesses across all the three lines of defence have been identified by Shared Services.

To begin, it is commonplace to find Charities with incomplete or obsolete policies and procedures. This may result in unwarranted risk-taking due to confusion, inconsistent practices, going beyond risk tolerance levels or even risk appetite. A lack of resources has also become the “excuse” of some of the smaller charities for not putting proper segregation controls in place. Even so, these measures are fundamental and should not be neglected.

In order for internal controls to work effectively, it is important to set the right tone and have it resonate across the whole organisation. Moreover, to ring-fence internal control structures, a third line of defence would be required in the form of an independent review, best performed by a professional firm which has a good track record of reviewing the effectiveness of internal controls for Charities. Finally, a robust whistle-blowing policy and hotline management system by an independent firm would provide added assurance.”


The “three lines of defence” model, adopted by the for-profit sector, could provide Charities with a simple way to coordinate important risk management responsibilities. Figure 1 illustrates the summarised model. [6]


The first and second lines of defence play a crucial role in developing corresponding strategies to manage identified critical risks. Their performance is reviewed by the third line of defence, which is the internal audit. Taken together, the three lines of defence form a hierarchised organisational structure to support high standards of governance and risk management.


Charities, by nature, exist to serve the public good. They have obligations to demonstrate high levels of ethical behaviour, transparency, accountability and compliance with the law. To do so, governing board members of Charities should ensure that they establish risk management strategies, as well as develop strong internal control policies to mitigate potential risks.


Smaller Charities that might not have the necessary resources to deal with all identified risks should, nonetheless, have these risks documented in their annual reports so that the public can be made aware of such risks. These procedural checks and balances would help safeguard the finances and assets of Charities, and assist them in setting up strong governance structures to promote greater professionalism in their administration.


Accountants can volunteer their services by aiding Charities in identifying risks and developing relevant internal controls to mitigate these risks. Also, they can consider becoming honorary internal auditors to provide an independent assessment of Charities’ risk, as well as to provide periodic reports to the board on findings and recommendations on their governance policies.


Another area where accountants can help Charities relates to helping them set up accounting systems to establish the full cost of providing a programme or a service. Given the limited resources available to Charities, an understanding of the full cost of the programmes and services would help them better allocate resources to the most appropriate programmes and services. Additionally, to provide Charities with a more sustainable funding model, there has been a growing call in the US and UK for funders to take into account the full cost that Charities would have to incur to carry out their programmes or provide their services. We will examine full-cost accounting in the next article.

To find out more about skills-based volunteering opportunities, ISCA members can contact ISCA Cares.

Dr Isabel Sim is Senior Research Fellow, Department of Social Work, Faculty of Arts and Social Sciences, National University of Singapore (NUS) as well as Director (Projects), Centre for Social Development (Asia). Associate Professor Alfred Loh and Professor Teo Chee Khiang are both from the Department of Accounting, NUS Business School. The writers gratefully acknowledge the contributions of Gong Yuan, Claribel Low and Koh Luwen, Research Interns, NUS.

[1] About half the number of Charities in Singapore are relatively small, with gross annual receipts of less than $250,000. Source: Commissioner of Charities Annual Report 2015 published by Charities Unit, MCCY.

[2] Readapted from UK Charity Commission (2010). “Charities and Risk Management”.

[3] For more information, please refer to the relevant statutes for Charities at and Code of Governance for Charities and IPCs, in its entirety, at

[4] COSO of the Treadway Commission (2013). “Internal Control – Integrated Framework: Executive Summary”.

[5] Guidance on how Charities could improve their internal controls is provided by the National Council of Social Service (NCSS).

[6] The Institute of Internal Auditors (2015). “Leveraging COSO across the Three Lines of Defense”.