As auditors of not-for-profit organizations, we are often asked what policies are critical for organizations. Though much depends on the type and size of the organization, there are three key policies that all not-for-profits should have:

  1. Code of ethics
  2. Whistleblower policy
  3. Record retention and document destruction policy

Code of Ethics

One of the most valuable assets of a not-for-profit is its reputation.  In recent years more and more organizations have had public scandals that have impacted the organization by severely reducing its contributions and grants, or by making the organization close its doors forever. One of the easiest ways to help prevent damage to an organization's valuable reputation is through the "tone at the top" principle. "Tone at the top" is primarily conveyed through the actions of management and the board, both internally and externally, but also through policies such as a code of ethics.

Employees and board members come from different backgrounds and will often have different definitions of ethical behavior. By defining an organization's ethical behavior, a code of ethics establishes a common framework for employees, management, and the board to make decisions while interacting with donors, grantors, vendors, and the media. Furthermore, it can reduce subjective or inconsistent management decisions, which saves time, money, and potential adverse results from an unethical decision.

When preparing the organization's code of ethics, management should:

  • Define what ethical behavior means at the organization and provide specific examples of unacceptable behavior.
  • Convey the significance of the policy by requiring all employees and board members to sign a copy upon hire or appointment to the board.
  • Periodically review the policy for relevance and changes in current laws or norms of the organization.

Whistleblower Policy

The 2014 Report to the Nations Global Fraud Study, published by the Association of Certified Fraud Examiners, noted that tips are the most common way of discovering fraud. The report also noted that, by adding a fraud hotline, an organization can increase the number of frauds detected and, on average, cut the cost of fraud by 41% and the time to detection by 50%. Establishing a whistleblower policy can make a big difference to the organization's reputation and bottom line.

When preparing the organization's whistleblower policy, management should:

  • Clearly state that fraudulent activity is not tolerated by the organization and it is the responsibility of all employees to report violations or suspected violations.
  • Include a "no retaliation" section, noting that retaliation will not be tolerated in any form and if it does occur it will be promptly investigated. The Occupational Safety and Health (OSH) Act passed in 1970 protects workers from retaliation under 22 federal laws.
  • Provide a hierarchy for reporting issues internally, including options for when the person in question is the person that would typically receive the complaint. In this situation the policy may direct the employee to contact someone on the board.
  • Reference the organization's code of ethics policy. This policy often requires the board, management, and employees of the organization to observe high standards for business and personal ethics.
  • Consider including a whistleblower hotline, which provides additional anonymity and has been shown to make employees more likely to report potential or actual wrongdoing.
  • Illustrate examples of what is considered fraud and would therefore be reported through this process versus another type of complaint that should be resolved through other outlets.  These examples will help direct employees to appropriate outlets and will reduce the costs of investigating items that are not fraud.

Record Retention and Document Destruction

Organizations retain documents for a number of reasons, and some documents are legally required to be maintained for a specified period of time. Others are critical in supporting accurate accounting records, and others are retained for knowledge transfer when there is a turnover in staffing. All of these needs must be balanced against the organization's physical and electronic storage capabilities.

When preparing the organization's record retention and document destruction policy, management should:

  • Begin by determining what types of documents the organization has. These may include employee records, accounting records, tax records, board minutes, email communications, department policies, and federal or non-federal grants and contracts.
  • Find out if any document types are governed by federal, state, local or international statutes.
  • Assign a retention period for each type of document. For some documents, professional judgement must be used. Typical retention periods include:
    • 3 years: employee applications, I-9 forms, and cash and credit card receipts
    • 7 years: contracts, journal entries, employee offer letters, and invoices
    • Permanent: corporate documents, IRS application for tax-exempt status, IRS determination letter, annual audits, and IRS form 990 tax filings
  • Describe not only the system for filing and maintaining the documents, but also the process for destroying the documents once the established time period has passed.
  • Create a process to review all retained documents and establish their destruction timeline. Ensure that the documents are destroyed on time. If the documents are not destroyed, they are legally discoverable should the organization be sued.
  • Decide how the documents should be destroyed. If the document is confidential in nature, a secure method to shred physical documents must be established. Examples of confidential documents may include those containing social security numbers, dates of birth, or bank account information.
  • Identify who within the organization is responsible for the different types of documents. The organization may choose to designate one person in the accounting department for retaining accounting records and another within the human resources department for maintaining employee personnel records.
  • Require draft documents to be destroyed as soon as official signed versions are available.
  • Remind employees that it is a crime under Section 802 of the Sarbanes-Oxley Act to intentionally destroy, alter, falsify, etc. any records, documents, or tangible objects that are involved in or could be involved in a U.S. government investigation or prosecution of any matter, or in a Chapter 11 bankruptcy filing.
  • Create a system to halt all document destruction once the organization is aware that it is under investigation or it may be subject to legal proceedings.

By adopting these three policies, an organization can protect its valuable reputation, be more efficient in making decisions, detect fraud in a timely manner, and protect the organization from knowledge loss and excess liability.


If you have any questions or comments about this topic, please contact Maxine G. Romano, Director, Audit & Accounting, at Email or 215-441-4600.

Information contained in this alert should not be construed as the rendering of specific accounting, tax, or other advice. Material may become outdated and anyone using this should research and update to ensure accuracy. In no event will the publisher be liable for any damages, direct, indirect, or consequential, claimed to result from use of the material contained in this alert. Readers are encouraged to consult with their advisors before making any decisions.