Skip to content

How to Implement Internal Controls in Small to Medium-Sized Nonprofits

Sep 2, 2022

Financial controls are processes put in place by an entity to prevent or detect errors. Their main purpose is to keep accounting records accurate and reliable. A network of internal controls can be a safety net to catch and deter fraud, such as skimming, misappropriation of assets (like inventory), and payroll theft.

Controls can be manual, automated, or, as they are at most entities, a combination of both. Small to medium nonprofits often struggle to balance the fine line between having sufficient internal controls to protect the organization and having too many internal controls that become burdensome to a small accounting department. Let’s outline some of the key controls that you can put into action:

Budget vs actual

Be thoughtful when developing your budget and perform monthly variance analyses to ensure that transactions align with expectations. Regular reviews reveal discrepancies, so be sure to always document your reviews.

Segregation of duties

No one person should handle a given transaction process (initiating, recording, approving, and reconciling). Implement checks and balances to ensure funds are always deposited and disbursed appropriately. For example, if one person writes the check, then someone else signs the check. If you are depositing funds, have one person count the money, and someone else makes the deposit. In addition, it is always a good idea to require two signatures on checks.

Document, document, document

Although it can take a little extra thought and attention, documentation is your best friend.

Formalize internal policies. Employees should have access to written policies and procedures for basic accounting functions, such as how to pay vendors. All employees should know exactly where to go for help or questions with those policies.

Provide documentation to support all financial transactions. All checks, statements, quotes, invoices, and other transaction-related materials are supported through adequate documentation. For example, every expense report should be backed by receipts and approved before an employee is reimbursed.

Provide guidance and encourage open communication

Ensure appropriate controls are in place so employees do not feel like they are put in a position where they can be suspected of wrongdoing. Regularly ask for input and provide adequate supervision.  Encourage “doing the right thing.” The work environment must encourage and allow employees to voice concerns or report red flags. Ensure your team is properly trained, familiar with policies and procedures, and knows where to go for help if anything feels suspicious.

Verify with regular reviews

Any significant process or documented transaction should require an additional level of review and approval performed by someone independent of the process. These reviews should be performed monthly, at least. For example, the bookkeeper might provide a list of checks for weekly review or require the treasurer to review a list of new vendors from the accounting system monthly.

Implement security measures for the handling of cash and checks

Ensure that cash and checks are secured in locked drawers or a safe. Always limit access to cash registers, drawers, and safes. Monitor cash drawers, tracking beginning and ending cash balances and assigned staff. Restrictively endorse checks upon receipt. Record every check in a log upon receipt, and make sure to reconcile to deposits on the bank statement.

Perform reconciliations of key accounts

Routine and thorough reconciliations are a powerful control to help identify and correct discrepancies. All key accounts should be reconciled on a monthly basis, and any necessary adjustments should be recorded. Have the treasurer or finance committee review the reconciliation and ensure that the review is documented and signed.

We live in a technology-driven world

Technology is only getting more advanced, so it’s vital that we keep up and apply certain safeguards to protect our electronic data. For all electronic logins, choose obscure passwords. Ensure your policy states that employees should never share passwords but should change them periodically. Do the same for building entry codes and access to safes. Ensure that you have a password-protected server backed up regularly (and, if possible, in a remote location) and restrict access to any files containing sensitive information, such as payroll. Always safeguard credit card numbers and keep them confidential. For third-party softwares, inquire as to whether they have a SOC 1 report. This will provide a variety of user-entity controls that you should implement to ensure that controls are operating effectively within those systems.

Keep fraud in mind

Maintaining a certain level of professional skepticism can help ensure that you are paying attention to risks. Continuously review your controls and ensure they are operating effectively. Put the element of surprise on your side when watching for employee misconduct by performing financial reviews or internal audits at random times.

HR controls

Formalize onboarding procedures, including background checks during onboarding and periodically through employment. Require approval from the executive director or a finance committee member for all new employees added to the payroll. Ensure someone is there to fill in for employees taking a vacation.

Review significant contributions for donor restrictions

Significant contributions should be reviewed by the bookkeeper and the executive director to identify donor restrictions.

Analyze donor restricted contributions

On an annual basis, donor-restricted contributions should be analyzed to determine if purpose restrictions have been met by the organization. This can include reviewing expense reports by fund from the general ledger to validate that the costs were incurred to meet purpose restrictions.

Reconcile donor database to the general ledger

A reconciliation of the donor database to the general ledger should be performed at least annually.

Create a month-end close checklist

Create a list that includes all month-end controls, such as account reconciliation, financial statement preparation, review of manual journal entries, the check register, and payroll reports. The list should contain two columns for preparer and reviewer signoff, and each task should be initialed and dated. This review can be performed by other accounting personnel, the executive director, or a finance committee member.

Remember that internal controls only work if they are performed for the purpose of having controls; to keep accounting records accurate and reliable. If your nonprofit organization struggles to find the right balance of internal controls, reach out to your local CRI nonprofit professional for support with your unique situation.

Relevant insights

Join Our Conversation

Subscribe to our e-communications to receive the latest accounting and advisory news and updates impacting you and your business.

This field is for validation purposes and should be left unchanged.