“Internal controls” are financial management practices that are systematically used to prevent misuse and misappropriation of assets, such as occur through theft or embezzlement. Internal controls are generally described in written policies that set forth the procedures that the nonprofit will follow, as well as who is responsible. The goal of internal controls is to create business practices that serve as “checks and balances” on staff (and sometimes board members) and/or outside vendors, in order to reduce the risk of misappropriation of funds/assets.
Example of a basic internal control: A policy that requires two signatures on a check is a basic internal contol. This business practice is designed to prevent one person from having sole authority for writing checks on the nonprofit’s behalf.
Example of an internal control that every nonprofit can put into practice: A policy to lock the office door when no one is monitoring the entrance. This policy is designed to minimize the risk of theft of computers that can happen in broad daylight, and with very little time needed to unplug, pick up, and carry away some of the nonprofit’s most precious assets.
More examples of internal control policies:
- A policy requiring that employees may only be reimbursed for expenses that are approved in advance, in writing;
- A “segregation of duties” policy requiring that the person who logs in checks received in the mail is not the same person who is responsible for depositing checks. Similarly, the same person should not both prepare the payroll, and also distribute or have custody of the payroll checks.
- A periodic review by an objective person of the list of all vendors receiving fees/checks from the nonprofit (because a common scheme involves creating a fictitious vendor).
- A policy to keep all cash in a locked drawer and to deposit cash and checks in the bank, soon after they are received.
- A policy to conduct a background check of employees who handle money, prior to hire and periodically throughout employment.
Where should you start? The top priority for any nonprofit is to put in place at least the basic internal controls that address who has access to the nonprofit’s bank accounts, and who has authority to spend money on the nonprofit’s behalf, whether via check, cash, credit card, or some other means.
Most internal controls are common sense – but not all those described in the resources below may make sense for your nonprofit. Your nonprofit’s insurance agent or broker, or an accountant, can provide advice about what is needed at your nonprofit.
Practice Pointers
- If your nonprofit uses checks, who has access to blank checks? And who is authorized to sign them? Perhaps using other methods to transfer payments than check-writing is a risk management strategy to consider.
- Does everyone in your nonprofit (including board members) know how money moves through the organization? Creating a flowchart will help everyone visualize the journey, which can also prompt discussion about who is responsible at which stages, and where internal control weaknesses could exist.
- Know what documentation you should be keeping, and be consistent. Adopting a written policy helps everyone know what the expectations are, such as for requesting reimbursements. Examples: Reimbursement of expenses over $5 requires a receipt; All vendors must submit invoices that include a detailed description of services rendered. Other examples described here: Protecting assets with sound internal controls (Minnesota Council of Nonprofits)
- Two easy steps even very small nonprofits can take to strengthen internal controls are: (1) conduct a "surprise internal audit" - An unexpected examination of how cash and checks flow through the organization, and what vendors are receiving payments for, can deter fraudulent schemers; (2) Make sure that a second person, besides the designated "bookkeeper," sees bank statements. This offers another layer of transparency and protection to the organization. You can read more about these two easy strategies here: How to lessen segregation of duties problems in two easy steps (CPA Hall Talk)
- This is very basic: Define who is responsible for what functions in your organization. Read about Five Internal Controls for the Very Small Nonprofit (Blue Avocado)
Additional Resources
- Guide to Internal Controls and Financial Accountability for not-for-profit-boards (New York State Attorney General)
- Internal controls (Greater Washington Society of CPAs)
- A primer on detecting, preventing, and investigating nonprofit fraud, embezzlement and charitable diversion (Venable, LLP)
Disclaimer: Information on this website is provided for informational purposes only and is neither intended to be nor should be construed as legal, accounting, tax, investment, or financial advice. Please consult a professional (attorney, accountant, tax advisor) for the latest and most accurate information. The National Council of Nonprofits makes no representations or warranties as to the accuracy or timeliness of the information contained herein.