Internal controls are the processes and policies that a nonprofit follows to ensure its financial statements are correct, its assets are safe and accounted for, and that it followed all necessary laws and procedures to ensure compliance.

Why does a nonprofit need internal controls?

Accountants discussing internal controls, whether it be the COSO framework or risk mitigation, usually find their audiences fast asleep. Despite the insomnia cure, nonprofits should carefully consider their internal controls.

I’ve been involved with nonprofits who’ve had their money and computers stolen by staff members via fraud. This has becoming increasingly difficult to detect without internal controls due to the sophisticated nature of modern-day financial crime. For example, people write bogus checks or use other fraudulent means which ultimately enable them to steal assets from the nonprofit. Although such mishaps make me angry—after all, who steals from a nonprofit?—these things happen because people can become desperate or greedy. It’s also extremely frustrating because these crimes could’ve been prevented or identified much sooner, had the right internal controls been in place.

Moreover, since donors are essentially the lifeblood of any nonprofit, it’s absolutely crucial to make sure they have financial statements which they can rely on so that their trust can be earned. While theft of cash or assets may be the worst betrayal, internal controls ensure that nonprofits have such accurate financial statements for their stakeholders to investigate. Staff and board members, as well as donors, all rely on a nonprofit’s financial statements to make strategic, operational, and funding decisions. Having the right controls in place ensures that stakeholders can trust the financial statements to reflect the true state of the nonprofit.

Finally, some donors—especially larger grantors—will specifically ask for an organization’s internal control policy as a prerequisite for making a donation. These requirements are easier to meet if internal controls are already defined and executed in advance.

What is an internal control?

An internal control is a policy or procedure used to safeguard assets, such as cash and equipment. Moreover, it ensures that they are used appropriately, that financial statements are accurate, and that compliance with legal requirements are enforced.

Controls can be preventative or detective. Preventative controls help to prevent fraud or misstatement before it occurs. One example is where the person responsible for paying invoices is separate from the person who creating the invoices. Detective controls identify fraud or misstatement after it happens. For instance, reconciling cash in the accounting records to the bank statement will identify any discrepancies.

However, internal controls have a tradeoff, namely: quantity vs. efficiency. On one hand, the more controls are implemented, the less efficient the organization will be, since it will spend more time executing the controls. On the other hand, more controls increase the likelihood that an organization will have correct financial statements and be less susceptible to fraud.

As such, an organization should carefully consider the amount of risk they face when developing a control policy. For instance, an organization that handles lots of physical cash should consider the threat of theft and institute more processes to ensure cash can’t be swiped or diverted. An organization that handles lots of complex grants should consider implementing more controls for financial statement preparation and budgeting. When an organization has a firm grip on the risks it faces, then it becomes easier for the organization to understand where to place more controls.

What are examples of internal controls?

Small nonprofits are usually unable to create a lot of controls. They’re too busy trying to survive, and often just trying to make it through each day. With that said, having even a few controls in place can greatly reduce the possibility of fraud or misstatement. A few really common and helpful examples are:

• Bank reconciliation: Reconciling the ending bank balance to the ending balance in the accounting records is a key control that all organizations should perform monthly. This is a detective control.
• Segregation of Duties for Payments: Having separate people make payments from those recording payments helps reduce the possibility of one person committing fraud. Segregation of duties is a preventative control.
• Electronic only donations: Limiting donations to only electronic forms reduce the chances of someone swiping the cash.
• Multiple cash counters: Anytime cash is handled, there should be two people who count it and sign for it.
• Locked check stock: Checks should be locked up and only authorized signers should have access to the checks. Ideally, two people are present when checks are being written.
• Financial Close: A list of activities performed during month end closing should be listed and checked off to ensure completeness.

Larger nonprofits will have a much more robust set of controls. A full set of controls may touch every single account on the financial statements.

How should nonprofits document their internal controls?

Nonprofits should keep a document with the list of internal controls. For example, who is responsible for each process, who is impacted for each control, and any exceptions to the rule. Each person who is impacted by the control should review the document and sign off that they understand the process or control.

This internal control document should be reviewed at least once a year. If a significant change in the organization’s size, status, staff number or composition, or situation occurs, then the control policy must be reviewed again. Part of the review should include asking whether the procedures documented are being followed, or whether they have changed and why.

As nonprofits become larger or more sophisticated, they should also consider documenting compliance with the control. That means having a checklist and sign-off each time a control is potentially executed. These compliance checks become the first step to a larger control audit, but they also require significantly more effort from staff members.

Conclusion

The topic of internal controls isn’t the sexiest, but it’s one that every nonprofit must consider. By carefully planning, documenting, and following a set of internal controls, a nonprofit can avoid instances of fraud or financial misstatement that could potentially cause its downfall.