Reviewing and Updating Your Nonprofit’s Internal Controls

December 27, 2018 | Tyler Harvell

Tyler Harvell's portrait

By Tyler Harvell, CPA, MBA

Nonprofits generally face limited resources as they depend on contributions from donors. If nonprofits don’t have checks and balances in adherence to internal controls, the doors can become wide open to fraud. Unfortunately, the economic conditions of recent years have only increased the likelihood of employee theft, making internal control measures more important than ever. A nonprofit can reduce the risks of failing internal controls by regularly reviewing and updating your organization’s internal controls and concentrating energies on its biggest risks.


A detailed internal control policy potentially contains hundreds of items related to everything from governance to financial statements to payroll to information technology. If your nonprofit has never drafted such a policy, talk to a CPA about doing so.

Most nonprofits, however, engage in far fewer risky activities and should, therefore, zoom in on a smaller group of controls that can benefit the organization and be more cost effective. For example, a startup that is putting donations to work as quickly as they come through the door probably doesn’t need to worry about investment and property management policies initially. 

However, such a nonprofit would benefit from implementing rules regarding cash receipts and disbursements. These include segregating duties (so that, for example, the same staffer who enters an invoice should not be approving the invoice), requiring dual signatures on checks, and performing monthly bank reconciliations by a person not involved in the cash receipts or disbursement process.


Even the best internal controls can’t protect your nonprofit from fraud if managers override them. It is always good to remember that a lock on a door will keep honest people from breaking in, but a criminal will enter no matter how well the door is locked. This is why it is a good idea to ask a CPA to observe how well your organization is adhering to controls and to identify any potential risks.

Another good line of defense may be your board of directors or the audit committee component of the board. Your board can help prevent management-perpetrated fraud by:

• Ensuring that material weaknesses identified in management letters by auditors are addressed
• Developing budgets
• Regularly reviewing internal financial statements, including comparisons to budget
• Signing off on completed IRS forms, such as Forms 990.

Your board of directors might also stipulate additional policies, such as requiring the approval of at least one board member on the rare occasion a manager needs to override controls. A good example would be having certain volunteer board members as check signers, so that if management needs an additional signer, a board member could sign checks instead of letting the checks be released with just one signature.

Your board should also look for signs that managers aren’t following internal control policies to the letter. For example, failing to report risks and actual management overrides in a timely manner. Accounting and reporting errors along with disputes with auditors or outside advisors are possible signs that a manager may be committing fraud. The board could address some of these issues by giving employees of the nonprofit opportunities to speak freely by setting up a fraud hotline or having a whistle blower policy in place.


Your current staff may have a lot on their plates, so some procedures might be forgotten in the process of completing transactions for the entity. If a staff member were to leave, more procedures would fall on someone else’s plate until another person can be hired. It is good practice to review  the policies designed to prevent fraud with employees and managers alike. If you have any questions HHM stands ready to help.