All nonprofits need the following 13 minimum financial internal controls, regardless of size: segregation of duties, monthly bank statement reconciliation, enforce cash handling procedures, limit credit card use, record and review all income, control the disbursement process, monitor and validate expense reimbursements, provide regular financial reporting and review, manage payroll and timesheet controls, create and use budgets, adopt a conflict of interest policy, adopt a whistleblower policy, and define banking account authority.NPCROWD.COM
I must admit that when starting a nonprofit, getting a good financial internal controls policy template is just difficult to find.
Most resources talk about how every nonprofit is different and therefore you need to build your own.
While there is truth to that statement, we’ve found there are 13 base topics that should be minimally covered for all nonprofits.
These topics form a foundation from which you can add more details, when the time is right or as wise counsel indicates it is needed.
The point is to start with these instead of waiting for the perfect template to appear. You need to protect your organization today.
Why Do Nonprofits Need Financial Controls and Policies?
Nonprofits need financial controls and policies to prevent fraud and theft, and to provide public accountability for the management of funds. These controls provide a separation of duties across multiple individuals, ensuring the proper handling of assets, and providing for financial transparency.
We hate to break it to you, but nonprofits do fall prey to fraud, theft, and misappropriation of funds on an all too frequent basis. Most financial losses like these can be quickly and easily avoided through basic internal financial controls.
According to the 2020 Report To The Nations from the Association of Certified Fraud Examiners, the average loss from a fraud event in 2020 was $639,000 while the median loss was $75,000. And we know from experience that this is only a subset of “reported” fraud cases. Many more are never reported and handled internally within the organization.
I don’t know about you but $75,000 – $639,000 can go a long way to impact capacity building within a nonprofit organization.
[Also Read] – Our article about “Capacity Building Grants“
No matter if you are a solopreneur just starting a nonprofit, a medium-sized nonprofit that has been around for a few years, or a large nonprofit with decades of experience, review your policies to ensure your protections are right-sized for where you are today.
Let’s look at the 13 topics that should go into every nonprofit’s financial policy/controls document.
1. Segregation Of Duties
When we talk about segregation, or separation, of duties, we are referring to the fact that no single person should be able to complete a financial process without another person being involved at some stage in the process.
For those who remember the cold war, we might recall photos of nuclear bomb silos and the reported protection that no missile could be launched without two people, each having a separate key, required to insert and turn the key switch at the same time before a launch would occur.
This was to make us feel good that a single rogue individual could not start World War 3 on their own. A check and balance existed.
It is similar with the separation of duties.
For example, for disbursements, the person who enters the payment request must not be the same person who approves the payment or signs the check. Even with digital/ACH payments a workflow that separates duties is possible. (Link is our companion article)
Most financial processes in a nonprofit can be segregated into four categories of duties. These are represented as individuals who have/are:
- Access to assets
- Access to accounting records/systems
- Management or control positions
- Independent oversight
The same person should not cover more than one of these categories in a given process. The person who signs the check (access to assets) should not be the same person who enters the transaction into the accounting system (access to accounting records).
Even if your nonprofit has no staff, assigned Board members to provide coverage so that the segregation of duties exists. For example, the treasurer can review the monthly bank reconciliations and bank statements, signing them to acknowledge review and approval (independent oversight)
A minimally viable financial policy will make a statement about the segregation of duties and then describe that segregation for each of the sections below requiring them.
[Also Read] – Our companion article about maintaining appropriate segregation of duties with ACH and electronic payment systems.
2. Monthly Bank Statement Reconciliation
One important task is to ensure that someone with independent oversight reviews the bank statements against the list of transactions for the month as part of the monthly reconciliation.
In many organizations, this will be performed by a board member, perhaps one functioning in the role of Treasurer.
Now, it is quite likely that the reconciliation may be prepared by the accountant or another financial team member. However, it is important that the independent oversight be done by comparing the account transactions, against the monthly financials, against the original bank statement.
Original bank statements are an important component of this process. Why? Well, we are preventing fraud and misappropriation of funds. The bank itself isn’t going to lie about the balance in the account. Yet, documents prepared by the nonprofit organization could be edited to present a false balance in order to hide inappropriate disbursements.
Be sure your policy states who will reconcile the bank statements, sign off on them, and then keep the reviewed documents on file for audit review.
3. Cash Handling Procedures
No need to overcomplicate this one. It’s the process for handling cash, no matter where it comes from.
To put it simply:
- Ensure at least two people receive, record and monitor all cash. (access to assets)
- A third person should reconcile the cash to the record of receipt and then make the deposit.
- Log all cash received in a log book of some sort, paper or digital. (access to accounting records)
- A management team member should always verfiy the deposited amount matches the logged amounts. (independent oversight)
That’s it. Multiple eyes to hold each other accountable.
4. Credit And Debit Card Use
Credit cards are a convenient and fast way to make purchases as they are needed within your organization. This convenience along with the proliferation of cardholders means that credit cards are arguably the number one source of financial theft and misappropriation in organizations today.
Therefore, a strong financial policy should address the following credit card controls:
- Who receives a credit card (limit the number of cardholders)
- Sets policy around appropriate use of credit cards (i.e. No personal purchases)
- Declares the requirement to abide by credit limits and purchase approval limits
- Ensures monthly review of credit card purchases, receipt documentation, and approvals.
One thing to catch is that no individual should be able to review and approve their own transactions.
As an example, a good policy might indicate that the Executive Director reviews all credit card transactions and associated documentation on a monthly basis. (Management or control position) However, they should not be able to review their own transactions. (Access to assets)
So, your policy might include that the Board Chair or Treasurer will review the Executive Director’s credit card transaction on a monthly or bi-monthly basis. (Independent oversight)
5. Disbursement Process / Payments
When you think about money going out from your organization to individuals and vendors, these are disbursements. It’s typically your accounts payable items. Everything from receiving a bill or invoice, the approvals and payments need to be considered.
So what does a good financial policy include as it relates to your payables? First, the person who approves the payment (management control) should be different than the person to makes the payment (access to assets).
Every payment request should be reviewed to ensure four things:
- payment has not already been made (prevent double-payment)
- listed goods or services have been received
- classification of expense is correct
- invoice/request amounts match the check/payment amount
Finally, determine if you maintain a petty cash account. If you do, list the process for requesting funds, disbursing and receiving funds, logging and reconciliation, and deposit reviews.
6. Expense Reimbursements
Reimbursing staff and volunteers for approved expenditures is a common process. Yet, it is another common area where fraud can occur with more frequency than others.
The best first line of protection is to include a policy requiring all reimbursable expenses to be pre-approved by a supervisor or above.
Even with pre-approval, you should require original receipts and documentation for each item in a reimbursement request.
Don’t forget about the segregation of duties. The person issuing or approving reimbursements should never approve or issue their own reimbursement. Have a second person do the work to prevent any potential for impropriety.
Even with credit cards in use, mileage reimbursements are a very common type of reimbursement. These should include a requirement for tracking mileage or a printed Google map of the route taken showing mileage. Each trip should also document the purpose of the trip with the ability to verify the veracity of the trip.
A common clarification needed in an organization is to clarify in your policy the types of trips available for reimbursement and where mileage is allowed to begin and end.
You might state that mileage begins and ends at the office address unless it is less mileage to begin or end at a different location on the route.
For example, let’s say I go to a supply warehouse to pick up an order. The warehouse is 30 miles from my house, but only 5 miles from the office and I make the trip on a day I am working in the office. I can only collect 10 miles of mileage because I am already expected to make the trip from home to the office as part of my normal workday. I only went 10 miles out of my way.
You decide your policy but be clear for your staff and for those reviewing how well you adhere to your stated policy.
[Also Read] – Expense tracking and reimbursement systems are helpful here. We have a round-up post on these systems as an alternative to Expensify. You’ll find it helpful.
7. Income Recording And Deposits
All revenues, no matter the source or type, must be recorded promptly upon receipt. This may be in a log or journal, either digital or paper.
Checks received should be immediately be marked with a restricted endorsement as part of the logging process. Your policy can specify how often checks will be processed, no less than weekly.
What is a restrictive endorsement? A restrictive endorsement on a check limits the use of the check. The most common restrictive endorsement is “For Deposit Only,” which limits the check to only being deposited, not cashed. More restrictive endorsements can include “For Deposit Only” for a specific business name, bank, and account number.
Usually, this endorsement is made by an ink stamp that is stamped in the endorsement area on the back of the check. The endorsement will say something like:
For Deposit Only ORG NAME BANK NAME Acct #1234567890
Pro Tip: Get a self-inking deposit stamp if you will be processing many checks daily or weekly.
8. Financial Reporting
The regular, monthly review of a nonprofit’s financial situation is a healthy thing to do and is a legal requirement in some states. This process also helps ensure the opportunity for misappropriation is lessened because there is regular review and oversight.
This is a time to refer to your Articles of Incorporation and your By-Laws. In many states, your By-Laws may already define required financial reports and frequency of review. If so, these should be reflected in the reporting section of your financial policy.
At a minimum, we recommend your policy include the monthly creation, review, and approval of at least two reports:
- Statement of position (Balance Sheet)
- Statement of activities (Income Statement or Profit & Loss Statement)
Additionally, we would recommend a budget variance report or at least a report of budget variances that are greater than 25%.
9. Payroll / Timesheet Controls
By far, payroll and wages are the top expense categories for many nonprofits. At the same time, your HR team will remind you that there are Federal and State laws requiring certain records to be maintained.
When it comes to the financial side of payroll, we must have tight controls in place.
If you have hourly staff, a good policy will indicate the frequency of when timesheets, digital or print, are to be submitted, reviewed, and approved. Every volunteer or employee in this category should be required to log their time.
Your policy should also include the frequency and process for the submission, review, approval, and submission of payroll of all pay and exemption types.
The person submitting the payroll register for approval should be different than the person who reviews and approves payroll.
Each payroll should be reviewed by someone in a management or control position to ensure 4 things at a minimum:
- Timesheets have proper employee and supervisor approvals
- Leave pay usage is properly recorded
- Reasonability of the payroll allocations
- All payroll employees are valid
Much like the bank statement reconciliation, have a board member or treasurer (independent oversight) review the executive leader’s payroll records to ensure appropriateness.
As a final note, it is not uncommon for an Executive Director to receive an annual bonus at the direction of the Board. Just have the board chair document the request and approval of the board, along with the amount, and send it to the finance leader. This can serve as backing documentation for the additional pay.
Estimating your revenue and expenses each fiscal year in the form of a budget is something every nonprofit should do.
This allows an organization to track what was anticipated versus what the reality is. Not only does this help you manage your expense to revenue ratio, it can also help detect potential problems.
When monitoring budget to actuals on a monthly basis, a sudden drop in recurring known income could be a sign that someone is taking a portion of revenue before depositing it in the bank. This is known as skimming.
A good financial control policy should include the requirement that the organization develops an annual budget on a regular cycle. It is also common that the policy requires the Board to approve the budget before the fiscal year begins.
This helps manage expectations and can also be a tool to help board members see how they can help with fundraising.
11. Conflict of Interest Policy
Every organization needs a conflict of interest policy. Depending on the state of your incorporation, this might be required for your board. However, we need it to apply to all our staff.
So, adopt a Conflict of Interest policy and refer to it in your financial controls.
The goal is to ensure that no board member or employee can be a party to a decision, contract, or disbursement if they have a personal interest in, or receive benefit from, such decisions. The policy will require disclosure of such interest conflicts in order to ensure that impartiality is used at all times.
12. Whistleblower Policy
Like the Conflict of Interest policy, a Whistleblower policy is standard fair in most organizations today.
A whistleblower policy performs three functions.
- Encourages employees, volunteers, or board members to come forward about illegal practices or policy violations with credible information.
- Declares the protection from retaliation of the individual coming forward by the organization.
- Clearly defines the individuals on staff, the board, or outside parties, to which such information should be reported.
So, adopt a whistleblower policy, share it with the board and employees, and then refer to it in your financial controls policy.
13. Banking Authority
There is one major place we have yet to provide protection, banking.
Specifically, who is able to open bank accounts, investment accounts, and lines of credit.
Secondarily, who are the authorized signatories on such accounts?
Your financial policy should address these items with clarity. Be sure to review your By-Laws as some of these details may already be covered there. You do not want your financial policy to be contradicted by your By-Laws or vice-versa.
It is not uncommon that the Executive Director and Board Treasurer be the signatories on banking accounts and that the Board must approve the opening of any banking accounts. Yet, the accountant may help complete paperwork and details under the direction of the ED and Treasurer with the approvals documented.
BONUS TIP: Use Secondary Detail Documents
I may get flack from some purists out there, but I highly recommend keeping things simple, until they need to get more complex.
One way to do this is to keep your Financial Policy / Controls document short and sweet by referring to secondary documents that specify more detail where needed.
As an example, for your Conflict of Interest and Whistle Blower Policies, don’t copy and paste them into your policy document. Simply refer to them and ensure they are available to staff and your auditors.
Instead of listing every step and segregation of duty detail, create a matrix with each row being a process and each column being a segregation of duty step. (See below) A picture really can be worth a thousand words. :)
What are internal controls for nonprofits? Internal controls are financial management practices that prevent the misappropriation of assets such as embezzlement, fraud, or outright theft. These internal controls are defined through documented policies and procedures.
Do nonprofits need two signatures on checks? While such a process does ensure accountability, it can be burdensome for regularly occurring transactions. A similar amount of oversight can be achieved by having single signatures on checks and a different person with independent oversight reviewing all transactions as part of the bank statement reconciliation. We do recommend two signatures be required on checks or payments over a specific threshold amount. i.e. All checks over $5,000 require two signatures.
Disclaimer: This post may contain affiliate links. These links, if used and purchases made, we may earn a small commission. These affiliate programs do not impact the recommendations we make or the resources we refer you to. Our focus is on providing you the best resources for your nonprofit journey.