Why Nonprofits Need Internal Controls

8 min read

May 21st, 2024

Nonprofit leaders have an altruistic outlook, working toward the best outcomes and trying to see the best in everyone. Unfortunately, this optimistic perspective can leave nonprofit organizations vulnerable to fraud. A study from the Association of Certified Fraud Examiners (ACFE) that looked at more than 2,500 cases of fraud found:

• Nonprofit organizations accounted for 9% (191 cases) of all the fraud cases examined.
• Nonprofits suffered median losses of $75,000.
• The average fraud-related nonprofit loss was $639,000.

These types of losses would be devastating to most organizations. However, unfortunately, the study also found that nonprofits tend to have fewer internal controls in place, leaving them more vulnerable to fraud. In addition to individuals overriding existing internal controls (14%) and a lack of management review (19%), an overall lack of internal controls (35%) accounted for the top three organizational weaknesses.

Fraud is not only devastating for nonprofits due to the monetary losses, but fraud also significantly damages a nonprofit organization's reputation and the trust it has built among donors, constituents, and the community.

When people volunteer their time or donate their hard-earned money, they must feel confident that their resources will be put to good use, and having resources lost to fraud is not a good use. As a result, an organization that lacks internal controls and is vulnerable to fraud will inevitably struggle to build trust with donors and see its funds diminished.

Preventing fraud with internal controls is vital to donor trust and the ultimate survival and success of your nonprofit organization.

What Are Internal Controls?

Internal controls are bookkeeping, accounting, record-keeping, and auditing policies, processes, and procedures. Internal controls are used in an organization's financial management to ensure the integrity of compliance and reporting while helping to prevent internal fraud. Additionally, internal controls can help improve operational efficiency and organizational leadership.

Types of Internal Controls and Examples

Internal controls fall into two primary categories, preventive controls and detective controls. Preventive controls are intended to prevent errors and fraud from occurring, while detective controls aim to detect instances of fraud or errors that were not adequately prevented by the organization's preventive controls.

Common Preventive Controls

• Separation of duties and power
• Checks and balances
• Access controls
• Approval authority requirements
• Physical controls
• Risk assessment
• Cybersecurity
• Employee and volunteer training

Common Detective Controls

• Routine audits
• System monitoring
• Trial balances
• Account reconciliation
• Standardized record-keeping and reporting

Some sources also refer to a third category of controls which are referred to as corrective controls. Corrective controls are new or revised preventive and detective controls that are put in place in response to irregularities, errors, or instances of fraud.

Read More: A Nonprofit’s Guide To Outsourcing to an Expert Remote Team

The Top 5 Benefits of Internal Controls for Nonprofits

The benefits of internal controls are significant. Some of the most notable advantages of implementing sound internal controls include:

1. Safeguarded Funds - Internal controls minimize the risk of monetary losses due to fraud.
2. BuildingTrust - Internal controls demonstrate operational integrity, helping to build trust with your nonprofit's donor base.
3. Protected Donor, Employee, and Volunteer Information - You further build trust and integrity by safeguarding the personal information of your donors, employees, and volunteers.
4. Consistent Policies and Procedures - Internal controls help to establish consistent policies and procedures, improving compliance and reporting.
5. Better Leadership - With internal controls, nonprofit leaders benefit from more reliable and accurate financial information for better budgeting and leadership decisions.

9 Internal Controls Best Practices for Nonprofits

1. Define Your Internal-Control Goals

Nonprofit leaders should have a concrete understanding of what they intend to achieve with internal controls. Internal-control goals should include objectives like reducing the risk of fraud, safeguarding personal information, achieving compliance, improving financial integrity and transparency, and increasing the reliability of your financial reports.

2. Create a Culture That Supports Internal Controls

A culture of internal controls spreads from the top down. In the ACFE study:

• 39% of fraud cases were committed by an owner or executive director with a median loss of $250,000
• 35% were committed by a manager or supervisor with $95,000 in median losses
• 23% were committed by employees with a median loss of $21,000

Clearly, those at the top present the greatest threat and risk because they have the most access, power, and influence in an organization. Those in charge have the power to implement internal controls (or not) and the influence to persuade an employee to bypass internal controls (often for convenience or the sake of saving time).

Executive directors, board members, department heads, and program leads must lead by example, adhering to and respecting internal controls every day.

3. Assess Your Organization's Risk

When assessing your organization's risk, you need to think like a criminal. Look at every aspect of your nonprofit, trying to find vulnerabilities. Consider the physical security of your space, cybersecurity, policies and procedures, checks and balances, and separation of duties.

For example, consider:

• Whether your server is easy to access, whether you could find employee passwords in their planners or desk drawers
• If donor information is stored in a locked file cabinet
• How easy it would be to submit fraudulent expense reimbursement requests
• What types of documents are shredded and what types of documents go out in the regular trash/recycling
• How many signatures are required on checks
• If your USB ports are accessible and active
• If computer screens are visible from outside office windows
• Whether anyone would notice if you "cooked the books"
• Who is responsible for reconciling accounts (Are they also responsible for writing checks and making cash deposits?)
• If you diligently delete user access for former employees
• How often you download software updates
• How often you provide security training to employees

Having an objective perspective when assessing your nonprofit's risk can be challenging. In this step, it can be highly useful to enlist an expert consultant to help you identify weak spots in your preventive and detective controls.

4. Identify, Define, and Document Your Nonprofit's Control Activities

When establishing internal controls, you should identify and define your organization's control activities. Control activities include everything you do to maintain and support security in your nonprofit. During this step, reference your risk assessment, looking at the vulnerabilities you have identified. Next, establish policies and procedures to mitigate these vulnerabilities and reduce your risk of exposure.

Your nonprofit needs to have documented, written policies and procedures regarding every aspect of its internal controls.

The Top 7 Nonprofit Board and Management Reports

The Ultimate Guide to Nonprofit Reporting for Executive Directors 

[FREE DOWNLOAD]

5. Use a Three-Person Team

If you only have one or two people managing your back office, then your organization is at a significantly increased risk of fraud. A three-person team is the minimum requirement for implementing adequate internal controls in your financial department. Adequate separation of duties and power in addition to proper checks and balances require at least three people. With a three-person team, one person writes the checks, another approves the checks, and a third person reconciles the accounts.

6. Leverage Opportunities for Outsourcing and Consulting

Most nonprofits operate with limited budgets (and using the word "limited" here feels like an understatement for many nonprofits). As a result, nonprofits often can't afford to hire a three-person team in-house, bring on a full-time IT expert, or pay the high salary of a controller or CFO. However, nonprofits can afford to outsource these positions by hiring consultants and third-party professionals to assist.

With outsourcing, nonprofit leaders have lots of options such as:

• Bringing in a consultant to help you assess your nonprofit's risk and establish sound internal controls
• Routinely hiring a company to execute internal audits
• Shifting the burden of compliance and financial controls to an outsourced client accounting service provider for more sound financial operations

Outsourcing provides an excellent opportunity for nonprofits to access the benefits of the back office or IT department of a high-budget corporation at a small fraction of the cost.

Read More: Why Isn't My Nonprofit Successfully Raising Money?

7. Provide Training and Communication

Internal controls are useless if your employees don't know they exist or how to follow them. Once you have documented your internal controls, you need to provide employee training, the tools and resources to work within a sound system, and clear communication about why internal controls are important.

Additionally, make sure your team knows you have also put detective controls in place so they understand they will be held accountable to following policies. However, it's best not to disclose the exact nature or schedule of these detective controls because this can make it easier for a potential fraudster to find and exploit any vulnerabilities that still exist.

8. Implement a Routine System of Monitoring Internal Controls

Adequate detective controls require routine monitoring of your systems. This means you should be reconciling accounts regularly, scheduling internal audits, and even using third-party security consultants to help test the fortitude of your employees.

9. Take Action With Corrective Controls and More Training

If you discover new vulnerabilities, errors, or signs of fraud, then you should revisit and revise the preventive controls you have in place. Offer additional training to your employees and make changes to correct past oversights. The sad truth is that internal controls are never complete or perfect. The landscape of security and technology is constantly shifting. So, nonprofit leaders must continuously strive to strengthen security and protect organizational integrity.

Strengthen Your Internal Controls With Outsourced Accounting for Nonprofits

As mentioned above, outsourcing is an excellent resource for improving your nonprofit's internal controls. An outsourced back-office team can help shift the burden of compliance and security to an experienced third-party provider. Additionally, an outsourced team ensures you always have enough people managing your back office and you're always working with industry experts who stay up to date on the best accounting software and tools for nonprofit organizations. With an outsourced team, you can strengthen your internal controls, protect your nonprofit's reputation, and build trust with donors - all while steadily working to improve your nonprofit's financial health and mission impact.