In the long run, these controls will ensure your nonprofit successfully fulfills its mission and makes a lasting impact. ❤️
That said, designing nonprofit internal controls from scratch can be a challenge. Nonprofit leaders already have to navigate complex regulatory requirements, from financial reporting to tax law. So where do you begin? 🤔
In this article, we'll help you get started with the strong internal controls every nonprofit needs.
What are nonprofit internal controls?
Nonprofit internal controls are systems, mechanisms, and procedures that help an organization manage risk while preventing errors and fraud. These written policies create a standard for how operations and financial activities should be conducted, ensuring that everyone is held accountable. 🔐
Internal controls are always applicable to the nonprofit's staff, but might also extend to the board of directors and outside vendors. These control policies are usually related to financial management, which means that anyone involved in handling the nonprofit's funds should have a clear understanding of them.
Example of a nonprofit internal control
For example, as a simple internal control, you might require that two people sign all checks. This helps to ensure the accuracy of payments and can help prevent embezzlement, theft, and other misappropriation of assets. 💰
Nonprofit internal controls can range from basic procedures like the above to intricate systems involving separation of duties, audits, and advanced digital security measures. The key is to strike a balance that safeguards your nonprofit's assets and integrity without stifling efficiency or productivity.
Does my nonprofit need internal controls?
The short answer is YES. Internal controls are crucial for nonprofits of any size. Even if you don't have enough staff or resources to create an extensive system, having some form of internal controls in place is better than nothing.
It's also important to bear in mind that your nonprofit might need different types of internal control depending on your unique situation. For instance, you may require more extensive measures if you have remote staff 💻 or work with high-risk partnerships and vendors. ⚠️
7 internal controls every nonprofit organization should have
Now, let's delve into the seven internal controls every nonprofit should consider implementing. These specific controls will help ensure your organization operates with transparency and accountability.
1️⃣ Access to sensitive data
This nonprofit internal control should limit access to sensitive information, such as financial statements, bank accounts, and accounting software. Ideally, all nonprofits should have a clearly outlined system defining who is allowed access to what kind of data. 📝
This control system might include policies like:
Changing passwords every 6 months
Limiting bank account access to specific individuals, such as your CPA and executive director
Requiring two-factor authentication for anyone accessing the nonprofit’s financial information
A regular, scheduled review of who has access to which type of data
You should also outline how access will be given—for example, via a password-sharing app or by sharing credentials over the phone.
If someone needs access to your nonprofit's bank accounts, this is particularly important. Depending on your bank, you might have only one set of login credentials to share, which is both inconvenient and extremely risky. Since you have no control over what that person can do once they're signed into your account, anything could happen. 😬
That's why Relay (hello! 👋) helps nonprofits control banking access with secure, role-based logins. 👥 Relay is an online banking and money management platform built for nonprofits like you—whether you want to give board members limited, read-only access, or need to fully delegate financial tasks to your accountant.
💡Read more: How safe is online banking?
2️⃣ Segregation of duties
This nonprofit internal control is all about separating specific duties within the organization to make things more secure. It requires more than one person to complete certain key tasks, such as approving payment and making the actual transfer. 💸
For example, instead of one person handling all the payroll duties, you can divide the responsibilities between three people:
One individual enters payroll data
The second approves the data entry
The third person is responsible for distributing the paychecks
This breakdown ensures that no single individual has control over the entire process, greatly reducing the risk of fraud and human error. Segregation of duties is also an affordable security measure since it doesn't require specialized staff or new software. Just be sure all processes and duties are formally defined in a written policy. 📝
3️⃣ Monthly bank reconciliation
This internal financial control is one of the most important and effective ways to stay on top of your cash flow as a nonprofit. Bank reconciliation ensures that your nonprofit's financial statements are accurate by comparing the cash account balances with the bank statement. 📊
This task is usually done by the organization's bookkeeper. However, it's good practice to have an additional, internal staff member reconcile your accounts each month—that way, two different people are closely reviewing your financial records, ensuring a high level of accuracy. 🧐
While this can time-consuming, Relay helps nonprofits speed up bookkeeping and reconciliations with detailed transaction data—you'll see clean, standardized vendor names and categories for every transaction.
Plus, Relay's integrations with QuickBooks Online and Xero mean you (and your bookkeeper) will see the most up-to-date and accurate banking data every time you log into your accounting system.
4️⃣ "Surprise" internal audits
To both prevent and prepare for potential audits, it's critical to track expenditures, disbursements, fundraising income, and other financial transactions. But how do you know that your accounting records are accurate? 👀
A surprise internal audit could be the answer. This type of audit is exactly what it sounds like—it's when you have an independent auditor come and review your nonprofit's records without any prior warning. This can help your organization identify any areas that need to be tightened up before a real IRS audit.
You might already be required to do an independent audit each year, depending on your state's laws. Even if these rules don't apply to your organization, however, an annual internal audit can be a great way to make sure your processes are air-tight. 🙌
5️⃣ Physical security
For some nonprofits, this internal control is an obvious one. Depending on your organization's size and resources, physical security might mean a combination of locks on doors 🔒during the day (for staff safety), locked filing cabinets (to store confidential documents like blank checks), or even CCTV systems (for extra protection).
Even something as simple as implementing a check-out policy for credit cards and blank checks can add an extra layer of security. The most important thing is to have a clear, written policy covering physical security and make sure that all staff members are aware of it.
6️⃣ Staff spending and expense reimbursement
Whether your team needs to pay for travel or make a last-minute supply purchase, it's important for nonprofits to properly manage employee expenses. 💸
Here are a few examples of nonprofit internal controls related to staff spending:
When possible, all purchases should be made with a company debit card (to limit the number of expense reimbursement requests)
Receipts must be submitted for all expenses over $5
For purchases over $200, explicit approval is required from your manager or the finance department
Expense reimbursement requests must be submitted within 30 days of the expense
For most nonprofits, it's unrealistic to think that the executive director will be able to pay all expenses with a single company credit card. 💳 But it can also be overwhelming to manage dozens of expense reimbursement requests each month (or distribute petty cash).
Issuing multiple debit cards for specific employees, programs, or projects can help—for example, if a certain staff member is leading a short-term project with lots of expenses, you could instantly issue them a virtual debit card with a set spending limit. 🙌
With Relay, you can issue 50 virtual or physical debit cards for specific purposes, whether it's for the marketing department or your newest education program. You can also set spending limits, and if you notice any suspicious activity, instantly freeze cards from your computer or phone. 📲
7️⃣ Background checks
According to one survey, 96% of businesses conduct background screenings before hiring, and not-for-profit organizations should be no different. Whether you're interviewing full-time staff or volunteers, a clear process for screening applicants is critical to your nonprofit's safety and security. 🔒
At a minimum, this should include verifying references and criminal background checks. Depending on your organization's operations and the roles you're hiring for, other types of screening might also be necessary. For example, if the role has anything to do with financial management or handling sensitive data, a credit check might be a good idea. ☑️
In this internal controls policy, be sure to outline how background checks will be stored and who has access to the results. You'll also want to double-check that your policy aligns with federal and state laws.
Following through with nonprofit internal controls
The key to successfully implementing nonprofit internal controls is to do it sooner rather than later. Your policies might not be perfect at first, but they can always be adjusted—just be sure to document any changes and communicate them clearly to everyone involved. 🗣️
Once you've created your nonprofit internal controls, it's important to stay consistent. That means setting clear expectations for employees and volunteers and enforcing your policies without exception. 📝 It might be tempting to overlook small discrepancies, but doing so can lead to bigger problems down the road.
Ultimately, whether you're managing a small nonprofit or an international organization, remember the purpose of these internal controls: risk management, accountability, transparency, and the long-term success of your nonprofit.
🔐 Relay: Your money — protected
Nonprofit organizations use internal controls to keep their finances safe and secure, but it’s not always easy. That’s why Relay’s online banking and money management platform is designed to help nonprofits stay on top of cash flow.
At Relay, we help nonprofits keep their money safe with a combination of advanced security features like encryption technology, two-factor authentication, and more. Plus, our real-time transaction data means you can always stay on top of your finances—and quickly address any errors or discrepancies. 🔒
Relay also allows nonprofits to speed up bookkeeping and securely collaborate with their financial advisors, like nonprofit accountant Ufuoma Ogaga. Ufuoma uses Relay to help her clients stay audit-ready, prevent fraud, and gain greater visibility into cash flow.
With Relay, nonprofits also get:
✅ 20 individual, no-fee business checking accounts: Organize income, expenses, and cash reserves with multiple checking accounts—with no overdraft fees, maintenance fees, or minimum balance requirements.
✅ Automated savings: Relay helps you build your nonprofit reserves with automated savings. Plus, you’ll earn 1-3% APY1 on every dollar.
✅ Entirely online banking: Open checking and savings accounts, issue debit cards, and send and receive payments completely online—no in-person branch visits required.
✅ 50 virtual or physical debit cards: Create new debit cards for specific projects and expenses, and get instant access to virtual debit cards for online and mobile payments.
Ready to get started? Sign up for Relay today.
