Protecting Assets and Sound Internal Controls

Man at iPad

by the Nonprofit Risk Management Center

There are many safeguards that your nonprofit can employ to ensure that financial transactions are properly authorized, appropriated, executed and recorded. Fortunately, establishing good internal controls requires more of an investment of attention than money. Thus, very small nonprofit or even all-volunteer groups can institute appropriate controls and reap the benefits. Choose those that work and that you can sustain. Generally, internal controls fall into four categories: proper authorization and approval, proper documentation and accurate recording, proper physical security, and early detection.

Proper Authorization and Approval

Identify a select group of people with decision-making responsibility, and clearly define the who, what, where and when of financial transactions. Some strategies include:

  • establishing an annual budget — provide the board with time to review it and ask questions and have it approved before the start of the fiscal year;
  • creating a purchasing process that tracks purchases from request through payment; and
  • making sure that staff know who has authority to obligate the nonprofit’s funds.

Proper Documentation and Accurate Recording

Establish accounting routines to ensure that no false transactions are processed and that all valid transactions are recorded for the correct amount and accounts. Some strategies include:

  • requiring that all vendors and consultants submit detailed invoices for goods and services provided to your nonprofit;
  • requiring receipts for expenses of more than $5 for reimbursement; and
  • demanding documentation is attached to check request forms.

Proper Physical Security

Ensure that only those that are authorized have physical or indirect access through documents or computers to money, securities, real estate and other valuable property. Some strategies include:

  • ensuring that blank checks are locked up and controlled by someone other than the person who cuts checks;
  • requiring that another staff member sign out blank checks;
  • using passwords to prevent access to accounting software and records by staff or visitors who do not need to know them;
  • changing passwords every six weeks; and
  • depositing daily receipts (checks, cashiers checks, money orders and cash) in the bank each day.

Early Detection

Establish a safety net to detect ongoing fraud and minimize the total loss to the organization. Some strategies include:

  • ensuring that the executive director or other senior manager receives and reviews the monthly bank statement(s) before a staff member performs the bank reconciliation;
  • cross-training several staff so they can make bank deposits and perform other essential accounting duties when the regular bookkeeper or accountant is absent, and instruct them to report any irregularities; and
  • engaging the services of a certified public accounting firm to conduct an annual financial statement audit that is reported to the board without staff present.

Implement those steps that make sense for your nonprofit, given the nature of your operations and extent of resources available for internal controls.