Strengthening Internal Controls for Nonprofit Organizations

Summary:
- Strong internal controls help nonprofits prevent fraud, safeguard assets and ensure reliable financial reporting.
- Governance oversight and leadership tone are foundational to an effective internal control environment.
- Segregation of duties reduces risk and errors.
- Electronic payments, including ACH and credit cards, present elevated fraud and misuse risks for nonprofits.
- ACH controls should focus on authorization, verification, access restrictions and transaction monitoring.
- Credit card controls should address card issuance, spending limits, documentation and independent review.
- Ongoing monitoring, documentation and periodic reassessment strengthen accountability and audit readiness.
Internal controls are a fundamental component of nonprofit governance. They help organizations safeguard assets, ensure reliable financial reporting and comply with donor restrictions, grant requirements and regulatory obligations.
While internal controls are often associated with audits, their value extends far beyond compliance. Well-designed controls support operational efficiency, reduce fraud risk and reinforce trust with donors and stakeholders.
The Purpose and Objectives of Internal Controls
Internal controls are designed to provide reasonable assurance that an organization achieves its objectives related to operational effectiveness, financial reporting reliability and compliance with applicable laws and policies. For nonprofits, this means ensuring funds are used for their intended purpose, financial information is accurate and timely and donor-imposed restrictions are respected.
These controls are not meant to eliminate all risk or create unnecessary administrative burden. Instead, controls should be risk-based and proportional, reflecting the organization’s size, complexity and activities. When properly designed, internal controls support mission delivery.
Segregation of Duties
Segregation of duties is a core internal control principle intended to prevent any one individual from controlling all aspects of a financial transaction. Ideally, authorization, recordkeeping and custody of assets are handled by different people. This separation reduces the risk of errors or fraud going undetected.
Many nonprofits operate with limited staff, making ideal segregation challenging. In these cases, compensating controls become essential. These controls may include supervisory review of reconciliations, dual approvals for transactions or board-level review of financial activity. While compensating controls do not replace segregation, they significantly reduce risk when implemented consistently.
Governance and Oversight
Effective internal controls begin with strong governance. The board of directors is responsible for establishing expectations around accountability, ethical conduct and financial oversight. While boards are not involved in daily operations, they play a critical role in approving key policies, reviewing financial statements and asking questions that support transparency and risk awareness.
Consistent board engagement reinforces the importance of internal controls and signals to management and staff that accountability is a priority. This oversight is particularly important in areas involving financial risk and electronic transactions.
Management’s Role
Management is responsible for designing, implementing and maintaining internal controls. This includes ensuring policies are followed, controls are functioning as intended and issues are addressed promptly. Leadership behavior is critical in shaping organizational culture. When leadership demonstrates commitment to internal controls, staff and volunteers are more likely to adhere to established processes and report concerns.
Risk Assessment as the Foundation of Control Design
Risk assessment is a vital step in designing effective internal controls. Nonprofits face varying levels of risk across different processes, including cash handling, disbursements, payroll, financial reporting and electronic payments. Identifying these risks allows organizations to focus control efforts where the potential impact is greatest.
Risk assessment should be revisited regularly, particularly as organizations adopt new technologies, expand programs or change funding models. Controls that were helpful in the past may not address current risks appropriately.
Controls should be tailored to the organization’s structure and resources. Smaller nonprofits may not be able to fully segregate duties but can still reduce risk through alternative controls such as management review, board oversight or periodic independent checks.
Controls Over Key Transactions
Cash Receipts, Disbursements and Financial Reporting
Controls over cash receipts help ensure that funds are accurately recorded, deposited promptly and reconciled to accounting records. Disbursement controls focus on authorization, documentation and review to ensure payments align with organizational policies and donor restrictions.
Payroll and journal entry controls support accuracy and prevent unauthorized changes to financial records. Timely reconciliations and management review during the financial close process are essential to producing reliable financial statements. These foundational controls remain critical even as organizations shift toward electronic payment methods.
Credit Card Risks and Control Strategies
Credit card usage introduces a different set of risks for nonprofits, particularly related to misuse, unauthorized spending and inadequate documentation. While credit cards offer convenience and operational flexibility, they can weaken controls if not properly managed. Clearly defined credit card policies should address who is authorized to hold a card, acceptable use, spending limits and required documentation. Limiting the number of cards issued and setting transaction limits reduces exposure if a card is lost or misused.
Independent review is a critical control for credit card activity. Cardholders should not be responsible for reviewing or approving their own statements. Management or finance staff should review statements regularly to ensure charges are appropriate, supported by receipts and aligned with organizational purpose. Monitoring for unusual spending patterns helps identify potential issues early. Integrating credit card activity into regular financial reporting and reconciliation processes strengthens oversight and supports audit readiness.
ACH Risks and Control Strategies
ACH transactions present elevated risk for nonprofits due to their speed, volume and reliance on electronic authorization. ACH fraud often stems from phishing attacks, credential compromise or unauthorized changes to vendor banking information, making both technical and procedural controls essential.
A key control is the separation of ACH initiation and approval. Individuals who initiate payments or banking changes should not be the same individuals who approve or release those transactions. When staffing limitations prevent full segregation, nonprofits should implement compensating controls such as enhanced management review or secondary approvals to reduce risk.
Multi-factor authentication is an important safeguard for ACH systems, particularly for users with payment authority. Requiring MFA for banking portals and payment platforms significantly reduces the likelihood of unauthorized access, even if login credentials are compromised. Verification procedures are equally important. Changes to vendor banking information should be confirmed through a secondary communication channel rather than relying solely on email requests.
Bank-level fraud prevention tools such as Positive Pay and ACH filters are also helpful. These programs help identify or block unauthorized transactions before funds are released and should be actively monitored to remain effective.
Cyber insurance is also an important risk management tool, but not a substitute for strong controls. Coverage often depends on the presence of safeguards such as MFA, documented approval processes and bank fraud prevention programs. Regular monitoring of ACH activity, review of transaction reports and periodic reassessment of user access help ensure controls continue to operate effectively. When ACH controls are integrated into the broader internal control framework, nonprofits can balance operational efficiency with strong financial protection.
Documentation, Monitoring and Continuous Improvement
Documented policies and procedures provide clarity, consistency and accountability. They reduce reliance on individual knowledge and support continuity during staff transitions. Documentation also strengthens audit readiness and demonstrates sound governance practices to donors and regulators.
Internal controls require ongoing monitoring to remain effective. Regular review of financial activity, management oversight and periodic internal assessments help identify control gaps and emerging risks. Audit findings and management letter recommendations provide valuable insight into areas for improvement and should be addressed proactively.
Protecting Your Nonprofit’s Finances
Strong internal controls are essential to nonprofit accountability, transparency and long-term sustainability. As electronic payments such as ACH transactions and credit card usage become more common, nonprofits must ensure that controls evolve to address these heightened risks. By focusing on governance oversight, risk-based control design, segregation of duties and intentional management of electronic payment activity, nonprofits can significantly reduce financial and operational risk.
Internal controls are not about limiting flexibility or creating unnecessary bureaucracy. They are about protecting the mission, ensuring responsible stewardship of resources and maintaining the trust of donors and stakeholders. Brown Plus works with nonprofit organizations to evaluate internal control environments, strengthen financial processes and support confident governance in an increasingly complex financial landscape.
