
The stakes are high: nonprofits account for 10% of all occupational fraud cases, with a median loss of $76,000 per incident. For charitable and social service organizations specifically, that figure climbs to $85,000. More troubling, 32% of fraud cases are attributed to a lack of internal controls, and 19% occur when existing controls are overridden.
This guide covers what nonprofit internal controls are, the core categories you should understand, essential policies every organization should implement, practical tips for smaller teams, and how to maintain controls over time.
TLDR
- Internal controls are written policies and procedures that protect nonprofit funds and reduce the risk of fraud or error
- The five core categories are segregation of duties, revenue controls, disbursements, payroll, and financial reporting
- Board members and compensating controls fill segregation gaps when small nonprofits lack sufficient staff
- Fraud losses and detection time drop with annual policy reviews and surprise audits
- A fractional CFO delivers cost-effective expertise to build and maintain an internal controls framework
What Are Nonprofit Internal Controls — and Why Do They Matter?
Nonprofit internal controls are the written policies, procedures, and practices that govern how an organization handles money, authorizes transactions, and reports financial activity. They serve as the "checks and balances" that reduce the risk of misuse, errors, or misappropriation of funds.
Three Types of Internal Controls
Nonprofits should understand and implement all three control types:
- Preventive controls stop problems before they occur (authorization requirements, dual signatures, password policies)
- Detective controls identify issues after they happen (bank reconciliations, audits, variance analysis)
- Corrective controls fix problems once discovered (restatements, policy updates, remedial training)

Each layer catches what the others miss — prevention alone is never enough.
Why Controls Matter to Nonprofits
Internal controls protect four critical areas:
- Tax-exempt status: The IRS reviews governance through Form 990 and states that "a well-governed charity is more likely to obey the tax laws, safeguard charitable assets, and serve charitable interests."
- Donor trust: Contributors expect funds directed toward the mission. Financial mismanagement erodes confidence and threatens future giving.
- Grant compliance: Federal recipients must follow OMB Uniform Guidance (2 CFR 200.303), requiring documented internal controls aligned with COSO or GAO frameworks.
- Fraud prevention: One incident can undo years of mission work. Organizations without fraud awareness training experience losses nearly 50% higher than those with it — and it takes an average of 24 months to uncover fraud without proper controls.
The 5 Core Categories of Nonprofit Internal Controls
Category 1 — Segregation of Duties
No single person should control all aspects of a financial transaction — authorization, recording, and custody. Most fraud prevention experts rank this as the single most important internal control category.
Concrete example: The person who receives donations should not also deposit them or reconcile the bank statement. Divide the three functions of any transaction among three different people:
- Authorization — approves the transaction (e.g., signs off on a donation acknowledgment)
- Recording — enters it into the accounting system
- Custody — handles the physical cash or check
According to the ACFE, nearly 30% of nonprofit fraud cases occur because one person handles multiple financial tasks without oversight.
Category 2 — Revenue and Cash Receipts
Controls over incoming funds create a clear, documented trail from receipt to bank deposit:
- Log all donations immediately upon receipt
- Use restrictive check endorsement ("For Deposit Only")
- Make deposits within one business day
- Require two people present when counting cash at events
- Maintain a detailed receipts journal
Each step should involve a different person from the prior step to maintain segregation.
Category 3 — Disbursements and Payables
Money going out requires equally tight controls:
- Pay only from invoices, never from statements alone
- Use check request and approval forms
- Require two signatures on checks above a defined threshold (commonly $5,000–$10,000)
- Prohibit the same person from approving and executing payments
- Periodically review the full vendor list for unfamiliar or suspicious names
Fictitious vendor schemes are one of the most common forms of nonprofit fraud, accounting for 31% of cases at organizations with fewer than 100 employees.

Category 4 — Payroll Controls
Payroll typically represents the largest expense for nonprofits and requires dedicated controls:
- Require supervisor-approved timesheets before processing
- Separate payroll preparation from check distribution
- Conduct periodic reviews of the payroll register for fictitious employees or duplicate payments
- Rotate payroll duties periodically to prevent single-person dependency
A payroll audit catching one ghost employee has, in several documented cases, uncovered broader scheme patterns — making these reviews worth far more than their time cost.
Category 5 — Financial Reporting and Monitoring
The first four categories prevent problems at the transaction level. This fifth category is the oversight layer that catches what slips through — and gives boards and leadership the accurate data they need to act:
- Monthly bank reconciliation by someone independent of transaction processing
- Regular budget-versus-actual variance review
- Board-level financial statement review at every meeting
- Documented journal entry oversight and approval
- Cybersecurity basics: password policies, limited system access, multi-factor authentication, and phishing awareness training
Organizations that formalize this monitoring layer — particularly board-level review — are also significantly better positioned for audits and grant reporting requirements.
Essential Internal Control Policies Every Nonprofit Should Have
Conflict of Interest Policy
A board-approved conflict of interest policy should define what constitutes a conflicted relationship, require annual written disclosure from directors and key employees, and prohibit interested parties from voting on related transactions.
This policy signals governance quality to funders and is often required by them. Key compliance benchmarks:
- 96% of nonprofits have a written conflict of interest policy, and 90% run an annual disclosure process (BoardSource)
- The IRS asks about this policy on Form 990, Part VI, Line 12 — making it a public accountability measure, not just an internal one
Cash Handling and Expense Reimbursement Procedures
Cash handling policy essentials:
- Locked storage for all cash
- Same-day or next-day deposit requirement
- Minimum two people present when counting cash
- Detailed transaction logs
- Never commingle petty cash with incoming donations
Expense reimbursement policy requirements:
- Pre-approval in writing for any expense to be reimbursed
- Submission of itemized receipts (not credit card statements)
- Designated approver who is not the person submitting the request
- Executive director expenses approved by board chair or treasurer
No one, regardless of position, should approve their own expenses.
Vendor Due Diligence and Document Retention
Vendor controls:
- Check references before awarding contracts
- Require formal invoices; never pay from statements alone
- Periodically review the full vendor list for unfamiliar or suspicious names
- Verify W-9 forms and tax identification numbers
Billing fraud accounts for 31% of fraud cases at small nonprofits — making vendor oversight one of the highest-return control areas for smaller organizations.
Document retention policy: Nonprofits should maintain a board-approved schedule for retaining financial, legal, and governing documents:
Keep permanently:
- Articles of incorporation
- IRS determination letter
- Audit reports
- Year-end financial statements
- Tax returns (Form 990)
- Board meeting minutes
- Real estate deeds and mortgages
Retention period varies by state statute of limitations:
- Employment and payroll records
- Vendor contracts
- Donor records
The IRS requires Form 990 to be publicly available for three years beginning with the filing due date.
Background Checks and Personnel Controls
Any staff member or volunteer who handles money or has access to financial systems should undergo a background check before being granted access. No federal law requires it, but the risk exposure from skipping this step is rarely worth it.
Mandatory vacation rotation serves as a fraud deterrent — extended absences allow irregularities to surface. Fraudsters often avoid taking time off because their schemes need constant hands-on management to stay hidden.
Practical Guidance for Small Nonprofits with Limited Staff
True segregation of duties is difficult when an organization has only two or three staff members, or is all-volunteer. The majority (59%) of U.S. nonprofits have annual budgets of less than $50,000, making dedicated finance staff impractical.
Compensating Controls for Small Teams
When full segregation isn't possible, use these workarounds:
- Board member receives bank statements directly and reviews them before handing to staff
- Board finance committee member performs monthly reconciliations independently
- Rotate financial review responsibilities among trusted board members
- Implement surprise internal audits examining cash flow and vendor payments

These steps won't replace full segregation of duties, but they create accountability where staffing constraints make formal controls impractical.
Tone at the Top
Leadership modeling is especially critical in small organizations. When the executive director submits receipts, gets approval for expenses, and follows policies without exception, it sets a culture of accountability that deters casual rule-bending throughout the organization.
Board members reinforce that culture by asking pointed questions, requesting documentation, and treating financial oversight as a standing expectation — not a special occasion.
Fractional Financial Leadership
Small nonprofits without a dedicated finance professional can engage fractional financial leadership — a fractional CFO or COO who designs a right-sized internal controls framework, trains staff, and provides ongoing oversight without the cost of a full-time hire.
One Abacus Advisory offers this kind of support exclusively for nonprofits. Engagements cover audit preparation, internal controls implementation, compliance, and board-ready financial reporting, scaled to what the organization actually needs.
During a leadership transition at the Philadelphia Zoo, for example, One Abacus conducted a comprehensive accounting assessment, optimized their NetSuite environment, and improved month-end close processes — all while keeping a lean finance team operational.
How to Build, Strengthen, and Maintain Internal Controls Over Time
Step 1 — Conduct a Controls Assessment
Before building new policies, audit what currently exists:
- Map how money flows through the organization (a simple flowchart works)
- Identify who has access to bank accounts and authorization to spend
- Note where single points of failure exist
- Document current policies, even informal ones
This assessment becomes the baseline for prioritizing improvements.
Step 2 — Document Everything in Writing
Verbal agreements are not controls. Every policy should be captured in a written financial policies manual — covering at minimum:
- Cash handling and disbursement procedures
- Expense reimbursement and authorization rules
- Board financial review schedules
- Grant compliance and reporting requirements
Documented controls are essential evidence during audits or funder reviews. The OMB Uniform Guidance explicitly requires federal grant recipients to "document" internal controls.
Step 3 — Review and Update Annually
Internal controls are not set-and-forget. Conduct a formal review annually, and again after any significant organizational change, such as:
- New leadership transitions
- New funding streams or grant requirements
- Rapid growth or downsizing
- System implementations
Include an annual risk assessment to identify new vulnerabilities based on current operations.
Step 4 — Build in Accountability Structures
Assign ownership for each control area:
- Establish a finance committee with clearly defined review responsibilities
- Designate a board member to receive bank statements directly
- Schedule regular financial statement review at board meetings
- Consider periodic surprise internal audits
Surprise audits are associated with a 50% or greater reduction in both fraud losses and fraud duration.

For organizations ready to formalize this work, a fractional CFO can serve as both the architect and the ongoing monitor of your controls framework — without the overhead of a full-time hire. One Abacus Advisory has built and strengthened internal controls for nonprofits including the San Diego Food Bank and Laguna Playhouse, designing systems that fit each organization's actual capacity and compliance requirements.
Frequently Asked Questions
What are the 5 main internal controls?
The five core categories are:
- Segregation of duties — no single person controls all aspects of a transaction
- Authorization and approval — requiring proper sign-off before funds move
- Reconciliation and review — independent verification to catch errors
- Physical and IT security — protecting assets and financial data
- Financial reporting oversight — ensuring accurate information reaches decision-makers
What is an example of a nonprofit internal control?
A practical example is requiring two authorized signatures on checks above $5,000. Another is having a board member receive and open bank statements before they are passed to the bookkeeper, creating independent oversight of cash activity.
What are the four types of financial controls?
The four types are:
- Preventive — stop problems before they occur (e.g., authorization requirements)
- Detective — identify issues after the fact (e.g., reconciliations)
- Corrective — fix problems once discovered (e.g., policy revisions)
- Directive — establish expected behavior through policies and codes of conduct
What is the rule of 3 in nonprofit organizations?
The "rule of 3" divides financial duties across three people: one receives and records funds, a second prepares the deposit, and a third reconciles the bank statement. This ensures no single person controls the full transaction cycle, significantly reducing fraud risk.
How to maintain control of a nonprofit?
Strong ongoing control comes down to a few consistent habits:
- Review and update written financial policies at least annually
- Maintain active board-level oversight through a finance committee
- Conduct periodic audits or surprise reviews to catch gaps early