Nonprofit Internal Controls: What To Do With the End In Sight



Tada!! Here it is, the last post in the internal controls series. The last two things I’ll talk about (don’t look so happy) is detection and maintenance.


I often try to impress that internal controls don’t just address the “bad stuff”, they catch mistakes as well. But, as we see in the headlines everyday fraud within nonprofits does exist and has to be addressed.

To me, it’s much easier to detect fraud if one has a good grasp of what it is and when it occurs. Many categorize fraud as either a misappropriation of assets and/or  fraudulently reporting finances. Which means vulnerabilities will lie where the goods/money are or when it comes time to report.

Fraud can be further broken into three elements: 1. opportunity 2. motivation 3. attitude/rationalization. Which means someone is more likely to commit fraud if in a circumstance they feel warrants their actions (disgruntled or hard times at home) and have the opportunity. One of the resources I reference below outlined a few good signs to look out for that might signal the need for further investigation:

  • unexplainable absences
  • staff member is not willing to, or won’t, take vacation
  • staff member prefers not to delegate tasks
  • donations and grant income appear good  but cashflow is tighter than it should be
  • vendors are complaining that payments are made late
  • the monthly financial statements, or any report for that matter, are consistently prepared late or look funny

Where fraud is suspected or discovered organizations are encouraged to:

  • act normal and keep  everything confidential until there is a more through investigation
  • put the suspected person or persons on paid leave and contact its attorneys/accountants
  • consider hiring a fraud investigator
  • check its insurance coverage and notify the insurance company


So there’s no sense in going through all this trouble, only to to have everything crumble six months after put in place. To me, nurturing, assessing and maintaining internal controls is the second most important step of the process. A few instances where internal controls may become most vulnerable (and you may want to watch for the need to possibly change, adapt or remove them) are:

  • when restructuring the organization be it hierarchies, how things are reported, to whom, etc;
  • as major donors or funding sources develop or revenue streams change;
  • As programs or funding is added or removed, gained or lost;
  • as personnel is increased or decreased or there is a change in leadership.

Actions an organization can take to ensure there’s longevity include:

  • the ED dialoging with staff every now and again to understand how things work on the transaction level ;
  • conducting mini-audits. For example, the Board can choose a line item revenue or expense, sit with the staff with oversight and talk about how the figure was determined;
  • implementing a whistleblower program for when a staff or volunteer believes there’s been an indiscretion. This doesn’t have to be a production. It can be a confidential number ( there are companies that offer this service),  internet mailbox or a past or retired board member. This helps create that self policing environment and could be distributed not only to staff but vendors, volunteers,  clients and donors.
  • Ensuring everyone follows policy and morale isn’t lowered by  allowing for exceptions; and
  • Avoid at all costs going into an internal control frenzy (creating too many controls at one time makes people more inclined to ignore them).

Lastly,  internal controls ain’t cheap. Many of the things I’ve talked about may warrant the need for additional resources (staff, money, assets, technology). And even where initial implementation doesn’t require additional resources,  effectively maintaining them may. It’s important organizations get comfortable communicating to its donors and funders that in order to remain effective and grow an organization must continue to nurture itself; which requires reinvestment. That means having the flexibility to direct money toward administration and capacity building. Because when you think about it, those organizations that don’t adequately invest in themselves ( and fall into that trap of allocating its 2% of the revenue) still end up losing out on money in some capacity, be it fraud or loss. 


CompassPoint Internal Controls Checklist
Jackie Breland’s Internal Controls Checklist

Other Posts You Might Like

The Contract Process and Steps to Managing it: Part I [INTERACTIVE GRAPHIC]

Have You: Created a Gift Acceptance Policy?

Succession Planning Series Part II:  Legal Issues

Have You: Looked At Your By-laws