Nonprofit Internal Controls: A Practical Guide for Small Organizations

Last updated: March 20, 2026

TLDR

Internal controls protect nonprofit assets, prevent fraud, and satisfy audit requirements. The five core controls — segregation of duties, dual authorization for disbursements, independent bank reconciliation, restricted fund access, and board financial review — apply to organizations of all sizes. Small organizations with limited staff must offset reduced segregation with compensating controls: board involvement, surprise reviews, and software audit trails.

Why internal controls matter for nonprofits

Nonprofits are entrusted with other people’s money. Donors give to support a mission. Grantors award funds for specific programs. Board members accept fiduciary responsibility for organizational assets. Internal controls are the mechanisms that protect those assets and demonstrate to stakeholders that the trust is warranted.

The Association of Certified Fraud Examiners (ACFE) publishes data showing that small organizations — those under $100,000 in revenue — suffer disproportionately high median losses per fraud case. The typical scheme runs for 12 months before detection. The most common fraud vector at nonprofits is unauthorized disbursements, which is precisely what dual authorization and segregation of duties prevent.

Beyond fraud, controls reduce errors. Accidental miscodings, missed restriction tags, and unreconciled accounts create audit findings even when no fraud is involved. Good controls catch these errors before they become audit issues.

The five core controls

Segregation of duties. The person who approves a payment should not be the same person who processes it, and neither should be the same person who reconciles the bank account. This applies to check-writing, electronic payments, and petty cash.

Dual authorization. Any payment above your board-defined threshold requires two approvals. Define the threshold in writing. $2,500 is a common threshold for mid-size nonprofits; smaller organizations may set it lower.

Independent bank reconciliation. The monthly reconciliation must be performed by someone without transaction-processing authority, and reviewed and signed by a supervisor or board officer.

Restricted fund access. Accounting software should enforce role-based access — program staff can view their grant fund but cannot process transactions in other funds or the operating account.

Board financial review. The board or finance committee reviews monthly financial statements and approves any payments to executives. Annual review of the audit management letter is required.

Handling limited staff situations

A small organization with two finance staff cannot achieve full segregation across all duties. The compensating controls available to it are:

  • Assign bank reconciliation to a board treasurer or volunteer accountant
  • Require board approval for all disbursements above $500
  • Have the executive director review all transactions entered by the bookkeeper before month-end close
  • Use software with immutable audit trails — if a transaction is changed after posting, the system records who changed it, when, and what the original value was
  • Conduct quarterly surprise reviews of a sample of transactions

Document these compensating controls in written policies. Auditors evaluate compensating controls explicitly. A well-documented compensating control is better than an undocumented gap.

What auditors look for

Auditors test controls in two steps: design effectiveness (does the policy say the right things?) and operating effectiveness (is the control actually being performed?). A policy that exists on paper but is not executed results in a finding.

Evidence of execution includes signed bank reconciliations, dual-signature records on checks, board meeting minutes reflecting financial statement review, and software audit logs showing access restrictions were active.

How fund accounting software supports controls

Fund accounting software built for nonprofits includes role-based access controls that enforce fund restrictions structurally. Audit trails capture every transaction entry and modification. Period-end close prevents backdating transactions without explicit override authorization. These software controls directly address the most common control weaknesses auditors find in small nonprofit accounting environments.

DEFINITION

Segregation of duties
The internal control principle that distributes the steps of a financial transaction — authorization, recording, custody of assets, and reconciliation — among different individuals. Prevents a single person from both committing and concealing fraud. When limited staff makes full segregation impossible, compensating controls (board oversight, independent review, software audit trails) are required.

Dual authorization
A disbursement control requiring two independent approvals before a payment is made. For checks, this means two signatures. For electronic payments, two approvals in the payment system. The threshold above which dual authorization is required should be defined in written policy and approved by the board.

Bank reconciliation
The monthly process of comparing the organization's general ledger cash balance to the bank statement balance, identifying and explaining all differences. The reconciliation must be performed by someone other than the person who processes payments, and the completed reconciliation should be reviewed and signed by a supervisor or board officer.

Material weakness
An auditor-identified deficiency in internal controls that creates a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected. A material weakness finding in an audit report is serious — it can jeopardize grant renewals, trigger grantor investigations, and increase the next year's audit fee. Repeated material weakness findings can trigger regulatory attention.

Q&A

What internal controls should a nonprofit have?

At minimum: segregation of duties between transaction processing and approval, dual authorization for payments above a defined threshold, monthly bank reconciliations performed by someone other than the transaction processor, restricted fund access limiting each staff member to the funds relevant to their role, monthly financial statement review by the executive director, and quarterly or monthly board review of financial statements. Organizations subject to single audit requirements (federal expenditures over $750,000) must also comply with 2 CFR Part 200 internal control requirements.

How do small nonprofits implement segregation of duties with limited staff?

Full segregation across four duties (authorization, recording, custody, reconciliation) requires at minimum three people. Many small nonprofits cannot achieve this. The compensating controls available to small organizations include: a board member or treasurer performing the bank reconciliation, requiring board approval for all disbursements above a low threshold, having the executive director review all transactions entered by the bookkeeper, using software with audit trails that capture every change, and conducting periodic surprise reviews of petty cash or transaction batches. Document the compensating controls explicitly in your policies.

What internal controls do auditors look for at nonprofits?

Auditors evaluate the design and operating effectiveness of controls in five areas: authorization of transactions (is approval required and documented?), recording of transactions (are transactions recorded completely, accurately, and timely?), safeguarding of assets (are physical assets and financial accounts protected from unauthorized access?), segregation of duties (are incompatible functions separated?), and independent reconciliation (are balances verified by someone without transaction processing authority?). They also look for a written fraud risk assessment and evidence that management reviews financial information and investigates anomalies.

What are the most important internal controls for a nonprofit?

If you must prioritize, these three have the highest impact: independent bank reconciliation (catches both errors and fraud), dual authorization for disbursements (prevents unauthorized payments, which is the most common nonprofit fraud vector), and restricted fund access in your accounting software (prevents accidental or intentional misuse of restricted grants). Document all three in written policies approved by the board.

Can a nonprofit pass an audit without formal internal controls?

An audit can be completed without formal internal controls, but the auditor will issue findings for each control deficiency. Significant deficiencies and material weaknesses in the audit report have consequences: grant renewals may be conditioned on remediation, some grantors require a clean audit before renewing funding, and state charity regulators review audit findings. More practically, the absence of controls creates the conditions for undetected fraud — the Association of Certified Fraud Examiners reports that nonprofits are disproportionately affected by occupational fraud relative to their assets.

How do internal controls differ for nonprofits vs for-profit organizations?

The core principles are the same, but nonprofits face two additional requirements: restricted fund management (controls must ensure restricted grants are spent only on authorized purposes) and board fiduciary responsibility (the volunteer board is legally responsible for the organization's assets, which places controls on board members themselves — board members cannot approve payments to themselves without a conflict of interest procedure). Nonprofits also commonly have volunteer financial involvement, which creates training and access control challenges that for-profit organizations do not face.
