4 Important Types of Internal Controls Policy to Protect Your Nonprofit’s Finances (+ Free Sample)
Organizations can implement a series of internal controls to beef up the security around important information and various financial assets. While no one can ensure their funds are completely protected, understanding the available options for safeguarding your data, and adding them to your nonprofit treasurer checklist, is a great first step.
We provide you with 4 important types of internal controls which can make all the difference when protecting your finances, and we even scoured the internet for the best nonprofit internal policy out there to help you put everything together for maximum effect!
Here’s what we’ll cover today:
- What Is an Internal Controls Policy?
- #1: General Controls
- #2: Organizational Controls
- #3: IT Controls
- #4: Physical Controls
What Is an Internal Controls Policy?
An internal controls policy is a set of "checks and balances" which often exist as written statements, policies, reporting requirements, descriptions, and procedures. Internal controls and financial accountability for nonprofit boards are paramount, and the internal controls policy should have board approval. This documentation is designed to save time while reducing incidents of embezzlement, theft, fraud, misconduct, security breaches, loss of data, and other loss prevention concerns.
All organizations, whether a small nonprofit or a large corporation, require directors to have internal plans in place to provide protection for not only funding and accounts but also staff and volunteers.
Pro Tip: While all entities need controls, a small nonprofit often has unique needs. If your organization falls in this category, consider implementing five internal controls for small nonprofits.
In addition, internal controls policies dictate who is authorized to perform certain duties (e.g., the treasurer, controller, bookkeeper, accountant, or executive director) and who is allowed to access accounts or sensitive data, in order to reduce risk exposure and limit misappropriation of organizational funds.
It is particularly important to institute internal financial controls in accounting, as this department is deeply involved with cash handling and accounts, often dealing with large sums of money.
There are four major categories that we will consider when determining the best financial policies to safeguard your nonprofit or charity: general controls, organizational controls, IT controls, and physical controls.
Here is an example of what one looks like in the form of a free sample! The NC government website does a great job of providing guidelines for internal controls.
#1: General Controls
The basic controls consist of standard procedures for practically any situation which, while they may seem simple, can make a huge difference with security and transparency concerns.
- Frequent Auditing
Taking the extra time to go through the financial data and frequently reconcile it with bank statements can allow you to catch any potential errors or questionable activity early, which can limit the damage or resolve a situation before it becomes a problem. A review can also catch basic accounting errors early before they cause unplanned expenses and negatively impact net assets. Audit results should be provided to the executive director and the rest of the board as a part of the monthly nonprofit treasurer report (check out our nonprofit treasurer annual report template for additional details).
- Ad Hoc Reviews
In addition to planned audits, choosing a particular aspect of bookkeeping and accounting for an impromptu review and in-depth analysis can help discover additional discrepancies. These reviews may be a part of the treasurer checklist and may highlight the need for new financial policies or procedures to provide additional security measures or improve efficiency. Additional examples may help your team determine what is most appropriate for your procedures. If you find that is the case, check out our sample financial policy for nonprofit organizations.
- Background Checks
Any staff member who is in a position of authority, or who works with sensitive data or financial information, should have a background check performed before they are granted access to data. While this is not a foolproof procedure, it will allow you to clarify any points with your new hire while providing you some reassurance that you have brought on the right person for the job.
Pro Tip: For added security, consider whether you want to investigate bonding your nonprofit treasurer. In addition to passing a background check with flying colors, bonding provides additional reassurance that your entity will be reimbursed if something does go awry after the selection process.
- Two-Person Authentication
A simple preventative measure is to make sure that purchasing transactions, expenditures, and other monetary situations over a predetermined threshold have a witness or two to provide their signatures. Not only does this ensure transparency, but it also provides extra security by having another person who is in the know about transactions. This is also helpful when delivering cash to bank accounts or other locations. To make this process more efficient and not require two signatures for post-it notes, you may want to define a cap at which two signatures are required, perhaps for any purchases over $500.
#2: Organizational Controls
Give some consideration to these techniques, which involve managing how work duties are organized and how procedures are implemented. Segregation of duties ensures that one person does not have all authority, which helps to prevent an abuse of power. Also, and more commonly, having multiple people review work helps reduce errors, as mistakes tend to decrease as the number of eyes on a document increases.
- Segregate Duties
For example, a system of checks and balances can be in place over financial responsibilities, so that there are three separate people responsible for payroll, reimbursements, and check distribution. With different staff working at different steps in the process, a mistake is more likely to be noticed before it becomes an expensive error that can impact your budget. The team can collaborate to determine how the mistake was made and what process changes need to be made to prevent similar issues from occurring in the future.
- Delegate Authority
Assigning more than one person to a specific responsibility can also serve as a verification system, much like the two-person authentication mentioned in the previous section. A second person working on a task is likely to reduce risk and provide additional security for these high-integrity operations.
#3: IT Controls
Computer software is an important and integral part of many nonprofit organizations. Nonprofit treasurer software and various other programs contain all sorts of sensitive information such as bank account access, member databases, financial reports, transaction data, donor information, and more.
Controlling and monitoring the use of technology helps to prevent situations where people are enticed by opportunity. The fewer people who have access to important security information, the fewer opportunities people have for misappropriation.
- User Access
The simplest way to keep people away from private or sensitive information they should not view or interact with, such as finances, vendors, donors, and account information, is to limit access to this information to the people who really need it. Carefully monitor who has authority and clearance to access specific information. Your nonprofit policies and procedures manual should indicate how to handle turnover to ensure that all codes and users are up-to-date.
- System & Data Security
Protecting user authorization and access won’t lessen vulnerabilities from cyber-attacks. Although it is uncommon for hackers to target nonprofits, many nonprofits do have access to sensitive data, e.g., information, so it is better to be safe than sorry. Consequently, it’s important to have high-quality security systems installed to ensure that outsiders can’t find a way to break into your records or accounts. These security measures can also provide additional protection against internal threats, with monitoring and notifications of unusual activity that can prove an invaluable alert system.
Pro Tip: If you are using online software for nonprofit management (like Springly), discuss security systems with your software provider and find out what protocols are in place. At Springly we run weekly tests to verify that all of our clients' data is safe and have dedicated cyber security specialists on staff.
#4: Physical Controls
Physical controls are procedures in place within the environment itself to ensure low-risk situations. These options cut down on simple mistakes as well as wrong-doing and can be as simple as remembering to lock the door or safe in the office.
Here are some other options which can mitigate improper handling and access to funds and secure data.
- Cash Management
Where you store your money can play a significant role in loss prevention. If it is a very public area or is placed in a security container that is not particularly secure, these circumstances allow for additional opportunity and potential access to that money.
How much cash you keep on hand can also be a decisive factor. Make it a procedure to transfer money to a bank as soon as possible. This avoids human error like accidentally counting the money twice, adding a few dollars, and forgetting to record it. Ensure your organizational controls outline which trustworthy individuals are in charge of this.
- Document Management
Make sure to keep documents with sensitive information, like a deposit receipt, invoices, and payroll checks, in locations where they are protected. It is a common error to leave important documents out on desks or in places where they can be taken or read by those who have no business with that type of information.
The perils of private information on donors or clients have been well-documented with lawsuits and other responses to security breaches. Take steps to make sure these documents are stored in a safe and secure location.
- Document Destruction
The same rules apply to destroying physical documents when they are no longer necessary. Ensure that critical or private information is shredded or otherwise completely destroyed and disposed of where a general bystander cannot access it. Just like you would do with your personal credit card information!