The Blog

Financial thoughts to keep you focused on money matters

Internal Controls For Small Nonprofits: Internal Review

best practices board finances foundation fraud reporting Sep 14, 2023

     As a nonprofit organization, I want you to be committed to protecting and stewarding all your resources. But, I know that many of you are scratching your heads, wondering how to do that when you only have one staff person. Well, today I want to share the next installment in my  series of five elements that will help you protect your nonprofit when you have a small staff. Today we will focus on implementing internal reviews. 

What’s the Difference Between Internal Review and a Nonprofit Audit?

     Internal reviews are designed to evaluate the effectiveness of your organization's policies and procedures, internal controls, and risk management systems. You may have designed a really nice set of processes, but how do you know  that those processes are still being honored? The solution lies in an internal review. Note that I didn't call it an “audit” because sometimes that term can be confusing.  In the nonprofit world, the term “audit” generally refers to the independent opinion given by a third party CPA firm evaluating the organization’s financials. For the purposes of this article, we’ll be discussing “internal review” rather than “audit”. 

     At this point, you’re probably wondering who should conduct an internal review, especially if you have a tiny staff.  Who should actually be the internal reviewer? Well, it just needs to be someone different than the person doing the task. In my first article in this series, I shared about how to separate duties, even in small nonprofits. (You can read that article here)  Sometimes this separation of duties can utilize additional person to do a review. The reviewer could be anyone from a completely independent third person to a a friend of your nonprofit with a financial background. It could also be a small business owner who knows how to look for these things. You’re looking for someone who's different than the person who regularly does the financial tasks. Keep in mind, this might just be a service opportunity for someone completely different from those already involved.

5 Elements of Nonprofit Internal Review

1. Review Financial Documentation

     The first step in the review process is to review the financial documentation. Not every single document, but a random selection of financial documents, such as the payments that went out and the receipts of money that came in. They should check to ensure these records are  well documented, that necessary for the mission, and supported by the proper approvals or reconciliations. (Read more about bank verifications  in last week’s post) 

2. Compliance Review

      The independent reviewer should also be looking at compliance review. There are many regulations, filings, and payments that need to be made by a nonprofit to protect their status. Your reviewer should be doing an internal review of the status of each of these items:

  •  Payroll taxes 
  •  941
  •  W-2
  •  990
  •  1099
  •  State filings (like franchise fees or charitable solicitations) 
  •  Cost reports or other grant-associated reporting

3. Review Revenue Reconciliations

     The third step in the process is to review revenue reconciliations. Each situation varies greatly depending on the the nonprofit’s primary revenue source. I’ll generalize two examples here:

Donation-Driven Nonprofits

 If your nonprofit is driven primarily by donations, you have a potentially separate donation software where donor records of gifts are kept. You’ll want to make sure that that system is agreeing to your financial reports, so there should be a reconciliation done between the twIn addition, I would highly recommend that you continue mailing donor statements regularly. This serves as a verification tool to those donors, ensuring them that the gifts they sent were actually received. For this step,, any questions that arise about these records  should be directed to someone independent of the person recording them in order to detect anything that might be missing. So you might direct these questions to the Executive Director or to the treasurer.

Fee-Based Nonprofits

 If you're another type of revenue example, you might be a fee-based nonprofit. You might have services that you provide or clients that you serve, and that directly ties to a revenue that's created. Well, in this case, you’d want to take program reports that show the number of clients you serve, and then multiply by the amount you are reimbursed by a grant or that client pays a certain fee. This gives you a projection of what the revenue should be, and then you investigate the difference. That's a key step that a reviewer can do. And these don't all have to be done by the same person. You can divide these tasks up and give them to different people. 

4. Review Financial Systems

     Next, you’ll want to have somebody review the financial systems to make sure they’re still working. Every two to three years, you need a reviewer to  check and see if the things that are written in your financial policy and procedure document or financial handbook are actually in place currently. They're testing them to see if they are they really happening. Are they really working? They might also be identifying weaknesses or new threats that need to be mitigated. This will help ensure that your prescribed financial processes are being maintained even after changes and staff transitions. changes 

5. Overall Review

     Lastly, you need an overall review that is really about helping to create fraud detection in your organization. This is such a significant issue in nonprofits primarily because they often have such a small staff. This can create situations where everything is handed over to one person and that one person then has ample opportunity to commit fraud, even though that may have not been the kind of person they even intended to be when they started out. But, their motivations and their rationale may just get them caught. So in your organization, look for transactions that are missing documentation or that were not properly authorized or seem to be repeated or duplicated. Are there any new vendors that you don't know that the organization has been doing business with? Tracking and tracing things like that can be an awesome part of an internal review.

     You can protect your nonprofit from fraud and the misuse of finances. It's really critical, and I know it's challenging when you're a small nonprofit, but I hope today's lesson really did remove some of the mystery and give you some real actionable steps. This is part two of a five part series. Come back for the next week for more actionable steps to help protect your small nonprofit. If you're looking to assess the risk of fraud in your nonprofit, check out my free Fraud Risk Assessment with 12 key questions you can be asking yourself to see how your nonprofit measures up and help you find some of those risks in your own organization.

Sign Up to Receive Financial Tips in Your In Box

We hate SPAM. We will never sell your information, for any reason.