
Nonprofit Internal Controls: A Framework for Financial Integrity


Internal controls are the policies, procedures, and system features that protect a nonprofit's financial assets, ensure accurate reporting, and prevent fraud. They are not optional governance niceties. They are essential safeguards that your external auditor evaluates every year, that your board is responsible for overseeing, and that donors and funders increasingly expect before making significant commitments.

The problem for most small and mid-size nonprofits is not that they do not believe in internal controls. It is that they cannot implement them in their current environment. Spreadsheets have no built-in controls. Anyone with file access can change any number at any time. There is no approval workflow, no access restriction, no audit trail. Policy can say one thing; the system makes enforcing it nearly impossible.

This guide explains the COSO internal control framework — the most widely used standard in nonprofit financial management — and what each component looks like in practice at organizations without large finance teams.


The COSO Framework: Five Components

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published an internal control framework in 1992 that has been updated twice and remains the dominant standard for evaluating organizational internal controls. Your external auditor uses some version of this framework when assessing your control environment.

The five components are: control environment, risk assessment, control activities, information and communication, and monitoring activities. Each has practical implications for how your nonprofit operates day to day.


Component 1: Control Environment

The control environment is the foundation. It represents the organization's commitment to integrity, ethical values, and competent management of financial resources. Auditors assess whether the organization's culture, governance, and leadership create conditions in which controls can operate effectively.

What this looks like in practice:

  • A board that actively reviews financial statements and asks questions, rather than rubber-stamping reports
  • A written code of ethics or conduct that applies to staff and board
  • An Executive Director who sets clear expectations about financial accuracy and does not pressure Finance staff to misrepresent results
  • Clearly documented financial policies (expense reimbursement, check signing authority, credit card use, gift acceptance)
  • A Finance Committee or Audit Committee that meets regularly and independently of management

The spreadsheet problem: Control environment policies can be written regardless of what system you use. But when the system has no access controls, no audit trail, and no enforcement mechanisms, policy is aspirational. The control environment cannot compensate indefinitely for a system that enables anyone to override any control with a keypress.


Component 2: Risk Assessment

Risk assessment is the process of identifying and evaluating financial risks to the organization. It is not a one-time event but an ongoing process that should be part of budget planning, strategic planning, and board meetings.

What this looks like in practice:

  • Annual identification of the top financial risks facing the organization: concentration of revenue in one funder, compliance risk from new federal grants, fraud risk from turnover in the Finance department
  • Assessment of which risks are most likely and most consequential
  • Documentation of how the organization plans to mitigate or manage each identified risk

Common risk categories for nonprofits:

  • Revenue concentration (more than 30% from a single source)
  • Restricted fund compliance risk (growing restricted fund portfolio with inadequate tracking)
  • Fraud risk (limited staff enabling one person to control full transaction cycles)
  • IT and data security risk (inadequate backups, shared passwords, legacy systems)
  • Compliance risk (approaching Single Audit threshold, new state operations requiring registration)

Risk assessment does not require a formal enterprise risk management system. It requires honest, documented conversation at the board and senior staff level about what could go wrong and how the organization is addressing it.


Component 3: Control Activities

Control activities are the specific policies and procedures that ensure management directives are carried out. This is where the rubber meets the road — the actual controls in daily operation.

Key control activities for nonprofits:

Segregation of duties. No single person should be able to initiate, approve, and record a financial transaction. Even with limited staff, compensating controls (board review of bank statements, dual authorization for payments above a threshold) can substitute for full segregation.

Authorization and approval controls. Payments above defined thresholds require specific authorization. Journal entries require review. Budget modifications require board or Finance Committee approval. These controls are policy-level, but they must be enforced by the system or through documented review processes.

Bank reconciliation. Monthly reconciliation of all bank accounts, performed by someone other than the person who signs checks. Reconciliations should be reviewed and signed off by the CFO, Controller, or Executive Director.

Physical controls. Restricted access to check stock, credit cards, and cash. Dual counts for cash receipts. Secured storage for financial records.

Period locks. Closed accounting periods cannot be modified without specific authorization. This prevents backdating of transactions and ensures that financial statements reflect only authorized activity.

IT controls. User access reviews, password policies, multi-factor authentication, system access revoked promptly when staff depart.


Component 4: Information and Communication

The information and communication component addresses whether financial information is captured, processed, and communicated accurately and in a timely way to the people who need it.

What this looks like in practice:

  • Financial statements distributed to board members at least 30 days before each board meeting, with enough time for review
  • Grant budget vs. actual reports distributed to program managers regularly enough to influence spending decisions
  • Clear communication channels for reporting suspected errors or fraud (part of the whistleblower policy)
  • Documentation of accounting policies so that any qualified staff member could perform core functions

The documentation problem: At many small nonprofits, financial processes live in one person's head. The Controller knows how restricted funds are tracked, how the functional expense allocation works, and where all the grant files are. This is a control failure waiting to surface. Financial procedures need to be documented well enough that a qualified replacement could perform the function within two weeks of being hired.


Component 5: Monitoring Activities

Monitoring is the ongoing evaluation of whether controls are operating effectively. Controls that were designed correctly can degrade over time — staff changes, system changes, and organizational growth all create opportunities for controls to slip.

Monitoring activities include:

  • External audit and auditor management letters, which identify control deficiencies that the organization should address
  • Internal review by the Finance Committee or Audit Committee of key reconciliations, bank statements, and transaction details
  • Self-assessment processes in which Finance staff periodically review compliance with documented policies
  • Whistleblower reports and how they are investigated and resolved

Acting on audit findings: Many organizations receive management letter comments year after year about the same control deficiencies. This represents a monitoring failure. Management letters are not just formalities — they are the auditor's documented assessment of where your controls are inadequate. Each finding should have an owner, a remediation plan, and a timeline.


How Software Either Enforces or Undermines Internal Controls

The COSO framework describes controls that should exist. Whether they actually operate depends heavily on the systems in use.

In a spreadsheet environment, controls are enforced by human behavior: someone must remember to get approval, someone must remember to reconcile, someone must remember not to change historical data. Memory and habit are not controls. They are assumptions that break under time pressure, staff turnover, and the daily demands of running a nonprofit.

Software either enforces controls by design or relies on users to comply. sherbertOS implements controls at the system level: role-based access prevents unauthorized actions rather than just prohibiting them by policy; period locks prevent modification of closed periods without administrator authorization; the audit trail captures every transaction and change automatically without requiring anyone to remember to document it; approval workflows enforce authorization requirements before transactions can be posted.

Controls enforced by the system are controls that operate every time, for every user, without exception. Controls enforced by policy operate as well as the people implementing them remember to comply.
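As an added illustration of the system-enforced controls described under Control Activities and in this section (example code written for this page, not sherbertOS or any product's actual implementation): a minimal Python ledger in which period locks, threshold-based dual authorization with segregation of duties, and the audit trail are enforced by the code path itself rather than by user compliance. The threshold value, role names and "YYYY-MM" period format are assumptions.

```python
from dataclasses import dataclass, field

DUAL_AUTH_THRESHOLD = 5_000  # assumed policy threshold in dollars (placeholder value)


class ControlViolation(Exception):
    """Raised when a posting would breach a system-enforced control."""


@dataclass
class Ledger:
    closed_periods: set = field(default_factory=set)   # periods such as "2024-03" (assumed format)
    entries: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)       # written by the system, never by the user

    def _record(self, action, **details):
        # Every attempt, accepted or rejected, lands in the audit trail automatically.
        self.audit_log.append({"action": action, **details})

    def close_period(self, period, admin):
        self.closed_periods.add(period)
        self._record("close_period", period=period, by=admin)

    def post(self, period, amount, initiator, approver=None, admin_override=None):
        # Period lock: a closed period rejects postings unless an administrator authorizes.
        if period in self.closed_periods and admin_override is None:
            self._record("rejected", reason="period_locked", period=period, by=initiator)
            raise ControlViolation(f"period {period} is closed")
        # Dual authorization above the threshold, with segregation of duties enforced.
        if amount > DUAL_AUTH_THRESHOLD:
            if approver is None:
                self._record("rejected", reason="no_approval", amount=amount, by=initiator)
                raise ControlViolation("approval required above threshold")
            if approver == initiator:
                self._record("rejected", reason="self_approval", amount=amount, by=initiator)
                raise ControlViolation("initiator may not approve own transaction")
        entry = {"period": period, "amount": amount, "initiator": initiator,
                 "approver": approver, "admin_override": admin_override}
        self.entries.append(entry)
        self._record("post", **entry)
        return entry


def attempt(ledger, **kwargs):
    """Post and return the entry, or the violation message if a control blocked it."""
    try:
        return ledger.post(**kwargs)
    except ControlViolation as exc:
        return str(exc)
```

Because rejected attempts are logged as well as accepted ones, the audit trail also gives the Finance Committee evidence of how often a control actually fired during the period under review.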

For the audit trail infrastructure that supports information and communication controls, see Why Audit Trails Matter for Nonprofit Financial Data. For access control implementation, see Role-Based Access Control for Nonprofit Financial Systems.


Frequently Asked Questions

What are the most important internal controls for a small nonprofit?

Segregation of duties (or compensating controls where full segregation is not possible), dual authorization for payments above a defined threshold, monthly bank reconciliation by someone other than the check signer, board review of financial statements, and prompt access revocation when staff depart. These five address the most common control failures at small organizations.

How do I know if my internal controls are adequate?

Your external auditor evaluates controls as part of the annual audit. Management letter comments identify deficiencies. If you receive the same comment more than once, your remediation plan is not working. You can also conduct internal control self-assessments using the COSO framework as a guide.

Can software replace internal controls?

Software can enforce controls — access restrictions, approval workflows, audit trails, period locks — in ways that policy alone cannot. But software cannot replace governance. You still need written policies, staff training, board oversight, and a culture that takes financial integrity seriously. Software is the enforcement mechanism; governance is the framework within which it operates.

What is the difference between a control deficiency and a material weakness?

A control deficiency exists when a control is missing or not operating as designed. A significant deficiency is a control deficiency serious enough to merit attention by governance. A material weakness is a deficiency so significant that there is a reasonable possibility of a material misstatement in the financial statements. Material weaknesses require immediate remediation.


The Bottom Line

Internal controls are not bureaucracy. They are the mechanism by which nonprofits protect the assets entrusted to them by donors, funders, and the public. Every control that is missing is an opening for error, fraud, or compliance failure.

The COSO framework is not a compliance checklist to be completed once. It is a management discipline — an ongoing process of identifying risks, designing controls, and monitoring whether those controls are working. Organizations that treat it as such have cleaner audits, stronger donor relationships, and fewer financial crises.
