Last updated: June 29, 2026
Internal controls are the written policies and routines a nonprofit uses to safeguard its money, keep its records accurate, and prevent misuse of funds. Money changes hands constantly in a nonprofit through donations, grants, purchases, payroll, and reimbursements, and weak controls put both the organization's reputation and its 501(c)(3) status at risk.
The good news is that strong internal controls do not require a large finance team or complicated systems. They require clear rules, consistent habits, and a second set of eyes where one person cannot handle every step alone.
Key Takeaways
- Internal controls combine preventive measures (stop problems before they happen) and detective measures (catch issues after the fact).
- The gold-standard framework is the five COSO components; even small nonprofits benefit from applying them.
- Segregation of duties is the cornerstone — when full separation isn't possible, add compensating controls like independent reviews.
- Real-world results matter: One K-12 school reduced lost receipts from roughly five per week to fewer than five over seven months and cut month-end reconciliation from hours to minutes by implementing per-person budget-capped cards and real-time visibility.
- Modern spend management tools make these controls practical at scale without adding red tape.
What internal controls are, and what they protect
Internal controls are the checks and balances on staff, board members, and outside vendors that reduce the risk of error, theft, and misappropriation. They fall into two broad categories that work together.
Preventive controls stop a problem before it happens, such as requiring written approval before a purchase is made.
Detective controls catch a problem after the fact, such as an independent review of the monthly bank statement.
Both types matter. A nonprofit with only preventive controls may miss ongoing issues, while one that relies only on detective controls often discovers problems too late to prevent damage.
Controls scale to the size of the organization. A two-person shop and a fifty-person organization need the same core principles applied at different levels of formality.
The goal is never perfection on paper. It is reliable protection that actually works when real people handle real money under real pressure.
For a broader view of how these controls fit into overall financial operations, see our guide on nonprofit expense management best practices.
Why internal controls matter for nonprofits
Donors and grantors expect their money to be stewarded well, and a clean control environment is how a nonprofit demonstrates that commitment in practice. The board carries a fiduciary duty to protect the organization's assets and mission, and internal controls are how that duty becomes daily reality rather than a statement in the bylaws.
Strong controls also make audits, grant reviews, and Form 990 preparation far less painful because the records are already organized and the transactions already documented.
Perhaps most importantly, good controls let leaders delegate spending with confidence. When the rules are clear and the visibility is real, staff and volunteers can act quickly without creating hidden risk. Controls are guardrails that protect the mission, not red tape that slows it down.

The five components of internal control
The recognized framework for internal control comes from the Committee of Sponsoring Organizations of the Treadway Commission, often called COSO. Nonprofits of every size benefit from applying these five components, even if they never use the formal name. Here is how each one shows up in practice.
- Control environment: the tone leadership sets, including a code of conduct, clear financial roles, and consistent ethical expectations from the top down.
- Risk assessment: the ongoing work of identifying where money could go missing, records could be misstated, or restricted funds could be spent on the wrong purpose.
- Control activities: the day-to-day actions such as approvals, reconciliations, segregation of duties, and physical safeguards over cash and checks.
- Information and communication: accurate, timely records that reach the board, staff, and external parties who need them in a usable format.
- Monitoring: regular review to confirm the controls are working as intended and to adjust them when roles change or the organization grows.
These components are not a one-time project. They form a cycle that repeats as the nonprofit evolves. For deeper reading on the official framework, visit the COSO website.
The core internal controls every nonprofit needs
Most of the controls below are either preventive or detective, and a healthy organization runs both. The strongest systems combine clear rules that stop problems before they start with independent checks that catch anything that slips through.
Segregation of duties
The cornerstone control is simple in principle: the person who authorizes a transaction, the person who records it, and the person who holds or has access to the asset should not be the same individual. In practice this means the person who opens the mail and logs incoming checks should not also make the bank deposit.
The person who prepares payroll should not also distribute or sign the checks. When these duties sit with one person, that individual can both create and conceal errors or misuse.
Small and mid-size nonprofits rarely split every duty cleanly across separate people. That reality leads directly to the next set of practices.

Compensating controls for small teams
When full segregation is not possible, add a second set of eyes through compensating controls that do not require extra headcount. A board member or treasurer reviews the monthly bank statement before the bookkeeper files it.
A second person, not the bookkeeper, receives the unopened statement from the bank. The board or finance committee runs an occasional surprise review of how cash and checks move through the office.
These steps add independent verification without adding staff. The key is that the reviewer must have enough knowledge to spot problems and enough independence to act on them.
Real-world example: A private Christian K-12 school with ~540 students and ~100 staff previously relied on just five shared cards across the entire campus (including a children's center). Staff often played "hide and seek" to locate a card, leading many teachers to front purchases personally and request reimbursements.
After implementing 60+ individual and loaner cards with per-person budgets and real-time visibility, the school reduced lost or chased receipts from roughly five per week to fewer than five across seven months of the school year. Month-end credit card reconciliation dropped from a lengthy manual process to just a few minutes of weekly checks.
Authorization and spending approval
Written approval rules and thresholds make expectations consistent. Define who can approve what and at what dollar amount the decision moves up a level.
Require expenses to be approved in advance and in writing whenever possible, with a receipt required above a modest threshold. Keep the rules simple enough that staff will actually follow them rather than work around them. Approval workflows that fit how your team already operates reduce both risk and friction.
Real control over who can spend
Many nonprofits get purchasing controls wrong because they focus on the physical card rather than the authority behind it. A high-limit card kept in a drawer and checked out by staff feels like control, but the person holding it can spend far beyond what they were authorized to spend.
Real control ties a right-sized budget to each person who spends so the amount they can spend matches the amount they were approved to spend. A detective layer strengthens it further: real-time visibility means finance sees a charge the moment it posts, not weeks later when the statement arrives.
One school finance office put this into practice by giving administrators a self-loading limit they could manage within their own budgets, with anything above a set threshold routing automatically for higher approval. Classroom teachers received smaller fixed limits for day-to-day supplies.
Shared visibility across the team let finance spot and resolve questions quickly. The result was fewer lost receipts, faster month-end work, and spending that stayed aligned with approved budgets. Explore spend management tools designed for these exact controls.
Bank and account reconciliation
Monthly reconciliation is a core detective control. Someone independent of the person who records transactions should review the reconciliation for completeness and accuracy.
The most common failure is the bookkeeper reconciling their own work with no second review. Connecting cards and bank activity directly to the accounting system shortens the close and reduces manual entry errors that create their own control problems.
Sync with your accounting software turns reconciliation from a monthly scramble into a routine check.
Documentation and written policies
Writing controls down makes expectations clear and consistent across staff and volunteer turnover. Require receipts and vendor invoices with enough detail to show what was purchased and why.
Maintain a written reimbursement policy that treats the person being reimbursed as a vendor and tracks those payments separately from payroll. This separation keeps bank reconciliation clean and avoids unnecessary payroll-tax complications.
Keep receipts matched to every transaction so the audit trail stays intact.
Tracking restricted funds
Donor-restricted gifts can only be spent on their stated purpose. Controls must keep restricted money separate in both the records and the actual spending so it does not accidentally support general operations.
Without clear tracking, restricted dollars can be spent on the wrong things, creating both a compliance problem and a donor-trust problem. Tracking restricted funds protects both the money and the relationships that generated it. For more on this critical area, see our guide to tracking restricted funds in a church or nonprofit.
Board and finance committee oversight
The governance layer sits above day-to-day operations. The board or finance committee reviews financial statements on a regular schedule, approves the annual budget, and adopts the organization's control policies.
A conflict-of-interest policy signed annually by board members is a basic board-level control because board members have a fiduciary duty to act in the organization's interest rather than their own. The IRS asks about governance practices on Form 990, so good oversight also supports clean filings. Learn more about church and nonprofit spending controls.
A nonprofit internal controls checklist
Use this checklist as a starting point and adapt it to your organization's size and activities.
Cash and donations
- Two people handle incoming mail and check logging separately from deposits.
- Cash and checks are stored securely and deposited promptly.
- Every donation is recorded, and receipts go out for gifts of $250 or more.
Spending and purchasing
- Purchases are approved in advance against a written threshold.
- Each spender has a budget that matches what they are authorized to spend.
- Card statements are reconciled by someone who cannot spend on the card.
Reconciliation and records
- Bank and card accounts are reconciled monthly.
- An independent person reviews the reconciliation.
- Receipts and invoices are kept and matched to transactions.
Governance and policy
- The board or finance committee reviews financials on a set schedule.
- A conflict-of-interest policy is adopted and signed annually.
- Internal control policies are written down and updated when roles change.

Common internal control weaknesses
These gaps appear frequently and are straightforward to close once named.
One person controls authorizing, recording, and holding money. Segregate the duties you can and add independent review for the rest.
No one but the bookkeeper sees the bank statement. Route the unopened statement to a second person for review before it reaches the bookkeeper.
High-limit cards sit unused with no budget tied to the holder. Replace the shared high-limit card with right-sized budgets per person so actual spending authority matches approved limits.
Reimbursements run through payroll and muddy the books. Set up the person being reimbursed as a vendor and pay by ACH on a separate track from payroll.
There is no conflict-of-interest policy. Adopt a simple policy and have board members and key staff sign it annually.
Receipts go missing and no one follows up. Require photo capture at the point of purchase and use automated reminders or temporary card locks when documentation is late.
The board reviews financials once a year, if that. Move to a quarterly or monthly review schedule so problems surface while they are still small.
Who is responsible for internal controls in a nonprofit
Responsibility is shared across layers. The board sets policy and provides oversight through regular financial reviews and approval of major decisions.
Executive leadership designs the specific controls and enforces them in daily operations. Staff follow the procedures and document their work so the audit trail stays complete.
An outside auditor or accountant tests the controls independently and reports on any material weaknesses.
Controls fail when any one layer assumes another layer has it covered. The board cannot delegate oversight entirely to staff, and staff cannot assume the board will catch every issue. Clear communication across these layers keeps the system working even when people change roles.
Frequently asked questions
What are the internal controls of a nonprofit organization?
Internal controls are the written policies and routines that safeguard assets, keep records accurate, and prevent misuse. They include segregation of duties, spending approvals, reconciliations, documentation requirements, and board oversight.
These practices reduce the risk of error and misappropriation while making financial reporting more reliable.
What are the 5 main internal controls?
The five components are control environment, risk assessment, control activities, information and communication, and monitoring. The control environment sets the ethical tone and clear roles.
Risk assessment identifies where problems are likely to occur. Control activities are the daily actions such as approvals and reconciliations.
Information and communication ensure accurate records reach the right people on time. Monitoring confirms the controls continue to work and adjusts them when needed.
What is the 33% rule for nonprofits?
The 33% rule is the IRS public support test. A 501(c)(3) public charity generally must receive at least one-third of its total support from the general public or government sources over a rolling five-year period to maintain public charity status rather than being reclassified as a private foundation.
A 10% facts-and-circumstances test offers an alternative for organizations that fall slightly short. New nonprofits are not tested until their sixth year. Learn more from the IRS.
What is the 80/20 rule for nonprofits?
The 80/20 rule is a common benchmark used by watchdogs and some donors, not a legal requirement. It suggests that roughly 80% of spending should go to program activities and no more than 20% to overhead and administration.
The exact ratio varies by organization type, size, and stage of growth. A healthy nonprofit funds the overhead it needs to deliver its mission effectively rather than chasing an arbitrary percentage.
How often should a nonprofit review its internal controls?
Review internal controls at least once a year and again whenever a key finance role changes or the organization grows significantly. Role changes are the moment when informal workarounds and assumptions quietly stop working, so a fresh look prevents gaps from widening unnoticed.
Conclusion
The highest-risk areas are almost always who can access the money and who can authorize spending it. Segregate the duties you can, add a second set of eyes where you cannot, and write the rules down so they survive staff and volunteer turnover.
Real organizations see measurable improvements when these principles are put into daily practice. Nonprofits that pair strong foundational controls with modern spend management tools often find the process becomes lighter rather than heavier.
Preventive controls (clear approval thresholds and right-sized per-person budgets) and detective controls (real-time visibility, automated receipt capture, and independent reviews) work together seamlessly.
For example, the K-12 school referenced earlier staged its rollout deliberately. Starting with the operations department (maintenance, IT, and vehicles) helped iron out workflows.
Then the team expanded to administrators, and finally to teachers and coaches. They now use self-loading limits for admins (with escalation above $5,000) and labeled loaner cards tracked on a dashboard.
Amazon purchases sync automatically with line-item detail and receipts. This eliminates the old "Amazon, $X — go figure it out" reconciliation headache.
If your nonprofit wants spending limits, approvals, real-time visibility, and receipt automation built into the tools your team uses every day, explore how KleerCard supports these exact internal controls for nonprofits and schools.






















