The minimum control set.
- Segregation of duties — whoever writes the check shouldn’t be the only one reconciling the bank.
- Approval thresholds — clear rules for who approves what dollar amounts.
- Bank statement review by someone outside the bookkeeping role.
- Credit card and reimbursement policy with documentation requirements.
- Conflict of interest policy — reviewed annually.
- Document retention and password security.
When you can’t segregate duties.
In a two-person finance function, full segregation isn’t possible. The fix is board-level oversight: a treasurer who reviews monthly bank statements, an audit committee that asks the right questions, and external review of unusual transactions.
Why controls matter more in nonprofits.
Internal controls in a nonprofit aren’t about Sarbanes-Oxley or shareholder protection. They’re about fiduciary duty to donors, beneficiaries, and the public. A control failure in a small nonprofit can mean a closed organization, a destroyed reputation, or in the worst case, an Attorney General investigation. The risk is concrete; the controls are not optional.
The minimum controls every nonprofit needs.
- Segregation of duties. No single person initiates, approves, and records a transaction. In small nonprofits where staffing is tight, the board treasurer or another board member sometimes provides the third pair of eyes.
- Bank reconciliations done independently of the bookkeeper. Monthly, reviewed by someone other than the person making entries.
- Dual signatures or dual approval for checks above a threshold. $1,000, $5,000, $10,000 depending on size — written into policy.
- Expense policies in writing. Who can incur what kind of expense, with what approval, supported by what documentation.
- Credit card controls. Statements reconciled monthly, receipts attached, transactions reviewed by someone other than the cardholder.
- Restricted fund tracking. Restricted gifts are accounted for separately and spent only on restricted purposes.
What auditors look for.
Annual audits review internal controls as part of the standard procedure. The most common findings in nonprofit audits are:
- Lack of segregation of duties (especially in organizations under $3M).
- Bank reconciliations performed by the same person who records transactions.
- Missing or weak documentation for expense reimbursements and credit card purchases.
- Inadequate restricted fund tracking.
- Board oversight that is procedural rather than substantive.
None of these findings are catastrophic individually. Combined, they suggest a control environment that needs investment.
Questions boards ask.
How do we know our controls are working? The audit will catch some things. An internal review — informal, but documented — once a year, of a sample of transactions, is the next layer. The treasurer or finance committee can do this with the controller or fractional CFO.
What if we’re too small for proper segregation of duties? Compensating controls. Board treasurer reviews monthly bank statements directly. Two-person approval on disbursements above a threshold. Outside CPA does the close. These work.
How often should we review our policies? Every two to three years, formally. Whenever the organization changes size, structure, or risk profile, informally.
