5 internal controls for very small non profits

Guest blogger Kelly Wessel is all about the importance of internal controls in preventing fraud for small businesses and nonprofits. But some very small nonprofits think they can't create the separation of duties normally required. Not so. Here's a scaled back way for small nonprofits to add layers of controls. 

By Kelly Wessel
Fraud Investigator and Forensic Accountant

Nonprofit businesses are famous for operating on a shoestring, often without the resources or knowledge or staff to establish strong accounting policies and procedures. Those conditions can often lead to employee fraud or volunteer embezzlement. But no matter how small your nonprofit is, there are procedures that can be implemented to mitigate the impact of internal fraud.

A small staff, whether paid or volunteer, makes it imperative for the executive director and board members to be consistently involved in hands-on review, and possibly, execution, of the day-to-day transactions.

Here are five steps that even the smallest nonprofit can implement.


Establish written guidelines outlining how daily operations will be conducted every day without exception. This would include policies for board oversight, which should be constant and intentional. Lacking enough staff for a separation of duties, it is critical that policies be adhered to without exception. The board should adopt a zero tolerance approach to any policy and procedural violations and certainly for any illegal or unethical activity. Volunteers and employees need to be aware of that commitment.


Access control is very important. File cabinets, supply closets, drawers or safes where cash, blank check stock and any personal information about employees, volunteers or donors, such as personnel files, must be kept locked and access limited. Do not make extra keys or give the safe combination to anyone. Don’t write it down and put it in the desk drawer of an unlocked office. Where possible, get keys that are cannot be duplicated. Maintain an access list of what keys are made and who has them. If you give a volunteer a key so they can come in to help with a project, get the key back when the project has ended. This can become a very big issue in the event of a theft or unauthorized access is suspected.


Although it may be possible to completely eliminate checks and cash from your donors, make every effort to move people to secure online donation. Although there have been many hacks of retailers and third parties that has exposed credit card information, the merchant payment backbone has never been hacked. Get a merchant card account with a terminal in the office or even a mobile swipe terminal that plugs into your smartphone. Add a secure gateway on the donation page of your website that is just a pass through to the Merchant account. This ensures the credit card is encrypted and the donor’s information protected. Do not attempt to take credit cards on your own by writing the numbers down into a spreadsheet or maintaining that credit card in any offline methods.  Encourage donors to use their credit cards to donate. The fees paid for these accounts are well worth the security they provide. And in some cases, payment processors offer an option to have the donor pay the fees as well. You’d be surprised how often a donor will pick up the tab for that security.

No one person should receive, record and deposit donations. The bookkeeper should record the donations only and not have access to the checks. In a small office, the director should review each deposit, compare it to the recorded income and the list of donors. Deposits should be made daily. 


Blank check stock should be locked up with access limited only to the authorized check-signer and preferably, the bookkeeper.  Check numbers should be spot-checked and reconciled whenever new checks are retrieved for processing.  The bookkeeper should never have check-signing authority. 


In a very small shop, the bank statement should be mailed to and reviewed carefully by a board member, with extra attention to cancelled check copies.  In a perfect world, the board member would reconcile the bank statement. If that’s not possible, the reconciliation should be reviewed by a board member who cannot access or sign checks.

Internal fraud most often occurs when an employee or volunteer reaches the crossroads where opportunity meets need and justification. You cannot control the circumstances that push a normally trusted person to consider theft, or the internal tug and pull that eventually convinces them that it is OK to steal from you. But you can control the opportunity. No matter how small, you can establish some controls to help protect the organization from the loss and the employee from the inevitable results of defrauding and embezzling.

Kelly Wessel is the president of Wessel Accounting. In partnership with Portfolio, they offer a fraud and cybersecurity assessment and management service called BizSafe. Small businesses and nonprofits are at great risk, but they aren’t helpless. Contact us for information on keeping your BizSafe.