An internal control policy is a system of clear rules, procedures, and actions that help safeguard your nonprofit organization and prevent fraud. Whether you’re managing a large organization or a very small one, it’s important to have a written manual that describes your internal control policies.

A well-written internal control policy manual will help clarify each individual’s role, responsibilities, and authority over financial transactions. Especially during times of transition, such as staffing changes or organizational growth, this policy will help guide your team and spell out specific authority levels and restrictions.

Be sure that all of your staff have easy access to your internal control manual, and keep this policy updated whenever new roles or positions are created.

An example of a simple internal control policy is shown below. You can customize this with more detail regarding roles/positions, accounts, payment methods, and data storage. For example, if you use a third-party bill payment system, discuss who has access to that system and what permissions they may have. You may also want to include other topics, such as gift acceptance policies, asset protection, payroll, or other policies that might apply to your specific organization.

Sample Internal Control Policy

Segregation of Duties

No single person should have control over all parts of a transaction. Segregating these duties helps to reduce the organization’s risk of fraud and prevent errors or mistakes.

• The person who requests an expense should not approve that expense.

• The person who approves an expense should not maintain the accounting records.

• The person who receives payments or opens the mail should not make bank deposits or maintain the accounting records.

Reconciliations

The organization’s financial accounts should be reconciled on a regular basis to ensure that all transactions are properly approved, recorded, coded, and documented. Any errors or discrepancies should be researched and addressed in a timely manner.

• All bank accounts, credit card accounts, and other financial accounts should be reconciled on a monthly basis.

• The financial institution’s monthly statements should be compared to accounting records and all available supporting documentation, checking for mathematical accuracy and proper categorization of each transaction.

• Any accounting errors, discrepancies, or omissions should be immediately researched, resolved, and documented.

Authorizations and Approvals

Proper authorization and approval must be obtained before a transaction is processed.

• Transactions may be authorized by signature or electronic approval. In the case of electronic approvals, the approver’s password should never be shared with another person.

• The approver is responsible for reviewing all supporting documentation and ensuring that the transaction is appropriate, accurate and compliant with all of the organization’s policies, rules, and regulations.

Supporting Documentation

Documentation should be provided to provide clear evidence or support of each transaction.

• All expenses should include an itemized invoice, purchase order, and/or receipt showing the payee name and remittance information, the amount of the expense, and the purpose of the expense.

• All revenues and donations should include a sales receipt or transaction report showing the date of the transaction, the method and amount of payment, and the purpose of the payment, including any donor restrictions.

• Supporting documentation should be saved to a physical and/or electronic location (such as an on-site file room or cloud-based document storage system) and retained for a predetermined period of time.