December 2012

Internal Control Considerations for Not-for-Profits

Understanding basic concepts of internal control is nearly universal, but implementing an effective internal control structure is a challenge that Walker & Armstrong can help you address.

Jay Parke, CPA

Through our experience in serving a variety of not-for-profit clients, we have become particularly alert to common internal control breakdowns that can lead to a heightened risk of material misstatement of the financial statements and, in a few isolated cases, fraud. This in turn can result in a loss of credibility among stakeholders, e.g., donors, grantor agencies, creditors, rating agencies and the general public.

Often, the importance of strong internal controls becomes more apparent after an incident occurs, such as:

  • a restatement of the financial statements;

  • an instance of fraud;

  • noncompliance with laws, regulations or the terms of grants and contracts; or

  • the delayed issuance of audited financial statements.

On the positive side, adequate internal controls can improve operating efficiency and effectiveness, increase employee morale, and improve a not-for-profit's financial position.

Not-for-profits are often challenged in determining the correct balance of costs versus benefits involved in establishing and maintaining internal controls. Devoting excessive resources can be counterproductive and may have the opposite effects of those desired. The appropriate balance depends on many factors unique to each not-for-profit and requires careful evaluation of available resources and risks.

A starting point is an understanding of the various components of internal control that affect your organization. It is important to understand these components in theory and then consider the practical applications.

Following is an overview of five areas comprising the internal control structure:

  • Control Environment

  • Information and Communication

  • Risk Assessment

  • Monitoring

  • Control Activities

The first four components are often referred to as “entity-level controls” because they have a pervasive effect on the accomplishment of management's control objectives. In contrast, the fifth component encompasses policies and procedures and specific activities established to help ensure that management directives are carried out. These controls are necessary to counter the effect of poorly designed or non-operational entity-level controls.

Control Environment

A positive control environment provides the foundation upon which all other aspects of internal control rest. The organization-wide tone is set by management, with the oversight of governance, and is disseminated throughout the organization by adherence to ethical practices, monitoring and, when unethical behavior occurs, appropriate disciplinary action. In addition, training and retaining competent individuals and providing relevant and timely feedback regarding job performance are critical to good management of a not-for-profit entity.

How an organization evaluates and accepts risk is also an indicator of a well-functioning control environment. The inability to focus on critical risk areas can result in threats to the security of the entire organization. Also, intentionally assuming unnecessary risks can result in a heightened potential for lost resources. For example, devoting a large amount of resources to capital projects that are not essential to providing services may result in excessive debt and wasteful use of liquid assets.

Information and Communication

Inter- and intradepartmental communication is another key control that, if neglected, can undermine the integrity of a not-for-profit entity. Decision makers in not-for-profit organizations may not fully anticipate the financial ramifications of their decisions, including contractual arrangements and their impact on financial reporting. As a result, transactions that could have a material effect on financial statements may not be recorded in a timely manner because there may be inadequate communication regarding a resolution or agreement. For example, a board may approve an agreement of which the finance department may not be immediately made aware, causing key transactions to be left unrecorded.

In addition, if programs and departments do not receive accurate financial information in a timely manner, their ability to make sound decisions is adversely affected. In situations where accounting records are not current, programs and departments may use separate recordkeeping systems, which leads to inefficiencies and greater potential for errors in accounting and reporting.

Risk Assessment

In the current economic and regulatory environment, the ability to evaluate and respond to risks is more relevant than ever. Handicapped by increasingly scarce financial and human resources, not-for-profit entities must make decisions on how to best allocate those resources to ensure that essential aspects of its mission are carried out. The concepts embodied in the “enterprise risk management” (ERM) framework developed by the Treadway Commission’s Committee of Sponsoring Organizations are vital to assessing and responding to risks.

There are different levels in which ERM can be implemented (i.e., full versus partial); however, the overall approach generally follows this sequence:

  1. Focus on a small number of top priorities.

  2. Leverage your existing resources.

  3. Build on existing risk management activities.

While it is important to acknowledge the importance of ERM, it is also important to prevent ERM implementation from taking on a life of its own and hindering the accomplishment of key objectives.


Monitoring is how management evaluates the functional sufficiency of an internal control system. The nature and extent of monitoring vary with the organization’s size and complexity and its available monitoring resources. Unfortunately, the monitoring process is often a weak area within not-for-profit organizations, particularly when responsibility is not assigned to a specific individual or group.

While larger not-for-profits may have an internal audit department, that option is not economically feasible for all not-for-profit entities. However, fiscal restraints should not hinder an organization from developing a monitoring process that includes identification and monitoring of key risk areas. For example, having a process to identify restrictions on contributions is essential to maintaining accountability to donors.

In addition, providing timely and sufficient responses to donors, funding agencies and lenders is essential to maintaining compliance and credibility necessary to ensure future funding opportunities.

Control Activities

Not-for-profit entities often devote substantial resources to design and implementation of control activities, such as:

  • the review of financial results (e.g., budget versus actual);

  • policies and procedures;

  • segregation of duties;

  • physical custody and control over assets;

  • proper initiation and execution of transactions;

  • accurate and timely recording of transactions; and

  • appropriate access restrictions.

Segregation of duties is a key control activity often affected by the current economic environment. As the level of human resources in not-for-profit organizations declines, there is a heightened risk that individuals who are part of a key process have too much access and control over the initiation and recording of transactions. This in turn results in an increased risk of errors and misappropriation.

Also, a critical element to a successful control environment is well defined and current documentation of control processes and procedures that outline responsibilities and authorizations of control functions. As tasks, functions and controls change, a strong control environment requires written documentation, continual monitoring and timely updating of processes and procedures. In addition, best practices include personnel training and timely communication of control changes.

Control activities are an integral part of a well functioning internal control structure. However, in a not-for-profit organization's environment, control activities often take such precedence that sufficient resources are not dedicated to the four other internal control components.


The development and maintenance of strong internal controls is not only a best practice; it is a prerequisite for demonstrating accountability, maintaining efficiency and complying with laws and regulations and the terms of grants and contracts and donor requirements.

The key steps are:

  • obtaining an understanding of key control components,

  • evaluating risks and available resources,

  • implementation, and

  • monitoring.

Design and implementation require coordination and good communication among all functional areas of the organization.

There are many resources available to not-for-profits to assist in developing and implementing a strong internal control structure. Resources include publications issued by the Treadway Commission’s Committee of Sponsoring Organizations and the American Institute of Certified Public Accountants (AICPA). Locally, experienced public accounting firms such as Walker & Armstrong serve as convenient and reliable sources of information and guidance.