How to Establish Strong Internal Controls Despite Limited Resources

Kathleen O. Galaska, CPA, Director, Audit & Accounting

According to the Association of Certified Fraud Examiners’ 2020 Global Study on Occupational Fraud and Abuse, organizations lose approximately five percent of their revenue to fraud each year, with nine percent of fraud cases being reported by not-for-profit organizations. The top control weakness relates to a lack of internal controls. Not-for-profit organizations often struggle with developing the proper internal controls due to limited resources including people, time, and funds.

Segregation of duties is an essential element of an internal control system for all organizations. The basic principle of segregation of duties is that critical steps in a process are dispersed over multiple individuals or departments. By avoiding giving one individual all of the power, segregation of duties limits that person from having excessive control and misusing that control in a fraudulent manner.

The four main duties are:

  • Authorizing transactions
  • Recording transactions
  • Reconciling transactions
  • Custody of physical assets or records

Separating the duties of these tasks can be difficult with limited resources. It’s crucial that controls go outside of the accounting department and include the leadership team and board of directors as needed. This may include certain tasks such as sending unopened bank statements directly to the board treasurer or having the executive director review important reconciliations.

An easy control to implement is requiring double signatures for checks over a certain amount or assigning separate individuals for initiating and approving electronic payments. Organizations may also consider whether it is more effective to outsource certain accounting functions. Surprise spot checks and required vacation policies will also help hold employees accountable to policies and procedures.

Maintaining written policies and procedures helps establish best practices and defines roles and responsibilities. This will allow for easier transitions during mandatory vacation times or periods of employee turnover. Writing out policies will also highlight areas of weaknesses or point out where oversight may be needed from leaders.

Mitigating controls, including this oversight, should also be put in place. When the treasurer examines budget vs. actual results, reviews external audit reports at board meetings, and inspects internal financial statements, it demonstrates the monitoring process which may reduce the risk of fraud. Monitoring may also take place by using automated controls including bank alerts for activity over a certain dollar amount or electronic payment notifications.

IT controls also assist in preventing issues. The first area to focus on is user access rights: individuals should have access only to the areas needed for their particular role. Administrative rights should be used sparingly. User access should be reviewed on a periodic basis so that rights to areas not needed are removed or changed to read-only. Password protection should be enforced, including password length, complexity requirements, and periodic password expiration.

Finally, no preventative internal controls are completely foolproof, so it’s important to implement detective controls. These are intended to catch problems after they have occurred. The 2020 study noted above reported that 43 percent of fraud is detected by a tip, with a typical fraud case lasting 14 months before detection. An organization will experience a larger financial loss the longer that fraud remains undetected. Creating a positive and transparent work environment and implementing a whistleblower line and/or email within your organization can allow for the reporting of questionable behavior. A fraud hotline can lower losses and detect the fraud more quickly. Organizations should also invest in training employees in fraud awareness so team members can recognize fraud quickly.

Not-for-profit organizations should strive to develop the right combination of controls, including preventative and detective controls, to set up a strong internal control system. While some of these controls will necessitate the use of the organization’s limited resources, the benefits will far outweigh the costs.

Contact Katie Galaska, Director, Audit & Accounting, for more information about this topic.


Information contained in this alert should not be construed as the rendering of specific accounting, tax, or other advice. Material may become outdated and anyone using this should research and update to ensure accuracy. In no event will the publisher be liable for any damages, direct, indirect, or consequential, claimed to result from use of the material contained in this alert. Readers are encouraged to consult with their advisors before making any decisions.
