Internal Controls and Fraud Prevention

📖 Reading· ~12 min

How internal controls protect your organization from fraud and error — and what the board's oversight role looks like in practice.

Key Takeaways

✓Separation of duties is the single most important control — no one person should control all steps of a transaction.
✓The fraud triangle: pressure + opportunity + rationalization. Boards can eliminate opportunity.
✓Most nonprofit fraud is committed by long-tenured, trusted employees — not outsiders.
✓The board ensures controls exist; it does not operate them. Meet with the auditor without management present.

Separation of duties: the single most important control

Separation of duties means that no single person controls all steps of a financial transaction. Ideally, the person who authorizes a payment is different from the person who writes the check, who is different again from the person who reconciles the bank statement. In small organizations where full separation is not possible, compensating controls — such as board review of bank statements — become essential.

Median Revenue Lost to Fraud

ACFE research: the typical organization loses approximately 5% of annual revenue to occupational fraud

$117K

Median Loss Per Case

Median fraud loss across all organizations — faith communities are not immune and are often targeted due to trust-based culture

18 Months

Median Time to Detection

Most fraud goes undetected for over a year without proper controls — early detection requires active board oversight

The fraud triangle

Common nonprofit fraud schemes

The most common schemes include check tampering (forging or altering checks), payroll fraud (ghost employees or inflated hours), expense reimbursement fraud (personal expenses submitted as business costs), and skimming (stealing cash before it is recorded). Red flags include reluctance to take vacations, living beyond one's apparent means, and an employee who insists on handling financial tasks alone.

The board's oversight role

Essential Internal Controls

Segregation of Duties

No single person should authorize, record, and reconcile the same transaction. Even in small offices, split cash handling from record-keeping.

Dual Signatures on Large Checks

Require two authorized signers on disbursements above a defined threshold (commonly $1,000–$5,000). Set the limit in your financial policies.

Independent Monthly Bank Reconciliation

Someone with no authority over cash receipts or disbursements reviews and reconciles bank statements every month.

Annual Independent Financial Review or Audit

At minimum, a review engagement by an outside CPA. Audits provide a higher level of assurance and are required by many grantors.

Board oversight actions — do these annually

Adopt a written fraud prevention policyDocument the organization's control expectations and consequence for violations.Adopt a whistleblower protection policyRequired for 501(c)(3) organizations under the Sarbanes-Oxley Act.Require management to report on control effectiveness annuallyThis should be a board meeting agenda item — not a staff memo.Meet with the external auditor without management presentAuditors are more candid without the ED in the room.Review bank statements or reports directlyDo not rely solely on management summaries — request originals.