Internal Control and Internal Audit Guidelines for Schools

Financial statements

  • Are monthly financial statements prepared on a timely basis and submitted to the school’s board?
  • Do the financial statements include all funds (unrestricted, temporarily restricted, and permanently restricted)?
  • Do the financial statements include a statement of financial position and statement of activities?
  • Do the financial statements provide sufficient explanatory notes to provide context for financial data?
  • Are account balances in the financial records reconciled with amounts presented in financial reports?

Guidelines for Handling Digital Contributions

Digital gift theft is as simple as redirecting the flow of the digital funds and covering up the missing funds. Gifts are flooding in through schools' websites and other portals, as givers use debit and credit cards, ACH (Automated Clearing House) debits to their bank accounts, electronic checks, charges to their cellular accounts, and even virtual currency, using a variety of devices, including their computers, tablets, and smart phones.

To understand how to prevent your school from being a victim of digital theft, you must first understand the basics of how electronic giving is set up. There are three basic elements in establishing digital giving:

  1. Giving platform. Typically, the school collects credit card information and, depending on how the platform is designed, bank account information through online giving. To ensure your giving platform is secure, look for SSL (Secure Sockets Layer) encryption, which establishes an encrypted link, allowing data to be transmitted securely between browsers and web servers (you’ll know if you see “https” in the web address instead of just “http”).
  2. Payment processor. The giving platform is in between the giver and the payment processor (also called the merchant account provider), which processes the gift and delivers it to the ministry’s financial institution. It is usually a third-party service using a system of computer processes to receive, verify, and accept or decline credit card transactions on behalf of the ministry through secure Internet connections.
  3. Giver management system. While some giving platforms have the option of processing giving records, most organizations host giving records on their own IT systems, which may or may not easily integrate with a giving platform.

Strong internal controls for digital giving include:

  • Build a strong, multi-person payment processor relationship. Digital giving involves interaction with at least one outside vendor—the payment processor. Who should have the initial and ongoing interaction with this and other vendors in the digital giving process?
    While one person must initially establish an account with each payment processor, multiple staff should verify the initial set-up, including a high-ranking ministry staffer.
  • Limit authorized changes to payment processor accounts. After initially establishing a payment processor relationship, changes to the account routing number should be limited to high-ranking ministry staff, none of whom participate in the reconciliation of digital funds or have access to the giver management system.
  • Set notifications to come any time changes are made to payment processor accounts. Each payment processor should be requested to immediately notify a high-ranking ministry leader of any change to the bank routing information.
  • Verify that the payment processor has internal controls in place. How do you evaluate the quality of the internal controls employed by your payment-processing vendors? Only by insisting it has an SSAE 16 Type 2 (also commonly referred to as a SOC 1 Type 2) report issued by an independent auditing firm covering its internal controls.
  • Require regular payment processor transaction reports. All monthly payment processor transaction reports should be received by a high-ranking school leader, in addition to a staff member more directly involved with the transactions. Use the reports to confirm the proper routing number was used.
  • Reconcile digital giving accounts regularly. A high-ranking school official should begin each examination of digital gifts with the following reconciliations:
    • Bank accounts to payment processor transaction reports. This reconciliation ensures that all digital gifts were deposited in the appropriate bank account.
    • Giving records to payment processor transaction reports. This reconciliation verifies that all digital gifts are recorded in the giver management system (this is in addition to verifying that all non-digital gifts are recorded).
    • Giving records to bank accounts. This reconciliation verifies that all digital gifts deposited into bank accounts are reflected in the giving records.
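
The routing-number check and the three reconciliations above, sketched as an added example that is not part of the original guidelines. The record layouts, transaction IDs, amounts, and routing numbers are constructed assumptions, and the sketch assumes each bank deposit carries the processor's transaction reference.

```python
# Constructed sample data; field names and values are illustrative assumptions.
APPROVED_ROUTING = "000000000"  # placeholder for the school's verified routing number

PROCESSOR = [  # payment processor transaction report: (txn_id, cents, routing used)
    ("T1", 5000, "000000000"),
    ("T2", 2500, "000000000"),
    ("T3", 10000, "999999999"),  # settled to an unapproved account
    ("T4", 7500, "000000000"),
]
BANK = {"T1": 5000, "T2": 2000, "T4": 7500}     # bank deposits by txn reference
GIVING = {"T1": 5000, "T2": 2500, "T3": 10000}  # giver management system records


def compare(name_a, a, name_b, b):
    """Report every txn_id missing from one side or differing in amount."""
    findings = []
    for txn in sorted(a.keys() | b.keys()):
        if txn not in b:
            findings.append((txn, f"in {name_a}, missing from {name_b}"))
        elif txn not in a:
            findings.append((txn, f"in {name_b}, missing from {name_a}"))
        elif a[txn] != b[txn]:
            findings.append((txn, f"amount differs: {name_a}={a[txn]} {name_b}={b[txn]}"))
    return findings


def reconcile(processor, bank, giving, approved_routing):
    """Run the routing check and the three reconciliations; return all findings."""
    proc = {txn: cents for txn, cents, _ in processor}
    return {
        "routing": [(txn, f"unapproved routing {r}") for txn, _, r in processor
                    if r != approved_routing],
        "bank_vs_processor": compare("bank", bank, "processor", proc),
        "giving_vs_processor": compare("giving", giving, "processor", proc),
        "giving_vs_bank": compare("giving", giving, "bank", bank),
    }


if __name__ == "__main__":
    for check, items in reconcile(PROCESSOR, BANK, GIVING, APPROVED_ROUTING).items():
        for txn, problem in items:
            print(f"{check}: {txn}: {problem}")
```

Each finding is a lead for the reviewing official to follow up, not proof of theft; timing differences between settlement and deposit produce the same symptoms.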

Guidelines for Handling Funds and Special Events

  • Adopt policies to prevent problems. Written policies are the ounce of prevention that could avoid serious problems at your school. Adopt a series of detailed policies that outline the procedures to be followed from the time the money is collected at a special event, received in the mail, or delivered to the school—until the money is deposited in the bank.
  • Make accountability and confidentiality dual goals. Too many organizations focus so much on confidentiality that accountability takes too low a priority. True, some confidentiality is sacrificed when good accountability exists. But the organization that does not balance confidentiality and accountability is treading on dangerous ground.
  • Use confidentiality statements. Counters should sign a written statement of confidentiality before participating in the counting process. If the commitment of confidentiality is broken, the individual(s) should be removed from the team of counters.
  • Always follow the principle of two. When a school leaves the cash in control of a single person—even for a short time period—before the count has been recorded, it is a blatant invitation for problems. When sole access to the cash is allowed, most people will not take any money. However, for some, the temptation may be too great.
  • Have counters complete tally sheets. Tally sheets should be completed that separately account for loose checks and cash that were received. This separation of money serves as a control amount for the later posting to donor records.
  • Use a secure area for counting. For safety of the counting team, confidentiality, and avoidance of interruptions, provide a secure area in which the offering can be counted. The counters should have an adding machine, coin wrappers, tally sheets, and other supplies. The adding machine should have a tape (instead of a paperless calculator) so the counting team can run two matching adding machine tapes of the offering.
  • Deposit all proceeds intact. Event proceeds should always be counted and deposited intact. Depositing intact means not allowing cash from the event to be used for the payment of school expenses or to be exchanged for other cash or a check.
    If proceeds are not deposited intact, an unidentified variance between the count and the deposit could occur. Additionally, if an individual is permitted to cash a check from event funds, the school may inadvertently provide the person with a canceled check that could be used in claiming a charitable tax deduction.
  • Properly identify donor-restricted funds. All donor restrictions should be carefully preserved during the counting process. These restrictions usually take the form of an instruction attached to a check or simply a notation on the check.
  • Place contributions in a secure location when they are stored in the school. If contributions are stored in the school, even for short periods of time, the use of a secure location is important. A safe implies security, while an unlocked desk drawer connotes lack of security. But defining security is often not that easy.
  • Follow these steps:
    • Use a safe with two locks.
    • Require two individuals to open the safe, one with the key and the other with the combination.
    • No one is permitted to have both the combination and the key to the safe.
    • Change the combination at regular intervals.
    • After placing funds in the safe, each individual must sign the safe opening log (names, date, time).
  • General
    • Are cash handling procedures in writing?
    • Has the bank been notified to never cash checks payable to the organization?
  • Offering counting
    • Are at least two individuals present when cash receipts are counted?
    • Are all checks stamped with a restrictive endorsement stamp immediately?
    • Are donor-restricted funds properly identified during the process of counting contributions?
  • Depositing of funds
    • Are all funds promptly deposited? Are receipt records compared with bank deposits?
    • Are all cash receipts deposited intact? Cash receipts should not be used to pay cash expenses.
  • Restricted funds
    • Are donations for restricted purposes properly recorded in the accounting records?
    • Are restricted funds held for the intended purpose(s) and not spent on operating needs?

Donation records/receipting

  • Are individual donor records kept as a basis to provide donor acknowledgments for all cash contributions and all other single contributions of $250 or more?
  • If no goods or services were provided in exchange for a gift, does the receipt include a statement to this effect?
  • If goods or services were provided in exchange for a gift, does the receipt include a statement to this effect?
  • Are the donations reconciled from the weekly contribution counting sheets to the donor records for a selected time period?
  • If goods or services were provided in exchange for a gift, does the receipt
    • inform the donor that the amount of the contribution that is deductible for federal income tax purposes is limited to the excess of the amount of any money and the value of any property contributed by the donor over the value of the goods and services provided by the organization, and
    • provide the donor with a good-faith estimate of the value of such goods and services?

Cash disbursements

  • Are all disbursements paid by check (except for minor expenditures paid through the petty cash fund)?
  • Is written documentation available to support all disbursements?
  • Is there an accountable reimbursement plan for expenses?
    • Do employees report and substantiate expenses within 60 days of incurring the expense?
    • Does the substantiation include original receipts and documentation of the time, place, amount, and purpose of expenditure?
  • Is a petty cash fund used for disbursements of small amounts? If so, is the fund periodically reconciled and replenished based on proper documentation of the cash expenditures?
  • If a petty cash fund is used, are vouchers prepared for each disbursement from the fund?
  • Are prenumbered checks used? Account for all the check numbers, including voided checks.
  • Are blank checks ever signed in advance? This should never be done.

Information reporting

  • Has the organization filed Form 990 or received written confirmation that it is exempt from the Form 990 filing requirement?
  • Has the organization filed Form 990-T for gross unrelated business income over $1,000 per fiscal year, if required?
  • Were payments made to recipients (other than corporations) of at least $10 in royalties or at least $600 in rents, payments for services, prizes and awards, or medical and health care payments?
    • Did the organization obtain Form W-9 for all applicable recipients and file Form 1099-MISC?
  • Was a Form 1099-INT provided to each recipient of interest totaling $600 or more during the calendar year?
  • Did the school file Form 5578 concerning a statement of racial nondiscrimination with the IRS?

Payroll tax reporting

  • Does the organization withhold and pay the employee’s share of FICA taxes for all nonministerial employees?
  • Does the organization pay the employer’s share of FICA taxes for all nonministerial employees?
  • Were timely deposits of employment taxes made?
  • Was a Form 941 filed for each quarter of the previous calendar year?
  • Were the totals from the four quarterly Forms 941 verified with the totals on Form W-3 prepared at year-end?
  • Was a Form W-2 given to all persons classified as employees (including any ministers) by January 31?
  • Were Form W-2 and Transmittal Form W-3 provided to the IRS for all persons classified as employees (including any ministers) by January 31?

Bank statement reconciliation

  • Are written bank reconciliations prepared on a timely basis? Test the reconciliation for the last month in the fiscal year. Trace transactions between the bank and the books for completeness and timeliness.
  • Are there any checks that have been outstanding over three months?
  • Are there any unusual transactions in the bank statement immediately following year-end? Obtain the bank statement for the first month after year-end directly from the bank for review by the audit committee, or obtain the last bank statement (unopened).

Savings and investment accounts

  • Are all savings and investment accounts recorded in the financial records? Compare monthly statements to the ledger.
  • Are earnings or losses from savings and investment accounts recorded in the ledger?

Land, buildings, and equipment records

  • Are there detailed records of land, buildings, and equipment including date acquired, description, and cost or fair market value at date of acquisition?
  • Was a physical count of any inventory taken at year-end?
  • Have the property records been reconciled to the insurance coverages?

Accounts payable

  • Is there a schedule of unpaid invoices including vendor name, invoice date, and due date?
  • Are any of the accounts payable items significantly past due?
  • Are there any disputes with vendors over amounts owed?

Insurance policies

  • Has a schedule been prepared of insurance coverage in force? Does it reflect effective and expiration dates, kind and classification of coverages, maximum amounts of each coverage, premiums, and terms of payment?
  • Is workers’ compensation insurance being carried as provided by law in most states? Are all employees (and perhaps some independent contractors) covered under the workers’ compensation policy?

Amortization of debt

  • Is there a schedule of debt, such as mortgages and notes?
  • Have the balances owed to all lenders been confirmed directly in writing?
  • Have the balances owed to all lenders been compared to the obligations recorded on the balance sheet?

Securities and other negotiable documents

  • Are any marketable securities or bonds owned? If so, are they kept in a safe-deposit box, and are two signatures required for access?
  • Have the contents of the safe-deposit box been recently examined and recorded?

Credit cards

  • Has the organization ensured that its credit card merchant processor and any related systems are secure? A security audit should be available from your processor.
  • Are there any organization-owned credit cards?
    • Is there written documentation for all uses of organization-owned credit cards?
    • Has there been an independent review of the organization’s use and appropriateness of all organization-owned credit cards?
    • Are there any signs of personal use of organization-owned credit cards? This should be avoided. If this should happen, these amounts must be refunded to the organization or added to taxable compensation.

Copyright and licensing issues

  • Does the organization have a policy of prohibiting the unlawful duplication or use of copyrighted works?
  • Does the organization pay an annual fee to Christian Copyright Licensing, Inc. for the right to reproduce copyrighted music?
  • Does the organization have a policy which prohibits the showing of rented or purchased videos without authorization of the copyright owner?
  • Does the organization comply with all computer software licensing agreements?


  • Are federal (and state) minimum wage and overtime requirements observed for applicable employees?
  • If overtime payments are required, has the organization taken steps to avoid paying overtime through compensatory time off?
  • Is there a record retention policy specifying how long records should be kept?
  • Are record retention and storage requirements formally considered at year-end?
  • Do you know the location of the original deed of all property?
  • Is the organization in full compliance with restrictions imposed by the deed or mortgage?
  • Did the organization refrain from participating in (directly or indirectly) a particular candidate’s political campaign for public office?



This text is provided with the understanding that ECFA is not rendering legal, accounting, or other professional advice or service. Professional advice on specific issues should be sought from an accountant, lawyer, or other professional.

