Governance & Oversight Reference
This reference consolidates high-level nonprofit accounting topics commonly referenced by organizations and those responsible for financial oversight. Sections are provided for orientation and general understanding rather than procedural guidance.
Governing Body Roles and Responsibilities
The governing body, typically the Board of Directors, is legally and ethically responsible for the organization’s overall direction and integrity. In a nonprofit, the board acts as the “fiduciary,” a term derived from the Latin word for trust. Its primary role is to ensure the organization remains sustainable and that every dollar is used to further the mission.
The Three Legal Standards of Conduct
To fulfill their fiduciary duties, board members are generally held to three legal standards of conduct:
Duty of Care: Board members must be active and informed. This means attending meetings, reviewing financial reports before they are discussed, and asking difficult questions when the numbers don’t align with the mission.
Duty of Loyalty: The organization’s interests must always come first. Board members must disclose any potential conflicts of interest and must never use their position for personal or professional gain.
Duty of Obedience: The board must ensure the organization remains obedient to its central purposes, as defined in its articles of incorporation and bylaws, while complying with all state and federal laws.
Financial Responsibilities of the Board
In the context of nonprofit finance, the board’s role is one of oversight, not management. A high-functioning governing body focuses on these specific responsibilities:
Approving the Annual Budget: The budget is a financial map of the organization’s priorities. The board must ensure it is realistic and aligns with the strategic plan.
Monitoring Financial Performance: Boards should receive and review monthly or quarterly financial statements. This isn’t just a formality; it is the process of comparing actual results against the budget to identify and address financial red flags early.
Ensuring the Annual Audit or Review: If an audit is required, the board (often through an Audit Committee) hires the independent CPA firm and reviews the final report and management letter to ensure any internal control weaknesses are corrected.
Safeguarding Assets: This includes overseeing the executive director’s performance and ensuring the organization has adequate insurance and internal controls to prevent fraud.
The Difference Between Governance and Management
A common pitfall in smaller nonprofits is micro-management (often a symptom of “founder’s syndrome,” where a founder who sits on the board keeps control of daily operations), in which the board begins performing the daily bookkeeping or administrative tasks itself.
Effective governance maintains a clear line: the Staff manages the execution of the work (recording transactions, paying bills, managing programs), while the Board manages the mission and the high-level financial health. This separation of duties is, in itself, a critical internal control that protects the organization from error and malfeasance.
Internal Controls and Risk Awareness
Internal controls are the “safety valves” of an organization. In the nonprofit sector, they do more than prevent errors; they protect the organization’s reputation and preserve donor trust. When a nonprofit or a business partners with a highly regulated entity (a government agency, healthcare system, or financial institution), those controls also become evidence in the partner’s Third-Party Risk Management (TPRM) program: the regulated entity assesses them as part of its own risk framework.
The Foundation of Internal Controls
Internal controls are the policies and physical safeguards designed to provide reasonable assurance regarding the achievement of objectives in operational effectiveness, reliable financial reporting, and compliance with laws.
For most organizations, the gold standard for these controls is the segregation of duties. This principle ensures that no single individual has enough authority to execute a transaction from start to finish. A simple example is ensuring that the person who authorizes a payment is not the same person who signs the check or reconciles the bank statement.
Risk Awareness and the TPRM Factor
When you partner with a regulated entity, you are no longer just managing your own internal risks; you are a “Third Party” in their risk ecosystem. Regulated entities are required to perform due diligence on their partners to ensure that a lapse in your security or finances doesn’t result in a lapse in theirs.
Third-Party Risk Management (TPRM) focuses on several key risk domains:
Financial Risk: Does the partner have the fiscal health to deliver on the contract?
Operational Risk: Can the partner maintain service if their systems go down?
Compliance/Regulatory Risk: Does the partner follow the same stringent data privacy (e.g., HIPAA, GDPR) or anti-fraud laws as the regulated entity?
Reputational Risk: Will an association with this partner damage the regulated entity’s standing in the community?
Implementing a Risk-Aware Culture
A “spreadsheet nightmare” isn’t just an efficiency problem; it’s a risk factor. Regulated partners look for automated, repeatable processes that minimize human error. To move toward a more sophisticated risk posture, consider the following:
Documented Workflows: Every financial process should be written down. If an auditor or a TPRM reviewer asks how you handle a vendor payment, you should be able to produce a manual, not just a verbal explanation.
System Permissions: Use your accounting software to enforce controls rather than relying on policy alone. Assign access by role so that staff can see and change only the data their job requires, keep the system’s audit log enabled, and review and revoke access whenever someone changes roles or leaves.
Regular Monitoring: Internal controls are not “set it and forget it.” The board and management should perform periodic “spot checks” to ensure policies are actually being followed.
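The segregation-of-duties rule above (the person who authorizes a payment must not sign the check or reconcile the bank statement) and the “System Permissions” item are the same control seen from two sides: the policy and the access configuration that enforces it. The Python script below is an added example, not code from the page or from any accounting product. The role names, permission names and user assignments are constructed for illustration, and the conflict list is one way of encoding the page’s rule. It computes each user’s effective permissions from their roles, reports any user holding a toxic combination, and lists which roles can never be co-assigned, so the check can be re-run whenever roles or assignments change.

```python
"""Segregation-of-duties (SoD) check over accounting-system role assignments.

Added example, not code from the page. Role names, permission names and user
assignments are constructed; map them onto whatever your accounting package
actually exposes.
"""
from itertools import combinations

# Roles as an accounting system might define them (assumed names).
ROLE_PERMISSIONS = {
    "ap_clerk":   {"enter_invoice", "view_ap"},
    "approver":   {"approve_payment", "view_ap"},
    "treasurer":  {"sign_check", "view_bank"},
    "reconciler": {"reconcile_bank", "view_bank"},
    "bookkeeper": {"enter_invoice", "view_ap", "view_bank"},
    "read_only":  {"view_ap", "view_bank"},
}

# Toxic combinations: one person must never hold both sides of a pair.
# The first three encode the page's example (authorize a payment vs. sign
# the check vs. reconcile the bank statement); the fourth stops the person
# who enters an invoice from also approving it.
SOD_CONFLICTS = [
    frozenset({"approve_payment", "sign_check"}),
    frozenset({"approve_payment", "reconcile_bank"}),
    frozenset({"sign_check", "reconcile_bank"}),
    frozenset({"enter_invoice", "approve_payment"}),
]

# Constructed user-to-role assignments to check.
SAMPLE_USERS = {
    "alice": ["approver", "treasurer"],
    "bob":   ["ap_clerk"],
    "carol": ["reconciler", "read_only"],
    "dana":  ["bookkeeper", "approver"],
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by a user's roles. An unknown role is
    an error rather than silently ignored, so a typo cannot hide a violation."""
    perms = set()
    for role in roles:
        if role not in role_permissions:
            raise KeyError(f"unknown role: {role}")
        perms |= role_permissions[role]
    return perms


def sod_violations(user_roles, role_permissions=ROLE_PERMISSIONS,
                   conflicts=SOD_CONFLICTS):
    """Map each offending user to the conflicting permission pairs they hold."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        hits = [tuple(sorted(c)) for c in conflicts if c <= perms]
        if hits:
            findings[user] = hits
    return findings


def conflicting_role_combinations(role_permissions=ROLE_PERMISSIONS,
                                  conflicts=SOD_CONFLICTS):
    """Single roles and role pairs that can never be co-assigned. Run this when
    roles are designed or changed, before anyone is assigned to them; a single
    role appearing here means the role itself is badly designed."""
    bad = []
    roles = sorted(role_permissions)
    for combo in list(combinations(roles, 1)) + list(combinations(roles, 2)):
        perms = effective_permissions(combo, role_permissions)
        if any(c <= perms for c in conflicts):
            bad.append(combo)
    return bad


if __name__ == "__main__":
    for user, hits in sod_violations(SAMPLE_USERS).items():
        print(f"{user}: holds conflicting permissions {hits}")
    print("prohibited role combinations:", conflicting_role_combinations())
```

In a small organization that cannot staff full separation, the findings list is the set of exceptions the board should accept explicitly, each paired with a compensating control (for example, a second signature on checks above a dollar threshold) and re-checked on a schedule rather than left implicit.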
The Value of Being “Audit-Ready”
For nonprofits, maintaining high-level internal controls and a robust TPRM posture isn’t just about avoiding trouble—it’s a competitive advantage. When a large foundation or a government agency chooses a partner, they prioritize organizations that can demonstrate they are low-risk. By treating internal controls as a core part of your mission rather than an administrative burden, you position your organization as a professional, reliable choice for high-impact partnerships.
Documentation and Recordkeeping
In any professional organization, documentation is the “evidence” of your activities. It is the bridge between a transaction happening and that transaction being validated by an auditor, a donor, or the IRS. Whether you are a for-profit business or a mission-driven nonprofit, the mantra remains the same: If it isn’t documented, it didn’t happen.
The Purpose of a Paper Trail
Recordkeeping is not just about archiving history; it is about providing a transparent trail that justifies every financial decision. For nonprofits specifically, this documentation proves that you have honored donor intent and followed the board-approved budget. For businesses partnering with regulated entities, robust recordkeeping is a non-negotiable requirement of Third-Party Risk Management (TPRM).
Primary Documents to Maintain
A comprehensive recordkeeping system should categorize documents into several key areas:
Corporate Records: These include your Articles of Incorporation, Bylaws, Board Meeting Minutes, and IRS Determination Letter. These prove your legal existence and tax-exempt status.
Financial Records: This includes invoices, receipts, bank statements, and canceled checks. These must be linked to specific entries in your Chart of Accounts.
Grant and Contract Records: For every grant received, you must keep the original agreement, all reports submitted to the grantor, and evidence that the funds were spent according to the restricted purpose.
Personnel and Payroll Records: Documentation of hours worked, payroll tax withholding and filings (Forms W-2 and 941), and benefits administration. In a nonprofit, this also includes the time-tracking data used to allocate salaries across functions (Program vs. Admin).
Digital Transformation and “The Source of Truth”
The era of the “shoebox full of receipts” is over. Modern accounting relies on digital document management where the “source document” (the invoice or receipt) is attached directly to the transaction in your accounting software.
Real-Time Capture: Use tools to scan or photograph receipts at the point of purchase. This prevents loss and ensures that the “Why” of the expense is recorded while it is still fresh in the employee’s mind.
Cloud Security: Digital records must be backed up, and the backups periodically restored to confirm they actually work, and access must be limited by role. Your recordkeeping policy should define who can view, change, and delete sensitive financial or personnel data; an unreviewed deletion right is the digital equivalent of losing the shoebox.
Searchability: A digital system allows you to respond to an audit or a donor’s question in minutes rather than days.
Retention and Disposal Policies
You cannot keep everything forever, but you must keep everything for long enough. Your organization should have a written Document Retention and Destruction Policy. This policy should outline specific timelines based on IRS guidelines and state laws. Generally, many financial records are kept for seven years, while permanent records (like board minutes or real estate deeds) are kept indefinitely.
Pro-Tip: Your policy should also include a “Legal Hold” provision. If the organization is notified of an audit or legal action, the normal destruction of records must be immediately suspended.
Professional Guidance
Because recordkeeping requirements can vary significantly based on your industry, the state you operate in, and the specific grants you receive, it is vital to consult with a professional. A CPA or legal counsel can help you draft a retention schedule that keeps you compliant without drowning the organization in unnecessary paperwork.
Policy Frameworks and Governance References
A Policy Framework is the structured collection of rules, guidelines, and processes that an organization uses to achieve its goals and maintain compliance. While Governance refers to the system by which an organization is directed and controlled, the Policy Framework is the mechanism that translates that governance into daily action. For any professional organization, this framework acts as the “Operating System” that ensures decisions are made based on established principles rather than individual whims.
The Governance Hierarchy
Effective governance follows a clear hierarchy. Each level provides the authority for the level beneath it:
Articles of Incorporation & Bylaws: The foundational legal documents that define the organization’s purpose and the highest level of authority (the Board).
Board-Approved Policies: High-level statements of intent (e.g., an Investment Policy or a Conflict of Interest Policy). These represent the Board’s “voice.”
Administrative Procedures: The granular “how-to” steps managed by staff to execute those policies (e.g., how to submit a travel reimbursement request).
Internal Controls: The specific checks and balances built into those procedures to prevent error or fraud.
Why a Framework is Essential
Without a formal framework, an organization suffers from “ad hoc” management. This creates several risks:
Inconsistency: Different staff members may handle the same type of transaction in different ways, leading to unreliable financial data.
Knowledge Loss: When key employees depart, the organization’s “memory” of how things are done leaves with them.
Audit Failure: Auditors and regulators (including TPRM reviewers) look for a framework that proves the organization is managed systematically.
Integration with External Standards
A robust framework does not exist in a vacuum. It must be mapped to external requirements to ensure the organization remains in good standing.
GAAP Compliance: Ensuring that financial policies align with generally accepted accounting principles.
Regulatory Compliance: Mapping policies to IRS requirements, state laws, and specific grant conditions.
Third-Party Risk Management (TPRM): For businesses partnering with regulated entities, the policy framework must demonstrate that the organization meets the security and financial standards of the partner.
The Lifecycle of Policy Governance
Governance is not a static event; it is a continuous cycle. A strong framework includes a schedule for regular review and updates.
Drafting: Policies should be drafted by those who understand the operational reality, with input from legal or financial professionals.
Approval: Formal policies must be approved by the Board or a designated committee to establish authority.
Communication: Staff must be trained on the framework. A policy that sits in a binder and is never read provides no protection.
Review: Policies should be reviewed at least every two years (or more frequently in highly regulated environments) to ensure they still meet the organization’s needs and current laws.
Key Takeaway for Accountants
For the finance professional, a policy framework provides the “backbone” for the Chart of Accounts. It defines how those accounts are populated and who is responsible for the data. By advocating for a strong governance structure, you are not just managing numbers—you are building a resilient organization that is capable of scaling and weathering external scrutiny.
Oversight, Monitoring, and Review
In a robust financial system, Oversight, Monitoring, and Review represent the “inspections” that ensure the organization’s financial structure remains sound and compliant. While policies define how things should be done, these three activities provide the proof that they are being done correctly. For the nonprofit professional, these processes are the practical application of the Duty of Care, providing the evidence necessary to satisfy donors, auditors, and regulated partners.
Defining the Three Pillars
To build an effective system, it is helpful to distinguish between these three distinct but related functions:
Monitoring (The Continuous View): This is an ongoing, management-level activity. It involves the routine checking of financial transactions and performance against expectations. For example, a monthly “Budget vs. Actual” analysis is a monitoring activity used to catch variances before they become crises.
Review (The Periodic View): Reviews are “deep dives” into specific areas at set intervals. This might include a quarterly review of credit card statements by a supervisor, an annual insurance coverage assessment, or the formal year-end financial audit conducted by an independent CPA.
Oversight (The High-Level View): This is the responsibility of the Governing Body (the Board). Oversight does not mean doing the work; it means ensuring the work is being done. The Board exercises oversight by asking probing questions about the monitoring reports and review findings presented to them.
The Mechanics of Effective Monitoring
For accountants and bookkeepers, monitoring is about creating a “closed-loop” system where errors are caught and corrected internally. Key monitoring activities include:
Variance Analysis: Identifying why actual spending differs from the budget. Is it a timing issue, an unexpected expense, or a sign of a deeper structural problem?
Reconciliations: Ensuring that the sub-ledgers (like Accounts Payable or Grant Receivables) always match the General Ledger.
Spot Checks: Periodically testing a random sample of transactions to ensure that the required documentation (receipts, approvals) is present and follows the established policy.
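The three monitoring activities above can be run as one repeatable pass over the ledger each month. The Python below is an added example, not code from the page. The accounts, balances, transactions and the 10% variance threshold are constructed for illustration, and the documentation fields (receipt attached, entered_by, approved_by) assume the accounting system can export them. It flags budget variances beyond the threshold and unbudgeted spending, reconciles a sub-ledger to its general-ledger control account using Decimal arithmetic so that cents are exact, and draws a seeded random sample for the spot check so the same sample can be re-drawn for an auditor.

```python
"""Monthly controls-monitoring pass: variance analysis, sub-ledger
reconciliation and a documentation spot check.

Added example, not code from the page. All account names, balances and
transactions are constructed; the 10% variance threshold is an assumption.
"""
import random
from decimal import Decimal

D = Decimal

# Constructed budget vs. actual for one period.
BUDGET = {
    "5100 Program Salaries": D("30000"),
    "6200 Office Supplies":  D("1000"),
    "6300 Travel":           D("2000"),
    "6400 Consulting":       D("0"),
}
ACTUAL = {
    "5100 Program Salaries": D("31500"),
    "6200 Office Supplies":  D("1400"),
    "6300 Travel":           D("1950"),
    "6400 Consulting":       D("800"),
}

# Constructed open Accounts Payable items (the sub-ledger).
AP_SUBLEDGER = [
    ("Acme Supplies",        D("1200.00")),
    ("Cityworks Printing",   D("340.50")),
    ("Northwind Consulting", D("800.00")),
]

# Constructed transactions carrying the fields a spot check needs.
TRANSACTIONS = [
    {"id": "T-1001", "entered_by": "bob",   "approved_by": "alice", "amount": D("450.00"),  "receipt": True},
    {"id": "T-1002", "entered_by": "bob",   "approved_by": "bob",   "amount": D("1200.00"), "receipt": True},
    {"id": "T-1003", "entered_by": "carol", "approved_by": "alice", "amount": D("89.10"),   "receipt": False},
    {"id": "T-1004", "entered_by": "bob",   "approved_by": None,    "amount": D("3000.00"), "receipt": True},
    {"id": "T-1005", "entered_by": "carol", "approved_by": "alice", "amount": D("25.00"),   "receipt": True},
]


def variance_report(budget, actual, threshold=D("0.10")):
    """Accounts whose actual differs from budget by more than `threshold`
    (a fraction of budget). Spending against a zero budget has no meaningful
    percentage, so any such spending is always reported with pct=None."""
    flagged = {}
    for account in sorted(set(budget) | set(actual)):
        b = budget.get(account, D("0"))
        a = actual.get(account, D("0"))
        diff = a - b
        if b == 0:
            if diff != 0:
                flagged[account] = (diff, None)
            continue
        pct = diff / b
        if abs(pct) > threshold:
            flagged[account] = (diff, pct)
    return flagged


def reconcile(subledger, gl_balance):
    """Sum the sub-ledger and compare with the general-ledger control account.
    `gl_balance` may be a Decimal, an int, or a decimal string.
    Returns (subledger_total, difference); a zero difference means reconciled."""
    total = sum((amt for _, amt in subledger), D("0"))
    return total, total - Decimal(gl_balance)


def spot_check(transactions, sample_size, seed):
    """Draw a reproducible random sample (record `seed` in the working papers
    so the same sample can be re-drawn) and test each item for a receipt, an
    approval, and approval by someone other than the person who entered it."""
    rng = random.Random(seed)
    sample = rng.sample(transactions, min(sample_size, len(transactions)))
    exceptions = {}
    for t in sample:
        problems = []
        if not t["receipt"]:
            problems.append("no receipt")
        if not t["approved_by"]:
            problems.append("no approval")
        elif t["approved_by"] == t["entered_by"]:
            problems.append("self-approved")
        if problems:
            exceptions[t["id"]] = problems
    return [t["id"] for t in sample], exceptions


if __name__ == "__main__":
    print("variances:", variance_report(BUDGET, ACTUAL))
    print("AP reconciliation:", reconcile(AP_SUBLEDGER, "2340.50"))
    print("spot check:", spot_check(TRANSACTIONS, 3, seed=20240131))
```

Each function returns its findings rather than printing them so the pass can feed a monthly exception report; an empty variance dict, a zero reconciliation difference and an empty exceptions dict are the “closed loop” the passage describes.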
The Board’s Role in Review and Oversight
The Board’s primary tool for oversight is the Financial Reporting Package. This package should be standardized so that Board members can become familiar with the format and focus on the data. Effective oversight includes:
Approving the Audit: The Board (or Audit Committee) should meet with the external auditor to discuss the “Management Letter,” which highlights any weaknesses in internal controls found during the audit.
Evaluating the Executive Director: Oversight includes ensuring that the organization’s leadership is managing resources effectively and ethically.
Reviewing Key Ratios: Monitoring metrics like the “Months of Cash on Hand” or the “Program Efficiency Ratio” to ensure long-term sustainability.
Transparency for Stakeholders and TPRM
When an organization is subject to Third-Party Risk Management (TPRM) reviews by a regulated partner, the first thing the reviewer will ask for is evidence of oversight. They aren’t just looking for your bank statements; they are looking for Board Meeting Minutes that prove the financial statements were reviewed and discussed.
A “spreadsheet nightmare” makes oversight difficult because the data is hard to verify. A clean, multi-dimensional system allows for “drill-down” capabilities, where a Board member or auditor can start at a high-level summary and easily see the supporting documentation for any specific number. This level of transparency builds the “radical trust” required for high-stakes partnerships and large-scale donor support.
This material is provided for general educational reference purposes and does not constitute legal, accounting, audit, or advisory guidance.
