Lesson 135 · The Grant Architect

135. Internal Controls

30 min

By the end you'll be able to

  • Apply the COSO framework to a federal grant environment.
  • Design a segregation-of-duties matrix appropriate for organization size.
  • Specify compensating controls when full segregation is not feasible.
  • Document an internal controls narrative an auditor can rely on.

Internal controls are the boring, lifesaving systems that prevent fraud and demonstrate to auditors that your organization is managing federal funds responsibly. The cornerstone of internal control under 2 CFR Part 200 is segregation of duties, which means that the person who requests a purchase is not the same person who approves it, the person who makes a deposit is not the same person who records it, and the person who authorizes pay is not the same person who hires.

In this lesson you will design a segregation-of-duties matrix appropriate for your organization size, including the compensating controls that small nonprofits use when a single bookkeeper handles multiple functions. You will learn to document approval thresholds, dual-signature requirements, monthly reconciliations, and the supervisory reviews that catch errors before they become findings. You will also learn how the COSO framework (control environment, risk assessment, control activities, information and communication, monitoring) maps onto a federal grant.

By the end you should be able to write an internal controls narrative that you can hand to an auditor, a board treasurer, or a federal monitor and have it read as evidence of a mature operation. Strong controls do more than prevent theft. They protect honest staff from suspicion, prove institutional capacity to funders, and pave the way for larger awards in the future.

Common mistakes

These are the traps learners hit most often on this topic. Knowing them in advance is half the fix.

  • Treating internal controls as an accounting concern only.

    Controls span operations, HR, IT, and program activities. Limiting them to the finance office leaves large attack surfaces uncovered.

  • Documenting controls that nobody follows.

    A controls narrative that does not match observable practice is worse than no narrative at all, because the gap itself becomes a finding.

Practice problems

Try each on paper first. Read the solution only after you've made a real attempt.

  1. Problem 1
    Your organization has one bookkeeper and one executive director. Design a segregation-of-duties scheme that still satisfies federal expectations.
    Solution

    The bookkeeper records transactions, prepares deposits, and processes payroll. The executive director approves all purchases, signs checks above a low threshold, and reviews monthly bank reconciliations prepared by the bookkeeper. Add the board treasurer as a compensating control by having them receive and review unopened bank statements quarterly and sign off on the bookkeeper's reconciliation. Above a higher threshold (for example $5,000), require dual signatures from the executive director and a board officer.

Practice quiz

  1. Question 1
    Which pair of functions must be separated to satisfy basic segregation of duties?
  2. Question 2
    What is a compensating control?

Lesson 135 recap

Internal controls are the lifesaving infrastructure that prevents fraud and proves capacity. Segregation of duties plus documented compensating controls form the spine of any defensible grant operation.

Coming next: Lesson 136 — Time and Effort Reporting

Next, we drill into the single most cited audit finding area in federal grants, time and effort reporting.
