Understanding internal controls for charities and non-profits.

Article | Nikki Loan | 22nd May 2023

If you have any questions or concerns, please do not hesitate to speak to your PEM contacts directly.


Internal financial controls for charities (CC8) has long been the “go to” guidance on basic internal controls that the Charity Commission expect to be in place. This guidance was updated in April 2023 to reflect the increasing use of the internet for banking, donations and other transactions.

It covers alternative banking arrangements and cryptoassets, highlighting areas where trustees may not be sure that they have addressed the risks and questions that a 21st century charity may face. (Some of the risks around cryptocurrency are explored at the start of this newsletter.) Funds transferred using alternative banking methods have recently been included in the annual return, so the additional questions around controls match that development.

The style of the checklist has changed to reflect key areas of control and supervision and should be logical for trustees and management to complete. Although the questionnaire has yes/no responses to its questions, we would advise all charities to document why they are satisfied the response is a yes, and to develop an action plan where there is a no that is relevant to the activities of the charity. If the charity has activities that the trustees do not feel are covered by the checklist or their current risk assessment procedures, then they should supplement the questions for those areas.

The first section covers general principles for all charities – questions to establish how well trustees understand the financial controls in place and their duties. Questions focus on:

  • understanding whether the controls are appropriate (requesting professional advice if unsure)
  • understanding the charity’s financial information and the methods of monitoring and keeping track of the reporting
  • understanding whether controls are embedded in the organisation
  • carrying out an annual review of the controls – internally or with the help of internal audit
  • ensuring appropriate segregation between roles
  • ensuring that procedures are in place for reporting suspicious incidents

The next section covers operational risks. The key points here are around understanding whether there is sufficient training and knowledge of policies by trustees, staff and volunteers, including an understanding of:

  • why the charity is at risk from financial crime
  • what the rules are around hospitality, acceptance of donations, register of interests, managing conflicts
  • how the charity controls access and storage of data

Following the overview, there are some more detailed questions around internal financial controls for banking. These cover how bank accounts are opened, reconciled and monitored.

Online Banking

As a development from the previous CC8, there are questions relating to online banking around security of electronic devices, management of passwords (and PINs) and understanding who is approved to access passwords and PINs.

The income section challenges trustees and management to identify whether they have controls to manage the completeness and accuracy of income recognition from all sources, and the ongoing security of that asset:

  • donations (including procedures around ‘tainted charity donations’)
  • public collections and fundraising events
  • income received online, via card readers and through the post
  • donations of cryptoassets
  • trading income
  • legacies
  • whether gift aid is claimed wherever possible.

The flow of the expenditure section is also updated to reflect the potentially increased levels of payments being made by individuals rather than through central purchasing and finance systems.

The questions are updated for services such as Google Pay and Apple Pay. For all methods where control over purchasing is effectively delegated to the individual, charities must be sure that clear policies are in place and have appropriate oversight, as these delegated processes give increased scope for an individual to commit an unwary charity without authorisation.

This section also includes questions around paying wages, salaries, expenses and grants, and handling related party transactions. The key here is having clear policies in place, which can be followed, around identifying and managing conflicts and subsequent related party payments.

Internal financial controls for assets and investments comes next, with questions covering use of assets, registers and insurance. It also touches on GDPR controls and controls over the use of restricted funds and endowment, if your charity has those funds.

Investments are encapsulated by an understanding of “Charities and investment matters: a guide for trustees” (CC14) and trustee duties when investing charity funds.

Finally, there are questions on:

  • loans
  • hospitality
  • internal audit and audit committees

Trustees have a legal duty to manage their charity’s resources responsibly, including implementing appropriate financial controls and managing risk. Increasingly, charity auditors, independent examiners and others will hold them to account and ask to see their assessment and understand that judgment. This demands more than a feeling, or a general assurance from those to whom financial controls have been delegated. The guidance accompanying the CC8 checklist recommends that charities that are required to have an external audit should have an internal audit committee. This assessment of internal controls may be one of its tasks.

Next steps

If you would like to discuss any of the points raised in this article, please contact PEM.
