Blog tag: Best-practices

Resources for our community of volunteer treasurers, accountants, and board members of small nonprofit organizations.

Photo by A Healthier Michigan | CC BY-SA 2.0


Featured Post

New: Single Category Reports

A new report is available to Nonprofit Treasurer users: the Category Report. While transactions have always been grouped by transaction category on all of our reports, we've heard that sometimes users would like to report on a single category (like, "dues"). Find the new Category Reports on our Reports page and let us know how it works for you!


Another thank you to our users for the constructive feedback in the monthly survey. Category Reports comes directly from a user suggestion - Thank you!

Recent Posts

Pro Tip: Craft Your Payments Campaign for Effective Sharing on Facebook

When creating a Payments campaign, be sure to consider how it will perform on your organization's Facebook page. The campaign title and first few sentences will be displayed in your Facebook post when you share the campaign URL, so make this important piece of the campaign page informative and brief!


Nonprofit Treasurer Takes Security Seriously

We understand that small nonprofits rely on our application to hold their organization’s financial data – and we take this responsibility seriously. We have earned the trust of our customers by providing a responsive and reliable application, and here we describe our commitment to keeping our application robust and secure.

Account security
We serve our website exclusively via HTTPS, using SSL certificates from a leading, reputable authority. Our application uses encrypted sessions to maintain a reliable and secure connection to our servers, and user credentials are stored as salted hashes, so passwords are effectively impossible to extract even in the unlikely event of a data breach.

Software security
Our systems run the latest LTS (long-term support) version of Ubuntu Linux provided by one of the world's most trusted (and fastest) cloud VPS providers, Linode. All server applications are updated automatically (daily) with any security-level updates and all other software patches are applied on a monthly schedule. Our servers have been ‘hardened’ according to current AppSec standards, including comprehensive firewall blocking, dynamic SSH denial, request logging, and regular automated security auditing.

Data security
All customer data is stored in state-of-the-art PostgreSQL database(s) configured with narrow access rules that silo each account’s data separately. Data access is granted in a tiered hierarchy, limiting data exposure even within our application. Automated backup snapshots are performed daily and stored externally.

Email security
Transactional email is used to validate new accounts and provide users with password reset tokens, and is configured to provide one-way (outgoing) email service only. All NPT emails are sent through a secure, established third-party email provider (SendGrid) with sophisticated traffic monitoring, to provide our users with a trusted email source that is highly unlikely to be hacked.

Payment processing
All payment processing is done through Braintree (a PayPal company), which has been certified to PCI Service Provider Level 1 (the most stringent level of PCI DSS certification available). Payments are made via a three-legged tokenization architecture, where payment data is transmitted to Braintree directly from the user’s computer (or phone) and confirmed by passing an encrypted token back to our servers, ensuring that credit card information is never passed to nor stored on our NPT servers.

Incident reporting
All disruptions to Nonprofit Treasurer’s normal performance, including security incidents, are published promptly on our Twitter feed, @nptresurer and may be viewed by anyone at . If you need to report a problem or any security concern, you may DM our team via Twitter at that account also.

New: Create (and Launch) a Fundraising Campaign in 3 Minutes

Five Internal Controls for the Very Small Nonprofit

This article is reprinted with permission from Blue Avocado, the practical and readable online magazine of American Nonprofits, for nonprofits. Subscribe free by visiting

Segregation of duties, checks & balances... difficult to implement in the organization that has perhaps three or fewer staff, or only a few active board members in an all-volunteer organization. We asked CPA Carl Ho, who works with dozens of small nonprofits, what would be the five most important, most do-able controls for small groups:

  • 1. The first and most important consideration is to set the control environment, that is, to let everyone know, from the top down, that there are policies in place and everyone has to follow the policies. In so many organizations the top person makes exceptions for himself or herself about policies, which sets a sloppy or even unethical tone. Then other people don't think they have to follow procedures, either, and they start cutting corners. The top person can't ask for reimbursement for anything for which they don't have a receipt. The management team members must all use time sheets themselves, get approval for travel expenses, have their credit cards scrutinized.

    Emphasize the importance of ethics and controls at staff meetings, and demonstrate that everyone follows the rules, all the time.
  • 2. Define clearly who is responsible for what. It's very common in small organizations, where not as much needs to be written down, for people to say, "I thought she was going to check the invoice." For example, with invoices: who is responsible for checking the math? Who is responsible for approving the invoice to be paid?
  • 3. Physical controls. Lock it up. Computers should be locked to desks, and they should be protected with passwords. Put checks in a locked drawer. Among other abuses, there are too many cases where someone comes in and takes checks from the middle of the checkbook.
  • 4. If there's cash involved -- such as at a fundraiser or box office at a performance -- have two people count all the cash together.
  • 5. Reconciling the bank statement is a very crucial step. It's very unlikely that someone is going to steal from you and run away forever. Reconciling the bank statement means that embezzlement can't go on for very long.

    Ideally someone other than the bookkeeper (or whoever handles the money) reconciles the bank account from an unopened statement. That's a strong check on the person who handles the money. But in a small nonprofit there may not be a bookkeeper, and there may be only one person who does everything. In these instances someone else, such as a board member, should receive the unopened bank statement, and look it over before giving it to the bookkeeper or the sole staffperson.
There are several controls that are commonly recommended but that you haven't mentioned. Could you comment on them?
For example:
  • Payroll? Payroll controls at small organizations are actually easy because everybody knows everybody, so it's harder to create fictitious employees and pay them. The one area for attention is approval of timesheets for people working on an hourly basis. In these cases someone -- who knows what work they did -- should review and approve timesheets.
  • Two signatures on checks, or on large checks? This is okay as a policy, as long as you know that banks don't enforce this policy, nor can you hold them liable for a check that goes through with only one signature. Two signatures is a good policy so that someone sees the big checks, but it's more about setting the right tone than about preventing theft.
  • The person handling money not allowed to sign checks? Bookkeepers should not sign checks. But in a really small organization this may not be practical. One approach is to allow the bookkeeper (or the person who handles the money) to sign small emergency checks, for no more than $100 or $200. If everybody knows this rule, it helps to set a tone of accountability. And again, it will be caught by the person who does the bank reconciliation.
  • Any concluding thoughts? In even the smallest organization, there can be another person who looks over things periodically, checking whether an expense was too high, was legitimate, whether the payroll taxes were paid. If you combine this with an atmosphere and environment that emphasizes following procedures and high standards of accountability, you still may not be able to prevent theft completely. But you'll prevent honest people from crossing the line, and you'll catch anything before it gets too serious.
Carl Ho, CPA is a partner at Le, Ho & Company in Daly City, California, and serves as the auditor for many small and large community nonprofits in the San Francisco Bay Area. He loves to bicycle, and can't wait to try out the unicycle he just ordered by mail. He also loves roast duck. [Editor's note: who doesn't?]

Protecting Your Nonprofit Organization From Embezzlement and Fraud

A reporter was surprised when his son's coach was arrested for embezzling funds from the youth league's bank accounts. Bill Pennington wrote a New York Times feature, The Trusted Grown-Ups Who Steal Millions From Youth Sports, highlighting similar occurrences of fraud and embezzlement and demonstrating how destructive and pervasive these events are.

Board leadership must create an anti-fraud environment and put into practice regular reviews and financial best-practices to reduce risk to the organization. Using a cloud-based accounting software application with multiple users like Nonprofit Treasurer can certainly help your organization provide a transparent (and fraud-resistant) environment, but it is not the only practice your board must take. These short articles provide a good starting point to evaluate your risk and define some concrete measures that should be in place at your AVO:

What Do I Need To Do as the Treasurer of an All-Volunteer Organization?

The full scope of the role of the treasurer of a non-profit organization is not always apparent to a newly appointed volunteer board member. Individuals are often asked to serve their organization with no prior experience as a treasurer, and while the tasks of maintaining the group’s checking account and reporting account balances to the board are certainly primary, there are other responsibilities that profoundly impact your organization’s mission and members.

Guidelines found in the blog posts What is the Role of the Treasurer?, I’m a Volunteer Treasurer, what now?, and Duties of the Treasurer of a Nonprofit Corporation are good resources. An excellent summary of the treasurer role can be found in Treasurers of All-Volunteer Organizations: Eight Key Responsibilities, and important advice is given in Bookkeeping Mistakes To Look Out For and Day 6: Find Your Successor.

Lacking, however, is the emphasis upon the role of the treasurer as opposed to the treasurer the individual; realizing that volunteering as the treasurer is not forever and that the individual is but a transient caretaker of the role that will live on after one's tenure. A great treasurer will strengthen the financial systems of an organization, leaving a structure that is less dependent upon any single individual volunteer and maintaining continuity as the other individuals pass through the role.

The result of this orderliness is a reduced burden on subsequent volunteers and the organization.

Quick Start: Using Categories

Introduction to Nonprofit Treasurer