Strengthening Internal Controls for Not-for-Profits | CBIZ
December 01, 2025

By Kevin Wright, Managing Director

As not-for-profit (NFP) organizations turn their attention to planning for 2026, a disciplined focus on internal controls and risk management will be essential to sustain mission delivery, financial integrity, and stakeholder trust. The environment facing NFPs remains complex: governance expectations are rising, regulatory obligations continue to evolve, and technology brings both efficiency gains from generative AI and cyber exposure. Against this backdrop, organizations that strengthen their control environment, align internal assurance with strategic objectives, and proactively manage key risks will be better positioned for resilience and impact.

Internal assurance as a strategic enabler

 Internal assurance is more than an audit exercise—it is an independent evaluation of whether processes and controls are effectively managing risk and supporting objectives. Done well, it enhances stakeholder confidence, improves operational efficiency, protects against fraud and error, and supports compliance. For 2026 planning, leadership should ensure assurance activities are risk-based, connected to organizational goals, and informed by an updated risk assessment that reflects the current operating context.

Build on a strong control environment

The control environment is the foundation that shapes behavior, ethics, and accountability. Boards and executive teams should set a clear tone at the top, reinforce ethical expectations, and align authority and responsibility with organizational structure. Practical steps include:

Clarify governance roles: Ensure the board, audit/finance committees, and management understand oversight responsibilities and escalation pathways.

Reinforce HR practices: Leverage hiring, training, performance evaluation, and discipline to embed control consciousness and ethical conduct across staff and volunteers.

Align management philosophy: Promote transparency, evidence-based decision-making, and openness to remediation when issues arise.

Focus control activities where risk is greatest

While preventive, detective, and corrective controls all matter, control design should be prioritized where the risk is most material. For 2026, several areas warrant heightened attention:

Financial management and reporting: Address liquidity and cash flow monitoring with reliable forecasting and variance analysis. Strengthen revenue recognition procedures to ensure accuracy and consistency, especially where donor restrictions and grant conditions apply. Regular reconciliations and financial close checklists help catch errors early.

Segregation of duties: In smaller teams, use compensating controls (e.g., independent reviews, system-enforced approvals) to mitigate the risk of a single individual controlling end-to-end transactions.

Expense authorization and documentation: Define thresholds, pre-approval requirements, and documentation standards. Periodically test samples for compliance and follow up with corrective action plans.

Vendor and procurement controls: Standardize vendor selection with competitive bidding, conflict-of-interest attestations, and periodic vendor performance reviews. Monitor changes to vendor master files and enforce dual approvals.

Elevate technology governance and cybersecurity

Generative AI technology can streamline reporting, automate workflows, and enhance audit readiness, but it introduces risks if adoption outpaces governance. Priorities include:

Cybersecurity basics: Implement multi-factor authentication, least-privilege access, regular patching, encryption, and phishing-awareness training. Conduct periodic security assessments and tabletop exercises for incident response.

System integration and data quality: When implementing or upgrading ERPs or reporting tools, ensure robust project governance, data validation, and end-user training. Poor integration can undermine decision-making and controls.

Business continuity and resilience: Update disaster recovery and continuity plans to reflect current systems and vendors. Test backups and recovery time objectives, and clarify roles during disruptions.

Strengthen compliance discipline

Non-compliance with grant terms, donor restrictions, and evolving regulatory obligations can jeopardize funding and reputation. For 2026:

Map requirements to controls: Maintain a register of applicable regulations, grant conditions, and donor restrictions, and link each to specific controls, owners, and monitoring procedures.

Enhance restricted fund tracking: Use system functionality to track restricted funds by purpose and time, and reconcile them to donor agreements and reporting commitments.

Leverage periodic audits: Internal and external audits should inform a rolling remediation program with clear owners, timelines, and verification of issue closure.

Manage fraud and misconduct risk proactively

Fraud risks intensify where duties are not segregated, oversight is inconsistent, and pressures increase. Key actions:

Update fraud risk assessments: Consider cash receipts and disbursements, third-party relationships, procurement, and reporting manipulation risks.

Implement hotlines and issue tracking: Confidential reporting and structured investigations deter misconduct and support early detection.

Test high-risk areas: Apply data analytics to identify anomalies in spend, duplicate vendors, or unusual adjustments.

Advance governance and board effectiveness

Effective governance sets direction and sustains accountability. Boards should:

Refresh composition and skills: Ensure financial, technology, compliance, and risk expertise are present. Provide ongoing education on emerging risks.

Use dashboards and KRIs: Establish concise reporting on financial health, control exceptions, audit findings, cyber posture, and compliance. Prioritize trend analysis and root causes.

Engage in strategic risk oversight: Tie risk appetite to mission priorities, and review contingency plans for funding volatility and operational disruptions.

Embed continuous monitoring and improvement

Monitoring converts controls from static checklists into a living system. Practical steps:

Define control owners and metrics: Assign responsibility and track performance indicators (e.g., close timeliness, reconciliation breaks, policy exceptions).

Conduct periodic self-assessments: Have process owners attest to control performance, with internal audit validating results.

Close the loop: Translate findings into corrective actions and verify effectiveness post-remediation.

Leverage technology thoughtfully

Unified platforms can streamline audit management, controls testing, policy workflows, risk registers, and board reporting. When evaluating tools, focus on:

Data integration and linkage: Reduce manual rework and version control issues by connecting source data to reports, disclosures, and dashboards.

Workflow and accountability: Enable automated approvals, task tracking, certification workflows, and issue management to strengthen compliance and transparency.

A Practical Roadmap for 2026

  • Reassess enterprise risks and refresh the control framework accordingly.
  • Prioritize liquidity, revenue recognition, segregation of duties, and procurement controls.
  • Fortify cybersecurity, business continuity, and system integration governance.
  • Tighten compliance with donor restrictions and grant requirements.
  • Enhance board oversight through skills, reporting, and risk engagement.
  • Institutionalize monitoring, issue management, and continuous improvement.
  • Adopt enabling technology to automate, link, and evidence controls.

NFPs that approach 2026 with a robust control environment, disciplined internal assurance, and targeted risk management will protect their missions, inspire stakeholder confidence, and operate with greater agility amid uncertainty.

Need help assessing risk, tightening internal controls, or improving audit readiness for 2026? Contact a CBIZ not-for-profit professional to talk through practical next steps.

© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.

“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.
