How to Set Up Grant Spending Controls and Approvals

TLDR

Grant spending controls are not the same as a purchasing policy. They are a specific framework that governs expenditures against restricted funds - who can authorize what, how budget categories are maintained, what requires funder prior approval, and how the transaction trail is documented. Under 2 CFR 200.303, federal grantees are required to maintain effective internal controls over federal awards. The controls must be written, operational, and demonstrable.

Purchasing Policy vs. Grant Spending Controls: The Distinction

Most nonprofits have a purchasing policy in the employee handbook or financial policies manual. It defines approval thresholds - who can approve purchases under $500, who handles larger purchases, when competitive bidding is required.

Grant spending controls build on that foundation but serve a different purpose. A purchasing policy governs organizational spending. Grant spending controls govern expenditures against specific restricted funds, within specific approved budgets, subject to specific funder requirements.

The two documents need to be consistent. They serve different audiences in different contexts. Your purchasing policy is reviewed by your auditor as part of the general financial statement audit. Your grant spending controls are reviewed by your single auditor and any program-specific auditors as part of their assessment of your internal control over federal awards.

Organizations that point to their purchasing policy when asked about grant spending controls are describing a gap, not a system.

The Authorization Framework

Grant spending authority needs to be defined at three levels.

Routine grant expenditures within approved categories. These are transactions that fall within an established budget line, do not require funder prior approval, and are within the authorized spending period. Program managers and senior program staff are typically authorized to initiate these. A threshold applies - amounts above the threshold require finance or executive review.

Non-routine expenditures. Transactions outside normal budget categories, above threshold amounts, or involving a cost type that triggers funder prior-approval requirements. These require finance director or executive director review before the expenditure is made. The review is documented - not a verbal okay.

Funder prior-approval items. Any expenditure that requires written approval from the awarding agency before it can be incurred. Examples under 2 CFR 200.407 include equipment purchases, changes in key personnel, subcontracting arrangements, and budget modifications above rebudgeting thresholds. The internal authorization is necessary but not sufficient - funder approval must be obtained first.

Building Segregation for Small Teams

The segregation of duties standard in 2 CFR 200.303 is adapted from government internal control guidance - designed for entities larger than most nonprofits. The principle remains valid: distributing key functions across different individuals reduces the risk of undetected error or fraud.

For grant spending, the functions to separate are:

  • Transaction initiation (deciding to spend money and submitting the request)
  • Transaction authorization (approving the expenditure)
  • Transaction recording (entering it in the accounting system)
  • Transaction reconciliation (confirming the record matches the bank)

In a mid-sized nonprofit with a development director, a finance manager, and an executive director, full segregation is often achievable with some planning. In a smaller organization where the same person must perform multiple functions, compensating controls substitute - typically a second-level review that provides independent scrutiny.

The compensating control must be documented and actually performed. A policy that says “the executive director reviews all transactions” but is not actually carried out is not a compensating control. It is an aspiration.

What the Written Documentation Looks Like

When auditors ask for your internal controls documentation for grants, the document they want covers:

The authorization matrix - who can approve what, at what levels, for which grants.

The segregation of duties structure - which functions are separated, and for any functional overlaps, what compensating controls are in place.

The process for obtaining funder prior approvals - how the organization determines whether funder approval is required, how it is requested, and how it is documented.

The budget monitoring process - how often budget-to-actual comparisons are run, who reviews them, and what the escalation process is when a category approaches its limit.

The reconciliation process - how often grant accounts are reconciled against the general ledger, who performs the reconciliation, and who reviews it.

The exception handling process - what happens when a control is not followed, who is notified, and how the exception is documented.

Testing Your Own Controls

The most valuable audit preparation activity is running your own controls test before the auditors arrive. Pull a sample of recent grant expenditures - 10 to 15 transactions across different grants and budget categories. For each one, verify:

Was there a documented approval before the expenditure was made? Not a retroactive confirmation - a prior authorization.

Did the approval come from the person authorized under the authorization matrix for that expenditure type and amount?

Was the transaction charged to the correct grant and the correct budget category?

Is there adequate supporting documentation attached to the transaction?

If any transaction fails these checks, that is a finding preview. Fix the documentation if it can be fixed. Update the controls if the process failed. Document the corrective action.

The auditor who arrives after you have done this work finds a stronger controls environment and a team that can explain it.

DEFINITION

Segregation of duties
An internal control principle that distributes key functions across different individuals to reduce the risk of error or fraud. For grant spending: the requesting, approving, and payment functions should be performed by different people.

DEFINITION

Authorization matrix
A written document that specifies who in the organization can authorize expenditures, at what dollar amounts, for which cost categories, and under which grants.

DEFINITION

Compensating control
An internal control that reduces the risk of an identified weakness when the primary control (such as full segregation of duties) cannot be implemented. Must be documented and demonstrably effective.

Q&A

What do auditors examine when reviewing grant internal controls?

Auditors look for three things: written documentation of the controls, evidence that the controls are actually operating (transaction-level testing), and whether exceptions to the controls were detected and addressed. A well-written controls document with no evidence of operation fails on the second test. Evidence of operation with no written controls fails on the first.

Q&A

What is the most common internal controls finding for nonprofits?

Inadequate segregation of duties is the most frequently cited internal control weakness in nonprofit single audits. The second most common is lack of documented authorization - expenditures processed without a documented approval preceding the transaction.

Frequently Asked Questions

What does 2 CFR 200.303 require for internal controls?

2 CFR 200.303 requires non-federal entities to establish and maintain effective internal control over federal awards that provides reasonable assurance the entity is managing federal awards in compliance with federal statutes, regulations, and grant terms. The controls should be consistent with COSO or Green Book guidance for internal controls in the federal environment.

What is the difference between a purchasing policy and grant spending controls?

A purchasing policy governs how the organization buys things generally - approval thresholds, vendor selection methods, procurement documentation. Grant spending controls are a specific overlay that governs expenditures charged to restricted grants: which budget categories are available, what requires funder prior approval, how restricted fund balances are monitored, and how the audit trail is maintained.

How do you document compensating controls when segregation of duties isn't fully possible?

Document the limitation explicitly - for example, 'Due to staff size, the same person initiates and processes payment for transactions under $500. The compensating control is a monthly reconciliation reviewed and signed by the Executive Director.' Auditors accept genuine compensating controls; they do not accept undocumented workarounds.

How often should internal controls be reviewed?

Annually at minimum - as part of the fiscal year-end closing process. Also review when: a key staff member in a control role leaves the organization, a new significant federal award is received with different compliance requirements, or a monitoring finding or audit result identifies a control weakness.
