Nonprofit Access Controls and Managing Risks

Who Has Access to Your Nonprofit’s Financial Systems? Why Access Reviews Matter

Someone needs temporary access. A new system gets added. A role changes. A person leaves. No one goes back to clean it up. Before long, the organization has too many people with too much access, and not enough visibility into who can do what. 

That creates risk. 

For nonprofits, this matters more than many leaders realize. Finance systems often touch sensitive information, cash movement, payroll, government accounts, and donor or vendor records. If access is not reviewed regularly, weak controls can develop without anyone noticing. 

The question is simple: 

Do you know who has access to what in your organization right now? 

Access tends to grow without a plan 

In many organizations, access is granted one request at a time. 

Someone needs to process a payment while another team member is away. Someone gets admin rights to help with setup. A finance consultant is added during a transition. A board member is given access for a short-term need. Then months go by, and no one revisits it. 

Over time, access starts to reflect history instead of current responsibilities. 

That is where problems begin. 

The issue is not just whether people are trustworthy. The issue is whether access still matches their role. 

Good internal controls are not built on trust alone. They are built on clear roles, limited access, and regular review. 

The areas every organization should review 

When we talk about access, we are not just talking about one system. 

A proper review should look across the full finance and admin setup. 

CRA access 

This is a big one. 

Who has access to your CRA business account? Who is listed as an authorized representative? Who can view filings, payroll accounts, tax information, or correspondence? 

In some organizations, people are added to CRA access and then forgotten. A former ED, outside bookkeeper, or past finance lead may still be connected long after their role has ended. 

That should be reviewed. 

Online banking access 

Banking access should never be assumed. It should be checked. 

Who can: 

• view account balances 

• download statements 

• set up new payees 

• initiate payments 

• approve payments 

• change banking details 

These are not all the same level of access, and they should not be treated the same way. 

One of the biggest risks in any organization is when too much banking access sits with too many people, or when no one is clear on who can actually move money. 

Payment platform access 

This includes the systems used to pay bills, process reimbursements, issue e-transfers, or manage expense tools. 

Ask yourself: 

• who can enter a payment 

• who can approve a payment 

• who can release a payment 

• who can change vendor details 

• who can update banking information 

• who can access payment history 

If the same person can do everything from start to finish, that is worth looking at. 

Accounting system access 

Not everyone needs full admin access to the accounting system. 

Some people may only need reporting access. Some may need to post transactions. Some may need access to vendor records. Very few should have broad rights to change settings, edit key data, or control all users. 

A lot of organizations give people more access than they need simply because it is easier at the time. That convenience can create problems later. 

Payroll access 

Payroll access should also be reviewed carefully. 

Who can: 

• process payroll 

• add or remove employees 

• change salary or wage information 

• access remittance records 

• see confidential employee data 

• update direct deposit information 

Payroll touches both money and privacy. Access here should be tightly controlled. 

Why this matters 

When access is not reviewed, the risk is not always obvious right away. 

But over time, weak access controls can lead to: 

• higher fraud risk 

• mistakes that are harder to trace 

• privacy issues 

• unclear accountability 

• poor segregation of duties 

• former staff or contractors keeping access they should not have 

• unnecessary exposure in key systems 

Even without misconduct, broad or outdated access makes it harder to manage errors, protect information, and maintain confidence in the process. 

And in many cases, the bigger issue is not that someone did something wrong. 

It is that no one realized they still could. 

Common signs there may be a problem 

A lot of organizations already know something feels off. They just have not stopped to review it properly. 

These are some of the common signs: 

• no one has a current list of who has access to each system 

• access is granted informally and not documented 

• people share logins 

• there is no standard offboarding checklist 

• staff have changed roles, but their access has not changed 

• former employees, consultants, or vendors may still have access 

• admin rights have been handed out too broadly 

• no one reviews access on a regular schedule 

• the organization relies on memory instead of documentation 

If any of that sounds familiar, it is probably time for a closer look. 

Access should change when roles change 

One of the most overlooked parts of access control is that it is not just about people leaving. 

It is also about people changing roles. 

Someone who once needed payment approval rights may no longer need them. Someone who helped during a busy transition period may still have accounting access that should have been removed. Someone who stepped in temporarily for payroll may still be sitting in the system with more permissions than necessary. 

Access should not be permanent just because it was once appropriate. 

It should reflect what the person needs now. 

What a simple access review can look like 

This does not need to be complicated to be useful. 

Start with a list of your key systems, including: 

• CRA 

• online banking 

• payment platforms 

• accounting software 

• payroll systems 

• expense tools 

• credit card platforms 

• donor or merchant accounts if they affect financial activity 

Then for each system, list: 

• who has access 

• what level of access they have 

• why they need it 

• who approves that access 

• whether it still makes sense today 

From there, you can identify: 

• access that should be removed 

• access that should be reduced 

• systems where admin rights are too broad 

• places where no one is clearly accountable 

• gaps in your offboarding process 

A review like this can be simple, but it can still uncover important issues. 

This should be part of your regular process 

Access reviews should not happen only after a problem. 

They should be part of normal operations. 

At a minimum, organizations should review access: 

• when someone leaves 

• when someone changes roles 

• when a contractor engagement ends 

• when a new system is added 

• at least once a year as part of a broader controls review 

This is also something boards and leadership teams should care about. It is not just an admin detail. It is part of protecting the organization’s money, information, and processes.