How to Secure Your Grantmaking Processes with Effective Internal Controls

Your grantmaking system is one of your organization’s most valuable assets. It contains a history of past grant requests, payment method information, and personal stories. Your grantees hand over their information fully trusting your team to review materials, make a decision, and protect their information.

You also have a promise to keep to your stakeholders that you will fund appropriate organizations that reflect your funding organization’s mission.    

That trust hinges on internal controls to manage and secure your grantmaking system. Here are strategies and best practices you can use to properly maintain grantee information and carry out your organization’s mission, all while remaining compliant with local, federal, and organizational regulations and standards.    

Understand How You Get Grantee Information

Knowing how information gets into your system is the first step in establishing strong internal controls. When you identify where it comes in, you can put controls in place to make sure the data is correct and secured.

It may arrive in your system through manual data entry. This can cause issues because there are fewer gatekeepers for manual entry. For example, an organization that doesn’t meet your funding criteria may send a completed application to a staff member who immediately adds it to the system. If that individual is not properly trained in verifying eligibility, they might enter a request that falls outside your guidelines.

It also may come in via an online application portal. Because it is a timesaver and more accessible to grantees, applying via an online portal is probably the more popular method. The applicant will be responsible for locating and completing the application independently, so make sure that it is accessible and that the instructions are clear.

Consider the space where applicants are finding your application on your website. Is it obvious what the applicant is applying for and what they need to do next? If it’s difficult to tell, take some time to add a few paragraphs of context describing your funding organization’s mission and the types of applicants it will consider. Explain all criteria, such as location parameters or budget size. Being upfront and clear about your qualifications can cut down on applications that don’t meet them, saving time for both the organizations applying and your review team.

You can also set up more checkpoints to be confident in the data your system is receiving. Build an eligibility quiz or multi-stage applications to serve as a filtering process. The eligibility quiz asks the applicant a few criteria questions, such as their location or the demographics of the people they serve, to determine if it makes sense for them to proceed into the application. Quizzes and other filtering tools can be a good way to ensure you are not wasting applicants’ time if they won’t be a good fit, and to limit the applications you review to only the organizations that meet those qualifications. You can also use conditional logic, so you only collect the information you need based on the program or grant they are applying for.

Enforce Due Diligence Cross Checks

Another way to ensure a prospective grantee aligns with your team’s values is to cross-check potential funding recipients against international watch lists. This is an essential due diligence step to make sure you are not funding a group or individual that has been flagged by a government agency for potentially illicit activities. In addition to costing you the trust of your stakeholders and generating bad PR, funding organizations on those lists can lead to losing your tax-exempt status. Hopefully, you will never encounter this issue, but you need a clear procedure for how to proceed if a grantee or organization is a potential match.

Check to see if your grantmaking system gives you the ability to directly search these watch lists. For example, Blackbaud Grantmaking’s tool enables users to see if any contacts or organizations are potential matches with entities listed on a watch list. Users can even perform a batch search to look for a group of individuals all at once.

However, even if your software does not give you access to watch lists, many of them are publicly available. Below is a list of several freely accessible watch list tools:

  • Bank of England sanction list   
  • Bureau of Industry and Security   
  • Canadian list   
  • European Union list   
  • Excluded parties list system   
  • FBI most wanted   
  • HHS office of the inspector general exclusion list   
  • International criminal police organization   
  • Office of foreign assets control   
  • Politically exposed persons – foreign official   
  • Terrorist exclusion list   
  • United Nations sanctions list   
  • World Bank ineligible firms   

Verify Application Completeness

There is a saying about the importance of good data entry: garbage in equals garbage out. In other words, if the data going into the system is bad, then that will negatively impact every task you need to complete using that data.

If your applicants are not filling out critical information about their requests, how can your team make informed decisions? Tracking data points like the purpose of the request, project scope, and objectives is especially crucial to ensuring that each project is within your team’s eligibility guidelines and aligns with your values. And once you’ve approved a request for funding, having all the grantee’s tax and financial information makes the payment process go quickly and smoothly.

One easy way to ensure that your grantee and request profiles contain all necessary data is to make fields required in the backend of your grantmaking system. Sit down with your colleagues and make a list of fields essential to meeting your team’s reporting and analysis needs. The list should include basic details like contact information and addresses. It could also include more detailed information that would be relevant to compliance, like a grantee’s tax statuses or tax ID numbers.

Many grantmaking systems enable users to customize their own categories and fields. Examples could include “Program Area,” “Number of Employees,” “Populations Served,” or even more detailed data entry about tax information. Any fields essential to segmenting and grouping your request and grantee records should definitely be required.  

Assign the Appropriate Staff Access

Take proper steps to ensure your staff has appropriate rights for viewing, adding, editing, or deleting data. Those who need to make changes should have rights to do so, and those who only need to see information entered by organizations should have view-only rights.

Evaluate a user’s daily routine to decide what security controls should be in place. If a user is no longer working with your organization, be sure to properly inactivate their user access. Also, don’t be shy about limiting which users on your staff can perform which data entry. Giving too many individuals the power to make that choice could result in confusion and sloppy data entry.

Often, an applicant needs to share additional documentation to supplement their request for funding. This could include images, a list of employee salaries or organization chart, board member list and contact information, and personal stories of individuals impacted by the nonprofit.

The most secure method of receiving that documentation is having the applicant attach it via the online application portal. Once it is uploaded to your system, make sure only the right users have access to sensitive documents. In Blackbaud Grantmaking, for example, there is a checkbox to make documents “shareable” or not with outside reviewers examining requests. If it’s necessary to save a physical copy of documentation, create a secure location for storage, not just your downloads folder.

Create Role-Based Dashboards for Simplified Reviews

Once it’s review time, eliminate the risk of mismanaging data by giving decision makers a central hub to manage their assignments. Admins can build role-based dashboards for users. For example, if a grant manager logs in to review their assigned requests, they are all in one spot. No need to search the system for each individual request.

Use queries and lists to group records that meet the desired criteria and have them easily available in a dashboard. From there, grant managers can navigate to their assigned grants, view information, make notes, upload attachments, and manage their grants from the application to decision phase. This strategy ensures that the process is efficient and only relevant information is included in the dashboard display.   

Make Internal Controls an Ongoing Priority

Good security is not a “set it and forget it” task. Once you have considered these internal control suggestions, schedule a routine internal audit. This should be an ongoing responsibility in which your team is evaluating and reevaluating which methods are effective in keeping your system secure and up to date. Communicate results to staff, board members, and supporters to maintain trust of your organization’s stakeholders. Establishing and following these internal controls will empower your organization to safely store data, maintain compliance, and only fund organizations that align with your values.   
