By the time the audit request list lands in your inbox, most of the work has already been done. Or not done.
Such is the situation in many Church Extension Funds. Daily interest is being accrued. ACH files are moving. Investor statements need to tie out. Loan balances need to reconcile to the general ledger. Meanwhile, key data may still live in spreadsheets, a legacy servicing platform, and someone's carefully maintained workbook that only one person fully understands.
When that's the environment, an internal controls assessment can feel like an annual disruption. It shouldn't. For a CEF, it's one of the clearest ways to protect investor trust, borrower confidence, board oversight, and the ministry itself. Good controls don't exist to slow down ministry. They exist so ministry can keep going when staff changes, transaction volume rises, or questions come from auditors, regulators, or the board.
The Foundation of Trust A Guide to Internal Controls Assessment
Most CEF leaders don't need a lecture on why controls matter. You've already seen the weak points. A reconciliation gets delayed because one person was out sick. A loan fee gets posted to the wrong account and nobody notices until month-end. An investor note renewal is processed correctly, but the supporting approval trail is thin enough to make an auditor uneasy.
Those issues are rarely about bad intent. They're usually about fragmented systems, small teams, and years of practical workarounds. In ministry finance, workarounds have a way of becoming standard process.
Why formal assessment matters even when no one forces it
A strong control environment is often associated with public companies, but the underlying lesson applies well beyond that world. An extensive study found that publicly traded entities, which operate under stricter requirements such as Sarbanes-Oxley, score significantly higher on internal control effectiveness, reinforcing the value of formal assessment discipline even where it isn't legally mandated in the same way (study on internal control effectiveness).
That should get the attention of any CEF board or finance committee. Your fund may not be a public registrant, but you still steward funds entrusted by church members, congregations, and institutional partners. The expectation is the same. Assets should be protected. Reporting should be reliable. Errors should be detected early. Responsibilities should be clear.
Practical rule: If a control can't be explained simply to the board, it probably isn't documented clearly enough to defend in an audit.
The point of an internal controls assessment isn't to mimic a large corporate SOX program. It's to build a repeatable, defensible process that fits a ministry lender. That includes financial controls, operational discipline, and selected technology controls. If your team is revisiting broader governance questions, CEF leaders often benefit from reviewing practical thinking on governance, risk, and compliance services alongside the financial review itself.
Stewardship includes information lifecycle discipline
CEFs also tend to overlook controls outside the monthly close. Retired servers, decommissioned laptops, old external drives, and archived printed files can create quiet control failures if they still contain borrower, investor, or financial data. That's one reason I recommend finance leaders understand related frameworks such as internal controls for IT asset disposition. It broadens the discussion from accounting controls alone to stewardship of information across its full lifecycle.
An effective internal controls assessment starts when leadership decides this is a trust-building process, not just an audit-season exercise. Once that mindset is in place, scoping becomes much easier, because you stop trying to test everything and start focusing on what could harm the fund.
Defining Your Scope and Identifying Key Risks
The first mistake I see is scoping the assessment around departments. The better approach is to scope around financial cycles and the points where misstatement, loss, or noncompliance could occur.
For a CEF, that usually means starting with a short list:
- Investor note activity including issuance, renewals, redemptions, interest accrual, statement generation, and tax reporting
- Loan operations including origination, boarding, payment processing, accruals, fees, escrow activity, and payoff calculations
- Cash activity covering receipts, disbursements, wire or ACH approvals, and bank reconciliations
- Financial reporting including general ledger posting, subledger tie-outs, close entries, and board reporting
- Regulatory and tax reporting including state securities-related reporting and IRS reporting such as 1099 preparation
This visual can help frame the prioritization discussion with your team and board.

Use a simple likelihood and impact model
You don't need a complicated enterprise risk platform to scope well. A practical matrix works:
| Risk area | Likelihood | Impact | Why it matters in a CEF |
|---|---|---|---|
| Interest accrual and income recognition | High | High | It affects earnings, investor reporting, and loan accounting |
| Cash disbursements | Medium to High | High | Errors or unauthorized payments create immediate exposure |
| Investor renewals and redemptions | Medium | High | Misstatements damage trust quickly |
| Manual journal entries | Medium | Medium to High | They can bypass normal process controls |
| Regulatory filings | Low to Medium | High | A missed or inaccurate filing can trigger board and regulator concern |
This kind of scoring helps smaller teams defend their priorities. If two people can't test every process this quarter, they should test what could materially distort balances, delay reporting, or undermine confidence.
Pay special attention to revenue-related processes
Industry analysis shows that revenue recognition processes and related internal accounting controls are the focus of the majority of SEC enforcement actions, which is a useful warning sign for any finance leader reviewing accrual-based activity (GAO audit guidance reference). In a CEF, the closest parallel is usually loan interest accrual and fee recognition.
That means questions like these belong near the top of your scope:
- Are accrual rules documented and approved?
- Does the system calculate interest consistently with loan terms?
- Are nonstandard fees reviewed before posting?
- Can staff identify and investigate exceptions quickly?
- Do subledgers reconcile cleanly to the general ledger?
If your highest-volume financial process depends on spreadsheet formulas and one reviewer's memory, it belongs in scope.
Scope by failure point, not by tradition
Many funds inherit old audit binders and retest what was tested last year. That's comfortable, but it's not always wise. Scope should change when transaction types change, when a key employee leaves, when a new state filing requirement appears, or when a workaround becomes permanent.
The discipline here is simple. Pick the cycles where a breakdown would hurt the fund most. Then document why those cycles are in scope. Auditors and boards respond well to a process that is selective for a reason, not selective by convenience.
Building Your Control Inventory and Mapping to Risks
Once the risks are clear, the next question is direct. What control addresses each one?
Many CEFs find they have more tribal knowledge than documented control design. People know what they usually do. Fewer can show exactly which approval, reconciliation, report review, or system restriction reduces a specific risk.
Start with preventive and detective controls
A useful control inventory doesn't need to be elegant. It needs to be complete enough that someone outside your department can follow it.
A short mapping table often works well:
| Risk | Control type | Example control | Evidence to retain |
|---|---|---|---|
| Unauthorized cash disbursement | Preventive | Dual approval before release | Approval log or workflow record |
| Misstated investor interest | Detective | Monthly reconciliation of accrued interest to note subledger | Reconciliation with reviewer signoff |
| Incorrect loan setup | Preventive | Independent review of key loan terms before boarding | Setup checklist and approval |
| Missed exception in daily activity | Detective | Daily exception report reviewed by supervisor | Dated report with follow-up notes |
The inventory should identify who performs the control, how often it runs, what evidence exists, and which risk it addresses. If any one of those is missing, testing will be difficult later.
The CEF reality when segregation of duties isn't fully possible
In larger organizations, the clean answer is segregation of duties. One person initiates, another approves, a third reconciles. In many CEFs, that isn't realistic. A team may have one treasury specialist, one controller, and a CFO who is also helping with board materials, banking, and lender relations.
That doesn't mean the control environment is weak by definition. It means the fund must build and document compensating controls carefully.
The right question isn't whether your structure looks like a large bank. It's whether a reasonable person can see how the fund detects errors and misuse despite staffing limits.
Authoritative guidance recognizes that when full segregation of duties isn't feasible, smaller organizations often rely on detective compensating controls such as detailed management review. That same guidance also warns that manual reviews can fail, while automation can offer more reliable and measurable risk reduction (guidance on internal control weaknesses and compensating controls).
What compensating controls actually look like
Compensating controls need to be specific. “Management reviews activity” isn't strong enough. Better examples include:
- Daily cash review: CFO reviews prior-day cash movements, unusual ACH items, and wire support.
- Monthly subledger tie-out: Controller reconciles loans, investor notes, and escrow balances to the general ledger and documents reconciling items.
- Exception-based approval: Any manual rate override, backdated transaction, or off-cycle redemption requires documented secondary review.
- Access review: Finance leadership reviews role assignments periodically so people have only the permissions they need. Practical guidance on role-based access control best practices is especially relevant when one system handles loans, notes, GL, and cash.
What doesn't work is a vague signoff with no evidence of what was checked. An auditor can't place much reliance on initials alone. A board shouldn't either.
For smaller ministry finance teams, the strongest position is honesty and precision. You may not have textbook segregation of duties. You can still show a disciplined control environment if your detective reviews are defined, timely, evidenced, and tied to known risks.
How to Test Your Internal Controls Effectively
Testing is where the assessment moves from policy to proof. A control can sound sensible on paper and still fail in practice. That's why every meaningful review should separate design effectiveness from operating effectiveness.

Test design first
Design testing asks a straightforward question. If the control operates as described, would it prevent or detect the problem?
Examples:
- A dual-approval disbursement control is well designed only if the second approver is independent enough to challenge the payment.
- A monthly reconciliation control is well designed only if it includes investigation of differences, not just matching ending balances.
- A system access control is well designed only if permissions align to job roles and there's a process for removing access when duties change.
Design testing usually relies on walkthroughs, inquiry, and inspection of one or two examples. You're verifying that the control makes sense before spending time on broader sample testing.
Then test whether it really operated
Operating effectiveness is about consistency. Did the control happen throughout the period?
Use a mix of procedures:
Inquiry
Ask the person performing the control to describe it in real terms, not policy language.Observation
Watch the process if it still exists in current workflow, especially around cash movement or setup approvals.Inspection
Review reconciliations, approval records, exception reports, checklists, or system logs.Reperformance
Independently redo part of the control, such as recalculating accrued interest for selected items or verifying that an approval threshold was applied correctly.
A practical audit trail matters here. If evidence is scattered across email, shared drives, and printed folders, testing takes far longer and confidence falls. That's why finance teams often tighten process documentation and review audit trail best practices before the annual cycle begins.
Good testing doesn't ask, “Did someone sign this?” It asks, “What did that person verify, and can I see it?”
Use sampling that matches control frequency
You don't need to guess at sample sizes. Authoritative guidance recommends a minimum sample of 25 to 40 transactions for high-frequency controls such as daily processes, while quarterly controls often require only 2 to 5 samples to support a reasonable assessment approach (internal control testing guidance and sample sizes).
That guidance is especially helpful in CEF settings:
- Daily controls: cash exception review, daily interest accrual validation, ACH approval workflow
- Monthly controls: bank reconciliations, subledger tie-outs, investor interest review
- Quarterly controls: formal board-level review of reserve or policy compliance items
A simple way to organize testing is below:
| Control frequency | Typical CEF example | Testing approach |
|---|---|---|
| Daily or more frequent | ACH release review | Inspect a defined sample across the period |
| Monthly | Bank reconciliation | Review selected months and inspect evidence of follow-up |
| Quarterly | Formal compliance certification | Test a smaller set of instances for completion and support |
Testing becomes manageable when the method is documented upfront. It also becomes easier to explain to your auditor why you selected what you selected.
From Findings to Fixes Developing Your Remediation Plan
A controls assessment doesn't create value when it produces a binder. It creates value when it changes behavior, documentation, or system configuration.
The first discipline is naming the problem correctly. Some findings are design deficiencies. The control itself is poorly constructed. Others are operating deficiencies. The control is fine in theory, but staff didn't perform it consistently or retain evidence.
This visual is a useful reminder of what a complete remediation process should include.

Build the remediation log like a working tool
The best remediation logs are brief and operational. Every line should answer five questions:
- What was found
- Why it matters
- What needs to change
- Who owns the fix
- When it will be complete
For example:
| Finding | Risk | Recommendation | Owner | Due date |
|---|---|---|---|---|
| Bank reconciliation prepared and approved by same person | Errors or irregularities may go undetected | Add CFO review and documented signoff with reconciling item follow-up | Controller | End of next close cycle |
| Manual fee postings lack secondary review | Fee income may be misstated | Require second review for nonstandard fees before posting | Finance Manager | Next month |
| Investor address changes documented inconsistently | Statement and tax reporting errors | Standardize change workflow and retain approval evidence | Investor Services Lead | Within current quarter |
Fix root causes, not symptoms
A recurring issue in ministry finance is backlog. When reconciliations are behind, tax reporting support is incomplete, or investor files need cleanup, the right short-term action may involve extra accounting help before the control can stabilize. In those situations, a service like catchup bookkeeping services can help leadership restore current books and then rebuild controls on top of clean records.
A late reconciliation is not only a timing issue. It's a control failure until the process is current, reviewed, and sustainable.
Board reporting should also improve once findings are translated into action. Don't report vague updates such as “staff is addressing control matters.” Report what was deficient, what was changed, what remains open, and what evidence shows the fix is working.
Beyond the Annual Audit The Move to Continuous Monitoring
Annual testing still has value. It just isn't enough for high-frequency financial activity.
That's the practical weakness in many legacy CEF environments. Loan systems process daily activity. Investor balances change. Cash moves in and out. Interest accrues every day. Yet the control review may still happen through periodic walkthroughs, sampled spreadsheets, and month-end detective work performed after the exposure already existed.

The continuous monitoring gap is real
Guidance on internal controls often treats assessment as a periodic event, but that approach breaks down for high-frequency transactions. Legacy systems without real-time audit trails create a continuous monitoring gap, leaving organizations exposed between formal test periods (discussion of the continuous monitoring gap).
That gap shows up in familiar ways:
- Delayed anomaly detection: unusual postings or overrides aren't spotted until close
- Weak evidence chains: approvals exist in email, but not in a system record tied to the transaction
- Manual exception hunting: staff export data to spreadsheets to find what should have been surfaced automatically
- Control fatigue: reviewers sign off because volume is too high to inspect meaningfully by hand
What modern monitoring changes
Continuous monitoring doesn't mean every control becomes fully automated. It means the fund moves from occasional verification to ongoing visibility.
In practical terms, better environments usually include:
| Capability | Why it matters |
|---|---|
| Immutable audit trails | Show who changed what and when |
| Maker-checker workflows | Enforce approval before completion on sensitive actions |
| Exception dashboards | Surface unusual items quickly instead of waiting for month-end |
| Integrated subledgers and GL | Reduce reconciliation breaks caused by disconnected systems |
For CEFs evaluating tools, purpose-built platforms can make a real difference without turning the article into a software pitch. For example, CEFCore is one option that centralizes loans, investor notes, general ledger, cash activity, approvals, and audit trails in a single environment, which directly supports stronger control execution and review for ministry lenders.
What works and what usually fails
Here's the trade-off plainly.
A periodic model can still work when transaction volume is modest, staff documentation is disciplined, and reconciliations stay current. It usually fails when the fund depends on spreadsheet transfers, duplicated keying, and after-the-fact review of large daily volumes.
The question for leadership isn't whether technology replaces judgment. It doesn't. The question is whether your current environment gives capable people enough visibility to exercise that judgment well.
For most CEFs, the best path is gradual:
- Standardize the highest-risk controls first.
- Require evidence that is easy to retrieve.
- Tighten permissions and approval paths.
- Automate recurring reviews where volume makes manual testing weak.
- Move from annual scramble to routine oversight.
That's what maturity looks like in internal controls assessment. Not perfection. Not a corporate imitation. A disciplined process that fits the mission, the staff structure, and the responsibility of holding other people's money with care.
If your fund is trying to replace spreadsheet-driven reviews with stronger approvals, audit trails, and integrated financial workflows, CEFCore is worth evaluating. It was built for Church Extension Funds, so the conversation starts with loan servicing, investor notes, cash controls, and reporting realities that ministry lenders already know well.