Nonprofit Corporate Card Policy: What to Include and What to Skip

A nonprofit corporate card policy doesn’t need to be 20 pages long. In fact, the longer it is, the less likely it is to be followed.

What an audit-ready policy actually requires is a tight set of rules covering who can use cards, what they can spend, what documentation they must provide, and what happens when they don’t.

Charity Charge works with thousands of nonprofits on card programs and expense management. The policies that hold up under audit aren’t the comprehensive ones. They’re the clear ones.

Quick Summary

• A nonprofit card policy needs six core sections: eligibility, spending limits, approved and prohibited uses, documentation requirements, reconciliation procedures, and enforcement.
• IRS Publication 4221-PC requires original receipts or charge slips for all card transactions, plus documentation of business purpose.
• The policy should be one to three pages max. If it requires a table of contents, it’s too long.
• Every cardholder must sign an acknowledgment before receiving a card.
• The Executive Director’s card activity should be reviewed by the board treasurer or a designated board member, not the ED themselves.

My Nonprofit Corporate Card Policy is Failing. Why?

Most card policies fail for one of three reasons: they’re never communicated to cardholders, they’re written for a compliance box rather than actual use, or they’re so long that nobody reads them.

A policy that lives in a shared drive and gets referenced once at onboarding isn’t a control. It’s a liability. When something goes wrong, an auditor will ask whether staff were trained on it, whether they signed it, and whether it was consistently enforced. If the answer to any of those is no, the policy itself becomes evidence of weak internal controls.

The goal is a policy short enough to read in under five minutes and specific enough to answer the questions staff actually have.

The Six Sections Every Nonprofit Card Policy Needs

1. Eligibility: Who Gets a Card

Define which roles qualify for a card and what the approval process looks like. You don’t need to list every possible scenario. You need a clear default rule.

A reasonable starting point: cards are issued to full-time staff who regularly incur approved business expenses, require written supervisor approval, and must be returned upon separation from the organization.

If your organization uses virtual cards for specific vendors or projects, note that here as well. Virtual cards issued for a single vendor or budget line have a different risk profile than a physical card in someone’s wallet.

2. Spending Limits

Set a per-transaction limit and a monthly limit. These can vary by role, but they should be explicit.

For example:

• Program staff: $500 per transaction, $1,500 per month
• Directors: $1,000 per transaction, $3,500 per month
• Executive Director: $2,500 per transaction, subject to board treasurer review

Any purchase exceeding the limit requires pre-approval in writing from a supervisor before the purchase is made, not after. This single rule prevents most of the awkward situations that come up at audit.

The card platform should enforce these limits technically, not just through policy. If the system can’t block an over-limit transaction, the policy language alone won’t protect you.

3. Approved and Prohibited Uses

List what the card is for. Then list what it’s not for.

Common approved uses:

• Travel and lodging for mission-related activities
• Program supplies and materials
• Online subscriptions and software licenses
• Meals with a documented business purpose (names of attendees and meeting purpose required by IRS standards)

Common prohibited uses:

• Personal expenses of any kind
• Cash advances
• Alcohol (unless explicitly approved for a specific fundraising event with board authorization)
• Gifts for staff unless within a board-approved gift policy
• Any purchase that benefits a private individual rather than the organization’s mission

The prohibited use list doesn’t need to cover every edge case. It needs to cover the categories most likely to cause problems. A footnote stating that unlisted uses require pre-approval handles the rest.

4. Documentation Requirements

Every card transaction requires a receipt. This is not optional, and it’s not a matter of dollar thresholds.

Per IRS Publication 4221-PC, supporting documents for credit card transactions must include the original charge slip or receipt and must show the amount paid and the business purpose of the purchase. For meal expenses, the IRS specifically requires documentation of who attended and the business reason for the meal.

Your policy should specify:

• Receipts must be submitted within five business days of the transaction (or by the end of the statement period at the latest)
• Receipts must be itemized, not just a total
• Missing receipts require a written explanation and supervisor signature
• Repeated missing receipts are treated as a policy violation

If your card platform supports automatic receipt capture via email forwarding or mobile upload, include the instructions in the policy or in a separate one-page guide that’s distributed with the card.

5. Reconciliation Procedures

Define who reconciles transactions, at what frequency, and who approves the reconciliation.

A clean reconciliation workflow looks like this:

1. Cardholder submits receipts and coding within five days of transaction
2. Finance staff reconciles transactions to the card statement at month-end
3. Cardholder’s supervisor reviews and signs off on the reconciled statement
4. Finance director reviews the full card program at close

One critical segregation of duties rule: the person who uses the card should not be the person who approves the reconciliation. If your organization is small and the same person handles both, a board member or external reviewer needs to fill the oversight gap.

For the Executive Director specifically, the board treasurer should review and sign off on card activity monthly. This is a governance requirement, not just a best practice. IRS guidance and most audit standards expect independent oversight of the highest-ranking staff member’s financial activity.

6. Enforcement

A policy without consequences is unenforceable. State clearly what happens when the policy is violated.

A straightforward tiered structure works:

• First violation with minor documentation gap: written warning, additional training required
• Repeated violations or missing receipts: card suspended pending review
• Unauthorized personal use: card revoked, employee responsible for repayment, HR action up to termination
• Suspected fraud: immediate card cancellation, referral to appropriate oversight body

State in the policy that personal charges on an organizational card, even if accidental and promptly repaid, must be documented in writing. This protects the employee as much as it protects the organization.

What You Can Leave Out

A lot of nonprofit card policies include sections that create bureaucratic weight without reducing risk. Here’s what to cut.

Detailed vendor lists. Policies that attempt to pre-approve specific vendors quickly become outdated and create confusion. Define categories instead.

Per diem rate schedules. If your organization follows federal per diem rates (GSA rates are updated annually), reference them by link rather than embedding them in the policy. Embedded rate tables require a policy update every year.

IT and software procurement procedures. If you have a technology committee or separate IT approval process, reference that process in the policy rather than duplicating it. Two policies covering the same purchase creates inconsistency.

Lengthy preambles about the organization’s values. The policy is a procedural document. The values statement belongs in the employee handbook.

How to Roll Out the Policy Effectively

Writing the policy is the easy part. Adoption is harder.

Every cardholder should receive the policy before they receive the card, sign a one-page acknowledgment form, and receive a brief walkthrough of the documentation and reconciliation requirements. The acknowledgment form should be kept in personnel files, not just emailed.

Update the policy at minimum annually, or whenever the card platform, spending limits, or organizational structure changes. Each update requires a new signature from cardholders.

New staff who join with cardholder responsibilities should be onboarded on the policy and sign before the card is activated, even if the policy hasn’t changed recently.

Connecting Your Card Policy to Your Accounting System

A card policy that operates in isolation from your accounting system creates reconciliation problems. The policy should align directly with how transactions are coded in QuickBooks, Sage Intacct, or whatever platform you use.

This means the spending categories in your policy should map to your chart of accounts, your reconciliation deadlines should align with your monthly close schedule, and your fund accounting requirements (restricted vs. unrestricted) should be documented at the transaction level.

Charity Charge integrates directly with QuickBooks Online and other accounting platforms, so transactions are coded and synced automatically. The policy supports the system; the system enforces the policy.

FAQs