Reducing fraud in nonprofits
Fraud activity is a regrettable part of business and nonprofits are not exempt from its challenges.
According to the Association of Certified Fraud Examiners' (ACFE) 2014 Report to the Nations on Occupational Fraud and Abuse, 11 percent of the 1,483 fraud cases examined were committed against nonprofit organizations. While private companies experienced the most fraud–nearly 40 percent–the median loss for nonprofits was a substantial $108,000.
As organizations that often operate with limited resources, nonprofits may feel the adverse effects of fraud more keenly than many for-profit companies. So what can nonprofits do to mitigate the risk of fraud?
The causes of fraud
First, it helps to know why fraud happens at nonprofits. Three factors usually contribute to fraud:
- Internal or external incentive or pressure
- Rationalization that the behavior is justified
- Opportunity or ability to undertake the act
There also is a strong cultural atmosphere of trust in nonprofits that makes them particularly susceptible to fraud. Employees and the volunteers who work for these organizations are usually there for the right reasons. But sometimes circumstances, such as a sudden illness, a child's needs, excessive debt or gambling issues, can create financial pressure. Fraudulent activity can be a way to obtain money to meet their financial obligations.
The most common type of fraud at nonprofits is embezzlement, when a person having rightful control of real or personal property makes unlawful use of it without the owner's consent. The least common is financial statement fraud. So, we are going to focus on embezzlement, which can take a number of forms:
Skimming involves removing cash from an entity prior to its entry into an accounting system. Money is stolen before it is recorded, so there is no direct audit trail. Cash and checks collected at fundraisers and membership events, for example, can be taken right after collection.
Cash larceny is the intentional taking of an employer's cash or checks without consent or against the will of the employer. If someone has access to deposits, for example, they may take cash or checks and deposit them in a personal account instead of the company's account. Alternatively, multiple bank accounts can be set up to divert funds, or to cut a check from one account to another. At the most rudimentary level, cash or checks received for member or user access fees could be removed from a cash register or drawer.
Examples of payroll and billing fraud abound: Perpetrators will replicate an organization's payroll checks and cash them. Others will submit–and be paid for–bogus expense reports through a nonprofit to which they are affiliated.
The importance of cash management internal controls
The best way to confront skimming or cash larceny – and any form of fraud – is to prevent it from happening in the first place and, to this end, internal controls are the chief tools used. Generally, this is a process designed to provide reasonable assurance that an environment will not readily enable fraud. Controls promote efficient operations, ensure reliable financial reporting, and help maintain compliance with laws and regulations.
In the case of skimming, which is the toughest fraud to prevent, controls include procedures dictating a separation of duties between those who receive payments and those who can post ledger entries. In addition, public transparency procedures, such as letting donors know to expect thank you letters and receipts for their contributions, will discourage those who want to take any funds “off the top.” Using multipart, numbered receipts, accepting only checks and credit cards, or making use of a cash register to record transactions are other best practices.
To prevent cash larceny, there are a number of basic controls nonprofits can put in place, including:
- Daily cash reconciliations
- Accountability for cash drawer balances (and consequences if there are continued overages or shortages)
- Assignment rotation and mandatory vacations
- Surprise cash counts
As mentioned above, segregation of duties is another important fraud control. By having several people responsible for different parts of a process, it can be much more difficult for someone to embezzle funds. One person may handle custody (the physical ability to possess assets); another may have authorization (of transactions); and a third may handle recording (tracking payments and entering them in a general ledger).
The benefits of segregation of duties can be overcome through collusion–when more than one party commits fraud together–but this approach makes complicity much more difficult to achieve. In nonprofits, where lean staffing may make it difficult to segregate duties, oversight by someone not directly involved in an activity may be needed instead.
Seeking objective assistance
One of the best ways to prevent fraud from the outset is to have the right controls and processes in place. Specialists from outside the organization knowledgeable in nonprofit fraud prevention can provide advice on the design of controls and review those that are already in place. In addition, they can share leading practices in internal controls from their experience with other nonprofits. This approach can provide an impartial assessment of an organization's fraud risk.
If fraud has already been committed and detected, outside consultants can suggest ways to reduce future risk. They also can lead forensic investigations to determine the fraud's extent, how it was perpetrated and can often find evidence that can be used in prosecution.
Life after fraud
While only 14 percent of organizations recovered all of their losses in the ACFE's report cited above–and a sobering 58 percent recovered nothing–there is still quite a lot to be hopeful about. By educating all employees and volunteers about the potential for fraud and having simple but effective controls in place, nonprofits can feel more confident that the mission they are committed to is the one that they can continue to pursue.
For more information, please contact Jennifer Pauli, director of risk advisory services, at 815.231.7425.