It can happen to your organization: Addressing nonprofit fraud risks

Jul 01, 2019

Relationships are built on trust, especially in the nonprofit space. Relationships between grantors and the organization, between associations and their membership, and between organizational leadership and the board of directors must be built on trust. Unfortunately, employees, agents and stakeholders of those organizations sometimes abuse that trust. As fraudsters become more brazen and more difficult to detect, organizations of all sizes and in all industries face varying degrees of occupational fraud risk.

Unfortunately, nonprofit organizations are often at a more acute risk, because of limited resources and a lack of experience identifying and addressing potential areas of concern. The good news, however, is that organizations have opportunities to implement more effective processes and controls to limit fraud risks.

Evaluating the threat

The 2018 Association of Certified Fraud Examiners (ACFE) Report to the Nations recently reported details from nearly 2,700 occupational fraud cases in all industries. The report captured a sample of 60 cases from religious, charitable or social services organizations (the ACFE’s categorization that would include nonprofit organizations). Key facts of this study include:

  • Nonprofit organizations experienced an average loss of $90,000    
  • While the majority (55 percent) of all occupational fraud cases cost companies less than $200,000 to remediate, one out of every five (22 percent) cases caused over $1 million in losses

While the ACFE report further indicated that nonprofit organizations on average experienced occupational fraud losses that were lower than those in many other industries, it should be noted that the resulting cumulative reputational and financial impact was not measured (highlighting an area in which additional research is necessary). What is clear is that nonprofit fraud can be even more significant to nonprofits’ delivery on their mission.

Speed of detection matters

While fraud prevention is the gold standard for all financial controls, it is clear that not all fraud can be prevented even with the best of controls (e.g., matters involving collusion). The ACFE report found that active fraud detection methods (as opposed to passive detection methods) can help to curb the duration of occupational fraud and the loss amount, thereby reducing the harm to the organization.

For example, ACFE research shows that fraud across all industries that was identified internally by an organization’s IT controls was discovered faster than average (five months) with an average loss of $39,000. Similarly, fraud that was uncovered with surveillance and monitoring cost organizations an average of $50,000 and was found in six months.

Conversely, occupational fraud schemes discovered by external sources or confessed by fraudsters themselves resulted in the most harm. Organizations notified of occupational fraud by law enforcement took two years to detect and created an average of $935,000 in losses. Occupational fraud schemes admitted by the fraudster also averaged 24 months to detect, with $186,000 in damages. In short, being proactive pays when discovering and addressing fraudulent activity.

Nonprofits are not immune to fraud

Ultimately, occupational fraud costs organizations billions of dollars, and while schemes at large, multinational companies tend to make front-page news, the crimes at nonprofit organizations, which rely increasingly on public trust, may be more harmful. Some major instances of occupational fraud within nonprofits in recent years include:

  • An administrative assistant embezzled $5.1 million from a health care nonprofit based in Washington, D.C., from 2005–2013¹
  • A communications executive stole more than $545,000 in a variety of ways from an equine trade organization also based in Washington from 2012–2018²
  • The executive director and bookkeeper of a California charity for special needs students stole more than $675,000 between 2013–2015³
  • An accountant embezzled more than $1 million from a nonprofit independent living facility in Michigan over several years⁴

The bottom line is that occupational fraud can happen at any organization. By implementing a framework of preventative and detective controls that can identify and mitigate fraud, a nonprofit organization can stop fraud before it occurs or more quickly identify issues before they curtail the progress of mission efforts.

Strategies to mitigate your organization’s fraud risks

A fraud risk assessment is one key mechanism to help understand the specific threats to your organization. This type of assessment, when properly tailored to the risks of your organization, evaluates residual fraud vulnerabilities after evaluating existing controls employed to mitigate those risks.

Further, when such an assessment is planned through a purposeful approach and executed effectively (e.g., facilitated by an experienced, unbiased third party and garnering explicit buy-in from leadership, executives and others involved in its implementation and response) organizations can expect further incremental measured value. When properly planned and executed, an assessment can provide the following:

  • Insight into specific risks across a broader risk landscape via the collection and evaluation of emerging publicly known threats as well as threats based upon your organization’s unique pressures and incentives
  • A ranking of the most pressing fraud risks to your organization
  • An assessment and evaluation of the current control environment
  • A detailed response road map for mitigating vulnerabilities with an unacceptable level of risk

Ultimately, a successful fraud risk assessment will enable employees to concentrate their efforts in the areas that are most susceptible to material fraudulent acts, based on the likelihood and potential significance of each fraud instance. In addition, an organization can focus on the adequacy of internal controls to manage the specific fraud risk. Finally, the assessment can facilitate developing an action plan for the nature, timing and extent of any new mechanisms required to help manage and mitigate fraud risk.

A fraud risk assessment can identify the most pressing issues facing your organization, department or division, based on the assessed risk and probability of occurrence of fraud. In an environment of limited resources and a focus on budget consciousness, a fraud risk assessment provides a defensible position for organizational effort regarding fraud risk.

Testing data for indicia of fraud

After a fraud risk assessment is completed, your organization should look for the “low-hanging fruit” to provide further insights into the efficacy and operation of internal controls related to fraud. By identifying elements of an action plan that can quickly utilize existing data and reports for fraud-related analysis, your organization can position itself to respond in a meaningful way to fraud risk in the short term.

Following such consideration, data analytics and aberrant pattern detection is a broad topic that can help your organization quickly cut to insights from your existing data to ferret out potential occupational fraud. By leveraging the concept of empirically measuring items outside expected patterns using existing data, you can gather multiple observations and analyze those observations to identify patterns and deviations from those patterns.  

Similar to a fraud risk assessment, a third-party consultant can implement specific tests and reporting to identify aberrations in normally performing financial results, transaction activity, employee expense reimbursements or other data to highlight potential fraud in several key areas across your organization.

For example, from a quantitative perspective, this strategy can evaluate monthly expense spending by employees over time, or the difference between budgeted versus actual performance of a segment of the organization. From a qualitative perspective, aberrant pattern detection can assess the regularity of an individual employee’s schedule or vacation days, as well as compliance with detailed policies and procedures required of individual employees.

Utilizing the data from such analyses, your organization can monitor potential process inefficiencies and the impact of past strategic decisions, as well as target any potential fraudulent behavior. For instance, if your organization discovers a pattern of employee expenses, transactions at an irregular vendor or a purchase that is larger than usual, these analyses will form the foundation from which a fraud investigation can be conducted.

Monitoring of business activity through the use of data provides your organization with the ability to investigate (e.g., collect source documentation and approvals for testing), or remediate (e.g., consider updating policies to lower related risks) as necessary.   


The common “pay-and-pray” model of chasing fraud after the fact is not worth it for nonprofit organizations. Instead, developing and implementing more proactive programs and policies to prevent and detect fraud while it is happening and before it grows can provide significant value to your organization. Identifying weaknesses in a fraud risk assessment and instituting an aberrant pattern detection program can reduce loss today and into the future.

1. “Prosecutors say Maryland woman embezzled $5.1 million from D.C. nonprofit group,” The Washington Post, accessed May 9, 2019.

2. “American Horse Council accuses former employee of stealing almost $600,000,” The Daily Racing Form, accessed May 9, 2019.

3. “Woman accused of defrauding Salinas schools, embezzling $675K from special needs nonprofit,” The Californian, accessed May 9, 2019.

4. “Man charged with embezzling $1 million from nonprofit bound to circuit court,” The Times Herald, accessed May 9, 2019.
