According to the most recent fraud study conducted by the Association of Certified Fraud Examiners (ACFE), nonprofits account for 9% of all frauds and reported a median loss of $75,000 (ACFE 2018 RTTN) along with an even greater potential cost for reputational damage. It may be surprising, but the external audit is only likely to detect fraud 4% of the time. The top detection methods include tips (40%); internal audit (15%); management review (13%); accident (7%); account reconciliation (5%); and document examination (4%). With the lack of board and management involvement in finance for nonprofits, it seems like we are relying too heavily on tips and accidents to detect fraud.
6 FRAUD RISKS SPECIFIC TO NON-PROFITS
We’ve all heard the myths when it comes to fraud in not-for-profit organizations: “It can’t happen here. All of our volunteers and staff members are honest and committed to our mission, and besides they’ve been with us for years. If someone was stealing from us, we would have found it by now.” But the fact is that not-for-profits account for 10.1% of all frauds (ACFE 2016 RTTN) and face specific risks that make them particularly susceptible.
1. Inadequate resources for financial oversight
Of the roughly 1 million public charities in the United States, about three-quarters have annual expenses of less than $500,000. Small not-for-profits often lack the resources for strong internal controls such as segregation of duties.
2. Excessive control in one person
Especially in small not-for-profits, the founder or executive director may be responsible for almost everything – from writing checks to approving vendors. This lack of segregation of duties creates a seedbed for fraudulent behavior. Tenure and level of authority also positively correlate with the magnitude of the fraud. Executives commit frauds with a median loss almost 10 times those caused by employees, and employees with more than 10 years of tenure are responsible for median losses 2½ times those caused by employees with less than five years of experience, according to ACFE’s 2016 Report to the Nations.
3. All-volunteer boards with little or no financial oversight
The risk of too much control concentrated in the hands of the executive director indicates a need for objective oversight from a financially literate board of directors. To meet their fiduciary duty of care, all board members need to understand how to read financial statements and be alert to warning signs of errors, fraud, or abuse. However, unlike many for-profit corporations and larger not-for-profits, smaller NFPs tend not to recruit board members with experience running organizations and overseeing financial responsibilities.
4. Volunteers privy to confidential information
In addition to the board members, volunteers perform many financial functions in not-for-profits, including collecting donations, rental fees, and other payments. In many cases, these volunteers have not been vetted thoroughly, opening the door to a potential fraudster.
5. Nonreciprocal transactions
A donor typically does not receive anything of value in exchange for the contribution except for a letter acknowledging the transaction. In many cases, that contribution is in cash. Both of these facts make it all too easy to divert those funds.
6. Susceptible to negative publicity
In the 2016 ACFE study, more than 40% of fraud cases were not reported to the police, and the most commonly cited reason was fear of negative publicity. For many not-for-profits, negative publicity and the subsequent hit to donations could sink the organization. That knowledge exerts pressure on many executive directors to keep the fraud quiet, and the very fact that so many of these cases go unreported is an incentive to fraudsters. Because there is no record of their malfeasance, subsequent employers are none the wiser. Of the repeat offenders who perpetrated major embezzlements in the last five years, about one in six stole from not-for-profits or religious organizations.
REDUCING THE RISK OF FRAUD: IDENTIFY THE TYPES OF FRAUD
Due to these unique risks, if your not-for-profit organization hasn’t already suffered an instance of fraud, then there is a decent chance that you will discover one soon. And, if so, it likely has been going on for months or even years.
But you can change the ending of this story. According to the ACFE, 29.3% of fraud cases are due to a complete lack of internal controls. Choose your own adventure by instilling a strong anti-fraud culture and a set of controls that are targeted to your organization’s unique risks.
Start by identifying the types of fraud that could be perpetrated by your employees, board members, or volunteers. Some of the typical types of fraud experienced by not-for-profits include:
• Billing fraud, including credit card abuse, charging personal items to the organization, creating fictitious vendors, billing for personal items, or marking up goods or services excessively. Frequency: 40% of all fraud cases, according to ACFE.
• Skimming, in which funds are diverted before they are ever recorded on the books. This fraud is most likely to happen when the funds are in the form of cash. Frequency: 17% of fraud cases.
• Expense reimbursement fraud, in which an employee claims reimbursement for fictitious or inflated business expenses, including mischaracterized expenses, fictitious expenses, and multiple reimbursements. Frequency: 29%.
• Check tampering, a scheme in which an employee intercepts, forges or alters a check. Frequency: 19% of fraud cases.
• Payroll manipulation, which includes fraudulent timekeeping, fictitious employees, and continued payment of terminated employees. Frequency: 22%.
• Corruption, in which an employee abuses his or her influence in a business transaction including bribery, kickbacks, illegal gratuities, economic extortion, and collusion. This situation includes board members or executives with conflicts of interest, as well as bribing. Frequency: 34% of fraud cases.
FRAUD RISK ASSESSMENT: KEY QUESTIONS TO DETERMINE YOUR RISK
Armed with an understanding of potential types of fraud and the demographics of fraud perpetrators, executive directors and board members should ask and answer some key questions that can illuminate gaps in internal controls. This process is also known as a fraud risk assessment.
The overall question a nonprofit should be asking is:
What are the business processes and controls around functions where money is coming in and going out of the organization?
Specific questions include:
• What is the tone at the top with respect to ethical behavior?
• How often is management reviewing financial transactions?
• Do we have a written conflict of interest policy? Are officers, directors, and key employees required to annually disclose interests that could give rise to conflicts?
• Do we have a written whistleblower policy?
• Do we have a written accounting policy handbook that identifies each significant accounting position and describes job responsibilities?
• Does the accounting policy describe processes and internal controls related to each major transaction cycle? Does it spell out who should have corporate credit cards and who can write and sign checks?
• Do we regularly monitor and enforce compliance with each of the above policies?
IMPLEMENT CONTROLS FOR FRAUD PREVENTION, FRAUD DETECTION, AND FRAUD CORRECTION TO MITIGATE RISKS
With an understanding of areas where fraud is likely to occur, any organization can mitigate those risks by implementing simple internal controls that fall into the three primary areas of prevention, detection, and correction.
The first line of defense includes measures that prevent perpetrators from committing an act of fraud.
• Segregation and/or rotation of financial duties. The person who initiates a transaction shouldn’t approve that transaction, and the person who approves the transaction should be different from the person who records it.
• Credit card policies. Credit card accounts are akin to cash and should only be assigned to employees who have a clear need to use them, such as purchasing managers. Bookkeepers, with no need to make purchases, should not have credit cards. When individual cards are required, consider credit purchase contracts for employees outlining utilization responsibilities and rules, and restrict accounts with spending limits and merchant accounting codes.
• Dual signatories. Requiring two signatures on checks above a certain amount (both of which are from individuals who did not write the check) reduces the likelihood of check fraud.
• Access controls, such as strong passwords for accounting systems, restrict access and also increase traceability of actions.
• Background checks. In addition to prospective and current employees, also scrutinize vendors and volunteers who are involved with financial transactions.
Due to their limited resources, many small organizations can’t afford to implement robust preventive controls. Ongoing oversight through detective controls can provide the safety net such organizations need. These controls include:
• Hotline policy. This control is consistently the most common method of initial detection among frauds reported to ACFE. As shown in our symphony example, more than 47% of frauds reported in the 2016 ACFE report were detected initially through a tip from a whistleblower.
• Internal audits of financial statements (comparing actual to budget and investigating any variances), as well as credit card charges, expense reports, payroll records, and petty cash. Internal audits were the second most common method of initial detection (18.4%), according to ACFE.
• Management review of bank statements, credit card statements, canceled checks, and invoices. Management review was the third most common method of initial detection (12.1%).
• External audits of financial statements, as well as of internal controls over financial reporting. These audits may not be cost-effective for many smaller organizations. While an external financial statements audit was the most common anti-fraud control reported by ACFE respondents, only 1.8% of frauds were detected by an external audit. The reason is that financial statement audits are not designed to detect misappropriation of assets, although auditors do assess fraud risks and the procedures set up to mitigate these risks.
Sometimes the best defense is a good offense. If would-be fraudsters know that they will be prosecuted to the full extent of the law, then they will likely think twice about targeting your organization. An effective fraud policy should include the following components:
• Internal investigation. A forensic accounting investigation may be necessary to quantify the loss, determine how it was perpetrated, and track the money. This analysis may be necessary to support a prosecution or insurance claim(s).
• Interviews. In addition to interviewing the suspect, other employees, board members, and volunteers may need to be interviewed.
• External investigation. Pursuing prosecution creates a permanent record that can be discovered by other organizations where the perpetrator may seek employment or volunteer positions in the future.
Be sure to seek legal counsel in establishing any policies, as well as in executing those policies in the case of an actual fraud.
PUTTING POLICY INTO ACTION
We’ve outlined a number of policies that you can use to rewrite your organization’s story.
Here is an action plan that an organization of any size can use to put these policies into action:
1. Set the right tone. In addition to creating written conflict-of-interest, whistleblower, code of conduct and accounting policies, distribute hard copies of those policies at least annually. Most importantly, talk about the importance of ethical behavior and the consequences of not living up to the organization’s code of conduct and other policies. Put policies in writing and have all employees sign documents saying they understand and will follow the rules. You should discourage a “win at all costs” attitude so the employees and volunteers aren’t encouraged to bend rules, falsify records, or commit fraud in order to meet expectations.
2. Know your team and hire the right people. Unfortunately, perpetrators of fraud often go on to commit schemes at other organizations, disproportionately at nonprofit and religious organizations. Conduct background checks of all prospective employees and volunteers who will be handling financial transactions to put job applicants on notice that the organization values integrity. Also conduct periodic background checks of current employees and volunteers. A great deal can be learned from a candidate’s references, work history, credentials, pre-employment drug testing, and criminal background checks.
3. Recruit at least one financially savvy board member who is capable of overseeing your organization’s fraud risk. Educate that person regarding risks specific to your organization.
4. Train board members, employees, and volunteers to be aware of and watch for signs of fraud. Pay attention to rumors of changes in an employee’s behavior or lifestyle. Red flags include living beyond one’s means, gambling problems and other evidence of financial difficulties, an unusually close relationship with a vendor, and control issues. You need to educate employees and volunteers to know what to look for to identify fraud and how to report it and provide training as needed.
5. Become involved in the financials, with a focus on anomalies. Frauds discovered by management review and other proactive controls showed the greatest percent reduction in median fraud losses.
6. Create an easy and comfortable method for reporting suspicions. Keep in mind that, while employees are the primary source of tips about fraudulent activity, tips may also come from outside sources – such as vendors, customers, competitors, and anonymous sources. Create a mechanism, such as an anonymous hotline, that is accessible by any of these sources. Cost and fear of notoriety keep some organizations from exposing fraud and taking legal action, but lax attitudes make it easier for the next person to commit fraud without the fear of reprisal.
7. Perform a fraud assessment. Consider a review of your fraud risks every three years, or more frequently if your organization does not perform regular internal audits. You need to make sure you have internal controls in place that are preventive and detective for fraud. Mandatory vacations and job rotation make it difficult for an employee to continue to conceal a crime. You need to have appropriate personnel policies and procedures and make sure policies are applied fairly and equally. An employee assistance program can help prevent fraud by providing professional help with personal problems such as alcoholism, drug abuse, marital problems, or gambling.
If you’re looking for help identifying fraud risks and implementing cost-effective internal controls to mitigate those risks, contact us for our free assessment about your current situation and how we can help. But most importantly, don’t wait until a fraudster strikes your organization. We can help you ask the right questions and determine the red flags for fraud. Please contact us to discuss our certified fraud examination services for fraud prevention and forensic accounting which are available as a CFO service.