BoardAndFraud

A Violation of Trust: Fraud Risk in Nonprofit or Not-for Profit Organizations

Trust word written on wooden block. Building trust business concept.

The risk of fraud is a serious concern for all types of enterprises, but fraud can be particularly damaging to a nonprofit organization, for which a damaged reputation can have devastating consequences.

The Costs of Fraud in Nonprofit Organizations

According to the 2020 global fraud study by the Association of Certified Fraud Examiners (ACFE), the typical organization loses an estimated five (5) percent of its annual revenue to fraud. The ACFE reported that public and private companies had a median loss of $150,000; however, nonprofit organizations had the smallest median loss of $75,000, with an average loss of $639,000. For some a $75,000 this may be insignificant, but for many nonprofits, financial resources are extremely limited and a loss of $75,000 can be particularly devastating.

When an Owner/Executive of a nonprofit was involved in the fraud the median loss was 250,000!

Beyond the immediate financial loss, however, an even greater potential cost of fraud to nonprofit organizations is the reputational damage that can occur. Because most nonprofits depend on support from donors, grantors, or other public sources, their reputations are among their most valued assets. In addition, fraud in nonprofit settings often garners unrelenting negative media attention.

Vulnerability to Fraud

Nonprofits can be particularly attractive targets for fraudsters. Executives who are passionate about their agencies and their missions are naturally trusting of others who share their interest- or who pretend to. Moreover, board members and executives who are dedicated and talented in their particular fields may not be well versed in financial issues and internal controls.

In addition, nonprofits of all sizes may have only limited resources available to address internal controls. This makes them vulnerable to an employee who could recognize this lack of controls and use it as an opportunity to override controls, if they even exist, to commit fraud.

As the Center for Audit Quality has noted, “fraud cannot occur unless an opportunity is present. Opportunity has two aspects: the inherent susceptibility of the [organization’s] accounting to manipulation, and the conditions within the [organization] that may allow a fraud to occur.” In addition, the opportunity for fraud is also affected by an organization’s culture, a factor that is often overlooked.

The very nature of some nonprofits also makes them tempting targets. Many nonprofits distribute grants, scholarships, awards, or other types of financial aid to outside agencies or individual recipients. This opens yet another door for potential abuse or misappropriation and requires even more oversight to make sure funds are not being misappropriated. In addition, nonprofits tend to have large amounts of cash and checks coming in from various sources, making them vulnerable to skimming (when an employee accepts payment from an outside party but does not record the sale and instead pockets the money) or cash larceny (when an employee steals cash and checks from daily receipts before they are deposited in the bank).

Struggling agencies also frequently experience relatively high staff turnover, making training and adequate segregation of duties more difficult. Finally, many nonprofits depend heavily on volunteers and other community members, which can further complicate efforts to establish or maintain internal controls. It is important to remember that internal controls provide only reasonable—not absolute—assurance that the objectives of an organization will be met. As a result, no organization, even one with the strongest internal controls, is immune to fraud.

How Fraud Occurs and Why

While nonprofit organizations present particular temptations to fraudsters, the actual fraud schemes they might face are common to all types of organizations. Fraud schemes in nonprofits can include check fraud, embezzlement, ghost employees, expense fraud, misappropriation of funds for personal use, fictitious vendor schemes, kickbacks from unscrupulous vendors, and outright theft of cash or assets—to name a few.

One area in which nonprofit organizations seem particularly vulnerable is billing schemes, in which an employee fraudulently submits invoices to obtain payments he or she is not entitled to receive. According to the most recent ACFE survey, billing schemes were among the most common fraud methods in the cases studied for the 2012 report.

Billing schemes often involve the creation of a shell company. In such a fraud, a dishonest employee sets up a fake identity that bills for good or services the organization does not receive. In some instances, goods or services may be delivered but are marked up excessively, with the proceeds diverted to the employee.

Other scams include pay-and-return schemes that cause overpayments to legitimate vendors. When an overpayment is returned, it is embezzled by the employee. Another favorite is simply ordering personal merchandise that is inappropriately charged to the organization.

Common incidents and warning signals or red flags of potential billing fraud include but are not limited to:

These warnings or red flags can be organized into four general categories (below) and can help in the design of internal controls and monitoring procedures –

Data

Documents

Lack of Controls

Behavior

It is also worth noting that fraud is not about obstruction; rather, it is about deception, deflection, and persuasion. When fraudsters or white-collar criminals are profiled, they often are found to be anxious, secretive, moody, hot-tempered, friendly, outgoing, and passionate. They often are good salespeople and will say what people want to hear in order to build rapport and gain trust. Moreover, often there are other warning signs or red flags hidden in plain sight…such as living beyond one’s means, having financial difficulties, maintaining an unusually close association with vendors, or exhibiting excessive control issues, which generally will not be identified by traditional internal controls. It is important to maintain a healthy level of skepticism and always remember that trust is a professional hazard; if you do not verify information, you could become a victim.

Some Common Frauds Schemes*

Implementing Controls

As with all risk issues, the ultimate responsibility for identifying gaps and developing fraud controls rests with management. To meet this responsibility, management should avoid complacency and not assume that if fraud occurs “the auditors will catch it.” Although having an annual audit is a good anti-fraud control, by the time an audit uncovers a fraud scheme, it is usually too late to prevent the financial and reputational damage that will follow.

Most board members and executives of nonprofits do not think as fraudsters do, which is a good thing. Unfortunately, this can make it difficult for them to develop controls that help reduce their organizations’ exposure to fraud risk. A critical step in the process of developing an effective fraud risk management program is assessing the board’s own skills and capabilities and deciding where professional help is most needed. The board is ultimately responsible for oversight of the organization’s risk management efforts, which senior management is then charged with carrying out.

Anti-Fraud Principles

Here are some important principles to keep in mind as you work to refine the anti-fraud control policies at your organization:

Suspect Fraud, Now What?

When the organizational suspects that fraud is occurring within their organization, they have a number of options. They can choose to do nothing, either to avoid the bad publicity or in the hope that the problem will disappear on its own, they can attempt to handle the issue internally, or they can engage outside investigators and/or forensic accountants to probe the issue more deeply.

The wisest course of action is the last one – to engage a team of forensic experts. These teams consist of a range of professionals such as lawyers and experienced fraud & forensic investigators. These experienced professionals can help identify how the loss occurred, identify “leakage” or others areas not originally thought to be an issue, preserve any available evidence, quantify the loss, control the flow of information and, in many cases, help stem the loss. The forensic team will then be able to aid the board of directors or governing body in enhancing their governance framework and fraud risk management program to help protect and preserve the organization.

Other Possible Issues

Improperly using organizational funds for personal benefit could challenge your tax exempt or 501(c)(3) status. In addition, depending on the circumstances it could trigger a violation under the False Claims Act** (Lincoln Law – 31 U.S.C. §§ 3729 – 3733.).

The above should be discussed with a competent attorney.

A Combination of Deterrence and Detection

It’s important to respond quickly to fraud, avoiding the situation in the first place is the best plan of all. Although it is unrealistic to expect to completely eliminate the risk of fraud, the governing body and executives in a nonprofit organization can take effective steps to minimize the risk.

By establishing an environment in which ethical behavior is expected, closing gaps in internal controls, and developing a proactive fraud identification and response program, nonprofits can hopefully reduce the financial and reputational risks associated with fraud.

Lastly, larger organizations should strongly consider emulating Sarbanes-Oxley or SOx best practices. For example: Require the principal executive and financial officer of the nonprofit organization certify the annual financial statements and Form 990 are complete and accurate, and the organization has maintained adequate internal controls.

Closing

I welcome your thoughts and comments and please realize many of this can be applied to a for profit organization.

Best!

Jonathan T. Marks, CPA, CFE

 

*Not a complete list.

**The Justice Department reported its 2018 fraud statistics showing $2.8 billion in recoveries under the False Claims Act.  While this number is staggering, fiscal year 2018 recoveries were down from than $500 million from fiscal year 2017.  Nonetheless, companies in the healthcare, defense and financial industries continue to face significant False Claims Act risks.

Attribution
ACFE
Baker Tilly
Adapted from an article I wrote at my prior firm, Crowe
Section 302 of the Sarbanes-Oxley Act of 2002
Mike Volkov