Nonprofit 411: Is Fraud Preventable? How to safeguard the nonprofit organization

By John Buckley, CPA, Partner at AAFCPAsjbuckley

When fraud prevention is raised in the public eye, it is often with a focus on for-profit companies.  Nonprofits, however, have just as great a need for transparency and security.  In fact, given the current challenging funding environment for nonprofits, the impact of fraud can be crippling in terms of lost revenue and donor confidence.

Public companies have stringent oversight and protections when it comes to fraud.  When Sarbanes-Oxley passed in 2002, whistle blower protections and audit committees were central pieces of an evolution that upped the ante on transparency.

While the same regulations don’t exist for nonprofits, organizations still have the opportunity to prevent or minimize fraud.  And federal oversight may at some point be approved: U.S. Sen. Sherrod Brown’s (D-OH) proposed Charter School Accountability Act brings to the table steps that would “strengthen charter school accountability and transparency, prevent fraud, and increase community involvement.”  The proposed Act may not span all nonprofits, but with 87 percent of charter schools structured as nonprofits, it would set a precedent for the education sector.

The stakes are high.  It can be very difficult to get back on track once fraud is committed, as noted by the Association of Certified Fraud Examiners. The Association found in a recent survey that “many organizations are never able to fully [recover the money stolen by perpetrators]. At the time of [the] survey, 58% of the victim organizations had not recovered any of their losses due to fraud, and only 14% had made a full recovery.”

Over the past 10 years, technology has evolved to provide a double-edged sword.  Greater levels of security can be achieved, but conveniences presented by software and online banking have opened up easier, faster ways to commit fraud.  Money can be stolen simply by avoiding bank personnel when cashing a check made to the company at an ATM or on a mobile device.  Automated processes run on spot checks, so perpetrators stand a reasonable chance of slipping through the system even if the checks aren’t signed over to them.

What can nonprofits do to limit their exposure? Ask three questions as they assess fraud prevention:

Where should organizations look for fraud?

Traditionally, fraud is perpetrated more when the economy is weak, as many instances are motivated by an individual’s financial challenges.  There are, however, outliers that are spurred to act simply by the opportunity and the thrill of “getting away with it.”

Unfortunately, anyone who has access to points within the cash cycle is a potential threat.  Typically the financial staff is involved, but there is risk wherever transactions are made. Cash can leave the organization through cash disbursement checks, payroll – or before it ever reaches the books.

With that in mind, organizations can set preventative techniques (internal controls) to block or prevent fraud, and “detective techniques” to quickly detect fraud after it has occurred.  Both are necessary to safeguard the organization, catch fraud early, and minimize the damage.

Are there different approaches to fraud prevention?

Every nonprofit board has a fiduciary obligation to uphold, and no organization is too large or too small for fraud.  In fact, the risk for smaller companies is often high, because lost revenue will have a greater immediate impact.

Of course, approaches may vary between nonprofits with one finance professional and those with large finance departments; however, regardless of resources, adequate segregation of duties and internal controls are necessary for safeguarding assets.  Smaller nonprofits, for example, may require that an executive or manager become involved in various touch points of the cash cycle of the business as a way to segregate certain key duties.  In larger organizations, it is important to continuously review the responsibilities of each person involved in the cash cycle to ensure proper checks and balances.

In addition, organizations both large and small should establish a fraud risk assessment plan and perform fraud risk assessment procedures annually in an effort to reduce the risk of theft, fraud, and embezzlement. For small organizations, an audit or finance committee may take the lead and assess one point of the cycle between each Board meeting.  Within one fiscal year, the Board will have a full picture of internal controls.

Large organizations have more employees involved in more transactional points, from customer representatives at the point of sale to administrators in charge of security and privacy (i.e., HIPPA for controls at healthcare organizations).  A broader risk assessment entails bringing employees from all levels of the organization together to conduct a more detailed review, and likely demands help from outside auditors.

Both small and large organizations should be appropriately insured.  Traditional umbrella policies incorporate an employee dishonesty clause, but have low coverage limits.  The risk assessment plan discussed above will help identify who has the access and ability to steal from the organization, and then they can purchase “fidelity bonds” on those specific individuals under a separate insurance policy.

When fraud is discovered, how should organizations respond?

Nonprofit organizations must take immediate action when fraud is uncovered.  In most cases, that begins with firing the person responsible, regardless of how much or how little was stolen. This sets the tone that fraud is not acceptable.

Perhaps more importantly, the incident should trigger an immediate re-assessment of controls to pinpoint changes that must be made to the processes. Top management and Board members should be actively involved in ongoing reassessments of fraud exposures.

In the end, fraud prevention often comes down to a simple cost/benefit analysis.  How many measures can the organization afford to put in place?  How many resources can be devoted to processes and controls that can deter employees from stealing?

However when the risk is contained, those who have the access and the motivation can often find a way.  Nonprofits should put measures in place that will limit opportunities and help get them back on their feet if fraud does occur.

AAFCPAs is an Affiliate Member of the Massachsuetts Nonprofit Network. To learn more about membership click here.