Safeguarding Against Fraud at a Not-for-Profit Organization
By Barbara Andrews, CPA, Senior Audit Manager, Kevin P. Martin & Associates, P.C.
Not everyone believes that fraud can happen at their organization. You know your employees and you have shared professional and personal milestones. However, the reality is that fraud does happen, and it could happen to your organization. A 2016 Global Fraud Study issued by the Association of Certified Fraud Examiners (ACFE) reported that the median loss for a Not-for-Profit organization was $100,000. For a small not-for-profit organization this is a huge hit to the bottom line and most likely a bigger hit to the organization’s reputation. The cost of fraud is much more than stolen money, a stolen identity or the misreporting of financial statement information. It can cost the organization future funding plus the time and effort expended by employees and the Board to repair the organization’s reputation.
An organization’s control environment is the first line of defense against fraud. When developing internal controls, an organization’s policies typically focus on the major transaction cycles and the areas of information technology/general computer controls, compliance and financial close/reporting. The size of an organization doesn’t matter. The effectiveness of the policies in place to mitigate identified risks is what matters.
An organization’s internal control policies and procedures should be written and made available to all employees. A whistleblower policy should be adopted and employees should be provided with clear instructions on how to report suspected fraudulent activity.
Don’t let the internal control policies collect dust! Just as an unsupervised employee has a higher risk of committing fraud, stale internal control procedures minimize an organization’s ability to detect and prevent fraudulent activity. It is essential that the policies and procedures be assessed for risk at a regular basis. The review requirement could be triggered by a change in environment such as a new program, key staffing change or compliance requirements. There should also be an annual review that focuses on the “what could go wrong” scenarios and the determination of whether the controls are adequate to safeguard against fraud.
Is your organization’s technology environment secure or is it vulnerable to a breach? The internal control environment should also consider and address cybersecurity risks. A cyberattack can impact the organization, its employees and the clients that are being served. Identity theft is a legitimate threat that should be assessed and addressed. The Commonwealth of Massachusetts has adopted privacy laws to protect personal information and an organization’s control environment should incorporate the provisions of the privacy laws. A regularly scheduled risk assessment by a qualified IT professional may help to reduce the organization’s exposure to risk in this area.
In summary, as a safeguard against fraud, an organization should design, implement, communicate and monitor its internal control system to determine that the system is functioning as designed. An organization’s internal control system should be thought of as a living breathing document. To be effective, it needs to change with an organization, whether it be due to a change in key personnel, billing system or a merger. The Board should monitor the organization’s internal control procedures and assessments. To assist with its monitoring function, an organization may want to engage a third party to perform a fraud prevention assessment. This assessment includes an assessment of the entity’s information technology/general computer program controls and is designed to highlight possible weaknesses in the internal control structure.