Nonprofit organizations provide needed services to the public while operating under a charitable mission and yet are still at risk for fraud from employees. This risk can be more extensive with nonprofit organizations than with other companies because of limited staffing and the necessity of having employees who perform multiple roles.
The Association of Certified Fraud Examiners (ACFE) prepared a report on occupational fraud and abuse of 2,410 cases of occupational fraud that occurred in 114 countries in calendar year 2016. The results illustrate clearly that nonprofit organizations are not exempt from the risks of fraud. For religious, charitable and social service organizations, the top schemes were related to corruption, billing, expense reimbursement, and check tampering. The median loss from the fraud was $82,000, and the report noted that 60% of fraud victims did not recover any of their losses. For the cases in the United States, the fraud was mainly detected from a tip (from employee or outside party), with detection from management review representing only 14% of the cases. Detection by external audit represented approximately 5% of the cases.
A starting point for a nonprofit to protect itself is to understand the fraud triangle. The fraud triangle explains that the occurrence of fraud relies on three components: 1) financial pressure, 2) opportunity, and 3) rationalization. Financial pressure and rationalization by an employee are generally not controllable by an organization. The best tactic to prevent fraud is reduce the opportunity, which lies in establishing effective internal controls.
Internal controls are the processes in place, including policies and procedures, designed for reliability of information, compliance, effectiveness, and efficiency in operations. The goal is to reduce risk of mismanagement, error or fraud; improve quality of information; protect the organization from risk of loss; and provide consistent practices for personnel to follow.
Some examples of common fraud and the controls an organization can implement to reduce risk of fraud related to them are as follows:
Expense Reimbursement Schemes
Fraud related to expense reimbursement may occur when: 1) an expense is mischaracterized (not actually a business-related expense); 2) expenses are inflated through modification of receipts or over-purchasing of a product, followed by a request of a cash refund from the vendor, without submitting the refund to the company; 3) the expense is wholly fictitious; multiple reimbursements are submitted for the same expense. Fraud can also occur by the employee submitting the expense reimbursement or the employee processing the reimbursement requests.
Preventative and detective controls can help prevent this type of fraud. Examples would include:
- Employees submit detailed expense reports containing receipts, explanations, amounts, etc. A limit on reimbursable expenses is documented (i.e. hotel costs $200/night; meals $40/person; etc.).
- Expenses requests are reviewed and approved by a supervisor with the knowledge to understand whether the expenses are necessary and reasonable.
- The funds are distributed by a separate person from the reviewer/processor to segregate duties and reduce the risk that funds are manipulated in the system.
Check Tampering Schemes
Check tampering can occur when an employee steals company funds by intercepting, forging, or altering a check drawn on one of the organization’s bank accounts. Forgery of checks can occur if checks do not include security features ((high-resolution microprinting, security inks, watermarks, etc.) or from signed or voided checks that are manipulated and then processed by the bank. Fraud can also occur through paying a fictitious vendor or a vendor with a very similar name to a common vendor.
Preventative and detective controls include:
- Limiting access to the checks (and a signature stamp) to those employees with check preparation duties and establishing rules of custody for checks that have been prepared but not signed, and those that are signed but not yet mailed.
- Establishing controls to monitor check sequence, investigate duplicate check numbers, and reconcile bank statements.
- Separating duties of the check preparation, check-signing, and bank reconciliation. Investigate vendor and customer complaints regarding missing payments or receipts.
- Establishing a process for adding new vendors to the system for payments including review by a separate party, and restrict authority to make changes to vendors, vendor records, or the payee on checks; review a list of new vendors or changes to vendors.
- Establishing positive pay controls by supplying the banks with a daily list of checks issued and authorized for payment and identify those who are the authorized positive pay approvals (ensure there is segregation between the individual who approves and the individual who submits the daily list of checks). Consider using electronic payments where possible to limit the number of paper checks issued.
As noted in the ACFE’s report, most fraud is uncovered by an employee tip. As such, establishing a whistle blower policy or hotline and a zero tolerance policy by management and the board is an essential internal control that can address all types of fraud schemes.
While it is difficult to combat corruption and affect the rationalization or financial need of an employee, effective internal controls can reduce the opportunity for fraud as well as provide a set of checks and balances that provide the organization and management with confidence that transactions are recorded properly.
If you have questions or would like more information on internal controls, please contact Kelly Buck at firstname.lastname@example.org or 844.4WINDES.