How to Reduce Fraud Risk for Not-for-Profits

While the not-for-profit (NFP) sector exists to help others, unfortunately, it is not immune to fraud. Some NFPs overlook the importance of prevention and detection until they experience a fraud loss. With the threat of both internal and external fraud, that can be a critical mistake.

According to the Association of Certified Fraud Examiners 2020 study, when fraud happens, NFPs experience a median loss of $75,000. For organizations that often rely on donations and the generosity of others for their survival, a loss of this magnitude could be difficult to recover from. If nothing else, it could make it more difficult for the organization to raise funds in the future.

While NFPs must do what they can to combat fraud, they must be careful to not adopt internal controls that alienate their employees and volunteers. They must learn to strike a balance between combating fraud and deploying processes that are an unsustainable administrative burden.

Nonetheless, when an NFP lacks a fraud prevention plan, the organization's exposure can grow exponentially. In turn, fraudsters can exploit weaknesses in the control environment at a date and time of their choosing. Furthermore, depending on the degree of sophistication of the NFP's internal controls, fraudsters—particularly those with access to the company's financial records—can take steps to hide their malfeasance.

Acknowledging the Possibility for Internal and External Fraud

To fight fraud, decision-makers at NFPs must first acknowledge that it is a possibility within their organization. While the sector typically attracts employees and volunteers committed to helping those in need, unfortunately, that doesn't make them immune to crossing a line into impropriety.

For example, in January 2020, a federal grand jury indicted the former national president of Project Linus, a not-for-profit organization that provides handmade blankets for children in need for allegedly stealing $400,000. Carol Babbit allegedly used the organization's funds to pay credit card charges for personal expenses. She also used her access to the organization's financial records to disguise her personal expenditures.

While this is just one example of fraud at an NFP, it's one of many that provides clear and compelling evidence of what can happen when an individual in a position of trust succumbs to temptation and takes steps to personally enrich themselves at the expense of their NFP employer.

Uncovering Internal Control Gaps Before Fraudsters

According to criminologist Donald Cressey, for occupational fraud to happen, the perpetrator must experience some form of pressure, see an opportunity, and possess the ability to rationalize their actions. If an NFP lacks a robust internal control environment, they unwittingly provide the opportunity a fraudster needs to steal from the organization.

Therefore, minimizing the potential for fraud to happen within an NFP requires a willingness to evaluate the effectiveness of the internal control environment in stopping such activity. To that end, NFPs may want to consider conducting a fraud risk assessment (FRA)—an exercise designed to gather and assess an organization's internal controls and their ability to detect and prevent internal and external fraud. While the process to conduct an FRA varies by organization, it generally includes the following steps:

1. Identify relevant stakeholders in the organization to participate in brainstorming sessions to document the types of fraud schemes currently taking place, as well as identify those that could happen at some point in the future. The team facilitating the discussion should also gather information on the internal controls in place to prevent each fraud from happening.
2. Rank each scheme according to its likelihood and potential magnitude. This produces a risk-based ranking of fraud schemes, which allows the organization to direct its limited resources where they are needed the most.
3. Starting with the schemes that present the greatest degree of risk, the FRA team should analyze the associated internal controls to assess their effectiveness. This can help identify the controls that function as intended as well as those that require remediation to improve their effectiveness. The team should also ascertain whether there's a need to implement additional internal controls to more effectively mitigate the risk associated with each scheme.

To complete the process, an individual or department should assume responsibility for updating and adding the internal controls identified during the exercise. Since internal controls tend to degrade over time, there should also be a timetable created to conduct subsequent FRAs, potentially on at least an annual basis.

Some organizations conduct an FRA using their own personnel, while others engage specialists, such as a team of forensic accountants, to do so. Regardless of who leads the initiative, at the conclusion of the FRA, most organizations uncover areas for improvement.

For example, to prevent paper check and Automated Clearing House (ACH) fraud, which is a perennial problem for the NFP sector, organizations may benefit from adopting fraud tools offered by their financial institution such as positive pay or ACH positive pay. These types of fraud tools scrutinize and validate payments or those authorizing payments presented against a bank account and can play a critical role in detecting fraud schemes long before the losses mushroom.

Furthermore, an organization may uncover evidence of controls that are routinely ignored or overridden. So, in addition to adding new controls in the form of those offered by their financial institution, an organization may also uncover the need to ensure compliance with the controls already in existence.

As long as NFPs employ and interact with human beings, the potential for fraud exists. Therefore, winning the fight against fraud in all its forms requires a sustained, multi-pronged approach, which includes gathering a detailed understanding of an organization's internal control environment. It also requires a commitment to feeding and nurturing an organization's defenses, and a willingness to engage strategic business partners that provide access to the people, processes, and technology to help prevent certain types of risk, such as financial fraud.