How to Deter Fraud in Not-for-Profit Organizations

Published in INSIGHT - Summer 2018
By Jeanette Verrelli, CPA

Any organization can be a victim of fraud. According to the most recent Report to the Nations on Occupational Fraud and Abuse, issued March 30, 2016, by the Association of Certified Fraud Examiners (ACFE), organizations around the world lost an estimated 5 percent of their annual revenues to occupational fraud. More than 75 percent of the occupational fraud reported was committed by individuals working in seven key departments: accounting, operations, sales, executive and upper management, customer service, purchasing and finance.

So what is occupational fraud? Occupational fraud is the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets. Occupational fraud schemes fall into three primary categories:
1. Asset misappropriation schemes, in which an employee steals or misuses the organization’s resources; e.g., theft of company cash, false billing schemes or inflated expense reports.
2. Corruption schemes, in which an employee misuses his/her influence in a business transaction in a way that violates his/her duty to the employer to gain a direct or indirect benefit; e.g., schemes involving bribery or conflicts of interest.
3. Financial statement fraud schemes, in which an employee intentionally causes a misstatement or omission of material information in the organization’s financial reports; e.g., recording fictitious revenues, understating reported expenses or artificially inflating reported assets.

Asset misappropriation is by far the most common form of occupational fraud and among the various forms of asset misappropriation, billing and check tampering schemes pose the greatest risk. Certain schemes tend to be particularly high-risk in specific industries. For example, skimming – when cash is stolen before funds are archived in the accounting records – is a scheme frequently seen in educational organizations, whereas check tampering schemes are often seen in charitable organizations.

Why are these schemes so common, specifically for not-for-profit (NFP) organizations? Unfortunately, most NFP organizations lack strong internal controls and proper segregation of duties. For example, NFPs often place a lot of control – sometimes excessive – in the founder or executive director. The executive director could submit expense reimbursements without the organization requiring someone to review his/her submission. Without that level of review, the executive director can easily take from the organization.

In addition, the NFP usually operates with limited resources that allow the organization to spend funds on its programs and not on overhead expenses. Therefore, some employees could have multiple responsibilities and wear multiple hats. NFPs may also receive a lot of charitable contributions through campaigns or special events; e.g., silent auctions. These transactions make it easier to steal from the organization, since no consideration is exchanged. The NFP might not do an inventory of the silent auction items donated and an employee could easily take various items not sold at the auction that are of substantial value. Strong internal controls and proper segregation of duties help reduce an organization’s vulnerability to fraud.

We all may remember the fraud triangle from our Fraud 101 class in college. The fraud triangle is the model for explaining the factors that cause someone to commit occupational fraud. Factors include pressure, opportunity and rationalization. Unfortunately, organizations have no control regarding the rationalization component. The employee will rationalize inputting a fictitious vendor, falsifying a timesheet or using an organization-issued credit card for personal use for whatever reason. That being said, NFPs can help eliminate the pressure and opportunity components through strong internal controls.

Following are some examples1 of government and NFP organizations that were victims of fraud, due to the organization lacking proper segregation of duties and internal controls to mitigate fraud risk.

Example One

The former treasurer of Healdton, Oklahoma, took advantage of three systematic flaws to steal $80,000 from the city. 

First flaw: Customers who paid their utility bills with cash at the city office received receipts that were not pre-numbered when recorded. This, along with the treasurer being the sole employee responsible for bank deposits and the bank reconciliation, made it easy to skim approximately $43,000 from utility payments.

Second flaw: The treasurer had access to an unsecured vault where the city clerk placed each day’s cash. The treasurer then obtained the cash and reconciled the revenue account with the day’s activity in preparation of the bank deposit. No controls were in place to verify that the cash amount deposited was the same as what the clerk left in the vault.

Third flaw: The treasurer had complete access to the city’s billing system. An investigation discovered the treasurer had manipulated previously recorded activity to show lower amounts received to conceal the fraud. She had the ability to make changes within the system without approval or review.

Example Two

The president and executive director of Discovery Counseling Center, an NFP that provides counseling and other mental health services, was charged with four felony counts of embezzlement for stealing more than $150,000 in funds. The director used a company credit card linked to the organization’s checking account for his own personal expenses.

Example Three

The finance director of Kids House of Seminole, an NFP that supports abused and neglected children, was accused of embezzling $48,000 from the organization by writing checks from the organization to himself and then depositing the money into his personal bank account.

Best Practices and Internal Control

NFPs should consider the following best practices and internal controls to help avoid situations similar to what the above organizations faced:
• Have a board member review and approve the expense reports and reimbursements of the executive director, CEO, etc.
• Have a board member receive the unopened bank statement, review the bank statement for unusual activities and complete the monthly bank reconciliation so one person is not handling an entire business transaction.
• For credit cards, require written approval from a person other than the user in advance for costs estimated to exceed a certain dollar amount.
• Require two signatures, even if the bank does not, for expenditures more than a predetermined amount.
• Regarding the executive director or board member who signs checks, make sure an invoice is attached to the check and an authorization is signed by a designated staff person. Initial the authorization to show that you have seen it, and occasionally pick out a large check and call the designated staff person to make sure the expense was authorized.
• Never pre-sign checks.
• Conduct background checks; they can reveal prior instances of fraud, which allows for the organization to avoid a bad hire.

Fraud Detection

So how do we detect fraud? The ACFE 2016 Report to the Nations presents the top anti-fraud controls reported in fraud cases. The three most common methods of detecting occupational fraud include tips, internal audit and management review. Based on the findings of the study, barely half the entities used a hotline as an anti-fraud control, yet tips are cited as the most common way of preventing fraud.

Do you have a hotline? As most NFP organizations have fewer internal controls and probably have fewer resources dedicated to fraud prevention, a hotline can be a cost-effective method for managing fraud risk. A hotline is more than twice as common as the next most frequent detection method – internal audit. While your current reporting procedures may be effective, implementing an anonymous fraud hotline outside of your organization will supplement and enhance these practices. ACFE research indicates occupational fraud is more likely to be detected through a tip than by any other method.

However, fraud detection methods vary based on the organization’s size. In place of tips, small organizations (those with fewer than 100 employees) tend to detect more fraud through management review, account reconciliation, accident, external audit and document examination. Whatever your organization’s size, hotlines are becoming the most common method of initial fraud detection in the world and there are affordable options for even the smallest organizations.

Fraud detection methods, like hotlines, can be categorized as active or passive detection methods, as illustrated in the ACFE 2016 Report. An active detection method involves a deliberate search for someone within the organization’s misconduct or an internal control or process that is instrumental in searching for fraud. In contrast, passive detection occurs when the organization learns of the fraud by accident, confession or unsolicited notification by another party.

Some detection methods could potentially be active or passive, depending on the circumstances. For example, tips might often be passive, but organizations that effectively promote reporting mechanisms can help with actively cultivating such tips. Additionally, while the typical external audit is not primarily designed to look for fraud, an organization might procure an external audit in response to suspected fraud; so external audits could be considered either active or passive depending on the circumstances.

Based on the data obtained in the 2016 ACFE study, frauds that are detected through active methods tend to be caught sooner and cause smaller losses than frauds that are passively detected. Of the victim organizations in the study, 36.7 percent said they were using proactive data monitoring and analysis techniques as part of their anti-fraud program. These organizations had 54 percent lower fraud and detected the fraud in half the time of other organizations that did not use these proactive techniques. Management review and the presence of a hotline were both similarly correlated with regard to lower losses (50 percent reduction) and decreased time to detect the scheme (50 percent reduction). Thus, organizations might be able to reduce the duration and cost of fraud by implementing controls or processes that will increase the likelihood of active detection, such as active management review, attentive account reconciliation and surveillance or monitoring techniques.

Data monitoring and analytics may sound complicated, but you would be amazed at what you can accomplish using Microsoft Excel. For example, you can potentially identify a fictitious vendor by putting your vendor master file and employee master file in an Excel worksheet, sorting the entries by many types – including addresses, phone numbers and tax ID numbers – and then looking for duplicate entries.

However, strong internal controls, hotlines and other methods aren’t the only ways fraud can be detected. Watch for behavioral red flags among employees that are the most common traits associated with occupational fraud. These behaviors include:
• Living beyond financial means,
• Financial difficulties,
• Unusually close association with a vendor or customer,
• A general “wheeler-dealer” attitude that involves shrewd or unscrupulous behavior,
• Excessive control issues or unwillingness to share duties and
• Recent divorce or family problems.

Almost 80 percent of the fraudsters in the 2016 ACFE study displayedat  least one of these six red flags during their schemes. So if you start seeing an employee drive an expensive new sports car, a bookkeeper refusing to take a vacation or other behaviors indicative of a potential fraudster, you should start a fraud investigation.

However, the most important control to have in your anti-fraud program is the tone at the top. The board of the NFP and management need a zero-tolerance policy to regularly hold everyone accountable for policies implemented and require all personnel to adhere to those policies. The NFP board has a fiduciary duty to ensure all financial decisions are soundly and legally made. Individual directors and management always put the organization’s financial and business interests ahead of any personal interests and manage the organization’s assets in furtherance of its exempt purpose. In addition, the board should ensure the organization has taken steps to identify fraud risks and protect itself against fraud through special reserves, and should oversee senior management’s follow-up actions in response to audit findings.

What Next?

Take time to clearly define your policies and procedures and make sure you have controls in place for the proper checks and balances. While it is understandable small businesses do not have the resources necessary to invest in some of the more expensive internal controls noted, several controls – a code of conduct, management review procedure and fraud training for staff members – can be implemented with minimal investment. Get a hotline, or if you already have one, educate your employees on what occupational fraud might look like in their respective areas of responsibility. Your employees are your eyes and ears when it comes to fraud. Therefore, educate them, because the earlier they recognize a potential fraud, the more quickly it can become subject to investigation.

Finally, and most importantly, ensure the organization is maintaining respect from the general public – its donor base. Fraud not only hurts an NFP financially, but it hurts the people and community it serves. Even the best internal controls can’t be expected to prevent fraud 100 percent of the time, but the slightest change can make a difference. Start revising your anti-fraud program today.

1. Sources: Venable, LLP and BKD Forensics

Jeanette Verrelli, CPA,
is a senior manager at BKD LLP in Dallas, specializing in not-for-profit tax compliance and consulting, and can be
reached at