May 5, 2021
By Lindsay Dean, CPA, Senior Manager, Audit
Like their for-profit counterparts, nonprofits were not spared the complex financial and operational challenges presented by the global COVID-19 pandemic. Many have cut back on programming, reduced staff or been forced to rely on reserves to survive. At the same time, a transition to virtual work has resulted in drastic changes to operating environments. Despite the resulting pressures, nonprofits must not relax their efforts to protect the organization against risks, including the risk of fraud. In fact, fraud prevention is more critical now than ever before.
The Elements of Fraudulent Behavior
The Association of Certified Fraud Examiners (ACFE) publishes a fraud study every two years. The 2020 report estimated that the typical organization loses 5% of annual revenue each year to fraud. As startling as that sounds, a crisis like a pandemic can only increase the likelihood of fraud occurring.
Based on the fraud triangle framework, there are three elements that lead to fraudulent behavior:
- Opportunity – The circumstances that allow the fraud to occur
- Pressure – Motivation or incentive to commit the fraud
- Rationalization – The justification for committing the fraud
Internal Controls Prevent Fraud
Changes in the internal control environment or staff reductions can compromise internal controls that once were sufficiently in place, leading to greater opportunities for fraud. Individuals face increased pressure, whether on a personal level (e.g., a loss of income) or at the organizational level (the need to achieve certain financial goals or to remain sustainable). At the same time, conditions may make rationalization easier, whether on a personal level (such as unhappiness with a salary reduction) or for the greater good of the organization (e.g., minimizing the appearance of losses to ensure the continuity of the nonprofit).
Nonprofits should be particularly alert during such large-scale changes in organizational environments, and there are measures that can be taken to help protect the organization from the risk of fraud.
There is a basic premise that an individual should not have custody of or access to assets while also being responsible for the accounting or reconciliation function. An individual should also not be in a position to both initiate and approve an action. As duties and processes have changed over the course of the pandemic, it is important to ensure sufficient safeguards are maintained, including segregation of duties, so nonprofits have the right internal controls to protect against fraud.
One reaction to a strained financial situation may be to reduce or eliminate non-programmatic staff costs as much as possible. However, staffing changes in the finance department can heighten risk. It may be difficult to keep appropriate segregation of duties intact, and the executive director, treasurer, controller, or other key members of management may need to participate to strengthen controls. Reductions or changes in key finance staff should receive close scrutiny.
Another crucial tool in preventing fraud is education. Staff should understand what constitutes fraud and be aware of the potential costs to the organization when it occurs (including the non-monetary costs). In addition to having an effective system in place for reporting concerns, it is important to have the appropriate policies in place, including those relating to whistleblowers, conflicts of interest, and ethical behavior. Regularly communicating about the topic heightens awareness of abuse or fraudulent activity throughout the organization, and may even discourage potential perpetrators from acting. In addition, the more educated staff are about fraud, the more likely they are to report it. A “tip” is the top method of fraud detection.
Regular “check-ups” of processes and documents at the nonprofit must be performed, such as the routine reconciliation of asset and liability accounts and their review and approval by management or supervisors. Employees must be familiar with and comply with organizational policies about document submissions, such as requirements to submit cash receipts and disbursements for review by management. Management and those charged with governance must be aware of where potential vulnerabilities exist so decisions can be made to fill those gaps. Credit cards are another source of concern. Charging personal expenses to a nonprofit’s credit card should, as a policy, be restricted, with penalties for transgressions such as revoking use of cards. Chain of command warrants that supervisors regularly review employees’ credit card statements, with board members responsible for reviewing the charges submitted by executive leadership.
Third-Party Risk Management and Cybersecurity
When under pressure, there may be a push to quickly onboard vendors or rush the procurement process. Nonprofits should ensure their procurement and vetting procedures are not compromised and that expenses are still going through the appropriate review and approval channels. Services should be clearly stated in invoices submitted to management. Vague line items should be researched further.
In addition to internal fraud, nonprofits are facing an onslaught of attempts from outside parties looking to take advantage of vulnerabilities in information technology. Hacking, phishing and data breaches have become even more commonplace with the increased reliance on technology in our day-to-day work. IT department controls should include ensuring computer and network security. Nonprofits should not conduct banking transactions using computers that are also used for social networking. Regular password changes and dual controls to initiate electronic banking transactions should be a routine part of oversight. An experienced IT professional or consultant can ensure these and other appropriate safeguards are in place. Free tools for assessing privacy, IT asset protection and third-party risk management are also readily available.
Assessing the Risk of Fraud
Identifying all the potential vulnerabilities to fraud should be a part of management’s risk assessment function at every nonprofit organization. Fraud is not just a matter of lost finances (which certainly is the most damaging aspect of fraud); the damage to reputation can result in a public relations disaster that can last for years, even long after the economic impact of fraud has subsided. Misappropriated assets are publicly disclosed on IRS Form 990, leading to some uncomfortable public disclosures if irregularities are discovered. Management should fully understand the protection available under the nonprofit’s insurance policies so that, in the event of fraud, the full extent of the financial damage may be mitigated. With risk to the organization evolving at an accelerating pace, nonprofits of all sizes are now establishing an internal audit function to protect their organization.
Take Action Before It’s Too Late
When there is a breach of integrity in your nonprofit’s finances or when fraud is discovered, management should move immediately for prosecution. It is only through the consistent pursuit of justice by those responsible for organizational oversight that the seriousness of combating fraud is demonstrated. No nonprofit wants to believe that it could be the victim of fraud, whether from an internal or external source. However, ensuring that the proper pieces are in place to prevent, detect and deter fraud is a critical task.
Dealing with the threat of potential fraud before it happens is a proven best practice for nonprofit organizations. For more information about internal controls, enterprise risk management, and preventing or detecting fraud for your nonprofit organization, contact Lindsay Dean, CPA, Senior Manager at ldean@grfcpa.com. More resources on fraud, internal controls, and internal audit can be found at www.grfcpa.com/resources.