Nonprofits work hard every day to carry out their missions, often on tight budgets and with modest-sized staff. Many nonprofits – and their donors – are surprised to learn that the challenges they face include not just operating with limited resources but also guarding against a more unfortunate danger: fraud committed by their own executives, employees or volunteers.
The cost of such fraud can be substantial. In a 2016 report drawing data from for-profit businesses and government entities, as well as from nonprofits, the Association of Certified Fraud Examiners (ACFE) determined that the median loss from all cases in the study was $150,000. This figure, while staggering as it exceeds the budget of many nonprofits, does not begin to account for the reputational injury and chilling effect on donations that fraud may cause.
Fraud occurs in nonprofits with varying missions and budgets – from little leagues to health care organizations. Thankfully, whether your nonprofit organization is large or small, there are steps you can take to reduce the risk of fraud and to detect it if it occurs. In fact, some of the most effective anti-fraud controls are the least expensive to implement. Many organizations find that these measures foster a culture of courage and compassion that not only prevents fraud but also creates new pathways to successfully achieving their philanthropic mission.
Fraud committed within nonprofit organizations and for-profit businesses alike often follows predictable patterns. According to the ACFE, typical schemes include:
- Check tampering: A fraudulent disbursement scheme in which the perpetrator steals the nonprofit’s funds by intercepting, forging or altering a check drawn on one of the organization’s bank accounts. For example, an employee who steals blank company checks and makes them out to himself or herself, or who steals an outgoing check to a vendor and deposits it into his or her bank account.
- Billing: A fraudulent disbursement scheme in which the perpetrator causes the nonprofit to issue a payment by submitting invoices for fictitious goods or services, inflated invoices or invoices for personal purchases. For example, an employee creates a shell company and bills the nonprofit for services not actually rendered. Or the employee buys personal items and submits an invoice to the nonprofit for payment.
- Expense reimbursement: A fraudulent disbursement scheme in which the perpetrator seeks reimbursement of fictitious or inflated business expenses from the nonprofit. For example, an employee files a fraudulent expense report claiming personal travel, nonexistent meals or other expenses that are not reimbursable.
- Corruption: A fraud scheme in which the perpetrator misuses his or her influence in a business transaction in a way that violates duties owed to the nonprofit in order to gain a direct or indirect benefit. For example, an employee solicits or accepts a bribe or acts while under an undisclosed, impermissible conflict of interest.
- Payroll: A fraudulent disbursement scheme in which the perpetrator causes the nonprofit to issue payment by making false claims for compensation. For example, an employee claims overtime for hours not worked, or adds ghost employees to the payroll.
Knowing that fraud often takes the form of one or more of the above schemes can help your organization implement effective safeguards as discussed below.
A person may commit fraud regardless of his or her job title or seniority, whether the person is a volunteer, employee, manager or executive of a nonprofit. Most fraud is committed below the executive level, but fraud committed by executives has historically resulted in significantly higher losses and has taken longer to detect.
You might think perpetrators tend to be people with histories of fraud-related conduct who commit fraud shortly after joining the nonprofit organization. But data suggests otherwise. A 2016 study by the ACFE found that only 5.2% of perpetrators had been convicted of a fraud-related offense prior to committing the fraud reported in the study, about 8.3% had been previously terminated for fraud-related conduct, and 8.7% had been previously punished for such conduct. The same study found that perpetrators were usually veterans of their organizations: Little more than 8% of perpetrators committed fraud within their first year of employment, though these perpetrators were significantly more likely to have been convicted of or charged with fraud in the past.
In most cases of fraud, the perpetrator displays one or more “behavioral red flags.” The most common red flag is a person living beyond his or her means. Other red flags include a person experiencing financial difficulties; having an unusually close association with a vendor or customer; displaying control issues and/or an unwillingness to share duties (including, for example, not taking vacation time); having a “wheeler-dealer” attitude; experiencing divorce or family problems; displaying irritability, suspiciousness or defensiveness; or suffering from addiction.
Knowing the red flags to watch for can help you spot fraud before it occurs.
Pathways Forward – Effective Safeguards
Your organization doesn’t need a multimillion-dollar budget or full-time risk management staff to take practical and generally effective measures to help prevent and detect fraud. In fact, many of the measures below are relatively inexpensive and can be quickly implemented. Others go to the heart of your organization – the required cultural seismic shifts may be difficult and disruptive but ultimately are well worth the effort. You can tailor these measures to the size, complexity and resources of your organization.
- Create an anonymous reporting mechanism. Tips are far and away the most common method by which fraud is detected, so it’s critical to allow people to report suspected fraud anonymously. You can do so by purchasing a third-party hotline. If that is beyond your organization’s budget, you can create a dedicated email account or a space on your organization’s website for fraud reports.
- Create a culture of compliance. Develop a written code of conduct and foster a culture that has zero tolerance for fraud in any form—there is no “innocent fraud.” Educate individuals – from the boardroom to the newest employee or volunteer – about common fraud schemes and the harm fraud can cause to your organization’s finances, reputation and mission. Regularly train staff and volunteers on where and how they can report fraud. Make clear that people should promptly raise concerns of fraud – and that they can do so without fear of reprisal – by adopting a written whistleblower policy and displaying it prominently.
- Segregate financial duties. Divide important financial responsibilities among more than one person. For example, the person who receives or deposits funds should not be in charge of reconciling accounts later on, and the person who approves a transaction or disbursement should not have responsibility for cutting the check.
- Require backup documentation. Before reimbursing an expense, paying a vendor or making other cash disbursements, require individuals to provide receipts, invoices or other appropriate documentation. Don’t cut corners. For transactions over a certain amount, consider requiring checks to be signed by two individuals.
- Rotate employees and mandate vacation time. If an individual stays in the same position, or has the same responsibilities, for too long, it may be harder for the nonprofit to detect that person’s fraud. Rotating people allows a nonprofit to see if account information or other financial data changes once the new person takes over responsibility, which may indicate fraud (by either person). A similar precautionary measure is to require employees to take vacation time and to assign the vacationing employee’s responsibilities temporarily to another individual in his or her absence.
- Audit committees. At least annually, your organization’s audit committee should evaluate safeguards against fraud, including staying up-to-date on the latest fraud schemes. Review your “cybersecurity hygiene” and whether there are additional protections you can and should pursue—especially if your organization maintains sensitive information, such as personal identifying information of employees, volunteers, or members, credit numbers, etc. Ideally, at least one member of the audit committee will have experience managing risk associated with fraud, including, for example, by implementing internal controls, obtaining external audits, performing background checks on new employees and procuring employee dishonesty coverage (i.e., a fidelity bond).
None of these measures can guarantee that your organization will be immune from fraud. But these relatively simple steps can help your organization to reduce the risk of fraud and detect it if it occurs.
The post was co-authored by my Robinson Bradshaw colleague, Mark Hiller. He joins me in thanking Stephanie Nance and Carson Rogers, both of Robinson Bradshaw, and the GreerWalker team for their assistance with the preparation of this post. For updates on nonprofit law and trends in philanthropy, please follow me on Twitter at @Dianne_C_Bailey.