- Nonprofits of all types are susceptible to fraud, especially those with limited resources and internal controls.
- Assess your organization’s internal processes and controls and work to resolve vulnerabilities.
- Conduct regular, detailed inspections of financial data.
- Review users of software and other applications to verify they have an appropriate level of access.
- Empower employees with anonymous methods for reporting irregularities.
- Establish a fraud risk tolerance level to help balance internal controls with efficiency.
Want to discuss strategies for fraud prevention?
November 14 was International Fraud Awareness Week. Observed globally, the goal is to raise awareness of fraud — and the importance of fraud prevention — to reduce the impact it has on our countries, communities, and organizations.
Our analysis of the 2020 Report to the Nations, copyright 2020 by the Association of Certified Fraud Examiners, Inc. (ACFE), indicates nonprofits of all segments and sizes are susceptible to fraud, especially those with limited resources and internal controls.
Fraud perpetrated through cyberattacks and social engineering has increased significantly over the past couple of years. Forensic services teams are busy helping clients navigate the negative impacts of fraud, whether caused by an internal rogue employee or an outside attack by a third party. In the present-day fraud landscape, it is crucial for organizations of all types to take steps to help reduce the risks of fraudulent activity.
Internal process and control review
It is difficult to know what anti-fraud measures your organization needs if you don’t know where your risk areas are. First, assess your organization’s current internal processes and controls. Walk through transactions from start to finish, taking detailed notes on vulnerabilities such as inadequate segregation of duties (e.g., an accountant who deposits and posts cash receipts and processes accounts payable). Once the assessment is complete, management and those charged with governance can work collaboratively to resolve the most concerning vulnerabilities.
Just as the fraud landscape is always changing, so does an organization’s processes and procedures. Complete an assessment at least annually to help keep internal processes and controls effective as employees, operations, and technology change. A more frequent assessment should be performed if there are significant changes to operations or technology Annual reviews can expose areas of fraud risk and give you time to implement corrective action to help prevent fraud from occurring.
Cross-train and cross-utilize employees, and inject automation, technology, and banking tools into your operating environment to help combat fraudulent activities. Incorporating regular monitoring activities, such as having someone in management review a monthly payroll change report, can help quickly identify potential inappropriate activities within the organization.
Perform spontaneous spot checks of internal processes and controls to verify they are operating according to established policies and manuals. Involve more than one employee in each transaction cycle, and include oversight and monitoring by management or those charged with governance to help reduce the opportunity for fraud — or detect it sooner when fraud does occur.
Internal financial data inspections
Many nonprofits task management officials and governing bodies with overseeing the financial health of the organization they serve. Typically, they review the annual budget, interim financial trends (i.e., comparing prior to current year and budget to actual performances), and other high-level financial data to understand the well-being of their organization. As members with a fiduciary responsibility toward the organization, consider taking a closer look at the underlying financial data — don’t just settle for the high-level financial overview.
When performing a regular review for reasonableness or concerning activities, a checklist like the following may be useful:
- Review check images for appropriate signers
- Review a detailed listing of disbursements that includes vendor names, dates, and amounts
- Review a disbursement summary by vendor
- Review a vendor change report that includes the vendor name, the old and new data for any changes made to the vendor information, and the credentials of the employee making the change
- Review a deposit listing that includes customer/donor names, dates, and amounts
- Review a deposit summary by customer/donor
- If housed separately, review the reconciliation of the donor and customer management software financial data to the financial accounting software data
- Review banking activity for all bank accounts, including transfers, electronic fund transfers (EFTs/ACHs), other wire transfers, and withdrawals
- Review payroll activity and summary reports that include employee names and dates of hire and termination
- Review a payroll change report that includes the employee name, the old and new data for any changes made to the employee file, and the credentials of the employee making the change (include any new employees added to payroll)
These reviews should be performed by someone in management or governance who is not responsible for handling or recording the respective transactions but has sufficient knowledge of the organization’s activities to know if the data looks suspect. Have the reviewing party sign and date a summary report or other appropriate document to demonstrate the review has taken place.
Follow up on any unusual activity with an appropriate inquiry, and promptly correct any identified vulnerabilities. In smaller nonprofits, some of these procedures may fall on a member of management outside of the accounting/finance department or someone within governance. If so, set aside sufficient time in governance meetings to complete these reviews.
Internal software and application inspections
Perform a thorough review of users and their related access rights to software and applications on a regular basis to verify employees have the appropriate level of access for their roles and responsibilities. Restricting employee access to only their immediate needs can help mitigate fraud. Remove termed users promptly to prevent their potential use of software or applications.
Additionally, when reviewing your software and applications, review and clean up underlying data to help mitigate fraud opportunities. A few common examples include:
- Review a vendor and customer/donor list for duplicates, inactivity, unusual spelling/capitalization/punctuations, and those that may include employee addresses. A duplicate vendor in the master list could present an employee the opportunity to misuse that vendor account without putting the actual vendor on notice. Or it could be an indication of possible historical misuse or abuse.
- Review an employee payroll list for duplicate, inactive, retired, and termed employees or employees with duplicate addresses or personal identification information. A retired or termed employee who is still included on an active employee list could indicate possible misuse or abuse. Employee names with duplicate addresses, personal identification information, or banking information could indicate a possible ghost employee.
Similar to the financial data review, perform these internal software and application inspections regularly and document them when completed. Follow up on any unusual activity with an appropriate inquiry, and promptly correct any identified vulnerabilities.
Fraud awareness training
Enroll management and governing bodies in continuing education that focuses on fraud trends and prevention. Hold brainstorming sessions immediately after and think of ways to put what was learned into practice. Consult regularly with professional service firms, legal counsel, and software providers to identify trends, common practices, and recommendations to help navigate the changing fraud landscape.
People can be a nonprofit’s greatest asset. Empowering employees to be the watchdogs for your organization is a good way to help mitigate fraud. Create a fraud hotline so employees can report irregularities or wrongdoing anonymously, or encourage them to write an anonymous letter to the appropriate management official, governing body, or internal audit or anti-fraud team. If allegations involve top management officials, educate employees on where to report those matters.
Develop a fraud risk tolerance
To help avoid significant negative impact on the efficiency and effectiveness of operations, carefully balance and think through the internal controls and anti-fraud measures implemented by your organization. Management and those charged with governance should establish a fraud risk tolerance level, meaning how much fraud risk the organization is willing to assume to meet the desired efficiency level for operations. The lower the organization’s fraud risk tolerance, the more processes and procedures must be put in place to help prevent and detect fraud.
How we can help
Fraud can damage a nonprofit’s reputation or even its existence. At CLA, our professionals can come alongside your organization to help create a safer and more secure environment in a number of ways: