Study Shows Continued Fraud Risk — 6 Steps Can Help Protect Your Nonprofit

  • Preventing Cybercrime
  • 7/7/2022
Business team working together

Key insights

  • In a recent occupational fraud study by the Association of Certified Fraud Examiners, a downward trend of median losses and durations suggestions organizations are doing more to prevent fraud.
  • Strong internal controls are still necessary to reduce risk, such as segregation of duties between key job functions and secondary reviews and approvals for paying vendors.
  • For nonprofit organizations in particular, the theft of incoming cash (skimming) can present a significant risk.
  • The services of a third-party hotline can provide an easy and anonymous way for employees to report fraud.

How much is fraud costing your organization?

Talk to an Advisor

A surprising number of organizations have been impacted by occupational fraud, which is fraud committed by an employee against their employer. Now, a recent study goes deep to better understand the risk across industries. How does your organization measure up?

Occupational Fraud 2022: A Report to the Nations, copyright 2022 by the Association of Certified Fraud Examiners, Inc. (ACFE), is a biennial study examining more than 2,100 occupational fraud cases investigated between January 2020 and September 2021. This study — spanning 133 countries and 23 distinct industries — was designed to examine the costs, methods, victims, and perpetrators of occupational fraud.

Study shows good news, but there’s still room for improvement

Compared to 10 years ago, frauds are being caught faster (median duration went down 33%, from 18 months to 12) and have smaller losses (median losses went down 16%, from $140,000 to $117,000). For nonprofits in particular, representing 9% of the study’s analyzed fraud cases, median loss is down to $60,000 — compared to $75,000 from the 2020 study.

This downward trend suggests organizations are doing more to prevent fraud or detect it sooner. Of the 18 anti-fraud controls analyzed in the study, 17 showed an increased rate of implementation. For example, only 47% of organizations provided anti-fraud training to employees in 2012, whereas 61% provided this training in 2022.

Organizations still need to remain vigilant

The study continues to show that, on average, organizations lose 5% of revenue to fraud each year. Occupational fraud spans across industries, departments, and employee types. Get to know the greatest fraud risks for your nonprofit and how you can help prevent them.

A strong internal control environment is critical

Nearly half of all fraud analyzed in the study occurred due to a lack of internal controls (29% of cases) or an override of existing controls (20% of cases). Along with the study’s details on 6 top categories of fraud for nonprofits, review corresponding tips for strengthening internal controls in your organization.

1. Asset misappropriation

The theft of money or physical assets is the most common form of fraud and was present in 86% of cases with a median loss of $100,000.

Tip: Establish adequate segregation of duties between key job functions

For example, the accounts payable and accounts receivable (cash collections) functions should be separated between two employees. If you are operating with only one accountant, try engaging operational staff in your financial functions. Use administrative staff to log and prepare deposits. With proper training, such tasks usually performed by an accountant can be delegated to administrative or managerial staff. Two people in your organization should be involved with each transaction, incoming or outgoing.

2. Billing schemes

These represent the greatest risk — frauds perpetrated through a billing scheme were present in 20% of all cases and lasted 18 months before being detected. Billing schemes include frauds such as paying a fictitious vendor, paying for personal expenses, or disguising personal payments under a legitimate vendor name.

Review your payment process and bank reconciliation

When paying vendors, require a secondary review and approval by someone with adequate authority who is familiar with your operations. This individual should receive documentation (e.g., invoices) that shows each payment is adequately supported and relates to the operations of your organization.

Have someone other than the person processing disbursements or with access to the bank account perform bank reconciliations. Include a review of cleared checks as part of the process to help identify unusual payments. Then, identify someone in management to review and approve the bank reconciliation to verify it is being completed timely and there are no unusual reconciling items.

3. Theft of incoming cash (skimming)

Nonprofit organizations often rely heavily on fundraising activities, and the theft of incoming cash (skimming) can present a significant risk. According to the ACFE study, 9% of cases included skimming with a median loss of $50,000.

Share receipts with donors

Skimming schemes can be difficult to prevent and detect when funds are coming in through unexpected sources (e.g., fundraising and donation activities). Communicate with your donors to provide specific instructions for where to send donation payments, and use your donors’ egos as a check and balance. Recognize each donor through an email, letter, or other communication to notify them of the receipt of their donation. This communication should be created and sent by someone other than the individual(s) collecting and depositing donations and should include the date and amount of donation.

4. Lack of fraud detection

The longer a fraud scheme continues, the larger the loss to the organization. A typical fraud case lasts 12 months before being detected and causes a loss of $8,300 per month.

Make active detective controls part of your process

Depending on the size and structure of your organization, it may be difficult to implement sufficient preventive controls. Therefore, active detective controls become an important part of your internal control environment to help identify fraud if it occurs.

Active detective controls include activities such as document examination, management review, account reconciliation, and surveillance or monitoring. Frauds detected through these methods have a shorter life span and median loss than frauds detected by accident.

Implement management review over all major financial functions, particularly in any areas where there is not adequate segregation of duties. For example, if the person processing payroll can modify employee pay rates, perform a regular review of employee pay rates to identify possible unapproved pay increases.

5. Perpetration at high levels

More fraud perpetrators are in roles with higher levels of authority. The study shows that 65% of fraud cases were perpetrated by a manager, executive, or owner; up from 56% in 2012.

Standardize review and oversight protocols

Hold all employees, from entry level staff to senior leadership, to the same review and oversight standards. Consistently enforce policies by training staff on the requirements, and provide a mechanism to report any concerns.

Require detailed supporting documentation for all transactions and payment requests, regardless of who is requesting the transaction. The expense reimbursements and credit card activity of the executive director should be reviewed and approved by the board of directors rather than a subordinate level employee, who may be less likely to question unusual or inappropriate transactions.

6. Fraudster collaboration

From 2012 to 2022, the number of cases involving two or more employees in a fraud scheme (collusion) rose from 42% to 58%. Collusion between two employees makes internal frauds harder to detect through traditional methods. Therefore, it’s important to have a mechanism to report suspicions or knowledge of possible fraud.

Make reporting easy

The most common way frauds are identified is through a tip. According to the ACFE study, 42% of cases are detected this way. If a potential fraud scheme is uncovered by an employee, customer, or vendor, they should have an easy and anonymous way to report the information to the organization.

Consider procuring the services of a third-party hotline, and provide at least three individuals who should be notified when a tip comes through. Having numerous tip recipients can help your organization provide appropriate and timely follow-up, especially if a tip happens to be about one of the individuals listed. Vary the recipients of incoming tips among roles and departments, such as a board member, the executive director, human resources, and legal counsel.

How we can help

Developing a robust control environment to manage your risk takes time and resources. CLA provides services that can help you mitigate and deter fraud from occurring at your organization. And in the event your organization is the victim of fraud, our forensic accountants can help you tailor a response plan to suit your situation, including assistance in recovery efforts.

Experience the CLA Promise