Nonprofit Fraud: It’s a People Problem, So Combat It with Governance

Print Share on LinkedIn More

Dominoes-falling

Skimming cash, purchasing schemes, and financial statement fraud—three very different types of fraud that nonprofits must prevent, detect, and insure against. Still, behind each of them—and every variety of deliberate, deceptive acts against nonprofits—there’s a fundamental and shared dynamic at play.

Fraud isn’t just an operational or financial risk. It’s inherently a human risk, meaning it often crosscuts numerous functions and departments within a nonprofit organization. Not only that, but the people behind these acts are complex. They are pressured by varying circumstances, motivated by different opportunities and self-assured by their own unique rationales. Making matters more complicated, fraud is not always a solo act. In fact, a 2014 ACFE report found that 46 percent of fraud cases involve multiple perpetrators, meaning that when fraud does occur, the web of nefarious activity often extends to surprising depths within an organization.

To combat this complex threat, nonprofits face a critical need to address fraud from the top—starting with more guidance and engagement from leaders and boards to create an anti-fraud environment and oversee a fraud risk management function. Realistically, though, due to their mission-driven focus and more limited operating budgets, nonprofit leaders are often left with less time and fewer resources at their disposal to proactively develop anti-fraud governance measures. One of the most important deterrents of fraud is knowing that the organization has no tolerance for it and will act accordingly to detect it and take appropriate action if identified.

Given these challenges, how can nonprofits’ leaders and boards better mitigate their fraud risks? First and foremost, they should focus on governance, including these four key areas:

  • Catalyst required: Nonprofits need a high-ranking sponsor to get fraud risk management off the ground. This leader and his/her team’s first order of business should be deciding whether their organization’s fraud risk management will be integrated into the existing risk management function (which typically focuses on strategic, operational, reporting and compliance risks)—or whether it will be separate. Either way, the goal is the same: embed a risk management element into the daily activities of all your personnel.
  • Responsibilities and structures: With your management process in place, establish a governance structure for it, including designated oversight responsibilities at the board level, such as an audit committee. Keep in mind, this framework and the tools your organization uses should be scaled to fit both your size and your available resources. It’s impossible to completely “fraud-proof” any organization, so understand the weak points in your infrastructure and organization, and then work backwards to execute. Also, while fraud prevention is ideal, many nonprofits have to weigh the costs and practicality of preventive processes versus detective measures.
  • Engage and educate: Especially when faced with resource constraints, nonprofits should utilize all their personnel in an ongoing system of fraud deterrence. Above all, engage with your employees through workshops and trainings in which you educate them on why people perpetrate fraud, which red flags to watch for, and what resources are available to them, such as whistleblower policies, reporting systems, and hotlines. Awareness throughout your organization can be the single most effective fraud deterrent and vehicle for detection, but it has to start from the top.
  • Dynamic risk assessments: People are dynamic, so your risk assessments must keep pace. With roles and responsibilities identified, use your team to pinpoint which inherent risks exist and then prioritize them based on their impact, likelihood, and the speed at which they occur. Finally, use those priority rankings to map the risks to the best preventive and detective controls.

For many nonprofit organizations, risk assessments often identify the three categories of fraud this article began with—skimming, purchasing, and financial reporting frauds—along with other schemes as risks that must be addressed.

Skimming involves the intercepting of incoming funds intended for an organization. It is referred to as an “off-book” fraud because the money is stolen prior to it ever being deposited or recorded on the organization’s books. While cash is the first thing that comes to mind with skimming, checks and even credit card payments can be targets for this type of fraud, as fraudsters can often convert these forms of payment into cash rather easily.

In one case, a bookkeeper for a mid-sized organization was in a position to gain access to incoming checks made payable to the organization. He intercepted the checks, opened a bank account in the name of the organization at a bank separate from the one the organization primarily used, and deposited the checks into that account, later withdrawing the funds to support his extravagant lifestyle.

In another instance, incoming checks were often made payable to an acronym since the organization’s name was rather lengthy. In this case, the perpetrator, the organization’s receptionist, carried out the fraud by opening a bank account in the name of a different (and phony) organization whose name matched the acronym.

Skimmed funds are most difficult to detect when one or both of these characteristics are present:

  1. There is no receivable recorded on the books to which the payment is expected to be offset
  2. There is little to no tangible exchange of goods or services with the payor, such as with incoming contribution income, dues revenue, etc.

For example, a recent case illustrates the ease with which funds can be skimmed when both of these characteristics are present. The president of an organization personally solicited and collected contributions from donors. He skimmed more than $4 million of contribution income over a 15-year period before being detected. He was only detected once his successor solicited one of the donors who had contributed, under the impression that the individual had never made a contribution to the organization. When the donor indicated he had been a significant supporter of the organization for several years, the fraud was then uncovered.

The purchasing function is the most common target for fraud. Some of the most frequent schemes that should be considered in any fraud risk assessment include:

  1. Abuse of a corporate credit or debit card for personal purchases
  2. Expense reimbursement schemes (similar to the preceding in that personal expenses are misrepresented as being legitimate business expenditures)
  3. Writing organizational checks to pay personal bills
  4. Shell company schemes

The final category, shell company schemes, can be particularly difficult to detect. A shell company is an entity formed solely for fraudulent purposes. These companies often exist in name only, but some are actually registered as businesses with the state. Shell company schemes are most likely to exist in cases where services, rather than goods, are purportedly provided to the organization.

Recently, for example, the director of information technology for one organization set up a shell company to provide various IT services. Due to the highly technical nature of the services (another red flag), he was in the unique position of being the only person who could claim to understand the organization’s needs and the nature of the services supposedly being provided by the vendor. The vendor, of course, did not even exist. The IT director simply approved the fraudulent invoices for payment and waited for the payments to be mailed to a post office box to which the fake invoice requested all payments to be sent. He also set up a bank account in the name of the shell company so that he could easily receive the funds and spend them for personal purchases.

Financial statement fraud is not a risk that is unique to big businesses. While the Enrons and WorldComs of the world first come to mind when this risk is discussed, nonprofit organizations can engage in this type of fraud as well.

Unlike big businesses, where the primary factor leading to financial statement fraud is revenue, profits or financial health, the pressure behind nonprofit financial statement fraud often involves other issues. The most common nonprofit financial statement frauds are:

  1. Misclassifying expenses as program expenses when they should more accurately be classified as management and general or fundraising expenses
  2. Inflating the fair value of donated goods and services received by the organization
  3. Grossing up certain fundraising activities that generally accepted accounting principles would require to be reported at net.

These categories are just three of the dozens of other fraud risks that an organization should consider as they perform and update their fraud risk assessment.

  • Kevin Walters

    It is absolutely inexcusable to offer executives “a pass” due to their mission-driven focus, and doing more with less time with fewer resources at their disposal to proactively develop anti-fraud governance measures. Nonprofit financial fraud goes against the nature of the human ecosystem of individuals that are employed in nonprofits. Unfortunately, fraud and the deliberate misuse of financial resources exists more than what the public knows; most fraud is NOT REPORTED! As a financial consultant and professor to the nonprofit industry, I reviewed and studied the financials and tax returns of nonprofits holding revenues within a certain range, mission, and annual periods of the nonprofits studied constant. What I discovered is that the conformity, comparability, and consistency of recording and reporting financial information DO NOT EXIST. The variance of how the financial information is reported and recorded concludes that there is a lack of financial controls and a high level of financial ignorance in the C-level of nonprofit organizations. Responsibility and accountability are critical in managing and operating nonprofits. Many of the drivers of nonprofits, the board of directors and the executives, are sleep at the financial guidance of the operations. So, if there is no accountability, then fraud will grow as the sector becomes more complex.

    • Katie

      I’ve just posted a separate comment on this, but do you have any info on how to report a US non-profit for fraud? I recently resigned from because the known level of skimming, account/card abuse and honestly just straight embezzlement was so egregious I couldn’t have my name attached to it. I reported it to the IRS, but the actions were fully illegal (which the exec knows, as I was vocal about fixing the issue). The IRS, to my knowledge, does not deal with the legalities, simply the tax implications, correct?

      • ruth

        Many states have active charity desks at the attorney general’s office and that is a good place to start. We assume you have already communicated with the board on this. Its a good question though and maybe we will pull an article together on it

  • Katie

    Do you have any suggestions on how to report fraud (in the form of skimming, abuse of company card, cash withdrawals from the bank account and embezzlement) for a non-profit that works nationally (internationally, really, but it’s registered in several states in the US). I used to co-run (key word is “co” here) a non-profit that I recently resigned from because the level of fraud was so high, and I couldn’t stop it after seven months of trying (coincidentally we didn’t have a board set up yet, so I could do nothing with my one officer vote). The executive in question is well aware of what she’s doing (since I spoke openly and aggressively about fixing it). I have reported the finances to the IRS, but there were real, illegal actions going on and I was wondering if there’s something else I should be doing.

  • Stephen Mersereau

    Katie – there is very good advice at http://www.idealist.org/info/Nonprofits/Wrong1#help. You should act with care so as to avoid unnecessary legal hassles. Prepare information on the fraud, then contact the Attorney General’s office in the states where the nonprofit operates. Enforcement varies by state, and their focus is typically on fraud impacting donors in their particular state. They rely on information from insiders like yourself, and need facts and details to pursue the case.

    Because nonprofits tend to not invest in a strong internal accounting control function, they are easy prey for criminals. When the criminals are insiders, it is very difficult to detect. But whatever their rationale, they are stealing from the beneficiaries. I wish you every success.

  • jeffery kivine

    I know someone who works for the March of Dimes. And he is in the IT department. He tells me that the director of the organization makes over $500,000 a year. He makes $150,000 a year. There are people in the same field for profit making companies that make like $100,000 to $120,000 a year. I mean this is not a charity. They run the organization like a fortune 500 company.