Nonprofit Fraud: It’s a People Problem, So Combat It with Governance

Dominoes-falling

Skimming cash, purchasing schemes, and financial statement fraud—three very different types of fraud that nonprofits must prevent, detect, and insure against. Still, behind each of them—and every variety of deliberate, deceptive acts against nonprofits—there’s a fundamental and shared dynamic at play.

Fraud isn’t just an operational or financial risk. It’s inherently a human risk, meaning it often crosscuts numerous functions and departments within a nonprofit organization. Not only that, but the people behind these acts are complex. They are pressured by varying circumstances, motivated by different opportunities and self-assured by their own unique rationales. Making matters more complicated, fraud is not always a solo act. In fact, a 2014 ACFE report found that 46 percent of fraud cases involve multiple perpetrators, meaning that when fraud does occur, the web of nefarious activity often extends to surprising depths within an organization.

To combat this complex threat, nonprofits face a critical need to address fraud from the top—starting with more guidance and engagement from leaders and boards to create an anti-fraud environment and oversee a fraud risk management function. Realistically, though, due to their mission-driven focus and more limited operating budgets, nonprofit leaders are often left with less time and fewer resources at their disposal to proactively develop anti-fraud governance measures. One of the most important deterrents of fraud is knowing that the organization has no tolerance for it and will act accordingly to detect it and take appropriate action if identified.

Given these challenges, how can nonprofits’ leaders and boards better mitigate their fraud risks? First and foremost, they should focus on governance, including these four key areas:

  • Catalyst required: Nonprofits need a high-ranking sponsor to get fraud risk management off the ground. This leader and his/her team’s first order of business should be deciding whether their organization’s fraud risk management will be integrated into the existing risk management function (which typically focuses on strategic, operational, reporting and compliance risks)—or whether it will be separate. Either way, the goal is the same: embed a risk management element into the daily activities of all your personnel.
  • Responsibilities and structures: With your management process in place, establish a governance structure for it, including designated oversight responsibilities at the board level, such as an audit committee. Keep in mind, this framework and the tools your organization uses should be scaled to fit both your size and your available resources. It’s impossible to completely “fraud-proof” any organization, so understand the weak points in your infrastructure and organization, and then work backwards to execute. Also, while fraud prevention is ideal, many nonprofits have to weigh the costs and practicality of preventive processes versus detective measures.
  • Engage and educate: Especially when faced with resource constraints, nonprofits should utilize all their personnel in an ongoing system of fraud deterrence. Above all, engage with your employees through workshops and trainings in which you educate them on why people perpetrate fraud, which red flags to watch for, and what resources are available to them, such as whistleblower policies, reporting systems, and hotlines. Awareness throughout your organization can be the single most effective fraud deterrent and vehicle for detection, but it has to start from the top.
  • Dynamic risk assessments: People are dynamic, so your risk assessments must keep pace. With roles and responsibilities identified, use your team to pinpoint which inherent risks exist and then prioritize them based on their impact, likelihood, and the speed at which they occur. Finally, use those priority rankings to map the risks to the best preventive and detective controls.

For many nonprofit organizations, risk assessments often identify the three categories of fraud this article began with—skimming, purchasing, and financial reporting frauds—along with other schemes as risks that must be addressed.

Skimming involves the intercepting of incoming funds intended for an organization. It is referred to as an “off-book” fraud because the money is stolen prior to it ever being deposited or recorded on the organization’s books. While cash is the first thing that comes to mind with skimming, checks and even credit card payments can be targets for this type of fraud, as fraudsters can often convert these forms of payment into cash rather easily.

In one case, a bookkeeper for a mid-sized organization was in a position to gain access to incoming checks made payable to the organization. He intercepted the checks, opened a bank account in the name of the organization at a bank separate from the one the organization primarily used, and deposited the checks into that account, later withdrawing the funds to support his extravagant lifestyle.

In another instance, incoming checks were often made payable to an acronym since the organization’s name was rather lengthy. In this case, the perpetrator, the organization’s receptionist, carried out the fraud by opening a bank account in the name of a different (and phony) organization whose name matched the acronym.

Skimmed funds are most difficult to detect when one or both of these characteristics are present:

  1. There is no receivable recorded on the books to which the payment is expected to be offset
  2. There is little to no tangible exchange of goods or services with the payor, such as with incoming contribution income, dues revenue, etc.

For example, a recent case illustrates the ease with which funds can be skimmed when both of these characteristics are present. The president of an organization personally solicited and collected contributions from donors. He skimmed more than $4 million of contribution income over a 15-year period before being detected. He was only detected once his successor solicited one of the donors who had contributed, under the impression that the individual had never made a contribution to the organization. When the donor indicated he had been a significant supporter of the organization for several years, the fraud was then uncovered.

The purchasing function is the most common target for fraud. Some of the most frequent schemes that should be considered in any fraud risk assessment include:

  1. Abuse of a corporate credit or debit card for personal purchases
  2. Expense reimbursement schemes (similar to the preceding in that personal expenses are misrepresented as being legitimate business expenditures)
  3. Writing organizational checks to pay personal bills
  4. Shell company schemes

The final category, shell company schemes, can be particularly difficult to detect. A shell company is an entity formed solely for fraudulent purposes. These companies often exist in name only, but some are actually registered as businesses with the state. Shell company schemes are most likely to exist in cases where services, rather than goods, are purportedly provided to the organization.

Recently, for example, the director of information technology for one organization set up a shell company to provide various IT services. Due to the highly technical nature of the services (another red flag), he was in the unique position of being the only person who could claim to understand the organization’s needs and the nature of the services supposedly being provided by the vendor. The vendor, of course, did not even exist. The IT director simply approved the fraudulent invoices for payment and waited for the payments to be mailed to a post office box to which the fake invoice requested all payments to be sent. He also set up a bank account in the name of the shell company so that he could easily receive the funds and spend them for personal purchases.

Financial statement fraud is not a risk that is unique to big businesses. While the Enrons and WorldComs of the world first come to mind when this risk is discussed, nonprofit organizations can engage in this type of fraud as well.

Unlike big businesses, where the primary factor leading to financial statement fraud is revenue, profits or financial health, the pressure behind nonprofit financial statement fraud often involves other issues. The most common nonprofit financial statement frauds are:

  1. Misclassifying expenses as program expenses when they should more accurately be classified as management and general or fundraising expenses
  2. Inflating the fair value of donated goods and services received by the organization
  3. Grossing up certain fundraising activities that generally accepted accounting principles would require to be reported at net.

These categories are just three of the dozens of other fraud risks that an organization should consider as they perform and update their fraud risk assessment.