There have been stories on nonprofit fraud in the corporate office, and indeed that does happen. But there’s perhaps a bigger fraud risk to your decentralized environment, particularly if it consists of a number of dispersed programs or operations. This is commonly true in human services with many field locations and employees, for example.
These programs are typically structured with field managers who spend program funds, but also manage client funds for vulnerable populations for everyday living expenses (e.g., as representative payees for SSI distributions, or as a designated banking assistant by guardians/family to help them manage their funds).
It’s well known that the industry is subject to high employee turnover and staff vacancy rates, leading to increased opportunities for fraud. This compromises the ability to have adequate segregation of duties over the management of these funds, oversight, and strong internal controls.
Inexperienced staff may not understand or follow internal control practices, if they exist at all. Or management override of controls takes place when reviews that one expects to be conducted are not! When occupational theft takes place, it can go undetected for long durations—the median for all occupational fraud is 18 months, based on the most recent 2012 ACFE Occupational Fraud Study. There are numerous stories in the news of nonprofit fraud occurring for periods of up to 20 years or longer!
The findings in a 2011 Kroll/Economist Intelligence Unit report on global corporate fraud found that the biggest drivers of increased exposure to fraud were “higher staff turnover” and “weaker internal controls.” I believe this is even truer for nonprofits, which see higher levels of these fraud drivers in direct field and “client service” facing roles.
Here are a couple of actual cases I investigated:
- A well respected, geographically dispersed human services organization experienced several thousand dollars of fraudulent use of company and client funds!
The implicated employee, a trusted manager, was with the organization for many years. With the need to backfill key activities as a result of staff turnover at programs, adequate segregation of duties was compromised. The individual stole client funds, and the required review of records by supervisors—as per company policy—was lacking. The crime targeted the most vulnerable clients with developmental disabilities, as they would be unlikely to detect that they were being taken advantage of.
Utilizing a company supermarket credit card, the individual also stole goods over many months that should have been used for the clients’ daily living needs. Transaction review of suspicious purchase locations and timing would have been a tip off.
Although there were red flags earlier that were never followed up, it was only once the individual resigned and the records were later reviewed that the incident came to light.
- Another incident involved a food cafeteria run by large clubhouse program serving psychologically and behaviorally challenged individuals. The Program Director was terminated for unrelated reasons. Only after dismissal was it discovered that receipts for meals sold over the course of at least several months were stolen.
There were no documented cash handling policies or procedures in place! Cash received was recorded on a desk pad—no cash registers! There were no controls or checks and balances to process and monitor the cash received. No internal audits were ever contemplated to assess the existence, design, and effectiveness of any controls. This could have prevented the loss.
The reputation risk, especially in the first case, may have greater impact than just the dollars stolen, as funders and families or guardians had to be notified. Since public tax monies were also involved, news outlets could have gotten wind of the story, causing further embarrassment or, likely, loss of confidence by various stakeholders.
My belief is that organizations don’t know or understand the exposures in their field programs or client funds management. Due to their geographical distances from corporate, high employee turnover/vacancies, and poor oversight, the control consciousness is low, and the internal control structure breaks down. Indeed, the activities described are not prevented, and due to the serial nature of these acts, go undetected for an extended duration!
Policies are vital. Well designed controls are essential. However, nonprofits subject to these exposures must monitor field activities through proactive control reviews and internal audits. This is to verify that things work as they should. The consequences are too great not to!
Alan Goldberg (Twitter: @alan_j_goldberg) of Triplet Advisory Services is a practicing Risk Advisory and Internal Audit professional. His experience also includes risk advisory and consulting roles with Control Solution International, Experis, BDO Seidman and KPMG LLP. He is a Certified Internal Auditor (CIA), holds certification in Risk Management Assurance (CRMA), and is an MBA.