Brinker Simpson Blog

Tackling Nonprofit Fraud: Awareness and Prevention

Written by Lauren Contino | 1/25/24 12:17 AM

Fraud perpetrated through cyberattacks and social engineering has increased significantly over the past few years. Forensic services teams are busy helping clients navigate the negative impacts of fraud, whether caused by an internal rogue employee or an outside attack by a third party. In the present-day fraud landscape, organizations of all types must take steps to help reduce the risks of fraudulent activity.

Internal process and control review

It is difficult to know what anti-fraud measures your organization needs if you don't know where your risk areas are. First, assess your organization's current internal processes and controls. Walk through transactions from start to finish, taking detailed notes on vulnerabilities such as inadequate segregation of duties (e.g., an accountant who deposits and posts cash receipts and processes accounts payable). Once the assessment is complete, management and those charged with governance can work collaboratively to resolve the most concerning vulnerabilities.

Just as the fraud landscape constantly changes, so do an organization's processes and procedures. Complete an annual assessment to help keep internal processes and controls effective as employees, operations, and technology change. A more frequent evaluation should be performed if there are significant changes to procedures or technology. Annual reviews can expose fraud risk areas and give you time to implement corrective action to help prevent fraud from occurring.

Cross-train and cross-utilize employees, and inject automation, technology, and banking tools into your operating environment to help combat fraudulent activities. Incorporating regular monitoring activities, such as having someone in management review a monthly payroll change report, can help quickly identify inappropriate organizational activities.

Perform spontaneous spot checks of internal processes and controls to verify they operate according to established policies and manuals. Involve more than one employee in each transaction cycle, and include oversight and monitoring by management or those charged with governance to help reduce the opportunity for fraud — or detect it sooner when fraud does occur.

Internal financial data inspections

Many nonprofits task management officials and governing bodies with overseeing the organization's financial health. Typically, they review the annual budget, interim economic trends (i.e., comparing prior to current year and budget to actual performances), and other high-level financial data to understand the well-being of their organization. As members with a fiduciary responsibility toward the organization, consider taking a closer look at the underlying financial data — don't just settle for the high-level financial overview.

When performing a regular review for reasonableness or concerning activities, a checklist like the following may be helpful:

  • Review check images for appropriate signers
  • Review a detailed listing of disbursements that includes vendor names, dates, and amounts
  • Review a disbursement summary by vendor
  • Review a vendor change report that includes the vendor name, the old and new data for any changes made to the vendor information, and the credentials of the employee making the change
  • Review a deposit listing that includes customer/donor names, dates, and amounts
  • Review a deposit summary by customer/donor
  • If housed separately, review the reconciliation of the donor and customer management software financial data to the financial accounting software data
  • Review banking activity for all bank accounts, including transfers, electronic fund transfers (EFTs/ACHs), other wire transfers, and withdrawals
  • Review payroll activity and summary reports that include employee names and dates of hire and termination
  • Review a payroll change report that includes the employee name, the old and new data for any changes made to the employee file, and the credentials of the employee making the change (include any new employees added to payroll)

These reviews should be performed by someone in management or governance who is not responsible for handling or recording the respective transactions but has sufficient knowledge of the organization's activities to know if the data looks suspect. Have the reviewing party sign and date a summary report or other appropriate document to demonstrate the review has taken place.

Follow up on any unusual activity with an appropriate inquiry and promptly correct any identified vulnerabilities. In smaller nonprofits, some of these procedures may fall on a member of management outside of the accounting/finance department or someone within governance. If so, set aside sufficient time in governance meetings to complete these reviews.

Internal software and application inspections

Regularly perform a thorough review of users and their related access rights to software and applications to verify employees have the appropriate level of access for their roles and responsibilities. Restricting employee access to only their immediate needs can help mitigate fraud. Remove terminated ("termed") users promptly so their accounts cannot be used to access software or applications.

Additionally, inspect and clean up underlying data when reviewing your software and applications to help mitigate fraud opportunities. A few common examples include:

  • Review a vendor and customer/donor list for duplicates, inactivity, unusual spelling/capitalization/punctuation, and those that may include employee addresses. A duplicate vendor in the master list could allow an employee to misuse that vendor account without putting the actual vendor on notice. Or it could be an indication of possible historical misuse or abuse.
  • Review an employee payroll list for duplicate, inactive, retired, and termed employees or employees with the same addresses or personal identification information. A retired or termed employee still on an active employee list could indicate possible misuse or abuse. Employee names with duplicate addresses, personal identification information, or banking information could indicate a potential ghost employee.

Similar to the financial data review, perform these internal software and application inspections regularly and document them when completed. Follow up on any unusual activity with an appropriate inquiry and promptly correct any identified vulnerabilities.
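
The master-data checks listed above can be run as a script over exported vendor and payroll lists. The following is an added example, not part of the original article: the records are constructed sample data, and the field names and normalization rules are assumptions to adapt to your own software's export format.

```python
import re
from collections import defaultdict

# Constructed sample records (not real data); field names are assumptions.
VENDORS = [
    {"id": "V001", "name": "Acme Office Supply, Inc.", "address": "100 Main St, Suite 4"},
    {"id": "V002", "name": "ACME OFFICE SUPPLY INC", "address": "100 Main Street Ste 4"},
    {"id": "V003", "name": "Northside Printing", "address": "22 Elm Ave"},
    {"id": "V004", "name": "J&R Consulting", "address": "9 Oak Lane"},
]
EMPLOYEES = [
    {"id": "E01", "name": "Pat Lee", "address": "9 Oak Ln.", "bank": "ACCT-0001"},
    {"id": "E02", "name": "Sam Roy", "address": "51 Pine Rd", "bank": "ACCT-0002"},
    {"id": "E03", "name": "S. Roy Jr", "address": "77 Birch Ct", "bank": "ACCT-0002"},
]

_SUFFIXES = {"inc", "llc", "co", "corp", "ltd"}
_ADDR = {"street": "st", "avenue": "ave", "lane": "ln", "road": "rd",
         "suite": "ste", "court": "ct"}

def _tokens(text):
    # Lowercase and strip punctuation so spelling/case variants compare equal.
    return re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()

def norm_name(name):
    return " ".join(t for t in _tokens(name) if t not in _SUFFIXES)

def norm_addr(addr):
    return " ".join(_ADDR.get(t, t) for t in _tokens(addr))

def groups(records, keyfunc):
    """Return lists of record ids that share the same normalized key."""
    seen = defaultdict(list)
    for rec in records:
        seen[keyfunc(rec)].append(rec["id"])
    return [ids for ids in seen.values() if len(ids) > 1]

def review(vendors, employees):
    emp_addr = {norm_addr(e["address"]): e["id"] for e in employees}
    return {
        "duplicate_vendors": groups(vendors, lambda v: norm_name(v["name"])),
        "vendor_at_employee_address": [
            (v["id"], emp_addr[norm_addr(v["address"])])
            for v in vendors if norm_addr(v["address"]) in emp_addr],
        "shared_bank_account": groups(employees, lambda e: e["bank"]),
    }

if __name__ == "__main__":
    for check, hits in review(VENDORS, EMPLOYEES).items():
        print(check, hits)
```

Each hit is a lead for the follow-up inquiry described above, not a finding: family members on payroll or a sole proprietor working from home can produce legitimate matches.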

Fraud awareness training

Enroll management and governing bodies in continuing education focusing on fraud trends and prevention. Hold brainstorming sessions immediately after and think of ways to put what was learned into practice. Consult regularly with professional service firms, legal counsel, and software providers to identify trends, standard practices, and recommendations to help navigate the changing fraud landscape.

Report irregularities

People can be a nonprofit's greatest asset. Empowering employees to be the watchdogs for your organization is an excellent way to help mitigate fraud. Create a fraud hotline so employees can report irregularities or wrongdoing anonymously, or encourage them to write an anonymous letter to the appropriate management official, governing body, or internal audit or anti-fraud team. If allegations involve top management officials, educate employees on where to report those matters.

Develop a fraud risk tolerance

To help avoid a significant negative impact on the efficiency and effectiveness of operations, carefully balance and think through your organization's internal controls and anti-fraud measures. Management and those charged with governance should establish a fraud risk tolerance level, meaning how much fraud risk the organization is willing to assume to meet the desired efficiency level for operations. The lower the organization's fraud risk tolerance, the more processes and procedures must be implemented to help prevent and detect fraud.

How we can help

Fraud can damage a nonprofit's reputation or even its existence. At Brinker Simpson, our professionals can come alongside your organization to help create a safer and more secure environment in several ways:

  • Nonprofit outsourced finance and accounting services
  • Business opportunity assessments
  • Forensic data analysis
  • Forensic accounting and investigations