Preventing and Detecting Fraud in Not-for-Profit Organizations
By Brenda DeCosta, Partner, Assurance Services
The Association of Certified Fraud Examiners’ (“ACFE”) 2020 Global Study on Occupational Fraud and Abuse Report to the Nations is a case study in fraud prevention and detection. The report is based on a study of more than 2500 fraud cases from 125 countries, resulting in total losses in excess of $3.6 billion (895 of the cases were from the United States).
The study found that the most common, but least costly, form of fraud was asset misappropriation (e.g., fraudulent disbursements), while the least common, but most costly, fraud was intentionally causing a material misstatement in a financial statement. On average, 43% of schemes were uncovered by tips, and, it was not uncommon for a scheme to have been going on for more than a year before such detection.
While the 2500 cases investigated for the study represent only a small fraction of the number of frauds committed annually, much can be learned from them about ways to prevent and detect fraud. As many not-for-profit organizations have had to adjust for remote work environments, alternating employee teams on-site, funding challenges and reduction in work force, it has never been more apparent that a strong system of internal controls remains essential.
The Fraud Triangle
For a fraud to occur, three elements must exist. These elements, referred to as the fraud triangle, are opportunity, pressure (incentive or motivation) and rationalization (attitude or justification). Although an organization may be somewhat challenged to influence an individual’s behaviors (the pressure and/or rationalization elements), it can take notice of certain red flags such as living beyond one’s means, unwillingness to share duties or take vacation time, and/or unusual or questionable actions.
An organization can minimize fraud opportunities through internal controls and oversight.
Internal controls can be implemented in various ways, depending on the size and structure of the organization. Larger organizations may be able to more easily develop processes that allow for segregation of duties, review and oversight, while smaller organizations may be more challenged to do so.
Common internal controls
- Bank statements should be reviewed and approved by an individual other than the one who enters transactions into the general ledger system or performs the account reconciliation;
- The payroll register should be reviewed and approved by someone other than the individual responsible for reporting hours and wages to the payroll company (or the individual processing payroll, if performed in-house). Consideration should be given to fictitious employees, reasonableness of wages, and authorized and approved time sheets. Time sheets should be approved by an employee’s supervisor.
- Journal entries should be reviewed and approved by an individual other than the one preparing them.
- Blank checks should be stored in a secure location, with access restricted to authorized personnel.
- Checks written for amounts in excess of a determined threshold should require dual signatures. Periodically, an individual (other than the preparer or the approver) should review cash disbursements for unusual transactions such as multiple checks in a disbursement cycle to a single payee that, in aggregate, exceed the threshold for the dual signature requirement. In addition, consideration should be given to frequent, non-payroll related disbursements to employees, to ensure that proper documentation exists to support the amounts.
- A member of the board should review and approve the executive director’s expense report prior to reimbursement.
- Individuals responsible for review and approval of transactions and reconciliations should not have the ability to post transactions or edit information in the payroll or accounting software.
In some cases, a board member may need to take on the role of review and oversight. Regardless of the procedures in place, it is important to maintain documentation of review and approval by a second individual. If manual sign-offs are not possible due to remote working conditions, email could serve as support for review and approval by attaching the email correspondence to the particular transaction, reconciliation, etc.
Fraud can occur in many ways and when least expected. The current pandemic has forced organizations to quickly alter the way they operate. Some of these changes will be here to stay when the pandemic ends. Evaluating the impact these changes have had on internal controls now and taking actions to strengthen internal controls in the new environment is the best defense against becoming a victim of fraud.
Contact your Marcum professional for additional information or assistance on ways to strengthen internal controls within your organization.