How Nonprofits Can Avoid the Risk of Fraud

These days many nonprofit executives are grappling with reduced donations, higher demand for services and staff reductions. But the one challenge nonprofit executives may overlook is fraud.

In November 2020, the Association of Certified Fraud Examiners (ACFE) reported that 79% of their members reported seeing an increase in fraud. PricewaterhouseCoopers, one of the Big Four accounting firms, published a 2020 Global Economic Crime and Fraud Survey, reporting that 47% of respondents were fraud victims in the prior two years. This is the second highest rate in the 20 years since the survey had been conducted, with fraud losses totaling $42 billion.

Because nonprofit organizations often have limited staff, informal financial processes, and rely heavily on volunteers, they can be easy prey for fraudsters. And the biggest risk may be reputational, not financial, as few donors want to support organizations that are easy targets for criminals.

Here are several steps nonprofits can take to avoid fraud:

Set the Tone from the Top – The Executive Director should clearly and consistently communicate their vigilance in fighting fraud in periodic communications to staff, the board, volunteers, vendors, and external stakeholders. This should be done on the organization’s intranet, in newsletters and in statements on the website. Fraudsters may look at the website as a starting point to determine if the organization is vulnerable. In the same way as homeowners post signs declaring they are protected by a home security system, the organization can prevent fraud by persuading criminals to move on to an easier target.

Whistleblower Policy – Back up your commitment to fraud prevention by implementing a company policy that protects good faith tips of potential fraud. According to ACFE, 43% of fraud is identified by tips, with half coming from employees. If employees know they are protected, they will have the confidence to come forward with information.

Blocking Unauthorized Checking Account Debits – Sophisticated fraudsters use checking account numbers and bank routing numbers to make unauthorized electronic debits from your account. But there are steps you can take to stop them. When it’s necessary to provide payment instructions by email, use a password protected document and send the password in a separate email. For a fee, your bank can provide “debit block” protection which prevents all electronic debits from your account for parties who are not authorized by you.

Verbal Confirmation of Payment Instructions – Our new remote working environment presents fraudsters with additional opportunities to use email to trick us into handing them our money. One ploy is sending an email, disguised to look like it’s from the Executive Director or another authorized person, directing an urgent money transfer to a new payee. Staffers eager to please the boss, often respond by making the payment and the funds are lost. Another technique is to intercept unprotected emailed invoices and change the payment instructions to their own bank account. Once the invoice is paid, the funds go into the fraudster's account, not your vendor’s.

An easy way to prevent these risks is to implement a policy of verbal confirmation. Call the internal senior executive directing the payment to ensure the request is legitimate. Likewise, all payment instructions from new vendors and changes to payment instructions from existing vendors should be confirmed over the phone.

Strong Accounting Procedures – These new threats reinforce the importance of resilient accounting processes. Completing monthly account reconciliations shortly after month end can catch fraud early enough to gain partial or complete reimbursement. Segregation of duties is essential to preventing internal fraud by staff. The person approving invoices should be separate from the one paying them, and account reconciliations should be reviewed and approved by a different person than the one preparing the reconciliation. Significant budget variances should be investigated as they could be red flags for fraud. With limited staff, it can be difficult to implement and maintain these checks and balances, so it may make sense to have an independent outside professional perform these steps.

Be Vigilant - Sadly, the person no one suspects of fraud – the well liked, long serving bookkeeper or accountant is frequently the one committing the fraud. Watch out for extreme changes in life style by anyone with authority over financial activities, as it may indicate a criminal act.

Take a Vacation! – For years, banks have required employees to take an uninterrupted two week vacation each year. This not only helps to maintain mental health, but banks know (from being on the front lines of fraud prevention) that having someone fill in for a vacationing employee can reveal ongoing fraud. This can be challenging for nonprofits with stretched staff and a 24/7 work ethic, but it will also reduce the risk of fraud and re-fresh your staff.

When fraud does occur, people frequently ask, “Where were the auditors? Why didn’t they catch it?” If you review your auditors’ engagement agreement and the financial statement opinion letter, you’ll see auditors are required to review internal control procedures, but fraud prevention is outside of their purview. Instead, its squarely on the shoulders of management, so this is an issue all nonprofits and their outside consultants need to take seriously. What steps is your organization taking to prevent fraud?