Nonprofit Fraud: Tips for Spotting and Preventing It

Nonprofits work hard every day to carry out their missions, often on tight budgets and with modest-sized staff. Many nonprofits are surprised to learn that the challenges they face include not just operating with limited resources, but guarding against a more unfortunate danger: fraud committed by their own executives, employees or volunteers.

The cost of such fraud is substantial. In 2013, for example, the Washington Post found that more than 1,000 nonprofits had disclosed a “significant diversion” of assets since 2008 due to theft, investment fraud, embezzlement and other unauthorized uses of funds.[1] In 2014, the median loss from fraud committed by a nonprofit’s own personnel was $108,000.[2] That figure not only exceeds the budgets of many nonprofits, but also does not account for the reputational injury and chilling effect on donations that fraud may cause.

Thankfully, whether your nonprofit organization is large or small, there are steps you can take to reduce the risk of fraud and to detect it if it occurs. In fact, some of the most effective anti-fraud controls are the least expensive to implement. Using these measures does not guarantee your organization will be immune from fraud, but they can help reduce the risk.

Common Schemes

Fraud committed by a nonprofit’s staff often follows predictable patterns. According to the Association of Certified Fraud Examiners, typical schemes include:

• Check tampering: A fraudulent disbursement scheme in which the perpetrator steals the nonprofit’s funds by intercepting, forging or altering a check drawn on one of the organization’s bank accounts. For example, an employee who steals blank company checks and makes them out to himself or herself, or who steals an outgoing check to a vendor and deposits it into his or her bank account.
• Billing: A fraudulent disbursement scheme in which the perpetrator causes the nonprofit to issue a payment by submitting invoices for fictitious goods or services, inflated invoices or invoices for personal purchases. For example, an employee creates a shell company and bills the nonprofit for services not actually rendered. Or the employee buys personal items and submits an invoice to the nonprofit for payment.
• Expense reimbursement: A fraudulent disbursement scheme in which the perpetrator seeks reimbursement of fictitious or inflated business expenses from the nonprofit. For example, an employee files a fraudulent expense report claiming personal travel, nonexistent meals or other expenses that are not reimbursable.
• Corruption: A fraud scheme in which the perpetrator misuses his or her influence in a business transaction in a way that violates his or her duty to the nonprofit in order to gain a direct or indirect benefit. For example, an employee solicits or accepts a bribe or acts while under an impermissible conflict of interest.
• Payroll: A fraudulent disbursement scheme in which the perpetrator causes the nonprofit to issue payment by making false claims for compensation. For example, an employee claims overtime for hours not worked, or adds ghost employees to the payroll.[3]

Knowing that fraud often takes the form of one or more of the above schemes can help your organization implement effective safeguards (discussed below).

Characteristics Of The Perpetrator

A person may commit fraud regardless of his or her job title or seniority, whether the person is a volunteer, employee, manager or executive of a nonprofit. Most fraud is committed below the executive level, but fraud committed by executives has historically resulted in significantly higher losses and has taken longer to detect.[4]

You might think perpetrators tend to be people with histories of fraud-related conduct who commit fraud shortly after joining the nonprofit organization. But data suggests otherwise. A 2014 study by ACFE found that only 5 percent of perpetrators had been convicted of a fraud-related offense prior to committing the fraud reported in the study, about 9 percent had been previously terminated for fraud-related conduct, and 8 percent had been previously punished for such conduct.[5] The same study found that perpetrators were usually veterans of their organizations: Less than 7 percent of perpetrators committed fraud within their first year of employment, though these perpetrators were significantly more likely to have been convicted or charged with fraud in the past.[6]

In most cases of fraud, the perpetrator displays one or more “behavioral red flags.” The most common red flag is a person living beyond his or her means. Other red flags include a person experiencing financial difficulties; having an unusually close association with a vendor or customer; displaying control issues and/or an unwillingness to share duties (including, for example, not taking vacation time); having a “wheeler-dealer” attitude; experiencing divorce or family problems; displaying irritability, suspiciousness or defensiveness; or suffering from addiction.[7] 

Knowing the red flags to watch for can help you spot fraud before it occurs.

Recommended Safeguards

Your organization doesn’t need a multimillion-dollar budget or full-time risk management staff to take some common-sense measures to help prevent or detect fraud. In fact, many of the measures below are relatively inexpensive and can be quickly implemented. You can tailor these measures to the size, complexity and resources of your organization.   

• Create an anonymous reporting mechanism. Tips are far and away the most common method by which fraud is detected, so it’s critical to allow people to report suspected fraud anonymously.[8] You can do so by purchasing a third-party hotline. If that is beyond your organization’s budget, you can create a dedicated email account or a space on your organization’s website for people to report fraud. 
• Foster a culture of honesty. Create a written code of conduct and zero-tolerance policy making clear that fraud in any form is unacceptable. Educate individuals—from the boardroom to the newest employee or volunteer—about common fraud schemes and the harm fraud can cause to your organization’s finances, reputation and mission. Teach individuals where and how they can report fraud, and adopt a written whistleblower policy to encourage people to talk about fraud openly, without fear of retaliation. Provide these trainings on a regular basis.   
• Segregate financial duties. Adopt a system of checks and balances so that no single individual has control over all aspects of an important responsibility. For example, the person who receives or deposits funds should not be in charge of reconciling accounts later on, and the person who approves a transaction or disbursement should not have responsibility for cutting the check. 
• Require backup documentation. Before reimbursing an expense, paying a vendor or making other cash disbursements, require individuals to provide receipts, invoices or other appropriate documentation. For transactions over a certain amount, consider requiring checks to be signed by two individuals.
• Rotate employees and have mandatory vacation time. If an individual stays in the same position, or has the same responsibilities, for too long a period of time, it may be harder for the nonprofit to detect that person’s fraud. Rotating people allows a nonprofit to see if account information or other financial data changes once the new person takes over responsibility, which may indicate fraud. Requiring employees to take vacation time is also a preventive measure, so long as the vacationing employee’s responsibilities are performed by another person in his or her absence. 
• Additional safeguards. Depending on your organization’s resources, additional measures you should consider to prevent fraud include: forming an audit committee within your board or ensuring that at least one board member has relevant experience implementing internal controls; performing internal audits and requesting external ones; performing background checks on new employees; and purchasing employee dishonesty coverage (i.e., a fidelity bond).

None of the above measures can guarantee that your organization will be immune from fraud. But they are relatively simple steps you can implement to reduce the risk of fraud and to catch it if it occurs.

If you have questions, comments or issues you would like to discuss, please feel free to contact either of the authors. You can reach Mark Hiller at 704.377.8361. 

[1] Stephens, Joe and Mary Pat Flaherty, “Inside the hidden world of thefts, scams and phantom purchases at the nation’s nonprofits.” The Washington Post (Oct. 26, 2013). This study examined federal tax filings from 2008 through 2012. The reported diversions of assets include fraud committed not only by a nonprofit’s own executives or employees, but also by third parties such as investment managers.    

[2] 2014 Report to the Nations on Occupational Fraud and Abuse, p. 24. Copyright 2014 by the Association of Certified Fraud Examiners, Inc. (hereinafter ACFE Report). Except where noted in this article, the ACFE Report is based on data from for-profit businesses and government entities, as well as from nonprofits. 

[3] ACFE Report, pp. 26, 71.

[4] ACFE Report, p. 40. 

[5] ACFE Report, p. 58.

[6] ACFE Report, p. 52.

[7] ACFE Report, p. 59.

[8] ACFE Report, pp. 19, 21. The ACFE found that in 42.2 percent of cases, fraud within a company was initially detected by a tip. Employees were the source of the tips in 49 percent of the cases. In comparison, the next most common initial detection mechanism after tips was management review (16 percent), followed by an internal audit (14.1 percent), accidental discovery (6.8 percent), account reconciliation (6.6 percent), document examination (4.2 percent), external audit (3 percent), surveillance/monitoring (2.6 percent), notification from law enforcement (2.2 percent), IT controls (1.1 percent), confession (0.8 percent) and other (0.5 percent).