Unfortunately, fraud in nonprofit organizations—or any organization for that matter—is not going away. Despite a growing awareness among leaders of organizations of the frequency and severity of fraud outbreaks in recent decades, fraud losses are only increasing. Prior to examining how an organization can help protect itself from fraud, let’s dive into some facts about just how badly fraud is impacting organizations.

The following statistics from the Association of Certified Fraud Examiners’ (ACFE) report, “Occupational Fraud 2022: A Report to the Nations” (ACFE, 2022, p. 4), are astonishing:

  • In the past year alone, there were 2,110 cases of fraud, spanning 133 countries, causing total losses of more than $3.6 billion. This results in an average loss per case of more than $1.7 million.
  • 5% of revenue each year is lost to fraud.  
  • The median case of lost revenue for organizations because of fraud was 9%.
  • 21% of reported fraud cases caused losses of more than $1 million.
  • A typical fraud case causes a loss of $8,300 per month and lasts 12 months prior to detection.

These are just a select few of the troubling facts documented in the ACFE’s report. So, what are the best ways for an organization to help protect itself against this growing problem? Here are a few suggestions to consider:

  1. Implement a fraud hotline if you don’t already have one. While it helps to ensure that your internal control structure is sound, as will be examined later in this article, it’s important to note that many fraud cases and the vast majority of fraud losses to organizations involve fraud committed by upper management, which includes managerial-level employees and even the organization’s owners or executives. Oftentimes, higher-ups can circumvent even the best of internal control environments by using their stature in the organization to coerce lower-level employees to allow them access to systems they may not otherwise have access to. In this scenario, if an organization implemented an anonymous fraud hotline, an employee would have the ability to report the fraud with a reduced risk of the perpetrator detecting who made the report. A fraud hotline is a simple and pretty cost-effective approach to helping reduce occupational fraud.
  2. Brush up on fraud tendencies. According to the ACFE’s report, 85% of fraudsters displayed behavioral red flags of fraud. This means that if you’re paying close enough attention, 85% of the time you can pick up on suspicious behavior. The most prevalent fraud behavioral signs detected in employees who committed fraud were:
    1. 39% of employees caught committing fraud were noticed to have been living beyond their means. Perhaps they purchased a nicer car than one would expect, relative to their salary. In many cases, fraudsters were witnessed taking more extravagant vacations than the typical individual would with the same salary.
    2. 25% of employees caught committing fraud complained about financial difficulties they were facing prior to committing fraud.
    3. 20% of employees caught committing fraud were reported to have an unusually close association with a vendor or customer who ultimately assisted in the fraud.
    4. 13% of employees caught committing fraud were said to have control issues or were unwilling to share duties.
    5. 12% of employees caught committing fraud were said to be very defensive at work.

    The common denominator in these five examples is that most fraudsters give hints of their activity based on their behavior. Focusing just a little bit on an employee’s unusual tendencies can go a long way.
  3. Focus on high-risk fraud areas. While incurring any fraud is traumatic, given the difficulty of catching fraud, it behooves your organization to focus most of its efforts on the higher-risk areas, such as the areas where most fraud cases are found and/or where the largest fraud dollars are lost.
    1. 49% of all fraud was committed by operations, accounting, upper management, and sales departments.
    2. 86% of fraud cases pertain to asset misappropriation.
    3. Financial statement fraud schemes, although found much less commonly, are the costliest.
    4. Only 8% of fraud cases currently involve the use of cryptocurrency, but this number has grown over the last few years and fraud examiners anticipate it will continue to grow. Among these cases, cryptocurrency was most commonly used for making bribery and kickback payments, as well as converting misappropriated assets.
    5. The top five concealment methods of fraud according to the ACFE are: 39% of fraud cases were performed by creating physical fraudulent documents, 32% by altering physical documents, 28% by creating fraudulent electronic documents, 25% by altering electronic documents, and 23% by destroying physical documents.

    It’s important to exhaust the majority of your efforts on these key high-risk areas and not use resources focusing on lower-risk fraud areas.
  4. Understand the motives for committing fraud. This task is very organization-dependent, but for nonprofit organizations, typical reasons why employees would commit fraud include, on an individual level, obtaining a bonus, raise, promotion, or positive performance evaluation by fraudulently boosting performance, and, on a global organizational level, cooking the books to help obtain a grant or to meet a debt covenant. Understanding why one would commit fraud goes a long way in helping to identify and catch fraud.
  5. Improve your internal control structure. While continually keying in on the first four items mentioned above, you can complement that improved focus and awareness of fraud by implementing better internal controls in your organization. The ACFE reported that nearly half of fraud cases occurred due to lack of internal controls (29%) or an override of existing controls (20%), so obviously there’s a lot of opportunity for organizations to improve in this area.

    Before diving in deeper as to how you can improve your organization’s internal control structure, it’s important to make sure you understand what a control is. A control is what prevents, detects, and corrects errors. Oftentimes, a control will get confused with a process. Preparing a bank reconciliation to ensure that the cash balance per the books matches the cash balance per the bank is a process. Ensuring an employee, a level up from the preparer, reviews the bank reconciliation prior to the information being posted to the general ledger is a control. Some key words that define a process are: post, payment, compile, and prepare, while your classic control words are: agree, match, approve, review, double-check, safeguard, and authorize. Another important point to understand as it relates to internal controls is the distinction between two types of controls that sound similar and are often confused but are very different: a complementary control versus a compensating control. A complementary control can eliminate a matter from being a potential control deficiency. It’s a preventive control. A compensating control, on the other hand, is a detective control. It does not prevent fraud or error from occurring but can catch a matter once it has already occurred. They are very different types of controls, but both are essential to all organizations’ internal control structures.

    Now that we’ve gone through what a control is and the difference between a process and a control, we can look at the ins and outs of internal controls and conclude with some of the most important cycles within the organization that can help ensure proper internal controls exist. While an examination of internal control implementation can go on for numerous pages, the easiest and most terse way to look at it is to try to separate those individuals who have access responsibilities from those who have recording and monitoring responsibilities.  

    Let’s illustrate what access responsibilities, recording responsibilities, and monitoring responsibilities look like through a cycle that all organizations have, the cash disbursement cycle. Access abilities include issuing a purchase order to a vendor, approving invoices for payment, making a computer entry to generate a payment, signing checks, accessing a mechanical signature device, accessing signed checks, and mailing checks. Recording abilities include making a journal entry to expenses, inventory, accounts payable, and cash; changing computer master files; changing computer entries; and recording accounts payable. Finally, monitoring abilities include reconciling cash and accounts payable and reviewing these reconciliations. If an employee can both reconcile the bank and make a journal entry but has no access to any of the items in the cash disbursement cycle, that is OK, because even though they have both recording and monitoring responsibilities, they don’t have access and, therefore, cannot commit fraud or errors. If, however, the employee can access an invoice and is then responsible for recording journal entries regarding disbursements, that is where it is easy to circumvent controls because there is not a proper segregation of duties. The same is true for all other cycles within the organization as well.

    In addition to the aforementioned cash disbursement cycle, some of the other key high-risk areas where an organization should check that proper internal controls are in place are cash receipts, payroll, credit cards, information technology (IT), and expense reimbursements. Ideally, proper controls and segregation of duties will exist for all cycles, but absolutely in these higher-risk areas.

Fraud is an issue, and there is no foolproof way to completely rid your organization of its potential. However, by implementing these suggestions, you can help mitigate the likelihood of its occurrence and the impact if it does occur. That may just save your organization from a catastrophe.