Mitigating Fraud at Not-for-Profit Organizations
December 18, 2018
David Sumner, a director in EisnerAmper’s Financial Advisory Services Group talks about detecting and responding to fraud at not-for-profits. Useful advice for any type of organization, David discusses the factors that can set the stage for fraud, along with best practices to be proactive as well as how to respond to incidents of fraud should they occur.
DP: When we're talking about the areas of fraud in not for profits, which type of not for profits are most at risk?
DS: Most nonprofits, or any company, are at risk. Fraud does not discriminate on size or type of industry. It happens everywhere, unfortunately. What makes smaller organizations, especially nonprofits, a little bit more vulnerable is they generally have a smaller accounting staff. They have less regulation from supervisory authority like the SEC. When you look at the Association of Certified Fraud Examiners, they issue a report every year and the latest one showed that the smaller companies, less than 100 employees, experienced fraud about twice as much as at those larger companies.
DP: Do a little bit of a deeper dive into smaller organizations. We know that they have less resources to work with, but expand on that if you could.
DS:First of all, one of the major factors with nonprofits is that they depend a lot on volunteers. Volunteers may or may not be highly skilled in their areas, but a nonprofit is always looking for help. They're focused on their mission, and sometimes some of the employees in some critical areas may or may not have the appropriate skills. They also have limited headcount. Those limited headcounts result in a lack of opportunity to perhaps segregate critical key functions that involve cash or revenue or other important areas that are susceptible to fraud. One of the other things that I've experienced and seen in a lot of the nonprofits that I've done investigations at is they have limited written procedures. They're just not as sophisticated overall when compared to for-profit companies.
DP: If fraud is suspected at a not for profit, David, tell us what are barriers, roadblocks, things that might get in the way of detecting and preventing future fraud.
DS: That's a great question and that's something that when I'm talking to individuals at these nonprofits, when they have these allegations, some of these things come to light. That is one—they don't have much experience in the area of fraud detection, which is a good/bad thing. But on the flip side, they are a little bit of a novice when dealing with an allegation of fraud because they have a lot of dedicated people that may have been there for a long time. Sometimes there's a reluctance to ask the tough questions of their employees or volunteers to make sure that perhaps things are going the way in which they're intended. The last thing, which is quite important with nonprofits, is there's the risk of the word getting out there that perhaps money was stolen or misplaced, and that has an impact on their donors.
DP: Bad PR.
DS: Yes. Bad PR.
DP:Having said that, give our listeners some best practices, whether the not for profit is small or large. What are some things that they can do to mitigate fraud?
DS:One of the best things that they can do is take a look at the allegation, the whistleblower letter (however they received it) with a clear and independent mindset. Sometimes that may be asking an external advisor, perhaps someone who's not involved in the area or someone on the board of directors, to help you evaluate these allegations. Someone that's going to give you a fresh point of view. Make sure you understand what your insurance coverage is. Sometimes your insurance coverage may cover the investigation and may help cover those losses. Don't leave that off the table. Consider hiring an independent forensic investigator. Sometimes you can go to your auditor, they may be all to help you. But if it is a significant area, this goes along the lines of are you engaging someone with an independent voice, an independent investigator will get you an independent, unbiased view of what happened. Also consider how quickly you respond. Don't sit on it for a month or two. Try to address it quickly because sometimes the rumor mill can get started. You may lose the PR battle. Somehow things can get out there. You want to stay ahead of this.
DP: Don't count on it to fix itself. You gave us some good advice there. What are some don'ts? What shouldn't nonprofits do?
DS:When someone thinks they know who the whistleblower is and they go talk to them or they confront the alleged perpetrator immediately. You're probably not a professional investigator trained in asking the right questions. You're not a cop. It’s best to leave something this important to someone who knows what they're doing, someone who is trained for doing this the right way. Another thing that you should not do is just dismiss it or think that that person couldn't possibly have done it. “It's not in their nature. I've known them forever.” That's often the person who is committing the fraud because someone needs to be in a position of trust in order to perpetuate a fraud. Lastly, don't go through the employee's computer and files yourself. You may not get what you're looking for, and you may actually harm your ability to use that evidence if you file a police report or try to get money back from the insurance.
DP: It may negatively impact the chain of evidence. What can smaller nonprofits do to mitigate fraud without having a big budget?
DS:That's important. Not everyone can afford an internal audit department with hundreds of people helping to enforce your controls processes. So the tone at the top is one of the most important things that can help deter fraud. If the employees and volunteers know that management and the board are serious about making sure that fraud doesn't occur, that that goes along way. Let your employees know that they also have the ability to come forward with their concerns. Make sure that the often-talked-about open door policy is actually a real thing. Let them know that you really do welcome their input. One of the things you can do is to have your auditor or perhaps another accounting firm look over your critical controls and perform a fraud risk assessment. They might be able to identify a weakness that you could stop ahead of time. Remember, fraud prevention is a lot cheaper than fraud investigation! Rotating job responsibilities is one of my favorites. Make sure that the same person hasn't been doing the cash reconciliations for the last 25 years. Have somebody else do that. In addition to its being a very strong anti-fraud control, this helps to give your employees a little bit more experience throughout the organization. You have better coverage during vacations or an illness. Things of that nature make your organization better, even if unrelated to fraud events. Make sure you also have written procedures. Identifying key controls, write them down, and make sure people are executing those controls, cash reconciliations, accounts payable approvals, and so forth. With the written policy, have some degree of monitoring as to whether staff/volunteers are adhering to the policies. Do unannounced audits on some of those key functions. Take a small sample and just walk it through. It doesn't have to be an anti-fraud audit. It can just be taking a look at them to see how the policy is working, and listen to your employees when they give you feedback. That could make the entire process more efficient.
DP: The employees definitely have to be integrated into the process. They have to know what the ground rules are and what's happening.
DS: One of the last things that I'd like to mention is make sure that you have an independent evaluation of some of your longer-time or family employees. Sometimes you might have someone that's been in that role for a long time, but they’re just not the right fit for the job responsibilities. Give your organization a greater chance to succeed by evaluating certain key functions and making sure that people are in the right jobs.
DP: Any final thoughts?
DS: Fraud hits everywhere. We hear about it, whether it's the largest companies or the smallest company. They often make the news. But the way you respond to it can help make it much worse or much better.
DP: David, for someone like myself who had worked at not for profits for 20+ years, these are definitely words of wisdom to live by. And I recommend that all not for profits really look into these techniques and suggestions. I thank you for your insight and your time.
DS:Thank you. I've enjoyed it.
DP:Thank you for listening to the EisnerAmper's podcast series. Visit eisneramper.com for more information on this and a host of other topics, and join us for our next EisnerAmper podcast when we get down to business.