Five Realistic Control Measures for Smaller Nonprofits to Avoid Fraud
Fraud is a damaging and disturbing event in any organization, but its impact on nonprofit organizations can be devastating. With limited staff and resources for internal controls, executives and Boards of small nonprofits struggle with how to protect their organizations from fraud. At the same time, given their more limited resource bandwidths, smaller nonprofits generally cannot afford to have any of their assets diverted from helping the causes they support.
Common types of fraud in the nonprofit industry can include employee embezzlement (such as payments to fictitious vendors and/or theft of the organization’s checks), related party transactions and abuse of travel and expenditure/corporate credit privileges. An atmosphere of trust, lack of segregation of duties, weaker internal controls, limited resources and significant control by executive members of the organization are some of the factors that can increase the risk of fraud in a small nonprofit organization.
Still, the line between responsible fraud prevention and the realistic allocation of resources can be daunting for smaller nonprofits. With that in mind, here are five practical ways that these organizations can help reduce the risk of fraud:
1. Establish appropriate tone at the top: Executive members of the organization should be required to abide by the same rules and processes that apply to other employees of the organization. All nonprofits should implement procedures to obtain additional authorizations when transactions are processed outside of the established controls. In addition, organizations should establish a venue, such as a hotline or specific email account, that employees can use to raise concerns anonymously.
2. Implement compensating controls: To reduce the risk of payments to fictitious vendors and/or unauthorized payments from the organization’s bank account, management should consider implementation of:
A. Positive pay. This service requires that the organization provide the bank a list of checks issued by the organization. When checks are presented for payment at the bank, they are compared to the list of issued checks, and exceptions are then communicated back to the organization. The individual responsible for the positive pay function should not be involved in the cash disbursement process.
B. Independent receipt and review of bank statements. An executive member of the organization, such as the Executive Director or a Board member, should receive bank statements. These individuals generally do not have access to the organization’s bank account or blank check stock, nor do they play any role in the cash disbursement process. They should perform a cursory review of the bank statement, including copies of the cancelled checks, to identify any suspicious or unusual transactions prior to giving the bank statement to the accounting staff to prepare the bank reconciliation.
3. Generate exception reports within the accounting system: Management should determine if the accounting system is able to generate a Vendor Master File change report. This report will identify any additions or changes made to the organization’s vendors. An individual not involved in the cash disbursement process should perform a periodic review of this report and ensure that all changes noted in the report appear reasonable and have been properly authorized.
4. Perform due diligence on new vendors: For new vendors identified in the Vendor Master File change report, management should determine how the vendor was selected and if the selection process was in accordance with the organization’s policies. For significant vendors, management may also want to perform a due diligence check.
5. Perform a periodic independent review of expense reports and corporate credit card statements: An individual who is not involved in processing expense reports or an independent third party should perform a periodic or annual audit of expense reports and credit card statements. The purpose of this review is to ensure that expenses submitted for reimbursement appear to be legitimate business expenses and follow the organization’s policies and procedures.
It’s important to remember that nonprofits of all sizes are vulnerable to fraud, and that only through a diligent and proactive approach can this risk be mitigated. A self-audit of your organization’s controls and procedures can be a helpful starting point.