Case Study: Fraud Prevention at INGOs and Other Nonprofits
Fraud is a threat that can impact any organization – often when they least expect it. Fraud poses a particular risk for International Non-governmental Organizations (“INGOs”), as not only are the misappropriated funds lost, but the perception that fraud creates threatens future revenue from donors as well. According to the Association of Fraud Examiners, organizations lose 5% of their revenue annually to fraud – an average of $1.5 million per case.
BDO investigated one such case where an accountant at an INGO was abusing gaps in payroll controls to make fraudulent payments to themselves, along with members of their family. The scheme was perpetrated for several years before detection; however, by that point, the damage had already been done, resulting in a loss of more than one million dollars USD ($1,000,000).
About the Client
BDO conducted an expansive investigation for a major INGO. The INGO in question receives a majority of its funding from the United States government, namely USAID.
A 2020 ACFE report indicates that 43% of fraud is detected through employee tips; those providing the tips are known as whistleblowers. In this instance, a whistleblower discovered irregularities in the organization's payroll and bank reconciliation processes. The organization initially tasked its Internal Audit team with investigating the discrepancies; however, after an initial investigation was conducted, it became clear that external professional help was needed to fully assess the scope and value of the fraud. The client had already engaged outside counsel to advise them and then sought several bids from firms with expertise in forensic analysis. The client selected BDO to take on the project based on their highly qualified team of consultants, CPAs, CFEs and expertise in forensic investigations for nonprofit organizations.
Together with the client, BDO developed a comprehensive workplan based on industry best practice and the client’s specific needs. In this case, the client desired to understand the full scope of the fraud. Additionally, the client required special attention to identify potential misappropriation of government funding.
Below, BDO describes the process followed to obtain the facts in this matter, which included uncovering the fraud scheme and then reporting back to the client.
Information and Data Gathering
- BDO met with the client to discuss their preliminary findings and aimed to understand the extent of the allegations.
- BDO collected and conducted a comprehensive review of the organization’s policies and procedures to identify gaps in process.
- BDO conducted more than 30 interviews with members of staff to understand key events and processes.
Data Analysis and Quantifying Fraudulent Activity
BDO conducted a comprehensive forensic review of more than a dozen email accounts which were of interest to the allegations. This involved assessing upward of 10,000 emails through steps including:
- Developing a methodology for identifying “high interest” emails based on key search terms, such as the name of the subject’s family or businesses. High interest emails were triaged and given an additional level of scrutiny.
- Reviewing all remaining emails for the names of the suspected fraudster’s known associates and relatives, whom he was suspected of paying with organization funds.
- Analyzing communication between the suspected fraudster and other finance staff to determine if other conspirators were involved.
In addition to completing a robust email review, BDO took measures such as:
- Conducting eDiscovery searches of key personnel’s files on company laptops.
- Reviewing thousands of contracts and timesheets for employees (past and present) to determine if any erroneous payments were made at unauthorized pay rates or to undocumented personnel.
- Assessing the existing control environment and identifying any potential gaps. The primary gap was identified as no review of payroll payments prior to disbursement. Additionally, there was a severe lack of segregation of duties within this specific office, with one employee performing the majority of tasks.
- Analyzing “approved” payroll against what was paid out and noting any variances. BDO found clear instances in which individuals who were not on the authorized payroll list were being paid each month. BDO confirmed this scheme, which dated back years, by reviewing the general ledger and observing a pattern of booked entries intended to conceal the fraudulent activity.
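The approved-versus-paid comparison described in the last step can be run as a simple reconciliation. The following is an added example, not BDO's or the client's tooling; the CSV layout, column names, employee IDs and amounts are all constructed for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed sample: the authorized payroll list per pay period.
APPROVED_CSV = """period,employee_id,name,approved_net
2019-03,E001,Employee One,1200.00
2019-03,E002,Employee Two,950.00
2019-04,E001,Employee One,1200.00
2019-04,E002,Employee Two,950.00
"""

# Constructed sample: what was actually disbursed from the bank account.
PAID_CSV = """period,employee_id,name,paid_net
2019-03,E001,Employee One,1200.00
2019-03,E002,Employee Two,950.00
2019-03,E900,Unlisted Payee,1100.00
2019-04,E001,Employee One,1200.00
2019-04,E002,Employee Two,1250.00
2019-04,E900,Unlisted Payee,1100.00
"""

def load(text, amount_col):
    """Total amounts per (period, employee_id) so split payments are summed."""
    totals = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["period"], row["employee_id"].strip().upper())
        totals[key] = totals.get(key, Decimal("0")) + Decimal(row[amount_col])
    return totals

def reconcile(approved_text, paid_text, tolerance=Decimal("0.01")):
    """Return (period, employee_id, finding, variance) for every mismatch."""
    approved = load(approved_text, "approved_net")
    paid = load(paid_text, "paid_net")
    findings = []
    for key in sorted(set(approved) | set(paid)):
        a, p = approved.get(key), paid.get(key)
        if a is None:      # paid, but never authorized: ghost-employee indicator
            findings.append((*key, "NOT_ON_APPROVED_PAYROLL", p))
        elif p is None:    # authorized, but no matching disbursement
            findings.append((*key, "APPROVED_BUT_UNPAID", -a))
        elif abs(p - a) > tolerance:
            findings.append((*key, "AMOUNT_VARIANCE", p - a))
    return findings

if __name__ == "__main__":
    for finding in reconcile(APPROVED_CSV, PAID_CSV):
        print(*finding, sep="\t")
```

A payee flagged as NOT_ON_APPROVED_PAYROLL in consecutive periods matches the recurring pattern described above and is the place to start tracing the corresponding general ledger entries.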
The main strategy of the fraud scheme was as follows:
The subject of the investigation created several “ghost” employees under the names of members of their family. The subject would then process payroll, with little oversight, and pay salaries to members of their family. These fraudulent payments were concealed via fraudulent journal entries.
BDO developed a comprehensive report on the nature of the scheme.
- In total, BDO identified and reported on 182 fraudulent payroll transactions.
- In total, BDO uncovered more than one million dollars USD ($1,000,000) in fraudulent transactions spanning several years.
- BDO observed that one suspect likely acted on their own to execute the scheme.
- BDO developed a list of recommendations to mitigate control failures identified during the investigation and improve organizational policies related to the organization’s control environment.
Clearly Established Roles and Segregation of Duties
Organizations must ensure that there is a clearly established segregation of duties that is enumerated in job descriptions. In this case, the subject was preparing, posting, paying payroll and benefits transactions, and conducting bank reconciliations with an inadequate level of review or oversight.
In this case, the organization’s most senior finance personnel assumed that an adequate level of review was occurring without verifying that such reviews were taking place. Both individuals failed to ensure that adequate mitigating controls were in place, a requirement enumerated in their job descriptions. This lack of oversight led to the subject’s actions going unchecked. Organizations must ensure that leadership is conducting thorough reviews of financial transactions and journal entries.
Adherence to Policies and Internal Controls
BDO observed that although headquarters (HQ) did have established policies regarding the implementation of certain key controls, operations in the country office were not in compliance with documented policy. Organizations should ensure that there is an effective mechanism to enforce general policies in-country. To this end:
- HQ should perform more regular monitoring of country office operations to ensure compliance with general policies.
- HQ should conduct regular internal audits and desk reviews of country office practices.
- The importance of adherence to standard procedures should be socialized among staff at both the country office and HQ levels.
BDO has expertise in identifying and addressing fraud at nonprofit organizations. Furthermore, BDO can offer proactive support to mitigate fraud risks, including internal controls reviews, audits and policy development. If you would like assistance in any of these areas, please contact us.