The Association of Certified Fraud Examiners (ACFE) reported the median loss for any single fraud in a not-for-profit organization (NFP) was approximately $100,000 in 2016. This amount was less than the median losses from frauds committed in governmental entities ($109,000), public companies ($178,000) and public companies ($180,000) during the same time period. Sadly, NFP fraud constituted approximately 20% of all the reported cases. Putting the median loss number in perspective, a $100,000 loss would have been devastating to the NFP I served as board chair. On top of this, the $100,000 loss was the median loss, meaning one-half of the losses were larger than $100,000, so the pain could be even more acute. Why are the median losses in the NFP sector smaller than in other organizations? My guess is that there is simply less cash available for conversion in the NFP than in the other entities, but more research will be needed to support my supposition. The ACFE also reports the average fraud in an NFP organization will last two years as opposed to eighteen months in public companies.
That is not all the bad news, though. In a recent report, the ACFE says it expects the amount of fraud to increase after the pandemic. Many small NFP entities are chronically short-staffed, so there is often a lack of segregation of duties, a key element of internal control. This is compounded by the pandemic, as skilled labor is often in short supply. One executive director I worked with joked she would need to sweep up on the way home because the NFP couldn’t afford janitorial services. Being underfunded, as most small NFP organizations are, also means a lack of software that supports good internal controls.
Is the situation hopeless then? No. The ACFE has found some compensating controls to be effective, and they are relatively cost-efficient as well. Here are a few suggestions:
- Management review of the financial data and performance indicators. An involved upper management regularly reviewing financial information and performance indicators is often an effective fraud deterrent. No one knows the company better than the senior management. Getting in the habit of reviewing operating data on a regular basis is one cost-effective way to combat fraud.
- Fraud training for managers and executives. Training courses are relatively inexpensive, especially compared to the pain an organization will feel from a major fraud. Training heightens management and employees’ awareness of fraud possibilities.
- Fraud assessments. These can be undertaken annually as a joint venture among board members, management, and the external auditors. Knowing the weaknesses in internal controls can often focus management’s attention on them and lead to future mitigation.
- Employee assistance programs (EAPs). Many of you are familiar with the fraud triangle. This relatively simple theoretical construct says fraud is most likely to occur when there is pressure (financial, psychological, etc.) on an employee, the opportunity for the employee to commit fraud (due to a lack of internal control) and rationalization of the action by the employee (“I don’t get paid enough for what I do!”). Organizations can deter fraud by addressing any and all of these root causes. Fraudsters often succumb to psychological pressure because they feel isolated and believe they have to deal with their personal problems themselves. They may be overwhelmed by the situations they find themselves in. An EAP gives employees an opportunity to get counseling help on an anonymous basis. Many benefit plans contain an EAP feature. It is cheap compared to a fraud loss.
- An anti-fraud policy and a code of conduct. The existence of these documents and their annual review also deters fraud. They should contain a clear policy about whom whistleblowers should speak to when they suspect fraud and an anti-retaliation policy protecting whistleblowers. Anonymous tips are still one of the most significant ways frauds are uncovered. Employees and clients should not be afraid of retaliation for making a legitimate whistleblower complaint.
These suggestions are not in and of themselves sufficient as a system of internal controls. General, application, processing and reconciliation internal controls should be used wherever possible. This list is just a few recommendations for compensating internal controls when the organization lacks the time, talent, and treasure to implement a more functional, effective system of internal controls.