Not for profit’s susceptibility to fraud
21 January 2020
“Inside a $3 Million fraud and bribery scheme at the national charity”
“Charity CEO will pay $500K to settle a fraud probe”
“How an accounts payable officer rigged the charity and stole millions of dollars”
Unfortunately, all of us would have seen such headlines relating to financial scams in charitable institutions at some point in time. The immediate reaction to such headlines is a sense of negativity and a breakdown of trust in governance, charitable institutions and philanthropy.
Public trust is fundamental to any not-for-profit organisation (NFP). NFPs are commonly established and managed by philanthropists who have a deep sense of responsibility to give something back to society, and this underlying objective is what inspires a high level of public trust and confidence. It is not just the quantum of the fraud that affects the NFP; it is the consequent breakdown of public trust and the reputational damage that have the greatest impact. After a fraud is discovered, an NFP risks losing support not just from its existing patrons but also from potential new donors, due to a lack of continuing trust in the institution, and that trust may take many years for the NFP to rebuild.
What is a Fraud?
A fraud occurs when someone conducts a dishonest act, with an intention to benefit themselves or to cause a loss to someone in the process. As reported by the Association of Certified Fraud Examiners (ACFE) in its 2018 Report to the Nations, NFPs suffer a median loss of USD 75,000 from fraud, which can be particularly devastating considering the limited financial resources of an NFP.
Why are NFPs more susceptible to fraud?
NFPs are established to benefit society at large. Needless to say, the presumption is that every person who is associated with the NFP shares the same objective, including volunteers of the NFP, its employees and the senior management. It is expected that an NFP uses its funds to meet its objectives, rather than on its working capital requirements. Consequently, NFPs can be understaffed and rely on their limited workforce. There may be minimal segregation of duties or financial controls, thus creating an opportunity for fraud to occur.
NFPs often engage volunteers without performing detailed background checks, and the nature of the role may give them easy access to siphon cash. Minimal segregation of duties, and/or dependence on a few individual members, can result in ineffective oversight of funds and assets, particularly in smaller charities. One executive may have the authority to enter into transactions, sign cheques and undertake reconciliation of bank statements and accounts, giving them an opportunity to commit fraud.
Charities may also tend to place undue powers in the hands of their founder, CEO or a senior executive, giving them unquestionable authority to enter into transactions which may personally benefit them rather than the charity.
What are the different types of fraud risk faced by an NFP?
Fraud against NFPs can be split into two categories – Internal and External fraud. Internal frauds refer to frauds that are committed by someone within the NFP such as volunteers, employees, senior management or the board. External frauds refer to frauds that are committed by someone outside the NFP, such as suppliers, program participants or beneficiaries, or anyone who is not associated with the NFP.
Common Internal Fraud Schemes:
Siphoning off cash donations
Using the charity’s funds for personal expenses (e.g. using a credit card of the charitable institution for personal food, clothing, travel etc.) or claiming reimbursement of personal expenses
Creating fake or inflated invoices to receive payments for goods or services that were never actually received by the institution
Theft of donated merchandise
Using the charity’s assets for personal purposes (e.g. mobile, car, property)
Kickbacks – using the charity’s service provider to obtain services for self and family such as construction of property, landscaping of a property, free travel, etc.
Employing family and friends for roles they are not eligible for or paying them a higher salary
Awarding contracts to family and friends at a higher value without disclosing a conflict of interest
Common External Fraud Schemes:
Organising a fund-raising event using a well-known charity’s name and brand (setting up a booth, collecting cash donations at public places or even setting up a fraudulent website)
Setting up a charity with a name which is very similar to an existing well-known charity
Vendors creating fake or inflated invoices to obtain payments for goods or services that were never supplied
Frauds conducted by outsiders to obtain financial assistance for which they were not eligible
Cyber security threats
Fraud is a significant potential problem for all organisations. While there is no foolproof method of preventing fraud, based on our experience working with a wide variety of NFP organisations, we’ve pulled together certain strategies your organisation can adopt to help to prevent fraud, including specific controls that should be in place at every not-for-profit, regardless of its size.
1. Conduct a risk assessment:
A risk assessment assists an organisation to gain a reasonable understanding of its vulnerabilities. The organisation should collaborate with staff from various functions such as finance, accounts, human resources, information technology, etc. to determine the key risk areas of the organisation and their likely impact if the risks do materialise.
Once the organisation has identified its high-risk areas, it may consider designing a prevention/mitigation strategy to minimise the impact of those risks.
2. Effective internal controls:
The organisation should ensure it has effective internal controls in place to mitigate the identified risks, and that any gaps in internal control are addressed. Segregation of duties is often a problem area for NFPs, as they have limited resources and often channel funds towards meeting their core objectives rather than towards salaries and administrative costs. In such scenarios, the organisation may consider implementing internal reviews by managers who were not involved in undertaking the specified task, and ensure an audit trail is maintained to show the review of documents. There should also be a regular practice of reconciling the organisation’s bank statements against its accounts, to identify any abnormal expenses.
3. Documented policies and procedures:
As with any organisation, the importance of ethical behaviour flows from the top, and the board and senior management need to “practice what they preach”. They should ensure employees are aware that dishonest or unethical behaviour will not be tolerated. The organisation should have documented policies and procedures in place to assist employees to understand their responsibilities and tasks. A conflict of interest policy can also be included, detailing the instances that are considered as conflicts and the necessary steps to be undertaken in such a scenario.
The organisation should also define financial delegations which restrict an employee from approving transactions above a threshold. Expenses incurred by senior management may be approved by the board, so that no single person has the authority to approve their own expenses. The organisation should also have pre-numbered receipts to assist the organisation in having an audit trail and ensure no receipt goes missing.
4. Anti-Fraud and whistleblower policies:
Every organisation should develop a fraud prevention policy, to communicate that frauds will not be tolerated and any event of fraud shall be dealt with seriously. The fraud policy should ideally include the definition of fraud along with a few instances which may be deemed to be fraudulent activity. It should include the overall responsibility of management, instructions and procedures to prevent, detect and deal with fraud, procedures to be followed by a whistleblower when fraud is suspected, and protection of the whistleblower.
As per the 2018 ACFE report, 40% of fraud schemes were discovered by a tip (whistleblowing) and the majority of those tips came from employees through a hotline. Every organisation should design and implement a whistleblower policy and encourage its employees to report any suspicion of fraud. The organisation can consider informing their employees about their protection and rights under the Public Interest Disclosure Act 2013 to instil a higher level of confidence.
5. Take steps to mitigate cyber security threats:
With the increasing use of and dependence on technology, the occurrence of cyber security threats is also increasing. Every organisation should initiate steps to mitigate or reduce its cyber security risks. Simple measures such as ensuring its operating system is up to date, installing anti-virus software, ensuring passwords are changed on a regular basis, frequently backing up critical data and implementing multi-factor authentication, especially in the case of online banking, will assist the organisation in reducing the impact of a cyber threat.
6. Updated website:
The organisation should ensure that its website is regularly updated, especially with regard to donations to the charity and the list of bank accounts held. It should also provide a list of its fund-raising events to inform its patrons of its activities. This would serve as a safeguard that prospective donors can refer to, so that they do not donate to someone who has fraudulently set up a booth in the name of the organisation.
The organisation may consider creating awareness about such fraudulent activities which are being conducted using their name and encourage people to donate using their website or refer to the website for the list of fund-raising events before donating any money.
Findex specialises in helping to prevent and detect risks in the NFP sector. To have a detailed discussion on risks facing the NFP sector or learn how Findex specialists can be of any help, contact us here.