2. OBJECTIVES
Understand what fraud might look like in nonprofits.
Understand why fraud prevention matters for nonprofits.
Understand financial controls.
Understand how to assess financial controls and fraud risk for
nonprofits.
Understand the role of this assessment in alerting organizations
to fraud risk.
3. FRAUD IN NONPROFITS: ISSUES
Informality
Lack of Knowledge and Awareness
Undue Levels of Trust
Unwillingness to Discuss Fraud Risks
Complex Revenue Streams
Highly Susceptible to Negative Publicity
4. SKIMMING
Taking a little (or a lot of) money for one’s self
- Checking Fraud
- Grant Embezzlement
- Cash Skimming
5. SKIMMING
Difficult to detect when:
No receivable is recorded on the books
No tangible exchange of goods or services with
the payer
Cash is used as payment (especially when the
two circumstances above are present)
6. PURCHASING FRAUD
The most common (and easily perpetrated)
fraud:
Abuse of a corporate credit card for personal
purchases
Expense reimbursement schemes
Exaggerating or fabricating mileage expenses
Writing organizational checks to pay personal
bills
Shell company schemes
7. FINANCIAL REPORTING FRAUD
Typically designed to conceal problems
that would otherwise be noticed on the
balance sheet:
Misclassifying expenses as program to
minimize overhead
Inflating the value of donated goods and
services
Grossing up certain fundraising activities
(events)
8. A FEW EXAMPLES
The Sweatpants Executive
The Great Escape
One for You, Two for Me
11. PRESSURE
Expensive Habits
Loss of Job in the Family
Excessive Debt
Never Takes a Vacation (may be hiding
something!)
Unwillingness to Share Duties
Complaints About Pay, Autonomy or Authority
13. FRAUD MATTERS
Consequences of Fraud in Nonprofits:
Loss of Public Support
Closure
Litigation
Criminal Charges
Board Liability and Reputation
14. FINANCIAL CONTROLS
“Internal control is a process, effected by an
entity’s board of directors, management and
other personnel, designed to provide
reasonable assurance regarding the
achievement of objectives relating to
operations, reporting and compliance.”
– COSO (Committee of Sponsoring
Organizations of the Treadway Commission)
Framework
15. THE FIVE COMPONENTS OF
INTERNAL CONTROL
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
16. CONTROL ENVIRONMENT
1. Commitment to integrity and ethical values
2. Independent board of directors oversees
development and performance
3. Structures, reporting lines, authorities and
responsibilities
4. Attract, develop, and retain staff
5. Individual accountability for internal control
responsibilities
17. RISK ASSESSMENT
6. Clearly specify organizational objectives
7. Identify and analyze risks
8. Consider potential for fraud
9. Identify and assess significant changes
internal and external to the organization that
may pose risk
18. CONTROL ACTIVITIES
10. Select and develop control activities that
mitigate risks
11. Select and develop general
control over technology to support achievement
of objectives
12. Deploy control activities with policies and
procedures
20. MONITORING ACTIVITIES
16. Select, develop and perform evaluations
17. Evaluate and communicate deficiencies to
parties responsible for taking corrective action
21. LIMITATIONS OF INTERNAL
CONTROLS
Suitability of objectives
Human judgement and decision making is faulty
and subject to bias
Errors and other human failures
Ability of management to override internal control
Ability of management or other personnel to
circumvent controls through collusion
External events
22. YOUR ROLE AS AN ASSESSOR
Start with this question:
“Do you undergo a GAAP (Generally Accepted
Accounting Principles) compliant audit annually
or on a regular basis?”
If YES: review their policies and look for gaps,
but don’t get in the weeds about it
23. YOUR ROLE AS AN ASSESSOR
If NO:
Review their policies and procedures (if extant)
and look for gaps
Ask questions to assess their awareness of risk
If awareness is low, ask further questions to
address any symptoms of fraud potential
24. YOUR ROLE AS AN ASSESSOR
Artisanal Question Tip:
When you see a doctor because you’re sick, the
doctor doesn’t ask you, “Do you have
pneumonia?” Rather they ask you about your
symptoms. Focus on symptoms, ask questions
there.
To mix metaphors, you’re a detective, not an
interrogator.
25. YOUR ROLE AS AN ASSESSOR
Corporate Lingo Pro Tip:
Policies: What is expected by way of behavioral
or performance standards.
Procedures: How to appropriately achieve the
expected outcome defined in the policies.
26. RESOURCES:
“Nonprofit Fraud is a People Problem so Combat it with Governance.”
Gerry Zack and Laurie De Armond, Nonprofit Quarterly, June 14, 2015
“Internal Control – Integrated Framework, Executive Summary.” COSO,
May 2013
“How to Spot Financial Fraud in a Nonprofit: 2 Warning Signs.” Steve
Mariotti, Huffington Post, August 15, 2014
“Violation of Trust: Fraud Risk in Nonprofit Organizations.” Jonathan
T. Marks and Pete A. Ugo, Nonprofit Risk Management Center, August
2012
“Nonprofit Embezzlement: More Common and More Preventable Than
You Think.” Jan Masaoka, Blue Avocado, November 14, 2008
Editor's Notes
The Framework defines three categories of objectives to focus on different areas of financial control.
Operations Objectives cover the effectiveness and efficiency of operations and financial performance, as well as safeguarding assets against loss.
Reporting Objectives have to do with internal and external financial and other reporting, as determined by regulators, third party standards or organizational policies and goals. In the case of nonprofits, this also includes funders.
Compliance Objectives ensure adherence to laws and regulations the organization must follow.
The control environment is the set of standards, processes and structures that provide the basis for carrying out internal controls across the organization.
The board of directors and senior management establish the culture of integrity regarding internal control and clearly communicate standards of conduct.
Management continuously reinforces ethical expectations at the various levels of the organization.
The control environment comprises:
the integrity and ethical values of the organization;
the parameters enabling the board of directors to carry out its governance oversight responsibilities;
the organizational structure and assignment of authority and responsibility;
the process for attracting, developing and retaining competent individuals;
and the rigor around performance measures, incentives and rewards to drive accountability for performance.
The resulting control environment has a pervasive impact on the overall system of internal control.
The organization demonstrates a commitment to integrity and ethical values.
Every entity faces a variety of risks from external and internal sources.
Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives.
Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of organizational objectives.
Every organization must establish an internal risk tolerance level for itself. Are the board and management willing to take more risks in order to achieve a potentially major impact for the organization’s mission and/or financial standing? Or are they more conservative, preferring to take fewer risks in exchange for more stability, but with fewer big payoffs for the organization and its beneficiaries?
Risks to the achievement of organizational objectives are considered relative to established risk tolerances. Thus, risk assessment forms the basis for determining how risks will be managed.
Before risk assessment can commence, objectives at all levels of the organization must be established.
Management specifies objectives relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives.
Management also considers the suitability of the objectives for the entity. This requires that management have a clear and accurate understanding of the organization as a whole.
Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render an internal control ineffective.
The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.