Fraud Prevention at Your Nonprofit
How well have you protected your nonprofit from fraud?
While you can’t have perfect protection, some basic safeguards can significantly reduce your risk while ensuring that you can detect fraud early if it occurs.
Nonprofits have extra vulnerabilities
The trust, good will, and optimistic spirit you get with so many nonprofits feel great. And, without proper safeguards, they can become the nonprofit’s greatest liability.
The nonprofit “vibe” represents a key ingredient for most successful nonprofits. It includes trust, optimism, friendliness, and genuine warmth towards other people that you rarely find outside the sector. This allows us to attract people with a higher level of loyalty, commitment, and skills than we probably could on the paycheck alone.
These same strengths can also become a dangerous trap that too many good organizations fall into. An excess of trust in particular, without any checks and balances, can lead to situations that create moral, financial, and sometimes even physical jeopardy.
What is fraud ?
Fraud is deception used to commit a criminal act to deprive someone, or an organization, of their money, property, or legal rights.
Almost anyone could become a fraudster
Very few among us make the right choices all the time. When presented with less-than-ideal circumstances, even those with a life-long history of angelic behavior may give into temptation and do something we normally wouldn’t do.
Unconvinced?
Consider this: while you may have never stolen anything, ever in your life, are you 100% certain you wouldn’t steal a little food if that were the only way to save the life of a starving child?
Very often, the road to full blown fraud begins with baby steps and noble sentiments. Many of the biggest fraudsters in history began with just a small, nearly imperceptible, act of fraud.
What causes fraud
Digging deeper, fraud detection specialists will tell you that fraud can happen when three elements combine to form the fraud triangle:
Pressure. Something happens in a person’s life to create economic pressure. Maybe, for example, a loved one’s medical bills have multiplied out of control or maybe they have a secret gambling addiction.
Rationalization. The fraudster tells themselves a story to justify their behavior, like “I’ll pay it all back next month” or “I deserve this because I work so hard.”
Opportunity. They need to believe that they can get away with it. Banks rarely get robbed because they have strong security to prevent the theft and catch any thieves quickly. Loose cash in an empty, abandoned building though, certainly looks like a bigger opportunity.
You can’t do much about pressure
Financial pressure can come from many sources, including divorce, a loved one’s misfortunes, addictions, and more.
Even if you have a close relationship with staff, you will rarely have a perfect view into the financial pressures they feel. After all, more than 60% of Americans live paycheck to paycheck.
To be clear, you shouldn’t pry into staff’s personal lives. This will not endear you to staff and it could cross legal and ethical boundaries.
In any case, you’re not going to fire someone because their life has become challenging, right?
Pro Tip: you ideally have your fraud protection measures in place before someone’s life becomes challenging. That’s a much less awkward conversation than, “well, you’re getting a divorce so we’re going to put these new measures in place so you don’t start making bad decisions.”
You can’t do much about rationalization
We rarely know everything that goes on in peoples’ heads and science has confirmed that humans have a tremendous capacity to rationalize all sorts of behaviors.
In the case of fraud, the rationalization often begins innocently. They may tell themselves, “I’ll pay back the money after my next paycheck and nobody will ever notice.”
Over time, that can evolve into, “I deserve this extra money. I’m underpaid for all the hard work I do for this organization.”
Sometimes, the rationalization can even extend to, “my boss is a jerk and gave me the stink-eye last week. This helps to make up for my pain and suffering.”
Bottom line: you’ll rarely detect or have the opportunity to prevent this kind of rationalization once it happens.
You can do plenty about opportunity
The one thing we can control: opportunity.
That’s why we lock the door when we leave the house and definitely don’t leave the car alone with the keys in it, right?
If you want good fraud prevention and detection, you can start by reducing opportunities. Most nonprofits can implement dozens of basic measures, AKA internal controls, including:
Bank access. The person who does your bookkeeping should not have more than “view only” access to the bank account. No money transfers. No credit card. No check signing. Why? Because when one person controls all those functions, fraud can go undetected for years.
Vacation for the payroll processor. Whoever processes payroll should take a break at least a couple of times per year. Having another set of hands do this will help detect and prevent any monkey business. (Having someone else in the organization who can process payroll will also provide increased resiliency should your default person ever be unable to do the job unexpectedly.)
Criminal background checks. Do you run a criminal background check on everyone in the organization who will handle money? Certain crimes, like a DWI conviction 20 years ago, have little bearing on someone’s trustworthiness around money. But a recent fraud conviction, as some nonprofits have learned the hard way, should disqualify someone from any role requiring financial responsibility.
Your best protection: A whistleblower protection policy
Want to know the single best way to detect fraud? It’s a strong, active whistleblower protection policy. When staff witness inappropriate financial behavior and trust that they will not face retaliation for reporting it, they give you the best kind of protection by speaking up.
Note: the exact right policies and processes will look different for each organization, so please treat the above as general information rather than as a precise prescription for your nonprofit.
PS, an external audit provides a poor defense
You may get an audit to meet funder criteria or because your state requires it by law, but don’t look to the audit to provide good fraud protection or detection. An alert fraudster knows how to evade an external audit’s probing. Your auditor knows this too: that’s why the engagement letter explicitly says that the audit is not designed to detect fraud. You can read more about that here.
What’s next?
Make sure your nonprofit has robust internal controls. Your auditor can often help you identify weaknesses and suggest improvements.
Alternatively, a good Fractional CFO can help you thoroughly review your defenses, draft new policies, implement the changes you need, and help you maintain them.
Additional Resources