The risk of fraud is a serious concern for all types of organizations, for which a damaged reputation can have devastating consequences.
It is important to appreciate the gift of trust and also have strategies in place that provide strong internal controls.
As with all risk issues, the ultimate responsibility for identifying gaps and developing fraud controls rests with management. To meet this responsibility, management should avoid complacency and not assume that if fraud occurs “the auditors will catch it.” Although having an annual audit is a good anti-fraud control, by the time an audit uncovers a fraud scheme, it is usually too late to prevent the financial and reputational damage that will follow.
Most board members and executives of organizations do not think as fraudsters do, which is a good thing. Unfortunately, this can make it difficult for them to develop controls that help reduce their organizations’ exposure to fraud risk. A critical step in the process of developing an effective fraud risk management program is assessing management or the board’s own skills and capabilities. The board is ultimately responsible for oversight of the organization’s risk management efforts, which senior management is then charged with carrying out.
Here are some important principles to keep in mind as you work to refine the anti-fraud control policies at your nonprofit:
- Form an effective and empowered audit committee or equivalent. One of the most important attributes of the audit committee is complete independence from management. In addition, the committee should be authorized to hire outside counsel and other advisers to assist it in discharging its responsibilities. Although your circumstances may warrant a larger committee, a committee of three to five members is generally workable and optimal for most nonprofits. At least one audit committee member should be a financial expert, but individuals with nonfinancial skills and expertise are also needed to provide additional perspective.
- Establish and enforce a system of effective controls. Combinations of internal and cultural controls form the core of an anti-fraud program. Internal controls limit opportunities to hide the fraud trail and can discourage all but the most arrogant fraudsters. Common tools include security and access controls, such as dual authority or monetary authorization limits, as well as audits, inspections, and transaction monitoring. The recent ACFE survey pointed out that the presence of anti-fraud controls is notably correlated with significant decreases in the cost and duration of occupational fraud schemes.
- Establish the right tone from the top. Mere mechanical compliance with internal controls can still leave the organization vulnerable, which is why the attitude and actions of management are so important. Actively and visibly promoting a culture of integrity and ethics will embolden honest employees to put a stop to fraud. Most organizations find that a strong ethical environment encourages self-policing, thereby increasing the level of oversight far beyond what internal control methods alone provide.
- Provide a clear process for reporting suspicious behavior. Over the years in which the ACFE has been conducting its global fraud studies, the most effective means of detecting fraud has always been tips. In the most recent study, tips were responsible for uncovering nearly three times as many frauds as any other form of detection such as management reviews, surprise inspections, audits, or surveillance devices. While some nonprofits use a third-party hotline service for reporting suspicions about fraud, creating a culture where employees know that the nonprofit’s reputation and mission depend on their willingness to report suspicions of fraud is less costly and may be equally effective.
- Develop a response plan in case deterrence fails. In spite of everyone’s best efforts, fraud still can occur. In many cases, the initial reaction of executives or board members is to confront the suspected fraudster outright or, if there is doubt, to begin collecting paper or electronic evidence. All too often, these are exactly the wrong things to do and could compromise an organization’s ability to prosecute. Confronting a suspected fraudster without adequate evidence is not only awkward and legally dangerous; it can also alert the suspect to cover his or her tracks. On the other hand, surreptitiously examining computer links and email archives could compromise the evidence and imperil the integrity of a formal investigation, making conviction and recovery more difficult. To avoid these various unintended consequences, nonprofit organizations should develop appropriate strategies in advance to deal with specific types of fraud or other misconduct. The protocol for dealing with an employee suspected of cheating on an expense report is different from that for an executive involved in a conflict of interest.
- Confront the issue openly and directly. Perhaps the most common impulse when fraud is detected is to dismiss the offender, limit the damage, and hope the story can be kept quiet. This too is likely to fail. Eventually, word of the fraud gets out and the associated rumors are likely to be exaggerated, causing even more reputational damage than would have been done if the board had simply been forthright.
A Combination of Deterrence and Detection
As important as it is to respond quickly to fraud, avoiding the situation in the first place is the best plan of all. Although it is unrealistic to expect to completely eliminate the risk of fraud, the governing board and executives in a nonprofit organization can take effective steps to minimize the risk.
By establishing an environment in which ethical behavior is expected, closing gaps in internal controls, and developing a proactive fraud identification and response program, nonprofits can significantly reduce the financial and reputational risks associated with fraud.
This article was excerpted from an article published by Crowe Horwath in August 2012.
What Is CFTEA Doing?
As a non-profit, it is important to have key strategies to protect against fraud or the appearance of fraud.
- The board of directors takes responsibility for financial reporting and accountability at each quarterly board meeting.
- Financial numbers are taken directly from the accounting system and key data is provided on spending and status of lines of credit.
- The VP of Finance is a member of the board of directors and independently has full online access to all accounting transactions.
- An outside contractor serves as the CFTEA bookkeeper resulting in checks and balances for all new vendors, expenses, documentation and payments (including credit card) within payroll and the accounting system.
- All ACH debits/credits as well as monthly financial accounts are reconciled by our external bookkeeper.
- CFTEA participates in an annual financial review and reporting for 990 purposes with a local, highly reputable accounting firm that has no ties to CFTEA, its employees or board members.
- All new board members complete Board Onboarding upon joining the board which details the fiscal responsibilities of board members.
- Board Self-Assessment was recently completed in partnership with the Maine Association of Non-Profits to identify strengths and weaknesses in governance.
- Governance training was completed with the board of directors detailing the responsibility board members have to ensure financial stability and risk.
- The annual budget is reviewed and agreed on at the Executive Committee and then presented to the board of directors for additional questions and approval.
- CFTEA By-Laws outline financial spending limits requiring secondary approval.
- Dual control is provided for all enrollments and accounts receivable. This allows for enrollments to be put in by one person and invoicing to be completed by a second person.