On October 26, 2013, the Washington Post reported that from 2008 to 2012, more than 1,000 nonprofit organizations disclosed hundreds of millions in losses attributed to theft, fraud, embezzlement, and other unauthorized uses of funds and organizational assets. According to a study cited by the Post, nonprofits and religious organizations suffer one-sixth of all major embezzlements, second only to the financial services industry.
While the numbers are shocking, this trend will not surprise those in the nonprofit world, who have long known that nonprofits are highly susceptible to fraud and embezzlement. Nonprofits are generally established for beneficial purposes and assume that their employees, especially senior management, share the organization’s philanthropic mission. As such, nonprofits tend to be more trusting of their employees and have less stringent financial controls than their for-profit counterparts. Thus, they fall prey to embezzlement and other forms of employee fraud at an alarming rate. By way of recent example, as reported by the Washington Post:
- From 1999 to 2007, the American Legacy Foundation, a nonprofit dedicated to educating the public about the dangers of smoking, suffered an estimated $3.4 million loss as a result of alleged embezzlement by a former employee.
- In 2012, the Global Fund to Fight Aids, Tuberculosis and Malaria reported to the federal government a misuse of funds or unsubstantiated spending of $43 million.
- In 2011, the Vassar Brothers Medical Center in Poughkeepsie, New York reported a loss of $8.6 million through the "theft" of certain medical devices.
In addition to those incidents reported by the Washington Post, a few other recent examples include:
- On February 27, 2013, a former financial director for a New York chapter of the American Red Cross was sentenced to two to seven years in prison for grand larceny. The former director embezzled over $274,000 between 2005 and 2009, using the money to pay for clothing, her children’s tuition, and other personal expenses.
- On November 8, 2012, the former executive director of the H.O.W. Foundation, a nonprofit alcohol and drug treatment center in Tulsa, Oklahoma, was sentenced to 15 months’ imprisonment and ordered to pay over $1.5 million in restitution for defrauding H.O.W. over the course of eight years. The former executive director wrote himself 213 unauthorized checks for a total of more than $1.35 million and embezzled more than $200,000 from a thrift store operated by the nonprofit.
- On October 12, 2013, the former CFO of Project Genesis, a Connecticut nonprofit organization that serves adults and children with disabilities, was sentenced to 33 months’ imprisonment after embezzling more than $348,000 from the organization over a three-year period. The former CFO stole the organization’s funds by keeping terminated employees on the payroll and then transferring their salaries to his personal bank account.
While external audits are necessary and helpful in ensuring that financial controls and fraud prevention measures are being followed and are effective, the standard audit is not designed and should not be relied upon to detect fraud. The Association of Certified Fraud Examiners reports that less than 4% of frauds are discovered as a result of an audit of external financial statements by an independent accounting firm.
Many nonprofits had previously elected to handle instances of fraud or embezzlement quietly in order to avoid unwanted attention and embarrassment. That is no longer an option. In 2008, the Internal Revenue Service implemented additional regulations designed to enable the public to more easily evaluate how effectively larger nonprofits manage their money. Tax-exempt organizations whose gross receipts are greater than or equal to $200,000, or whose assets are greater than or equal to $500,000, are subject to additional disclosure requirements on their IRS Form 990 concerning embezzlement or theft. Specifically, these organizations are now required to publicly disclose any embezzlement or theft that exceeds $250,000, 5% of the organization’s gross receipts, or 5% of its total assets.
Additionally, in light of the disturbing numbers reported by the Washington Post, both Congress and numerous state attorneys general have pledged to launch investigations. This will inevitably lead to even greater scrutiny.
This newly found focus on fraud and embezzlement strikes at the heart of an organization’s ability to raise funds and affect its mission. As one nonprofit official quoted by the Washington Post explained, "[p]eople give their money and expect integrity. And when the integrity goes out the window, it just hurts everybody. It hurts the community, it hurts the organization, everything. It’s just tragic."
Nonprofits are not defenseless, however, and there are several proactive steps organizations can and should take immediately (if they are not doing so already) to prevent and detect employee fraud and embezzlement:
Double Signatures, Authorizations and Back-up Documentation
Multiple layers of approval will make it far more difficult for embezzlers to steal from the organization. For expenditures over a predetermined amount, require two signatories on every check and two different signatories on every authorization or payment. Where the professional staff of a nonprofit is too small to effectively implement a double signatory/authorization policy, consider having a (volunteer) officer or director be the second signatory. Similarly, all check requests and requests for cash disbursements should be accompanied by an invoice or other document showing that the payment or disbursement is appropriate. Never pre-sign checks. With credit cards, require prior written approval, again from two individuals, for costs estimated to exceed a certain amount. Require back-up documentation demonstrating the bona fides of the expense. And again, the person using the card should not be the same person authorizing its use.
Segregation of Duties
Hand-in-hand with multiple authorizations goes the segregation of duties. At a minimum, different employees should be responsible for authorizing payments, disbursing funds, and reconciling bank statements and reviewing credit card statements. If the nonprofit does not have enough professional staff to effectively segregate duties, a (volunteer) officer or director should be tasked with reconciling the bank statements and reviewing credit card statements. Because embezzlement also can occur when funds are coming into an organization, no single individual should be responsible for receiving, depositing, recording, and reconciling the receipt of funds. By the same token, all contracts should be approved by a manager uninvolved and personally uninterested in the transaction and, wherever possible, larger contracts should be the product of competitive and transparent bidding.
Fixed Asset Inventories
At least annually, the organization should perform a fixed asset inventory to ensure that no equipment or other goods are missing.
Use electronic notifications to alert more than one senior member of the organization of bank account activity, balance thresholds, positive pay exceptions, and wire notifications.
Background checks on new employees and volunteer leaders can unearth things such as undisclosed criminal records, prior instances of fraud, and heavy debt loads that can make it more likely that an employee or volunteer leader might succumb to fraud. The Association of Certified Fraud Examiners reports that 6% of embezzlers have been convicted of a previous fraud-related offense.
Audits and Board-Level Oversight
The control measures discussed above only work if someone is checking. In addition to management, who should be ensuring that the measures discussed above are followed, nonprofits also should undertake regular external audits to ensure that these measures are effective. Organizations should establish audit committees on their boards of directors, containing at least one person familiar with finance and accounting, who would serve as the primary monitor of these anti-fraud measures. In lieu of an audit committee, smaller nonprofit organizations should consider putting a CPA or other financially knowledgeable person on the board of directors to serve a similar function.
While nonprofits should encourage the reporting of suspected wrongdoing to management or a designated board member, employees must have a means of anonymous communication if they do not feel comfortable reporting to their supervisor or management. Employees may not report theft or mismanagement if they believe that their job is in jeopardy. The board of directors must ensure that these reports are taken seriously, that the reporting employee is protected, and that outside legal counsel is brought in as appropriate.
Strong Compliance Program
The best way to prevent fraud and embezzlement and to protect nonprofits is a comprehensive and vigorous compliance program that must be more than a "mere paper program." An effective compliance program must be tailored to the specific organization, include a written code of ethics, be effectively implemented through periodic training, have real consequences for violations of the policy, have an effective reporting mechanism, and be periodically audited to ensure its effectiveness.
Bringing in outside expertise – such as CPAs experienced in conducting fraud audits (different from the standard annual financial statement audit) and attorneys experienced in evaluating and enhancing internal controls as well as training staff on best practices – can be a critical tool in both identifying fraud and embezzlement that may be occurring and in shoring up weak controls and other process deficiencies that may make the organization more susceptible to theft.
While there will always be instances where a determined thief manages to beat an organization's controls, the steps suggested above will go a long way toward deterring and preventing embezzlement and other types of fraud at nonprofit organizations.
* * * * *
This article is not intended to provide legal advice or opinion and should not be relied on as such. Legal advice can only be provided in response to a specific fact situation.