Part 1 in a two-part series on preventing, detecting, and addressing fraud, theft, and embezzlement in nonprofit organizations.
A high-profile enforcement action initiated by the New York attorney general against the National Rifle Association recently entered its second year of litigation. The suit, which concerns, among other things, the NRA's alleged misuse of charitable funds, is a recent example of the state-level consequences that might result from allegations of nonprofit fraud. New York's amended complaint against the NRA, filed August 16, 2021, asks a New York trial court to order the dissolution of the NRA and further, to prohibit certain NRA officers and directors from serving as officers or directors of any nonprofit incorporated in New York or soliciting donations in New York, among other things. It is unclear whether any of these requested remedies will be granted, but regardless, the NRA litigation provides an interesting case study of the possible legal consequences that can follow allegations of high-level nonprofit fraud.
That said, for many of our nonprofit clients, the possible reputational harm associated with fraud allegations is its own cause for concern, no matter what regulators or courts decide. Further, economic pressures and remote work environments caused by the COVID-19 pandemic have made fraud in the nonprofit sector both more tempting and harder to keep in check. This alert presents recent research on the causes of fraud and lists perennial best practices for safeguarding against organizational fraud.
Nonprofit fraud is an evergreen concern that organizations grappled with before the pandemic. Last year, the Association of Certified Fraud Examiners released the 2020 update to its biennial Report to the Nations, which examines the costs and effects of workplace fraud. The 2020 edition of the Report included a spotlight on fraud in nonprofits, utilizing pre-pandemic data. ACFE found that a staggering combined 74% of nonprofit fraud was perpetrated by individuals at the officer and management levels. According to ACFE, the top three causes of nonprofit fraud were a lack of internal controls, a lack of management review of existing internal controls, and override of existing internal controls. ACFE found that, on average, nonprofit organizations utilized recommended fraud controls at far lower rates than did other organizations:
- 21% of nonprofits conducted surprise audits, whereas 40% of other organizations did;
- 24% of nonprofits conducted formal fraud risk assessments, whereas 43% of other organizations did;
- 44% of nonprofits instituted management review of internal controls, whereas 68% of other organizations did; and
- 57% of nonprofits utilized an internal audit department, whereas 76% of other organizations did.
Recommended Preventive Measures
Taking the time to set up robust internal controls is an indispensable step that nonprofit organizations can take toward avoiding allegations of fraud and the costly enforcement actions that might follow. However, as previously noted, ACFE found that nonprofits, on average, lag behind other organizations with respect to the implementation of fraud controls. Below is a list of internal fraud controls that our clients have found success in implementing.
Require Double Signatures/Authorizations and Back-Up Documentation
Nonprofits can reduce rogue embezzlement and theft by requiring multiple levels of approval for transfers and transactions and requiring that certain transactions be accompanied by back-up documentation. Organizations can require that checks over a certain amount be signed by two authorized individuals to increase organizational visibility for spending. An organization need not have a large finance staff to implement this control—for organizations with smaller staffs, an officer serving on a volunteer basis could be designated as the second signatory. If organizations are unwilling to implement multiple steps of authorization, they should at the very least make sure that checks are not being pre-signed. These controls can also be modified to apply to credit card transactions over a certain amount—organizations can require certain credit card transactions to be accompanied by written approval from one or more individuals other than the person using the credit card. All disbursements should be accompanied by an invoice or other documentation proving that the disbursement was appropriately approved.
Segregate Financial Duties
Financial duties in a nonprofit should be appropriately siloed—no single person should be responsible for reconciling the nonprofit's finances if that person is also tasked with receiving, depositing, and recording the nonprofit's funds. Organizations with large finance teams should consider tasking different employees with the responsibilities of preparing payment records, authorizing payments, disbursing funds, reconciling bank statements, and reviewing credit card statements. Smaller organizations with little or no staff should at least give an officer the task of reconciling bank statements and reviewing credit card statements to create insulation between this oversight role and the execution of financial transactions. The decision to approve large expenditures should also be siloed; contracts should be approved by an uninvolved and disinterested manager, and large contracts should be the product of competitive and transparent bidding.
Conduct Fixed-Asset Inventories
Organizations that have inventory, such as that associated with a museum gift shop or online sales of publications, should perform a fixed-asset inventory on at least an annual basis to ensure that no equipment or other goods are missing. The contents of inventory are more difficult to verify in a remote work environment, but it can be done.
Implement Automated Controls
Organizations can set up internal tracking, resulting in automatic notifications that alert managers and officers of bank account activity, balance thresholds, positive pay exceptions, and wire notifications.
Establish Audits and Board-Level Oversight
For larger organizations, regular external audits are a necessary complement to the recordkeeping controls discussed above. Larger organizations should consider establishing an audit committee, with at least one member having familiarity with finance and accounting to serve as the primary monitor of the organization's anti-fraud controls. Smaller nonprofits that cannot support an audit committee should consider including a CPA or other financially knowledgeable person on its board of directors to advise the board in its anti-fraud oversight role.
All nonprofits, no matter the size, should establish policies that encourage and protect whistleblowers and clearly lay out the steps that volunteers and employees can take to anonymously report suspected wrongdoing or mismanagement. It is important not only to carefully craft and adhere to these whistleblower policies, but also to make sure that employees and volunteers understand them. Nonprofits should foster an environment in which employees understand that (1) they will not be the subject of retaliation as a result of their complaint, and (2) all complaints will be taken seriously by the organization. To this end, organizations should consider bringing in outside legal counsel where warranted to ensure that these policies are faithfully carried out.
Construct a Strong Compliance Program
Nonprofits should consider establishing a comprehensive set of policies and procedures that set and enforce the organization's expectations for ethical conduct. A nonprofit's expectations for ethical behavior and professional conduct should be clearly and concisely communicated to the board, officers, management, and employees, and all personnel should be required to affirm their understanding of the organization's policies on a periodic and ongoing basis.
Communicate with Donors
Donor correspondence can provide early warnings of potential wrongdoing. Donors can become aware of abnormalities with their donations that might not be obvious to management, such as checks being cashed without record from the organization, or donor contributions that are not properly recorded and acknowledged. Mishandling of government grants can create opportunities for enforcement actions, and careful review of all correspondence from government agencies can ensure that the organization is kept apprised of any grantmaking agency concerns.
Acquire Insurance Coverage
Nonprofits can seek insurance to help mitigate the damage resulting from fraud. Fidelity insurance protects a nonprofit from theft of an organization's property by "covered individuals," who generally include the insured's employees and, in some cases, certain of the organization's volunteers. Organizations should carefully review insurance policies to determine whether an insurance policy protects the organization against theft by any of the people who might be handling the organization's assets, and should consult an insurance broker familiar with the nonprofit sector and, if necessary, legal counsel, to determine whether an insurance policy is sufficient to cover the possible risks.
* * *
Nonprofit organizations should consider implementing these and other fraud controls and appropriately tailoring these recommendations to meet organizational needs and resources. Stay tuned for Part 2 of this alert series, in which we will discuss best practices for detecting and investigating nonprofit fraud, as well as steps that nonprofits can take if they uncover fraud.
 Conducting criminal background checks on nonprofit employees who are entrusted with financial responsibilities is another step that is sometimes recommended. However, ACFE's Report notes that only 4% of the perpetrators in its study had previously been convicted of a fraud-related offense. Moreover, ACFE notes that, because many incidents of fraud are never reported to law enforcement, criminal background checks will not necessarily identify repeat offenders.