Part 2 in a two-part series on preventing, detecting, and addressing fraud, theft, and embezzlement in nonprofit organizations. You can read Part 1 here.
Part 1 of this alert series reported on the New York attorney general's action against the National Rifle Association for alleged misuse of charitable funds, and detailed top preventive measures that nonprofit organizations can take to prevent organizational fraud, theft, and embezzlement before they occur. In Part 2, we discuss concrete steps that nonprofits can take to investigate and address allegations of fraud, theft, and embezzlement once they arise.
Steps for Investigating Allegations of Fraud and Embezzlement
The risks of fraud and embezzlement extend beyond the loss of an organization's funds—even a single instance of fraud or embezzlement can undermine a nonprofit's mission by damaging the organization's public reputation, alienating donors, and potentially even calling into question an organization's tax-exempt status. Thus, every nonprofit should create a plan for addressing suspected fraud or embezzlement before the organization has a need for it. In crafting a plan of action, nonprofits should consider the following.
In planning for an investigation of suspected embezzlement or other charitable asset diversion, members of nonprofit boards should keep in mind the fiduciary duties that they owe to the organization. To satisfy these duties, directors should:
- exercise independent and informed judgment;
- act in the nonprofit's best interest (rather than the interests of any other entities or individuals with whom a director might have some affiliation or to whom a director might otherwise be sympathetic or feel like something is "owed"); and
- exercise due diligence to ensure the adequacy and clarity of any information used to make a decision.
Directors may satisfy their fiduciary duties by relying on information, opinions, reports, or statements that are prepared or presented by others whom the director reasonably believes are reliable and competent with respect to the matters presented. To this end, directors may satisfy their fiduciary duties by entrusting investigative tasks to a small subcommittee, an individual, or an attorney or auditor experienced in handling internal investigations. For sophisticated or long-standing embezzlement schemes, nonprofits may consider contacting a forensic accountant or certified fraud examiner to aid in the investigation.
Evaluate the Need to Retain Outside Counsel
If a nonprofit board suspects embezzlement or charitable asset diversion, a speedy but careful investigation must be initiated. At the outset, the board should evaluate whether the organization should retain outside counsel to help with the investigation. In making this determination, the board should consider, at a minimum, the following factors:
- Whether the organization is likely to want to rely on attorney-client privilege to protect itself from subsequent disclosure in the event of a future government investigation or any litigation;
- Whether any board members or staff have sufficient investigative experience or skills to lead the investigation;
- Whether employees with first-hand knowledge of the alleged fraud or embezzlement are likely to be honest and forthright with an internal investigation lead, or whether they would likely be more candid with a third party;
- The severity of the suspected misconduct, and the management level of the person or persons implicated;
- The board members' relationships and personal history with any implicated person(s) or whistleblower(s);
- Whether the organization's insurance policy will cover the costs of the internal investigation, including the costs of outside counsel, or, in the absence of such coverage, whether the organization's resources can support the retention of outside counsel.1
Anticipate Employment Law Ramifications
Employees' legal rights should be a paramount concern in any nonprofit investigation. Investigations involving employees must be prompt, thorough, and fair to the investigated parties. An employee accused of misconduct should always be apprised of the allegations and given a fair opportunity to respond to allegations. A nonprofit should consult with employment counsel if a preliminary investigation establishes credible evidence of embezzlement involving a current employee, even if the facts may seem to constitute grounds for immediate termination.
Secure Relevant Records and Files
If the allegations merit a full internal investigation, the nonprofit should develop a process for preserving relevant records and evidence, including emails, handwritten notes, files, calendar entries, checks, financial statements, and related documents. A notice (often referred to as a "litigation hold" notice) should be circulated to persons with access to the above documents, requesting that these persons maintain existing documents and provide copies to the investigator. At this stage, access to these documents should be carefully evaluated. Consider restricting employee access to document repositories, especially repositories containing back-up copies. These measures should always be taken in accordance with the organization's policies and governing documents.
Recover Funds or AssetsThe board has a fiduciary duty to try to recover embezzled assets and will need to explain its recovery efforts to the IRS if the amount is significant, and, where applicable, to state regulators. Insurance can make a nonprofit whole, but if no insurance is available in a given situation, affected organizations should consult with an attorney to determine the appropriate path to recovery. For instance, seeking recovery through litigation against the wrongdoer may involve significant costs, often with a low likelihood of ultimate recovery. Nonprofits should consult with counsel before attempting to negotiate a resignation/restitution arrangement or attempting to recover funds from an embezzler's paycheck or vacation time. Finally, nonprofits should never threaten criminal prosecution as a negotiation tactic to attempt to force recovery, as a court may construe such threats as improper.
Consider Referring the Matter to Law Enforcement Authorities
Some states require directors to refer the matter to local authorities for possible criminal prosecution. Many nonprofits struggle with this expectation because they fear bad publicity or sympathize with the embezzler. Instead, a nonprofit may accept restitution and keep the fraud quiet for fear of losing donors. This may seem to be in the best interest of the nonprofit, but failure to prosecute means the perpetrator can steal from another nonprofit when subsequently employed. In addition, a criminal prosecution of the wrongdoer could result in the court ordering the individual to pay restitution to the organization. This may be the easiest, most cost-effective way for an organization to recover embezzled funds, particularly in the case of smaller thefts. An organization's board or audit committee should consult with outside counsel to evaluate whether a situation calls for a criminal referral to law enforcement authorities.
Manage Public and Internal Disclosure
Nonprofits should carefully consider how much information should be disclosed, and to whom, in developing a communication plan to reassure key stakeholders of the organization. Such a plan may include descriptions of how a nonprofit has recovered or will recover stolen assets and the steps the organization is taking to prevent future theft. Organizations should carefully consider the contents of public disclosures—a public accusation linking a specific individual to a theft could lead to a defamation action if the accusation is shown to be false. Affected staff should be provided with "need-to-know" details to prevent rumors from spreading.
Government Enforcement Risks
Reporting to the Internal Revenue Service and Related Penalties
Tax-exempt organizations are required to file information returns annually with the IRS on series 990 forms. Organizations with annual gross receipts of $50,000 or less may file a 990-N "e-Postcard," which requires only very basic contact and operational information. Organizations that normally have less than $200,000 in gross receipts and less than $500,000 in total assets may file a simplified return, the 990-EZ. Larger organizations must file the longer and more complex Form 990 return.
The amount of information that will need to be disclosed to the IRS will depend on the type of form that an organization is required to file. Form 990 filers must disclose significant diversions of assets (defined as the lesser of (i) 5% of the organization's gross receipts for its tax year, (ii) 5% of the organization's total assets as of the end of its tax year, or (iii) $250,000). If an organization discloses a significant diversion of assets, it must explain the nature of the diversion, the dollar amount and/or other property involved, the corrective action taken to address the matter, and other pertinent circumstances.
Certain organizations (including 501(c)(3) and 501(c)(4) organizations) that file either Form 990 or Form 990-EZ must disclose "excess benefit transactions," which are transactions that confer an economic benefit on a "disqualified person" (generally, organization insiders) in excess of the consideration received in exchange for the benefit. If the embezzler is a "disqualified person" under the Internal Revenue Code, that embezzler, having received an excess benefit, is subject to excise taxes, as are any organization managers—including officers and directors—who participated in the excess benefit transaction.2
A disqualified person who receives an excess benefit (here, the embezzler) must make a correction payment in cash or cash equivalents that is equal to the sum of the excess benefit, plus interest. The interest rate must equal or exceed the applicable federal interest rate. As discussed above, the embezzler is also personally liable for a tax equal to 25% of the excess benefit. Failure to make the correction payment or pay the applicable excise tax by the due date will result in an additional excise tax equal to 200% of the excise benefit.
A nonprofit that is the victim of fraud or embezzlement will not owe a tax in connection with this embezzlement. However, as previously discussed, any officers or directors who willfully participated in the excess benefit transaction, knowing that it was an excess benefit transaction, may be personally liable for an excise tax equal to 10% of the excess benefit transaction, up to a total of $20,000 per transaction.
Enforcement by Other Government Actors
Nonprofit fraud may catch the eye of other regulators at both the state and federal levels, depending on the scope of the nonprofit's activities. As illustrated in Part 1 of this alert, state attorneys general have a wide array of resources at their disposal to respond to fraud; the resulting enforcement actions can extend beyond the individuals who committed the fraud and carry consequences for the affected organizations.
Additionally, organizations that receive federal funding may also become the target of federal fraud investigations. Grantmaking agencies have dedicated investigative departments—called Offices of Inspector General—that investigate fraud concerning agency funds. Federal OIGs can work with the FBI and federal prosecutors to pursue criminal prosecution for fraud involving government grants.
* * *
Every nonprofit should carefully consider its strategy for investigating and addressing allegations of fraud, theft, and embezzlement. As detailed above, corporate directors have a fiduciary duty to be aware of the operations of the corporation, and this duty includes prudent attention to, and inquiry into, possible sources of asset diversion. A nonprofit board should be vigilant and, when in doubt, seek out the advice of auditors, attorneys, and investigators.
 A nonprofit's insurance policy should be carefully reviewed at the outset of any investigation. Insurance policies may require prompt notice to the insurer, and the insurer may have advice or required procedures for the conduct of an investigation.
 Of course, if an embezzlement is the result of a single rogue embezzler, the organization's uninvolved directors are unlikely to be personally liable for this excise tax. Nevertheless, the board is obligated by its fiduciary duties to take steps to prevent and rectify fraud, so the board must remain vigilant before and after fraud or embezzlement occurs.