Many nonprofits mistakenly believe that if they have good internal controls and regular audits, they could not fall victim to a fraud scheme. This is far from the truth! While audits serve a very important purpose and can go a long way in helping to uncover fraud, they should not be relied on for that purpose. It is reported that audits uncover only a small percentage of fraud cases and that most fraud is uncovered through tips from employees within the organization. As for internal controls, these can be circumvented if there is collusion within the organization. Statistics show that smaller organizations are the most vulnerable and that if the fraud involves someone with a higher level of authority, the losses will be much greater.
So what do you do? A start would be to periodically conduct a fraud risk assessment of your organization. This should involve a team of various individuals throughout the organization. A fraud risk assessment usually contains three elements:
- Identify the inherent risk
- Assess the likelihood and significance
- Decide how to respond to the risk
Identify the inherent risk
The activities of each area of the organization should be reviewed to determine where fraud could occur. Keep in mind that fraud does not always happen on the inside. Fraud could come from outside the organization by way of fraudulent billings from vendors, or fraudulent reporting from subrecipients of grants.
When trying to identify the areas at risk, you should look at the incentive programs and metrics that are used and how they could affect how an employee behaves, how internal controls can be overridden, and the possibility of collusion. Information technology (IT) has its own inherent risks as they relate to data integrity, viruses, or unauthorized access to data.
All areas of the organization, not just finance, should be reviewed for inherent risks.
Assess the likelihood and significance
Once the areas are identified, you then need to assess how likely, or unlikely, it is that fraud could occur and, if it did, how significant the impact would be. Again, the impact could be financial as well as non-financial, such as lost reputation. When looking at the likelihood of an incident, you want to determine if there is a remote possibility, a probable possibility, or if the chance is somewhere in between. When looking at the significance, you want to determine if the impact of the fraudulent act would be material or immaterial or, again, somewhere in the middle. This assessment will help to prepare you for the next step.
Decide how to respond
Based on your assessment of the likelihood that fraud could occur, controls should be developed and put in place to address and mitigate the risk. Make sure this includes a means to report violations such as a whistleblower policy and meaningful discipline for violations. A reputation for aggressively and continuously investigating the possibility and the likelihood of fraud will go a long way.
Once the fraud risk assessment has been completed, it should be documented, reviewed, and updated on a regular basis. Significant changes in the organization’s structure and activities could result in changes to any of the areas referenced above.
What are some small measures that should be considered?
- Strong tone at the top promoting ethical behavior
- Segregation of duties
- Job rotations/mandatory vacations
- Proper levels of authorizations
- Review of unusual financial adjustments
- Background checks
- Procurement policies
- Monitor the adequacy of the organization’s information management systems/controls
- Train employees on the warning signs of fraud
- Encourage/support whistleblowers
- Conduct exit interviews
When an incident of fraud hits, it can hit hard! Therefore, the time you put into properly developing a risk assessment analysis will be well worth it. Furthermore, from an auditor’s perspective, Tate & Tryon audit manager John Kubichek notes that “consideration of an organization’s significant fraud risks is mandatory when planning and performing the audit. Organizations that do not have a fraud risk management program are at a higher risk for fraud, which may be considered a control deficiency by the external auditors.” John Kubichek is a certified fraud examiner and a member of the Association of Certified Fraud Examiners.