Preventing fraud at not-for-profits and why it matters

Not-for-profits need to have good internal controls to safeguard assets, provide accurate financial reporting, and protect against fraud.

Not-for-profits fulfill an essential role in society, from an economic standpoint as well as a program services standpoint. While they each have unique missions and deliver valuable program services to communities, their members, and other stakeholders, they are still, at their core, business entities. And like any business, they need to have good internal controls to safeguard assets and to provide reliable, accurate, and timely financial reporting. Like most businesses, there is the potential (some would say likelihood) of a significant fraud being perpetrated against the organization.

Vulnerabilities for not-for-profits

In the 35 years I have worked with not-for-profits, including associations, public charities, independent schools, foundations, and many others, one thing that stands out to me, in addition to the great work that they do, is that many have fewer internal controls, invest fewer dollars in technology and organizational infrastructure, have less knowledge about fraud risk at the board and C-Suite level, and in general are considered more trusting by nature. This can make them particularly susceptible to fraud.

Here in the Greater Washington, D.C. region, we have all heard the stories about the founder of a D.C. charity stealing pandemic relief funds, or the national association CEO lavishly spending and paying bonuses and compensation allegedly without the approval of the board. These are the highlights that make the news, but numerous other not-for-profit frauds occur each year and do not make the news. In some cases, not-for-profits do not report the fraud to authorities at all.

Statistics indicate that the number of fraud occurrences continues to increase, as does the magnitude of the losses incurred. The numbers on fraud are staggering. The Association of Certified Fraud Examiners Occupational Fraud 2024: A Report to the Nations estimates the annual losses from fraud were $3.1 billion. Not-for-profits are considered more vulnerable than many other entities for the reasons I mentioned above. Frauds against not-for-profits not only involve financial loss but can threaten the organization’s sustainability as a viable entity.

Fraud can happen in different ways, but it always involves intentional deceit for personal gain. Often fraud takes the form of misappropriation of assets for financial gain, but it can also involve theft of data. For not-for-profits, this could involve donor data, member data, research data, student data, or employee data. As you can imagine, these events involve not only financial loss but also reputational loss. For these and other reasons, not-for-profits have often been reluctant to report fraud to the authorities or to prosecute the individuals involved. They simply do not want to be the story in the headlines, or in some cases, spend the dollars on a PR agency to manage the fallout. 

Fraud can be committed by someone inside the organization like an employee or a volunteer, or by someone outside the organization, with or without a previous connection to the organization. Whether not-for-profits are specifically targeted, or in the case of cyber fraud, just get caught in the wide net that fraudsters cast, the reality is that fraud often is committed over an extended period before it is identified.

Basic steps to reduce risk

There are basic steps all not-for-profits should take to reduce the risk of fraud. It starts with understanding the importance of internal controls at the organization. If we think of internal controls in terms of a home security system, they can only work properly if the design is correct and they operate as designed. Similarly, like a security system, internal controls can be preventive and/or detective in nature.

Internal controls involve people, processes, and technology. Therefore, even the best designed internal control system can fail due to human or technology errors. Focusing on people, processes, and technology, the following are some baseline best practices (not intended to be all-inclusive) that organizations can implement to strengthen internal controls. 

People

Hire qualified staff for positions with accounting and financial reporting responsibilities.
Conduct background checks for accounting personnel, after first checking with state laws, as these can differ from state to state.
Confirm you have adequate staff in accounting and financial reporting for the volume of work and responsibilities. Having too few staff can result in a lack of attention to detail or burnout, both of which can reduce the effectiveness of internal control.
Require staff to receive annual training, especially involving cybersecurity.
Require accounting personnel to take annual vacations.
Make sure any staff in accounting, or those with review and approval authority, understand the importance of their role in internal controls.

Processes

Establish a tone at the top emphasizing the importance of ethical behavior.
Establish an internal control framework with reviews and approvals.
Segregate duties wherever possible. No single person should have the ability to initiate, approve, and execute a transaction.
Establish a month-end close process that requires monthly account reconciliations to be performed on a timely basis, and financial reports to be generated and distributed to management each month.
Always verbally verify any requests for changes to vendor and employee banking information.
Investigate unexpected financial results on a timely basis (variance analysis).
Review your banking activity online daily.
Use Positive-Pay, ACH debit blocks, and other banking transactional authorization tools.
Enact and socialize whistleblower policies.
Have annual audits performed.
Establish and enforce a cadence of reporting on conflicts of interest.
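Two of the process controls above, segregation of duties and variance analysis, are detective checks that can be run mechanically over a ledger export. The following is an added example written for this article, not code from the author or from CohnReznick. It assumes a hypothetical export in which each journal entry records who initiated, approved, and executed it, along with its account, period, and amount; the entries themselves are constructed sample data. It flags any entry where one person held more than one of the three roles, and any period in which an account's total moved more than 25% away from the average of its prior periods.

```python
"""Added example (not from the article): detective controls over a
constructed ledger export. Assumes each journal entry carries the
person who initiated, approved and executed it (hypothetical format)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    entry_id: str
    account: str
    period: str        # "YYYY-MM"
    amount: float
    initiated_by: str
    approved_by: str
    executed_by: str


# Constructed sample data, not real transactions. J-004 is entered,
# approved and paid by one person and is far above the payroll run rate;
# J-005 was initiated and executed by the same person.
SAMPLE_ENTRIES = [
    Entry("J-001", "5100-Payroll", "2024-01", 42000.0, "alice", "bob", "carol"),
    Entry("J-002", "5100-Payroll", "2024-02", 41800.0, "alice", "bob", "carol"),
    Entry("J-003", "5100-Payroll", "2024-03", 42100.0, "alice", "bob", "carol"),
    Entry("J-004", "5100-Payroll", "2024-04", 63000.0, "alice", "alice", "alice"),
    Entry("J-005", "6200-Consulting", "2024-04", 9500.0, "dave", "erin", "dave"),
    Entry("J-006", "6200-Consulting", "2024-03", 9000.0, "dave", "erin", "frank"),
]


def segregation_of_duties_findings(entries):
    """Return (entry_id, reason) pairs for entries where one person held
    two or more of the initiate / approve / execute roles."""
    findings = []
    for e in entries:
        roles = {"initiated": e.initiated_by,
                 "approved": e.approved_by,
                 "executed": e.executed_by}
        by_person = defaultdict(list)
        for role, person in roles.items():
            by_person[person].append(role)
        for person, held in by_person.items():
            if len(held) > 1:
                findings.append((e.entry_id, f"{person} held roles: {', '.join(held)}"))
    return findings


def variance_findings(entries, threshold=0.25):
    """Return (account, period, fractional_change) for each period whose
    account total differs from the average of that account's earlier
    periods by more than `threshold`. The first period of an account has
    no baseline and is never flagged."""
    totals = defaultdict(lambda: defaultdict(float))
    for e in entries:
        totals[e.account][e.period] += e.amount
    findings = []
    for account, by_period in totals.items():
        history = []
        for period in sorted(by_period):      # chronological, "YYYY-MM" sorts correctly
            total = by_period[period]
            if history:
                baseline = sum(history) / len(history)
                if baseline:                  # skip accounts with a zero baseline
                    change = (total - baseline) / baseline
                    if abs(change) > threshold:
                        findings.append((account, period, round(change, 3)))
            history.append(total)
    return findings


if __name__ == "__main__":
    for entry_id, reason in segregation_of_duties_findings(SAMPLE_ENTRIES):
        print(f"SoD exception {entry_id}: {reason}")
    for account, period, change in variance_findings(SAMPLE_ENTRIES):
        print(f"Variance {account} {period}: {change:+.1%} vs prior average")
```

Both checks are meant to run as part of the month-end close, with each exception documented and explained by someone other than the people named on the entry; an exception that cannot be explained is the point at which a fraud investigation, rather than a bookkeeping correction, begins.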

Technology

Perform a cyber risk assessment, no less frequently than on an annual basis.
Identify and correct gaps in recommended security protocols for your servers and cloud-based applications.
Make sure you have the latest security patches and updates to your systems.
Utilize anti-virus and anti-malware software.
Implement multifactor authentication and similar protocols.
Require complex password structures, and require passwords be changed every 60 to 90 days.
Use encryption to protect data at rest and in transit.
Have a cyber incident response plan and test it frequently, at least once every six months.
If you outsource your information technology functions, make sure these service providers have adopted and are maintaining their controls according to widely accepted cybersecurity frameworks (NIST, ISO 27001, etc.).

Lingering impacts of fraud

Preventing fraud is important for any business, but not-for-profits can be more severely impacted. A significant financial loss due to fraud can deplete net assets and jeopardize the ability to deliver programs. In addition to financial loss, reputational loss is also a possibility. Not-for-profits may find donors no longer wishing to support the organization, or board members no longer wishing to serve the organization. If the not-for-profit is an association or other membership organization, it may find members not renewing their memberships in the event proprietary membership information was compromised. 

Large not-for-profits may be able to withstand the financial and reputational effects of a fraud, including the negative press that can come with it. However, small not-for-profits may not have the financial resources or cachet to recover from the event quickly, if at all. As a result, the viability of the organization and those served by the organization are both put at risk.

It is imperative that boards of directors of not-for-profits as well as members of management understand these threats. Additionally, they should understand the organization’s security posture. They should review the adequacy of the not-for-profit’s insurance coverage, especially the cyber and business crime coverages.

Stay vigilant

This article has just touched the surface on the importance of internal controls and the prevention and detection of fraud. It is not intended to be all-inclusive but to promote awareness of baseline protections to consider. With fraud on the rise, not-for-profits need to stay informed about threats and be constantly vigilant.


This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.