The Importance of Assessing Fraud Risk for Nonprofits
By Matt Duvall, Partner, Assurance Services
Those who work for nonprofit organizations are used to being asked by their auditors what processes they have in place for identifying, responding to, and monitoring fraud risks. Often, the response describes an informal process that includes a description of the segregation of duties and review procedures in place.
Given that nonprofit-focused fraud schemes aren’t going out of style anytime soon, organizations must have an operational, concrete fraud risk assessment process in place.
A tarnished reputation is one of the most damaging effects a fraudulent act can have, especially on a nonprofit organization. Sure, fraud resulting from an employee skimming funds, creating fake vendors, or using corporate credit cards for unauthorized purchases has immediate financial consequences. However, the resulting blemish on an organization’s reputation can have long-lasting repercussions that severely outweigh the financial impact of what was stolen.
The goal of a fraud risk assessment is to identify and rectify the vulnerabilities and gaps in internal control systems that could leave the organization exposed to both financial and reputational damage. Developing a proper fraud risk assessment requires input from all members who have a hand in managing the organization’s finances, from the board of directors to the staff accountant.
An organization can implement procedures to strengthen internal controls and ultimately help reduce the risk of fraud. However, that risk will never be entirely eradicated because once a new control is implemented, someone out there will start crafting a way to sidestep it.
The following is an overview of the steps to consider when an organization sets out to develop a fraud risk assessment.
The first step is to consider the types of fraud schemes that could potentially occur, as well as the concealment strategies that could be used by a potential fraudster to avoid, or at least delay, being caught. In more practical terms, this means stepping back and asking yourself, “What could go wrong?” A thorough step-by-step “walkthrough” of the organization’s internal control procedures is a good way for the organization to identify possible scenarios of what could go wrong, when, where, and how. This is also a great opportunity to formally document those internal control procedures or update what has already been documented; trust me, your auditor will thank you.
The next step is to think about the positions within the organization that pose the highest risk of committing fraud and what controls the organization currently has to deter, prevent, and detect fraud. Remember that fraud can occur at any level, but a good starting place for this exercise is with the person or persons responsible for and involved in the cash disbursement process, whether by check, wire, ACH, digital payment, etc. Another approach to determining the positions or persons within the organization that pose the highest risk of committing fraud would be to consider the three points of the reliable fraud triangle – incentive, pressure, and opportunity. Those positions with one or more of these points should receive an extra dose of scrutiny during your evaluation.
At this point, you’ve done your fact-finding. Now, it is time to determine the organization’s risk response. Once you’ve created your “What could go wrong?” list and have a detailed understanding of the internal control procedures currently in place, determine whether those current controls effectively address each item on your “What could go wrong” list. If any current controls are insufficient to deter, prevent, and/or detect fraud, it is time for a change.
Changing internal controls, however, involves multiple considerations, including the likelihood of the risk and the significance of the risk. Sometimes, designing and implementing an additional control may be the best solution, but other times, tweaking or replacing a current one may be the better approach. You want to be mindful that you are not simply adding a control on top of one or more existing controls that are no longer relevant. That could leave you with controls that are both ineffective and unnecessarily burdensome.
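The steps above (the “What could go wrong?” list, the review of positions against the fraud triangle, and the check of whether current controls deter, prevent, or detect each scheme) can be kept as a simple risk register that ranks the remaining gaps by likelihood and significance. The following Python script is an added illustration of that bookkeeping and is not part of the article or of any tool it mentions; every scenario, role, control, and score in it is constructed sample data, and the 1-to-5 likelihood and significance scales are an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Control:
    """An internal control and which effect(s) it has on a fraud scheme."""
    name: str
    deters: bool = False
    prevents: bool = False
    detects: bool = False


@dataclass
class Scenario:
    """One line of the "What could go wrong?" list."""
    description: str
    role: str                 # position able to carry the scheme out
    likelihood: int           # assumed scale: 1 (remote) .. 5 (expected)
    significance: int         # assumed scale: 1 (minor) .. 5 (severe, financial or reputational)
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Likelihood x significance, before considering controls."""
        return self.likelihood * self.significance

    def gaps(self) -> List[str]:
        """Which of deter / prevent / detect no current control provides."""
        missing = []
        if not any(c.deters for c in self.controls):
            missing.append("deter")
        if not any(c.prevents for c in self.controls):
            missing.append("prevent")
        if not any(c.detects for c in self.controls):
            missing.append("detect")
        return missing


def prioritized_gaps(register: List[Scenario]) -> List[Tuple[str, int, List[str]]]:
    """Scenarios that still have a gap, highest inherent risk first."""
    rows = [(s.description, s.inherent_risk(), s.gaps()) for s in register if s.gaps()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def extra_scrutiny(role_profiles: Dict[str, Set[str]]) -> List[str]:
    """Positions showing one or more fraud-triangle points (incentive, pressure, opportunity)."""
    return sorted(role for role, points in role_profiles.items() if points)


# Constructed sample register; descriptions follow the schemes the article names.
POLICY = Control("Signed fraud policy and hotline, re-acknowledged yearly", deters=True)
SAMPLE_REGISTER = [
    Scenario("Fictitious vendor created and paid", "accounts payable clerk", 3, 5, [
        POLICY,
        Control("Vendor master changes approved by controller", prevents=True),
        Control("Monthly new-vendor review by finance committee", detects=True),
    ]),
    Scenario("Unauthorized purchases on a corporate card", "program director", 4, 2, [
        Control("Supervisor reviews card statements", detects=True),
    ]),
    Scenario("ACH payment redirected to a personal account", "bookkeeper", 2, 5, []),
    Scenario("Cash skimmed from event donations", "event volunteer", 3, 3, [
        Control("Two people count and sign for event cash", prevents=True, detects=True),
    ]),
]

# Constructed fraud-triangle observations per position from the walkthrough.
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "accounts payable clerk": {"opportunity", "pressure"},
    "bookkeeper": {"opportunity"},
    "program director": set(),
    "event volunteer": {"opportunity"},
}

if __name__ == "__main__":
    for description, risk, gaps in prioritized_gaps(SAMPLE_REGISTER):
        print(f"risk {risk:>2}  {description}: missing {', '.join(gaps)}")
    print("extra scrutiny:", ", ".join(extra_scrutiny(SAMPLE_ROLES)))
```

The register only tells you where a gap sits and how much is at stake; whether to add a control, adjust an existing one, or retire one that is no longer relevant is still the judgment call the paragraph above describes. Re-running it after any change to systems, positions, or responsibilities is what keeps the assessment from being a one-and-done effort.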
The results of your fraud risk assessment should be distributed and discussed with the organization’s employees and members of the governing body. The more people who actively engage with an organization’s internal controls, the fewer opportunities there are for fraud to be committed.
This comprehensive assessment is not a one-and-done effort. As systems, processes, positions, and responsibilities change within an organization, so should the assessment of fraud risk. This type of assessment should be performed on a consistent and timely basis. Just because there may not have been any changes made to the systems, processes, positions, and responsibilities doesn’t mean that someone hasn’t been hard at work finding a way around them to commit fraud.