Don't Get Robbed by Internal Fraud: Protecting Your Mission With Internal Controls

As much as we want to believe that everyone in the not-for-profit field is altruistic and passionate about their organization's mission, the reality can be more complicated. The hard truth is that internal fraud is a genuine risk and a difficult reality to accept, especially for those whose organizations might be dedicated to community betterment or noble social causes.

While fraud is a risk in all sectors, not-for-profits sometimes face added risk by their nature. For example, smaller business entities benefit from an owner who is directly impacted by spending, so there may be more scrutiny when any outflow directly affects the owner's profits. While not-for-profit managers are motivated to be efficient and dedicate resources to organizational missions, owners may have a higher vested interest, given the direct impact spending has on them. Therefore, not-for-profits may benefit from some special consideration regarding fraud, given that the power of the ownership interest is not present.

What Causes Internal Fraud?

Recent cases of fraud may be due to changes in the way vendors are paid, which represent a departure from traditional processing methods for invoices and payments. Many organizations now get invoiced electronically, and those invoices get approved and produced similarly. As a result, several organizations have been scammed by third parties who have figured out who their vendors are and asked that those payments be deposited to fraudulent accounts.

This is paired with the long-acknowledged risk associated with decentralized authority working with vendors and suppliers on procuring goods and services. The power to purchase and approve payment for goods or services rendered has long created a challenge in how accounting or other approvers authenticate receipt of goods or services from outside power centers, sometimes leading to considerable gaps in control.     

One striking example of internal fraud based on decentralization was recently discovered at an east coast university. There, an administrator was authorized to make purchases under $10,000 for her department; she exploited this power by ordering millions of dollars worth of hardware from different vendors starting in 2013. She then sold the items through an out-of-state entity, resulting in a total loss of $40 million. Other fraud cases have occurred within information technology over the years on a smaller scale, making this a risk area worthy of consideration.

Fraud can also occur within facilities, because those parties often have a lot of power to decide whom to hire, along with the approval of payment. Kickbacks, excess gratuities and other improper benefits to employees in this area can occur.

While your organization may not have tens of millions of dollars that can be easily stolen under the radar, these situations highlight the vulnerability many organizations may have on a smaller scale. And for not-for-profits, every single one of those dollars is precious.

Importance of Internal Controls

Not-for-profit organizations face a range of unique challenges that can make it difficult to establish and maintain centralized internal controls. These challenges may include limited resources, reliance on volunteers and lack of awareness about financial best practices. However, while decentralization may seem practical, it can make not-for-profits more vulnerable to internal fraud.

Without a structured and cohesive system of checks and balances, decentralized controls can lead to weak oversight, a lack of accountability and increased opportunities for fraudulent activities.

Some examples of internal fraud opportunities include:

  • A volunteer skimming cash donations or event proceeds before they're recorded
  • An employee making an unauthorized payment to a fictitious vendor or transferring funds for personal use
  • An employee forging or altering a check for personal gain
  • Employees manipulating the organization's financial statements to cover up fraudulent activities or present a more favorable financial picture.

Implementing robust internal controls requires time and effort but can yield invaluable results. Your organization's journey towards strengthened internal controls will be as unique as your organization itself, tailored to address your specific vulnerabilities and processes. Using their collective wisdom and expertise, your organization's leadership team and board of directors can craft a strategic roadmap to help keep your organization's finances, resources and reputation safe from harm.

Knowing the Signs of Internal Fraud

Strengthening internal controls is a crucial step toward combating fraudulent activity. However, before implementing these controls, it's essential to know the signs indicating something is amiss. Internal fraud can take various forms, and spotting them is not always easy.

Some of the most common signs include:

  • Missing or altered financial records
  • Unexplained or excessive expenses
  • Unusual bank activity
  • Lack of documentation for expenses or transactions.

Implementing Internal Controls

Identifying and implementing more robust internal controls can be daunting when you are unsure where to start. The first step should be to evaluate the knowledge level of everyone involved in your organization when it comes to understanding how money flows through your organization. This includes board members, employees and volunteers. Creating a roadmap that outlines each department or team member's responsibilities at each stage can help identify areas of weakness.

Here are other examples of steps your organization may want to take when strengthening internal controls:

  • Segregate Duties with Disbursements:  While many organizations do well with this element of internal controls, it is no less fundamental.
  • Assess Your Procurement Practices:  Many not-for-profits do not have centralized procurement or practices to ensure independent checks and balances, or group decision-making over primary vendor selection. No one person should dominate or control the vendor engagement process, particularly in facilities and information technology, which tend to have the most significant spending power.  
  • Verify the Existence of Outside Vendors: Knowing that new and continuing vendors exist and are understood goes a long way. Do not accept things at face value, and ensure that accounting has policies and procedures concerning verification.   
  • Regularly Review Financial Records: Ensure timely reconciliation and review of financial records and bank statements to ensure that all transactions are legitimate and accurate.
  • Conduct Internal Audits: While many organizations do not have internal audit teams, there are third parties that can provide audits, often at far lower costs than having your own group. Consider if spending in this area would provide more monitoring value and assurance regarding fraud protection. Avoid using a heat map of risks to get the most value from this activity. Alternatively, create a mindset of verification within accounting, just as with the vendor process.
  • Encourage Reporting: Create an environment where employees and volunteers feel comfortable reporting suspicious behavior. Whistleblower policies should be in place to protect employees who report fraudulent activities.
  • Hire Outside Auditors: Not-for-profits should hire external auditors to conduct regular audits. This can help identify internal control weaknesses and provide improvement recommendations.

Next Steps

Every organization has specific vulnerabilities and processes which require customized internal controls. Contact our not-for-profit accounting experts at CBIZ to discuss your needs.


Copyright © 2023, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.

CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).



2023-04-24
