October 5, 2021

The Association of Certified Fraud Examiners (ACFE) publishes a bi-annual, Report to the Nations (the Report) providing detailed statistics and key findings related to fraudulent activity by industry throughout the world. The 11th study of occupational fraud, the publication serves as one of the best sources of fraud-related data and information the globe over. GRF’s team of risk advisory specialists reviewed the report in-depth, including the Nonprofit Spotlight, to help nonprofit organizations proactively address the methods, perpetrators, impacts, and weaknesses specific to the industry.

The Impact of Fraud on Nonprofit Organizations 

The Report notes that 41% of nonprofit schemes involved Corruption as well as Billing and Expense Reimbursement, the two internal processes most likely to be manipulated. Additionally, in 74% of cases, the perpetrator was a member of management (owner/executive or manager/supervisor). With fewer resources and staffing constraints, nonprofit organizations, are less likely to maintain strict oversight and may lack critical internal control mechanisms. This increases the opportunity for those with decision-making ability to commit and conceal fraud. When compared to other organizations, nonprofits are 19% to 24% less likely to perform internal audits, fraud assessments or surprise audits periodically. As a result, nonprofits are heavily reliant on tips or complaints to identify fraudulent activity., This underscores the importance of developing, formalizing, and distributing, a detailed whistle-blower policy. Additionally, larger nonprofits and INGOs with operations spread throughout the world should develop and implement a detailed internal audit plan to address high-risk areas and continuously improve global operations. A detailed internal audit plan also serves as a natural deterrent against fraud. A fraudster is more likely to fear being discovered if they know regular assessments are performed.

Anti-Fraud Controls 

The Report notes that victim organizations with anti-fraud controls suffered 20-51% less median loss than organizations without implemented controls. Anti-fraud controls are an essential aspect of proactively securing an organization’s assets and data. Some of the most common anti-fraud controls include:

One of the most effective anti-fraud controls is internal audit, including regular assessments of key business processes. Development of a strategic internal audit plan allows organizations to strengthen and improve operations on an ongoing basis without overburdening employees by spreading the work out over a multi-year timeline.

Leveraging Next Generation Internal Audit

Internal audit accounts for the second most prevalent method of detection of fraud (behind tips). Unfortunately, the Report found that almost a quarter of organizations don’t have an internal audit function, and only 40% of organizations perform surprise audits. With the increasing volume and complexity of fraud attacks, proactive organizations have switched from defensive tactics to a more offensive mindset to stay ahead of perpetrators. For this reason, the Institute of Internal Auditors (IIA) updated the Three Lines of Defense Model to the new Three Lines Model:

One of the most effective anti-fraud controls is internal audit, including regular assessments of key business processes. Development of a strategic internal audit plan allows organizations to strengthen and improve operations on an ongoing basis without overburdening employees by spreading the work out over a multi-year timeline.

Leveraging Next Generation Internal Audit 

Internal audit accounts for the second most prevalent method of detection of fraud (behind tips). Unfortunately, the Report found that almost a quarter of organizations don’t have an internal audit function, and only 40% of organizations perform surprise audits. With the increasing volume and complexity of fraud attacks, proactive organizations have switched from defensive tactics to a more offensive mindset to stay ahead of perpetrators. For this reason, the Institute of Internal Auditors (IIA) updated the Three Lines of Defense Model to the new Three Lines Model:

As demonstrated in the model, the risk management and internal audit processes are exchanging information back and forth. An effective internal audit plan will both address the most significant risks to an organization’s strategic objectives and strengthen the critical business processes identified by management.

The continuing evolution of technology has produced significant advancements in data processing, computer assisted audit techniques (CAATs) and Artificial Intelligence (AI) tools that allow for affordable, efficient, and effective internal audit processes. Organizations of all sizes can now implement highly effective, low-cost internal audit strategies by leveraging these technologies through in-house, outsourced, or co-sourced internal audit functions.

Value of an Enterprise Risk Assessment in Developing Internal Audit Plan

An enterprise risk assessment is a valuable exercise that serves as the basis for the internal audit plan by identifying the organization’s most significant high-risk areas. One of the critical aspects of an effective risk assessment is ensuring that it incorporates all key business processes, as well as those that may be susceptible to vulnerability and/or fraudulent activity. The organization will define its risk universe by identifying the risks that could affect all aspects of operations, from finance and accounting to IT and cybersecurity to strategic planning and business continuity. This holistic approach requires collaboration between all departments and ensures the risk management process does not become siloed within the organization rending the risk management program less effective. The assessment helps organizations identify appropriate resources during the budgeting process and allows them to determine the most suitable arrangement (in-house, co-sourced, outsourced) for the administration of the internal audit plan.

When performing a risk assessment and developing an internal audit plan, these factors, at a minimum, should be considered.

In addition to an enterprise risk assessment, organizations with significant fraud concerns should seriously consider a fraud risk assessment specifically designed to identify business processes, internal controls, policies and procedures, and other aspects of operations that are susceptible to fraud. The Report notes that only 41% of victim organizations performed a formal fraud assessment as an anti-fraud control.

Final Thoughts 

The ACFE paints a dire picture of possible fraudulent activities at nonprofit organizations. And while designing and implementing a complex internal control structure with robust ongoing internal audit procedures may seem like a daunting task, it is both achievable and affordable for even small organizations. Emerging technologies provide easy, cost-effective mechanisms that perform ongoing auditing of key processes and high-risk areas to reduce the likelihood of fraudulent activity. Proactive organizations will immediately recognize the advantages of continuously monitoring and improving processes across all facets of the nonprofit. Finally, organizations that need assistance with implementation should contact an experienced outside consultant to provide guidance and subject matter expertise to achieve the best possible results.

For more information, visit GRF’s Risk & Advisory Service page and read the first article in the Fraud Control and Prevention series.

Contact 

Mac Lillard, CPA, CFE, CISA, CRISC, CITP, PCIP
Manager, Risk & Advisory Services
mlillard@grfcpa.com
LinkedInCalendly