The Risks and Realities of Nonprofit


 by Bruce W. Tucker



"With more than 1.7 million nonprofit organizations registered in the United States, it was a statistical certainty that fraud and misappropriation were going to infect the philanthropic community." - Bruce Tucker, Founder

The risk of fraud is a serious concern for all types of enterprises. Fraud, however, can be particularly damaging to nonprofit organizations, where a damaged reputation can be devastating. There has been an increase in financial fraud incidents every year, which is a growing concern for law enforcement agencies. Corruption tends to spread like a virus, infecting all areas of an organization once it begins. When a Board of Directors deals with the crime internally, it morphs from a guardian of trust into a conspirator in a cover-up, obstructing justice through lies, falsification, and an overall betrayal of the general public. As a result, its members become accomplices. What started as an ethical and worthwhile charity soon morphs into a sham.

The Cost of Fraud in Nonprofit Organizations

An estimated 5 percent of an organization's annual revenue is lost to fraud, according to the most recent global fraud study conducted by the Association of Certified Fraud Examiners (ACFE). While fraud in nonprofit organizations resulted, on average, in a smaller net loss than fraud in commercial enterprises, the nonprofits in the study reported a median loss of $100,000. This is a significant loss for any charitable organization. This is an increase of 11 percent from the previous study.

The reputational damage that fraud can cause to nonprofits is even more devastating than financial loss. Most nonprofits rely on donations, grants, or other public support, so their reputations are important. Additionally, nonprofit fraud gets unrelenting negative media attention.

Vulnerability to Fraud

There's no doubt that nonprofits are attractive targets for fraudsters. Those who are passionate about their agencies and missions are naturally trusting of others who share their interest. Moreover, board members and executives who are dedicated and talented in their particular fields may not be well-versed in financial issues and internal controls. Identifying fraud is a complicated and thorough process not to be taken lightly.

Nonprofits of all sizes may also have limited resources to handle internal controls. This makes them vulnerable to an employee who recognizes this lack of controls and uses it as an opportunity to commit fraud. One thing is certain: fraud cannot happen without the opportunity to commit it. 

Nonprofits are also tempting targets because of their nature. Grants, scholarships, awards, and other types of financial aid are distributed by nonprofits to outside agencies or individuals. This opens another door for abuse or misappropriation, so even more oversight is needed to make sure funds aren't abused. Furthermore, nonprofits tend to receive a lot of cash and checks from a variety of sources, so they're vulnerable to skimming (when employees take in money from an outside party but don't record the sale, pocketing it instead) and cash larceny (when employees steal cash and checks from the daily receipts before they go to the bank).

Also, struggling agencies have high staff turnover, which makes training and separating duties harder. Lastly, many nonprofits rely heavily on volunteers and other members of the community, which complicates internal controls. It's important to remember that internal controls don't guarantee that a company's objectives will be met, just reasonable assurance. Fraud can happen to any organization, even one with the strongest internal controls.

How Fraud Occurs and Why


Although nonprofits present a special temptation to fraudsters, fraud schemes are common to all kinds of organizations. For nonprofits, fraud schemes include check fraud, embezzlement, ghost employees, expense fraud, misappropriation of funds for personal use, fictitious vendor schemes, kickbacks from unscrupulous vendors, and outright theft.

One area where nonprofit organizations seem particularly vulnerable is billing schemes, where employees submit fake invoices to get payments they're not entitled to. A recent ACFE survey found billing schemes among the most common fraud methods.

Shell companies are often used in billing schemes. In such a fraud, a dishonest employee sets up a fake identity that bills for goods or services the organization does not receive. In some instances, goods or services may be delivered but are marked up excessively, with the proceeds diverted to the employee.

Pay-and-return scams cause overpayments to legitimate vendors. The employee embezzles the overpayment when it's returned. Ordering personal merchandise that is inappropriately charged to the organization is another popular practice.

There are several warning signs or red flags that indicate potential billing fraud, including, but not limited to:

  • Unspecified or poorly defined invoices

  • Unfamiliar vendors

  • A vendor with only a post-office box address

  • A vendor whose company name consists solely of initials (many such companies are legitimate, but fraudsters often use this naming convention)

  • Increases in purchases from one vendor over a short period

  • Frequently issued vendor billings

  • Addresses of vendors that match those of employees

  • Billings that are broken down into smaller invoices that do not attract attention

  • Deficiencies in internal controls, such as the approval of new vendors by someone who processes payments
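Several of the red flags above can be checked mechanically against accounts-payable data. The following is an added example, not part of the original article: it screens a vendor master file and an invoice ledger for post-office-box addresses, initials-only names, vendor addresses that match an employee's, vague invoices, and billings split to stay under an approval limit. All vendor names, addresses, amounts, the 7-day window and the approval limit are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample data; names, addresses, amounts and the limit are assumptions.
EMPLOYEE_ADDRESSES = {"14 elm st, springfield"}
VENDORS = {
    "V1": {"name": "Acme Office Supply", "address": "200 Main St, Springfield"},
    "V2": {"name": "J.R.T.", "address": "PO Box 812, Springfield"},
    "V3": {"name": "Bright Futures Consulting", "address": "14 Elm St,  Springfield"},
}
INVOICES = [  # (vendor id, invoice date, amount, description)
    ("V1", date(2024, 3, 4), 412.50, "Copier paper, 20 cases"),
    ("V2", date(2024, 3, 5), 4900.00, "Services"),
    ("V2", date(2024, 3, 6), 4950.00, "Services"),
    ("V2", date(2024, 3, 7), 4800.00, ""),
    ("V3", date(2024, 3, 8), 1200.00, "Grant-writing workshop"),
]
APPROVAL_LIMIT = 5000.00  # assumed amount above which a second approver signs

def vendor_flags(vendor):  # red flags visible in the vendor record alone
    flags = set()
    if re.match(r"\s*p\.?\s*o\.?\s*box\b", vendor["address"], re.I):
        flags.add("po_box_only")
    if re.fullmatch(r"(?:[A-Z]\.?\s*){2,5}", vendor["name"]):
        flags.add("initials_only_name")
    if re.sub(r"\s+", " ", vendor["address"]).strip().lower() in EMPLOYEE_ADDRESSES:
        flags.add("address_matches_employee")
    return flags

def invoice_flags(invoices, limit=APPROVAL_LIMIT, window_days=7):
    # Vague invoices, and runs of small invoices that together reach the limit.
    flags, by_vendor = defaultdict(set), defaultdict(list)
    for vid, day, amount, desc in invoices:
        by_vendor[vid].append((day, amount))
        if len(desc.split()) < 2:
            flags[vid].add("vague_description")
    for vid, items in by_vendor.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            run = [a for d, a in items[i:] if (d - start).days <= window_days]
            if len(run) > 1 and max(run) < limit <= sum(run):
                flags[vid].add("possible_split_billing")
    return flags

def review(vendors, invoices):  # {vendor id: sorted flags} for a manual look
    inv = invoice_flags(invoices)
    found = {vid: vendor_flags(v) | inv.get(vid, set()) for vid, v in vendors.items()}
    return {vid: sorted(f) for vid, f in found.items() if f}
print(review(VENDORS, INVOICES))
```

A flag here is a reason to pull the supporting documents, not a finding: as the list notes, many initials-only vendors are legitimate.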


Red flags or warnings can be categorized into four general categories:


  • Transactions conducted at unusual times of the day, on weekends or holidays, or during a season in which such transactions are not common

  • Transactions that occur more frequently than expected - or not often enough

  • Large, round numbers or unusually large or small transactions on an account

  • Transactions involving questionable parties, such as related parties or unrecognized suppliers



  • Documents that are missing or altered

  • Documents that are backdated

  • Originals that are missing or unavailable

  • Inconsistencies between documents

  • Signatures that are questionable or missing


Lack of Controls

  • Gaps that cannot be remedied

  • The "tone from the top" is poor

  • Monitoring controls that are inconsistent or nonexistent

  • A lack of adequate separation of duties

  • Transaction authorization rules are lax

  • Accounts are not reconciled in a timely manner



  • Living beyond one's means or experiencing financial difficulties

  • Problems related to divorce, family, or addiction

  • A history of employment-related or legal problems

  • An unusually close relationship with vendors or recipients of grants or services

  • Control issues and a general unwillingness to share responsibilities

  • Refusal to take a vacation

  • Defensiveness or irritability

  • Inadequate compensation complaints

  • Dissatisfaction with the level of autonomy or authority of an organization


It is also important to note that fraud is not about obstruction, but rather about deception, deflection, and persuasion. Fraudsters and white-collar criminals who are profiled are often found to be anxious, secretive, moody, hot-tempered, friendly, outgoing, and passionate. Often, they are good salespeople and will say what people want to hear in order to build rapport and gain trust. It is important to maintain a healthy level of skepticism and always remember that trust is a professional hazard; if you do not verify information, you could be a victim.

Implementing Controls

As with all risk issues, management is ultimately responsible for identifying gaps and developing fraud controls. To meet this responsibility, management should avoid complacency and avoid assuming that if fraud occurs “the auditors will catch it.” Even though an annual audit is an effective anti-fraud control, it is usually too late to prevent financial and reputational damage when an audit uncovers a fraud scheme. Audits generally select very few samples to test. In an organization with thousands of transactions, the odds of an auditor selecting a fraudulent example are very small. Note also that auditors are not there to find fraud specifically, and most lack the advanced training and expertise to do so effectively.

Nonprofit board members and executives do not think like fraudsters, which is a good thing. Unfortunately, this can make it difficult for them to develop controls that can reduce their organizations' exposure to fraud risk. To develop an effective fraud risk management program, it is important to assess the board's skills and capabilities and determine where professional assistance is needed. Ultimately, the board is responsible for overseeing the organization's risk management efforts, which are then carried out by senior management.

Anti-Fraud Principles

As you work to refine the anti-fraud control policies at your nonprofit, you should keep in mind the following principles:


  • Establish an effective and empowered audit committee. The independence of the audit committee from management is one of its most important characteristics. Additionally, the committee should be authorized to hire outside counsel and other advisers to fulfill its responsibilities. Even though your circumstances may necessitate a larger committee, three to five members is generally sufficient and optimal for most nonprofit organizations. It is recommended that at least one member of the audit committee be an expert in financial matters; however, individuals with non-financial skills and expertise are also needed to provide a broader perspective.


  • A system of effective controls should be established and enforced. The core of an anti-fraud program consists of a combination of internal and cultural controls. All except the most arrogant fraudsters will be discouraged by internal controls as they limit the possibility of hiding the fraud trail. These tools include security and access controls, such as dual authority or monetary authorization limits, as well as audits, inspections, and transaction monitoring. A recent ACFE survey indicated that the presence of anti-fraud controls is significantly associated with a decrease in the cost and duration of occupational fraud schemes.


  • The tone should be set from top management. Mere mechanical compliance with internal controls can still leave the organization vulnerable, which is why management's attitude and actions are so important. Promoting integrity and ethics actively and visibly will encourage honest employees to resist fraud. An ethical environment encourages self-policing, leading to a much higher level of oversight than can be provided by internal control methods alone in most organizations. If upper management acts unethically or complacently, so will those working beneath them. Set a positive example.


  • Establish a clear process for reporting suspicious behavior. The ACFE has conducted its global fraud studies for many years and has consistently found that tips are the most effective means of detecting fraud. A recent study found that tips were responsible for uncovering nearly three times as many frauds as management reviews, surprise inspections, audits, or surveillance devices. While some nonprofits use a third-party hotline service for reporting suspicions about fraud, creating a culture where employees know that the nonprofit’s reputation and mission depend on their willingness to report suspicions of fraud is less costly and may be equally effective.


  • Prepare a response plan in the event that deterrence fails. Despite everyone's best efforts, fraud can still occur. In many cases, the initial reaction of executives or board members is to confront the suspected fraudster outright or, if there is doubt, to begin collecting paper or electronic evidence. Most often, these are exactly the wrong things to do and may compromise an organization's ability to prosecute. Without adequate evidence, confronting a suspected fraudster is not only awkward and legally hazardous, but it can also alert the suspect to cover their tracks. Conversely, surreptitiously reviewing computer links and email archives could undermine the integrity of a formal investigation, making conviction and recovery more difficult. For nonprofit organizations to avoid these unintended consequences, appropriate strategies should be developed in advance to address specific types of fraud or misconduct. An employee suspected of cheating on an expense report follows a different protocol from an executive involved in a conflict of interest.


  • Address the issue directly and openly. It is perhaps the most common impulse when fraud is detected to terminate the offender, limit the damage, and hope the story can be kept quiet. There is also a high probability that this will fail. Eventually, word of the fraud gets out and rumors are likely to be exaggerated, resulting in even greater reputational damage than if the board had simply been forthright.


A Combination of Deterrence and Detection

As important as it is to respond immediately to fraud, preventing the situation in the first place is the best course of action. It is unrealistic to expect that a nonprofit organization can eliminate all fraud risks, but the governing board and executives can take effective steps to reduce them.

Nonprofit organizations can significantly reduce financial and reputational risks associated with fraud by creating an environment where ethical behavior is expected, closing gaps in internal controls, and developing a proactive fraud identification and response program.


