The median loss for nonprofits that fell victim to fraud was $60,000, according to the Association of Certified Fraud Examiners’ (ACFE) Occupational Fraud 2022: A Report to the Nations. The average loss for nonprofits was $851,000. Such losses could prove devastating for many organizations. But with strong internal controls to prevent and detect fraudulent activity, organizations can reduce this risk.

The ACFE report found that almost 30% of the victim organizations lacked adequate internal controls to prevent fraud from occurring. In addition to minimizing fraud, comprehensive internal controls also help ensure accurate accounting records and financial statements. And strong internal controls are essential for compliance with relevant laws, regulations and grant requirements.

4 critical measures

Your organization should have a mix of preventative and detective controls. The most effective internal controls include:

1. Segregation of duties. No individual should have control over more than one phase of a financial transaction or function. That means individuals with access to assets shouldn’t be responsible for accounting for those assets. Nor should an individual have the ability to both initiate and approve a transaction, such as paying a vendor invoice. Don’t let staff members who receive checks also deposit them. Finally, don’t allow employees who write checks then also be responsible for reconciling monthly bank statements.

Segregation of duties is among the most vital of internal controls. But it can be challenging to segregate duties for nonprofits with few staff or that have shifted to remote work arrangements.
Consider assigning some duties to board members and trusted volunteers and/or consider outsourcing functions such as payroll and accounts payable. Also consider using cloud solutions to overcome hurdles related to employees working remotely.

2. Controls over credit cards. Credit cards have become increasingly common in nonprofits, but they come with the risk of unauthorized usage. If you find it necessary to give credit cards to employees, board members or volunteers, take steps to reduce related risks. Start by limiting the number of cards in use.

Require a receipt for each purchase, along with documentation of the business purpose. Require someone who isn’t an authorized card user to scrutinize card statements and supporting documentation every month for unusual or questionable activity. Depending on the issuer, you may be able to set limits on the types or amounts of purchases. It’s also advisable to enforce real consequences for unauthorized usage, such as revoking card privileges or termination.

3. Regular financial statement reviews. It’s customary for nonprofit boards or audit committees to review financial statements annually or semi-annually. But the ACFE study confirms that the longer fraud goes undetected, the greater the financial loss for the victim organization.

Your organization’s leaders should review financial statements at least quarterly, if not monthly. They should also receive regular budget reports, showing variances between budget and actual figures, as significant variations can indicate potential fraud.

4. Job rotation/mandatory vacation. According to the ACFE study, job rotation/mandatory vacation is associated with at least a 50% reduction in the median loss and median duration of fraud schemes. Not surprisingly, unwillingness to share duties and refusal to take vacation are some of the red flags for fraud schemes.

For example, scams involving receivables often require perpetrators to be in the office to cover their tracks. So rotating job duties and requiring employees to take regular vacations can act as
both a preventative and a detective control.

Level of internal controls may vary. Controls such as segregation of duties are advisable for every organization, but additional policies may be more or less appropriate depending on your nonprofit’s particular risks and circumstances. We can help you determine and establish the right internal controls to
reduce fraud risk.