Assessing Fraud Risk

One question I frequently ask nonprofit organizations I speak to is, “What processes are in place for identifying, responding to, and monitoring fraud risks?” Most times, the response describes an informal process including a description of the segregation of duties and review procedures in place. Given that nonprofit frauds aren’t going out of style anytime soon, it is important that nonprofits have a concrete fraud risk assessment process.

One of the most damaging effects a fraud can have on a nonprofit organization is a tarnished reputation. Sure, fraud resulting from an employee skimming funds certainly has an immediate financial impact, but the blemish on an organization’s reputation can have long-term consequences.

Procedures can be implemented by an organization to strengthen internal controls and ultimately contribute to a decreased risk of fraud… The risk of fraud will never be eradicated, however, because as soon as a new control is implemented, someone, somewhere will start crafting a way to sidestep it.

The goal of a fraud risk assessment is to identify the vulnerabilities and gaps in internal control that could leave the organization exposed to both financial and reputational damage. Developing a proper fraud risk assessment should involve input from all members who have their hand in the finances of the organization, from the board of directors to the staff accountant.

The AICPA has offered some considerations when developing a fraud risk assessment. First, consider the types of fraud schemes that have potential to occur. Second, consider concealment strategies that could be used by a fraudster to avoid being caught. Third, consider the positions which pose the highest risk of committing fraud. Fourth, consider what controls are already in place to deter, prevent, and detect fraud.  Fifth, create a list of red flags that board members and employees can use to be on the lookout.

It is important to remember this is not a once-and-done effort. As systems, processes, positions and responsibilities change within an organization, so should the assessment of risk.