Audits won’t protect you
An audit will not protect your nonprofit from fraud.
It provides weak protection, at best, against fraud.
Too many nonprofits spend $5k, $10k, or more every year for something that does not deliver what they think.
A typical audit is not designed to find fraud
A typical nonprofit audit simply:
Takes the bookkeeping data and presents it according to GAAP (Generally Accepted Accounting Principles)
Certifies that the auditor’s financial reports are presented according to GAAP
Reviews some large transactions to confirm they have documentation
With restricted grants, the audit samples expense documentation to confirm that grants were spent according to the grant agreement
A typical nonprofit audit certainly has value. It’s just that the limited scope of the typical audit leaves a fraudster plenty of opportunity to hide their activity.
External audits rarely bring fraud to light
When fraud comes to light, credit goes to the external auditor in less than 1 out of 20 cases. Whistleblowers and good internal controls are much better for detection, per the Association of Certified Fraud Examiners (ACFE).
The auditor even tells you this
Auditors, to their credit, do not claim that a standard audit guarantees no fraud has occurred.
Unfortunately, the way they say it isn’t always clear to a layperson.
For example, “Because of the inherent limitations of an audit, combined with the inherent limitations of internal control, and because we will not perform a detailed examination of all transactions, there is a risk that material misstatements may exist and not be detected by us, even though the audit is properly planned and performed in accordance with U. S. generally accepted accounting standards.”
Audits are predictable. That makes them easy to evade
After going through one or two audits, an attentive fraudster can learn where the auditor will and won’t look.
For example:
Smaller transactions, for example, rarely receive any scrutiny.
Inventory (like computers) rarely gets reviewed. That provides an opportunity for theft or to purchase then return equipment to the store for credit or cash.
Documentation authenticity, because electronic receipts are easy to falsify and auditors rarely contact the vendor to confirm their validity.
Instead, implement strong internal controls
Strong internal controls don’t require a rocket scientist to create or implement. If designed well, implementation and regular verification will require a relatively small amount of time.
Good internal controls will include such things as:
Levels of access to the accounting system for each role in the organization (who has read only access, who can add/change/delete records, etc.)
Levels of access to the bank account
Credit card access
Who opens the mail
Who can sign checks
Who reconciles the bank account every month
Designed properly, good internal controls will make it more difficult for someone to commit fraud and much more likely that any fraud gets detected early.
Involve a third party to lend a hand designing your processes (staff should be involved, but they’re not neutral third parties). If your board or circle of volunteers doesn’t include someone with the necessary skills and background, an accounting or finance professional with nonprofit experience can.
Pro Tip: Follow through
Even the best-designed plans amount to little without strong follow through. Even strong implementation on day 1 will grow weak without a check in from time to time. Be sure that your internal controls include regular third-party verification that the controls are still being followed.
Trust and internal controls go together
Nonprofits have trust and goodwill as part of the “secret sauce.” Without them baked into the culture, many great organizations would simply stop functioning.
Trust without verification (and internal controls), however, amounts to little more than blind faith. Fraudsters count on this blind faith to keep their criminal activities hidden. It makes the nonprofit a more attractive target and more vulnerable.
Case in point: if you are the lead accountant at a nonprofit without good internal controls, and something weird happens with the accounting, where will fingers point? If you’re the executive director in that scenario, how long will you put your reputation on the line for that employee?
Pro Tip: Prevent a good person from going bad
Although serial fraudsters do exist, in many cases a truly good, trustworthy employee can turn bad through a combination of opportunity and misfortune.
Personal tragedy can hit anyone. Even the most responsible among us, for example, can end up with massive medical bills that exceed our ability to pay. The trusted employee in those circumstances, combined with loose internal controls, can feel tempted to give themselves a loan for a few months with every intention of paying it back before anyone even knows it happened. Then a few months go a little longer. Then the loan gets a little bigger. Then the loan becomes “I deserve this money.”
Why create unnecessary temptation? Why tempt fate?
Everyone who has seen the movie A Christmas Story knows that what happens when you leave a hungry dog alone with a freshly-cooked turkey. They can’t resist the temptation.
In the case of your nonprofit though, you might never know when your employee suddenly feels strong temptation. The internal controls help prevent that temptation, and that fraud, because the employee knows that if they give themselves a quick loan, there’s a good chance it will get detected.
Thus, good internal controls protect both your nonprofit and your trustworthy employee’s integrity.
Inspiration and further reading
I remember a board member asking me early in my career, “if you wanted to steal from this organization how would you do it?”
I gave him a good list just off the top of my head because the audit was our main internal control.
Tiffany Couch’s book The Thief in Your Company validated the concerns I’ve had all these years around the value of typical audits for fraud prevention.
Tiffany, a forensic auditor and public speaker, wrote her book with the non-expert in mind. It combines good story-telling with accounting concepts that she translates into regular English. No legalese. No accountant-speak. This makes the book an easy, pleasant, and informative read. Nonprofit leaders who want to understand basic accounting and the value of internal controls should add it to their reading list.