
By Jack Murray, HoganTaylor Assurance Partner and Nonprofit Practice Lead

Theft of assets, payroll and purchasing schemes, and financial statement fraud are three very different types of fraud that nonprofits must have the internal controls to prevent, or detect and correct. Behind each of these types of fraud, there is a human element.

Most have heard of, or experienced, the fraud triangle. The three legs of the fraud triangle are need, opportunity and rationalization.


Need can result from an overwhelming debt situation or an addiction that the employee has limited means to feed. Many times the incentive to steal comes from not wanting family or friends to know about the problem. The employee resorts to self-help rather than risk being embarrassed by admitting their personal financial situation is out of control.

Some red flags to consider when looking for fraud are:

  • The employee’s spouse has lost a job
  • The employee is divorced and has child or spousal support obligations
  • The employee has a drug, alcohol or gambling problem
  • The employee never takes a vacation

To identify at-risk employees, consider whose paychecks are being garnished by the courts or see who has accrued substantial vacation or sick time.


Regardless of the need, fraud can only take place when opportunity is present. The opportunity for fraud can come from many different directions:

  • Weak internal controls – A strong internal control system is a business’s first line of defense.
  • Little or no segregation of duties – When the same employee opens the mail, logs in payments and prepares and takes the deposit to the bank and then records the activity in the general ledger, you have a lack of segregation of duties.
  • Indifferent management – Sometimes management does not enforce existing internal controls or is more concerned with generating revenue.
  • Ineffective monitoring – Policies or procedures may be in place but are not operating effectively due to turnover or prioritization of duties.

Most frauds we have discovered or been notified of could have been prevented or detected with very little effort by recognizing risks and addressing them in a timely manner.


When the first two legs of the triangle are present, it takes an individual making a conscious decision that “it is OK for me to steal” in order for a fraud to occur. Some of the common rationalizations are:

  • I’ll pay the money back – Employees often start out with the best of intentions to pay back the stolen funds. However, the longer the employee gets away with the fraud, the more casual they become about the situation. The fraud usually escalates to the point where the employee is unable to replace the stolen funds.
  • I haven’t been treated right – Some event or situation, such as being passed over for a promotion or pay raise, or a perception that “I work harder or contribute more to the organization,” leads the employee to feel that taking company assets will make it right for them.

To combat this threat, nonprofits face a critical need to address fraud from the top. Leaders and Boards have a responsibility to set the tone that fraud will not be tolerated by creating an anti-fraud culture and making combating fraud part of the risk management function. Realistically, due to their mission-driven focus and limited operating budgets, nonprofit leaders are often left with less time and fewer resources to proactively develop anti-fraud governance measures. One of the most important deterrents of fraud is knowing the organization will not tolerate fraud and will act accordingly to prevent and detect fraud and take appropriate action if identified.

Nonprofits need a champion to ensure fraud risk is a part of an organization’s risk management function. It is impossible to completely eliminate the possibility that fraud can occur in an organization, so understand the exposure in your organization and focus your efforts on those areas. While fraud prevention is ideal, all nonprofits must weigh the costs and practicality of preventive versus detective measures. The best deterrent is simply knowing your people.

I truly hope none of you ever have to deal with the violation of having a trusted employee steal from your organization. Unfortunately, we must know this is a reality in today’s society, and taking the time to assess where opportunities exist within your organization and taking steps to minimize the threat may prevent you from having a difficult situation to address.
