ACFE Insights Blog

Is It Enough? Fraud Prevention and Risk Management Considerations

What does it mean to have an organization that has a culture that ensures a massive theft does not occur—or if someone does attempt a fraud, it is caught early?

By Colin May, CFE | November 2024 | Duration: 5-minute read
It's a story that fraud examiners know all too well: a small non-profit organization or government agency ruled by one or two people, with little oversight and even fewer controls. Funds, either donated or paid by tax dollars, are siphoned off with ease, often for years, until the house of cards falls. But the damage is extensive—not only in wasted time, effort and lost money, but also in trust in the organization, the agency and the people involved.

But what does it mean to have an organization that has a culture that ensures a massive theft does not occur—or if someone does attempt a fraud, it is caught early? 

Recently, this question was posed to me by a fellow Certified Fraud Examiner (CFE). I have written extensively on the issues of fraud, theft and embezzlement from these non-profits and small agencies. In fact, one story in Fraud Magazine detailed the years-long theft by the Fire Chief of a small town in New Hampshire and another described a healthcare scheme perpetrated by leaders of a non-profit ambulance squad in rural Virginia.

The Culture Matters 

Tone at the top is critical in ensuring that an organization’s leaders model a positive and affirming culture that has zero tolerance for fraud and misconduct. But beyond the tone at the top, it must seep into the bones, so that everyone understands the expectations. Culture refers to the shared values, beliefs, norms and practices that shape the behavior and interactions of an organization and its staff, vendors, suppliers, contractors and other stakeholders.  

Anti-fraud culture can be integrated in three ways: what I call the 3C’s of organizational culture.  

  • First, there must be a culture of compliance—compliance often gets an unnecessary stigma, but it is essential to ensure that rules, laws and policies are followed. Otherwise, it becomes a “free-for-all” environment where norms and rules do not matter. We want people to understand why these exist and how they protect the organization, the employees, stakeholders, customers and the public. 
  • Second, there must be a culture of competence—staff must know their roles, duties and responsibilities. Competence means that cross-training, mandatory vacations, and routine and non-routine (or “surprise”) reviews are conducted. People appreciate that training, education, learning and development enable them to be good at their jobs and have the ability to move forward in their careers.
  • Finally, the third “C” is culture of commitment—this starts with the leaders but must encompass everyone involved. It is not only about the commitment to anti-fraud, but about the organization’s values, mission, processes and people. How committed are the staff? How accessible and committed are leaders at every level? How committed is the organization to robust fraud and enterprise risk management, prevention, detection and mitigation? 

Growth Can Be a Problem 

Rapid and extensive expansion of an organization can be both a blessing and a curse; it also poses significant challenges for fraud prevention and risk management. As new employees join quickly, it can be challenging to communicate the core values and commitments that define the organization.  

While a large influx of new perspectives and talent can be important, it can also dilute the established culture, especially if it previously had strong anti-fraud policies. Communication can also be problematic, as more people cause the organization to be less personal, more bureaucratic and stiffer. Dynamics can shift, leadership can become overwhelmed and key priorities (such as fiscal management and stewardship) can become lost.

Take, for example, a governmental entity that suddenly finds itself expanding beyond its initial geographic footprint. Although the name and some details have been changed, the facts are accurate and illustrative of the challenges leadership faces.  

Assessing The Issues 

The Hamish Firefighting Division encompasses a large, multi-county territory with more than 100,000 residents. Over the last five years, it has expanded its operation to merge or contract with additional municipalities and unincorporated townships. The budget expanded from $3.7 million in 2020 to a proposed budget of nearly $17 million in 2025.

Hamish is overseen by a board of trustees, has an outside legal counsel and is headed by a fire chief, along with multiple deputy chiefs and administrative staff. One of the trustees is appointed as the Financial Officer, like a treasurer of a non-profit organization. It is also subject to financial compliance examinations by the state auditor, which has conducted eight audits since 2018 (all of which are publicly available). The meetings of the board are public, conducted in person and accessible via online video conferencing. In addition, on its website, Hamish posts the detailed meeting minutes of the board of trustees, along with the financial information, statements and budgets. 

While these are all good things, it is essential to dive deeper into three areas: 

  • Does the Board of Trustees have the requisite financial and managerial knowledge to effectively oversee the division? 
  • Does the division have a comprehensive fraud and enterprise risk management plan in place that identifies, mitigates and controls for these occurrences? 
  • Does the division have policies, procedures, monitoring, training, reporting mechanisms and awareness to ensure prompt attention to these issues? 

While many small organizations cannot afford to pay salaries for experienced fraud examiners and financial managers to ensure proper documentation, organization and oversight, the risk for fraud and exploitation always exists. Controls need to be in place, the tone at the top needs to be set and driven home throughout the organization and there must be competent staff and volunteers (including the oversight authority) who understand how and why fraud is committed and what can be done to prevent and mitigate it. Not having those will be very costly, possibly resulting in the demise of the organization. 

We will never fully prevent all fraud, but fraud prevention and risk management are crucial for smaller organizations. Leaders must ensure—and the taxpayers and stakeholders must demand—that there are adequate resources to incorporate risk management and anti-fraud policies and processes into their work.  

By conducting regular fraud risk assessments, leaders and the board can identify the potential areas that are most vulnerable to fraud, waste, abuse and misconduct. Through effective implementation of controls, policies and procedures, the organization will be better positioned to prevent and detect fraud.  Through the strategies and considerations outlined above, small organizations can significantly reduce the risk of fraud and ensure their operations remain transparent and accountable, ultimately serving the mission and people who need it the most. 
