Fraud Risks in Nonprofit Organizations: Building an Effective Framework of Internal Controls
By Sly Atayee, BDO USA, and Cynthia Rowland, Farella Braun + Martel
Fraud prevention is a critical issue for nonprofit organizations. Without the right safeguards, fraud can severely damage an organization’s reputation and financial health. Nonprofits, particularly those that grow rapidly or manage a variety of operations, can face unique challenges in fraud risk management. By establishing a strong internal control framework, organizations can reduce vulnerabilities and ensure their long-term success.
This article explores best practices for nonprofits in building an effective system of internal controls that works as a fraud prevention framework. In particular, we look at how to design a comprehensive system of internal controls using the widely recognized COSO framework.
Understanding the COSO Framework
The COSO framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission, is one of the most commonly used internal control frameworks in both nonprofit and for-profit organizations. It was designed to provide organizations with a structured approach to preventing and detecting fraud, as well as mitigating other risks. While it was originally developed in 1992, it gained renewed prominence in the early 2000s after the Enron scandal and the passage of the Sarbanes-Oxley Act (SOX).
For nonprofit organizations, COSO is especially valuable because it provides a systematic approach to managing risks—including fraud risk—without the need for complicated, resource-heavy oversight. At its core, COSO helps organizations identify and mitigate risks, enforce accountability, and foster a culture of integrity.
The Five Components of the COSO Framework
The COSO framework is divided into five key components that nonprofits can use to build a strong system of internal controls. These are the control environment, risk assessment, control activities, information and communication, and monitoring. Below, we explore each component and how it applies to fraud prevention in nonprofit organizations.
1. Control Environment: Establishing Ethical Leadership
The control environment is the foundation of any effective fraud prevention strategy. It encompasses the ethical culture, integrity, and behavioral standards within an organization—what is often referred to as the "tone at the top." Leaders and board members set the standard for ethical behavior, which trickles down to all employees. In nonprofits, where fraud prevention resources can be limited, it is crucial that leadership fosters a culture of transparency and accountability.
A strong control environment discourages fraud by promoting a culture where ethical behavior is expected, and employees feel comfortable reporting any red flags. For example, having a clear code of conduct and a robust whistleblower policy signals to employees that the organization takes fraud and ethical breaches seriously. However, it is essential to ensure that these policies are not just words on paper but are actively enforced and communicated across the organization.
The control environment also ties into the fraud triangle, which comprises three elements: motive, opportunity, and rationalization. While organizations have limited control over employees' motives and rationalizations, they can significantly influence the opportunity for fraud by developing a robust control environment.
2. Risk Assessment: Identifying Specific Fraud Risks
Risk assessment involves identifying and evaluating potential risks, including fraud risks, unique to the organization. For nonprofits, these risks can vary depending on factors such as the size of the organization, its funding sources, and the nature of its operations. For example, a nonprofit that handles large amounts of cash may face a higher risk of embezzlement compared to one that primarily deals with electronic transactions.
Risk assessments should be conducted regularly, and organizations should tailor their fraud prevention strategies to address their specific risk profile. For instance, a nonprofit working internationally might face different risks in each country, such as theft of relief aid or difficulties in managing vendors. By identifying these risks early on, nonprofits can design effective control measures to mitigate them.
3. Control Activities: Implementing Fraud Prevention Procedures
Control activities are the specific actions an organization takes to mitigate identified risks. These may include segregation of duties, approval processes, and reconciliations. For example, ensuring that no single employee is responsible for both collecting and depositing donations can reduce the risk of misappropriation.
One useful tool in managing control activities is a Risk and Control Matrix (RACM), which links specific risks to corresponding control measures. This organized approach helps nonprofits prioritize their most significant risks and ensure they have assigned specific controls to mitigate them.
4. Information and Communication: Enhancing Fraud Detection
Information and communication are critical for detecting fraud early. Fraud detection involves monitoring an organization’s financial activities and internal processes for any signs of irregularity. Timely, accurate reporting and open lines of communication can help ensure that any red flags are spotted before they escalate into larger problems.
Nonprofits should ensure that financial reports are regularly reviewed and that any key performance indicators (KPIs) related to potential fraud, such as unpaid invoices or unusual travel reimbursements, are flagged for management review. Additionally, having a whistleblower system in place, where employees can anonymously report suspicious activities, is an essential component of effective fraud detection.
The importance of document retention also cannot be overstated. By maintaining detailed records of financial transactions, nonprofits can create an audit trail that helps investigators verify the legitimacy of expenses and detect any fraudulent behavior.
5. Monitoring: Ensuring Compliance and Continuous Improvement
Monitoring is the final piece of the COSO framework and is essential for ensuring that internal controls are functioning as intended. This involves regular assessments of the control system to ensure it is up-to-date and effective. Monitoring can include activities such as internal audits, spot checks, and regular reviews of financial reports.
For smaller organizations that may not have dedicated internal audit teams, spot-checking key transactions or conducting periodic reviews of high-risk areas can be a cost-effective way to ensure compliance. Monitoring also helps organizations identify any areas where internal controls may need to be strengthened or updated.
Lessons from Real-World Fraud Cases
Nonprofit organizations that fail to implement the COSO framework or neglect to monitor their internal controls can find themselves vulnerable to fraud. In one case study discussed in our article “Fraud Risks in Nonprofit Organizations: Learning From Real-Life Case Studies,” a nonprofit lacked proper segregation of duties and a single employee was able to misappropriate millions of dollars over several years before the fraud was detected.
Sly Atayee is a director at the national accounting firm BDO USA and a certified fraud examiner. He can be reached at [email protected]. Cynthia Rowland is a partner at Farella Braun + Martel and chair of its Exempt Organization Group. She can be reached at [email protected]. Learn more about financial fraud at nonprofit organizations by listening to the EO Radio Show nonprofit fraud prevention podcast series.
Fraud Risks in Nonprofit Organizations: Building an Effective Framework of Internal Controls, Sly Atayee and Cynthia Rowland, Board and Administrator for Administrators Only, Volume 41/No. 11, Copyright © 2025, copyright owner as specified in the Newsmagazine, Wiley Periodicals Inc.