How to protect nonprofits from hidden fraud risks
CPAs can help not-for-profits spot the red flags of common schemes, so they can take steps to tighten controls and reduce exposure.
Not-for-profit organizations (NFPs) can be particularly vulnerable to fraud because they commonly operate with limited resources and prioritize meaningful outcomes over administrative processes and internal controls.
It is not uncommon for a single individual to hold significant control over operations and financial functions within an NFP. This concentration of authority, combined with a culture of trust — which is fostered by a strong sense of purpose among the board, management, and employees — can increase hidden opportunities for fraud. And when fraud is discovered (often by accident), it typically comes as a shock that the person or people responsible could deceive the organization and violate its core values.
NFPs accounted for 10% of the fraud cases studied and had a median loss of $76,000, according to the 2024 occupational fraud report by the Association of Certified Fraud Examiners. While this figure may seem modest compared with losses in other sectors, fraud can have a disproportionately severe impact on NFPs. Beyond the immediate financial loss, reputational damage can undermine donor confidence, damage the public image, and jeopardize the organization’s ability to fulfill its mission.
FRAUD SCHEMES BECOME SOPHISTICATED
Fraud in NFPs has evolved in recent years from relatively straightforward theft to more sophisticated schemes involving billing, vendor collusion, and digital platforms. Like other sectors, NFPs now also face cybersecurity risks and scams driven by artificial intelligence (AI), including business email compromise, phishing attempts, and fake fundraising campaigns. But asset misappropriation and corruption remain the most common risks. (See “AI-Powered Hacking in Accounting: ‘No One Is Safe’,” JofA, Oct. 1, 2025.)
There is no shortage of recent headlines involving NFPs and fraud. From relatively small dollar losses affecting a single organization to losses in the millions of dollars where multiple individuals and organizations colluded to misuse funds, the media coverage and donor backlash from these frauds often result in lasting impacts to the entire sector far greater than the financial loss itself, as public trust is eroded.
One of the most egregious NFP fraud cases in recent years involved the founder of Minnesota-based Feeding Our Future and the owner of a Minneapolis restaurant, who worked together to steal about $250 million from a federally funded child nutrition program during the COVID-19 pandemic. While this matter has been widely publicized and the fallout continues, the magnitude and scale of the fraud scheme are not typical for the NFP sector.
Another egregious case that did not receive the same level of media attention resulted in losses exceeding $100 million over 15 years. It involved the Center for Special Needs Trust Administration (CSNT), a Florida NFP that managed funds for individuals with disabilities and special needs and was one of the largest administrators of special needs trusts in the United States.
In June 2025, the founder of CSNT and its accountant were indicted for allegedly misappropriating client-beneficiary funds from June 2009 through May 2025 to enrich themselves. They concealed their activities through complex financial transactions and by issuing false account statements with fabricated balances to disabled beneficiaries. CSNT filed for bankruptcy in February 2025, reporting more than $100 million in client-beneficiary funds missing from its trust accounts.
Litigation has ensued from this matter, alleging that the founder “loaned” over $100 million in trust assets to a separate for-profit company that he controlled.
While a few outsized schemes attract a lot of attention, many smaller cases go unreported in the media.
There are instances where the board or counsel investigates allegations of fraud, but no public action or litigation follows. Management or certain employees may be let go without other consequences, perhaps to keep things quiet and mitigate the risk of reputational harm.
In many NFP fraud cases, the board (typically with guidance from counsel) faces the difficult task of assessing the potential costs and benefits of reporting suspected fraud to an external party. Leaders weigh whether reporting the alleged fraud to law enforcement or pursuing legal action is worth the potential risk of reputational damage and the loss of donor confidence if the allegations become public.
And, in at least some of these cases, the board may feel some level of responsibility that lax oversight allowed the fraud to be perpetuated or go unnoticed for a significant period. (See the sidebar, “Behavioral and Procedural Red Flags.”)
Other examples of recent NFP fraud cases include:
- The former COO of the not-for-profit fundraising arm of the Jackson Health System in Florida misappropriated about $7 million over a decade by submitting fraudulent invoices and accepting kickbacks from a vendor. In December 2025, she was sentenced to six years and eight months in federal prison and ordered to pay back the stolen money. The scheme went undetected for years due to concentrated authority in the COO position, lack of substantive controls over vendor management, and a lack of segregation of duties between finance functions.
- The former executive director of the Carroll County Court Appointed Special Advocates (CASA) in Georgia was arrested in January 2025 and charged with using Venmo to transfer at least $7,000 donated to the NFP to her own Venmo account and then to her personal bank account. An audit identified “unusual” and “excessive” spending and that the executive director had received extra paychecks.
- A Maryland man fraudulently obtained a $305,854 loan under the Paycheck Protection Program (PPP) in June 2020 by falsifying the PPP loan application on behalf of his nonoperational NFP, the Coalition for Social Justice and Reform Inc. In December 2021, the man pleaded guilty and was sentenced to three years in prison. The PPP was a COVID-19 relief program established in 2020 by Congress. A major source of abuse involved payroll fraud, where companies made up fictitious employees to inflate their loan amounts. (See “Bills Extend Statute of Limitation for Prosecuting PPP, EIDL Fraud,” JofA, Aug. 10, 2022.)
UNIQUE FRAUD RISKS
NFPs face unique fraud risks that can affect both the likelihood of fraud occurring and, if it does, how quickly it is detected and how extensive the damage becomes.
- Limited resources and staffing can result in less sophisticated financial processes and weak internal controls. Limited staffing makes it challenging to implement proper segregation of duties, and key financial and approval functions may be concentrated in a single individual instead of distributed among multiple people to provide necessary checks and balances.
- Unsophisticated systems can make it harder to spot red flags and provide greater opportunities for individuals to manipulate records and go undetected. Unlike larger organizations that tend to invest in advanced accounting and technology platforms, NFPs often delay or forgo these upgrades due to high upfront costs and the necessity for more technical training and specialized expertise to utilize these platforms.
- Heavy reliance on outsourcing functions can create a false sense of assurance that financial controls are operating effectively. Because many NFPs delegate bookkeeping and financial reporting to third-party providers, there is often a misconception that outsourcing inherently guarantees accuracy.
- Weak or inadequate governance can be problematic, especially for small organizations where the board of directors plays the critical role of monitoring the organization’s financial health and ensuring that the executive director does not exercise unchecked authority over operations and funds.
PREVALENT NFP FRAUD SCHEMES
Several fraud schemes are prevalent within NFPs. A few are described below.
Misappropriation and embezzlement
Perpetrators use a variety of fraudulent schemes to illicitly obtain and misappropriate funds. In expense fraud, an individual may submit expenses for reimbursement that are not related to the operation of the NFP but rather are related to their own personal expenses, or for fictitious expenses. Payroll fraud may occur where fake employees are created and paid, but the funds go to the fraudsters themselves; or changes in the rate of pay or salary are inappropriately made such that an employee is paid at higher rates or salaries than what was agreed upon and/or approved by management.
Other misappropriation and embezzlement schemes may misuse company assets and corporate funds. The risk of these types of frauds occurring increases substantially when inadequate segregation of duties allows an employee to access funds or assets without appropriate restrictions or oversight.
In December 2025, the former CEO of a not-for-profit insurance statistical agent was sentenced to 33 months in federal prison, followed by two years of supervised release, and ordered to pay fines and restitution after pleading guilty to wire fraud. She embezzled more than $2 million from the NFP over 17 years, fraudulently wiring funds and writing checks to herself to pay for personal expenses and luxury travel. To conceal her illicit activity, the former CEO falsified audit reports and presented the fabricated financial statements to the board of directors.
Procurement or vendor fraud
Procurement or vendor-related fraud is one of the more significant fraud risks faced by NFPs. These schemes often involve creating fictitious vendors or customers, collusion among parties, overbilling, and kickbacks.
In November 2025, two former CEOs and a former facility manager of Primary Health Network (PHN) in Sharon, Pa., pleaded guilty to defrauding the NFP. According to the U.S. Attorney’s Office in the Western District of Pennsylvania, the trio used a company they owned, TopCoat, as a passthrough between PHN and a legitimate third party that provided services to PHN. TopCoat paid the vendor for providing services to PHN and then billed PHN at inflated rates, thereby profiting from the difference. Fraudulent invoices were issued from TopCoat to PHN, and the trio split the profit. In another related scheme, they caused PHN to enter into contracts with a separate third-party vendor in which 50% of the fees paid by PHN were then paid in kickbacks to another entity controlled by the perpetrators.
Manipulation of financial results
An NFP’s leaders may feel pressure to manipulate financial results to procure additional funds for the organization and present a financial picture that attracts more funds or grants. This manipulation can also be done to increase bonuses and/or supplement the usually lower income paid to employees of NFPs.
Financials may also be manipulated to hide other theft or misuse of assets. Common techniques of manipulating financial results include creating fake revenue or understating expenses. In other instances, costs may be erroneously allocated to other programs to present a certain program in a better financial light.
In some instances, the underlying financial data may be recorded accurately but is manipulated after reports are drafted. When accountants or auditors provide reports to leaders instead of directly to the board of directors, this creates the opportunity for data to be manipulated to present a more favorable picture of the organization’s financial health to the board or public, masking the true financial condition.
CYBERFRAUD ALSO A THREAT
A rising area of potential fraud where NFPs are victims involves various computer schemes, including cyberattacks, phishing, and email compromise. Cyberfraud tends to involve external fraudsters. For example, in a business email compromise scheme, cybercriminals trick employees into sending money or important data, such as donors’ Social Security numbers or other personal data, using emails that appear legitimate. NFPs are ripe targets for these types of schemes because of the donor information they retain, the organization’s smaller employee size, and oftentimes the outdated technology they use.
In some instances, these attacks include external bad actors impersonating executives asking for wire transfers to be initiated.
In ransomware attacks, fraudsters send “phishing” emails that could result in the nonprofit’s systems being shut down or rendered inoperable.
HOW TO ADDRESS THE VULNERABILITIES
Accountants should consider familiarizing themselves with any risk assessments performed and form an understanding of the internal controls in place at the NFP, the relevant policies and procedures, and how material assets are safeguarded.
Effective internal controls require a deliberate approach: conducting fraud risk assessments, identifying specific risks, and designing internal controls tailored to the risks identified (such as requiring secondary approvals for expenses over specific thresholds, requiring board approval prior to entering certain types of contracts, performing surprise internal audits, segregating duties in major transaction cycles, or partnering with banks that use the latest anti-fraud tools). Regardless of whether a fraud scheme is large or small or, as in the case of the Feeding Our Future fraud, an extreme outlier, NFPs can take discrete and effective steps to protect themselves (see “An Ounce of Prevention: Combatting Fraud in Not-For-Profits,” AICPA and CIMA, Aug. 1, 2025).
Internal controls must be continually evaluated and updated. This process should involve leaders and employees at different levels within the organization who may have unique perspectives and experience.
Vulnerabilities can also be addressed in the following ways:
- Establish an independent committee of the board to oversee the NFP’s governance, risk management, and internal control processes.
- Automate processes with technology that uses built-in validation and accountability routines. For example, NFPs should consider accounting software that provides an audit trail of entries that have been changed or deleted.
- Document key financial cycle processes and address segregation of duties in major transaction cycles. No single person should have the ability to complete an entire financial process.
- Perform monthly closings of the books, including reconciliations. The full board or the board’s finance committee should review financial reports on a defined, regular basis. Financial reports should be provided directly to the board by the accountant, bookkeeper, or auditor and not be passed on through other executives or leaders.
- Adopt a code of ethics as a leading practice to promote ethical behavior within the organization, financial reporting fairness and accuracy, compliance with laws and regulations, and the ethical handling of conflicts and complaints. A robust and enforced code of ethics is a key indicator of a tone at the top that signifies a strong control environment.
- Put in place effective conflict-of-interest and whistleblower policies and processes to address unethical or illegal activity and to respond to reports of possible fraud. The independent committee should monitor compliance with these policies.
- Provide annual anti-fraud training for executives and employees.
- Require mandatory vacations with somebody else performing the functions of the absent employee.
- Establish enterprise risk management safeguards such as multifactor authentication, endpoint detection and response, advanced email filtering, employee information privacy training, vulnerability scanning, segmented data backups, and closed ports for remote access tools. Have a written incident response plan in place and be sure your insurance coverage keeps up with your changing needs.
- Implement IT controls and provide staff training to protect against cyber threats. Also, the organization should approve an AI policy for staff outlining how and when AI may be used in daily operations.
- Establish regular outside oversight in the case of entities receiving public funds and monitor the organization, whether through financial audits or other means.
Accountants play diverse roles in supporting nonprofits, but all employees contribute to the organization’s financial health and integrity.
Behavioral and procedural red flags
There are certain behavioral and procedural indicators and red flags for potential fraud. They include:
- Reluctance of an employee to take time off.
- An employee living beyond their means.
- Poor tone from the top.
- Dissatisfied employees.
- No defined board oversight responsibilities.
- Overreliance on one (or two) individuals at the organization.
- Inadequate segregation of duties (especially around financial duties and access to organizational funds).
- Lack of documented policies and procedures (or a history of not following those that are documented).
- Lack of vendor management controls.
- Unfamiliar vendors or vendors with a P.O. Box only.
- Vendor addresses that match employee addresses.
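The last two vendor red flags lend themselves to a routine data test on the vendor master file. The following is an added example, not part of the original article: the field names, record IDs, and sample records are constructed for illustration, and it assumes one address per vendor record.

```python
import re

# Common street abbreviations so "412 Elm Street" and "412 ELM ST." compare equal.
ABBREVIATIONS = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
                 "SUITE": "STE", "APARTMENT": "APT", "NORTH": "N", "SOUTH": "S",
                 "EAST": "E", "WEST": "W"}
PO_BOX = re.compile(r"^\s*(P\.?\s*O\.?|POST\s+OFFICE)\s*BOX\s+\w+", re.IGNORECASE)

# Constructed sample data (hypothetical vendors and employees).
VENDORS = [
    {"id": "V-100", "name": "Northside Printing", "street": "88 Commerce Drive", "zip": "30117"},
    {"id": "V-101", "name": "Bright Path Consulting", "street": "412 Elm Street, Apt. 2", "zip": "30117"},
    {"id": "V-102", "name": "QuickSupply LLC", "street": "P.O. Box 4410", "zip": "30118"},
]
EMPLOYEES = [
    {"id": "E-7", "street": "412 elm st apt 2", "zip": "30117-1234"},
    {"id": "E-9", "street": "19 Lake Road", "zip": "30117"},
]


def normalize_address(street, postal_code):
    """Reduce an address to a comparable key: uppercase, no punctuation,
    abbreviated street words, five-digit ZIP."""
    words = re.sub(r"[^\w\s]", "", street.upper()).split()
    words = [ABBREVIATIONS.get(w, w) for w in words]
    return " ".join(words) + "|" + postal_code.strip()[:5]


def flag_vendors(vendors, employees):
    """Return {vendor_id: [flags]} for vendors that hit either address red flag."""
    employee_keys = {}
    for emp in employees:
        key = normalize_address(emp["street"], emp["zip"])
        employee_keys.setdefault(key, []).append(emp["id"])

    findings = {}
    for vendor in vendors:
        flags = []
        if PO_BOX.match(vendor["street"]):
            flags.append("PO_BOX_ONLY")
        matches = employee_keys.get(normalize_address(vendor["street"], vendor["zip"]))
        if matches:
            flags.append("MATCHES_EMPLOYEE:" + ",".join(matches))
        if flags:
            findings[vendor["id"]] = flags
    return findings


if __name__ == "__main__":
    for vendor_id, flags in flag_vendors(VENDORS, EMPLOYEES).items():
        print(vendor_id, flags)
```

A hit is a prompt for follow-up, not proof of fraud; the test should be run by someone independent of vendor setup and payment approval.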
About the authors
Amy Yurish, CPA/CFF, is managing director in the Reston, Va., office of global consulting firm J.S. Held LLC. Tamara Thomas, CPA/CFF, CGMA, is a director in the forensic consulting group at professional business services provider CBIZ in the Atlanta metro area. Both authors are members of the AICPA Forensic and Litigation Services (FLS) Fraud Task Force. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.
MEMBER RESOURCES
Online resources
“Common Controls for Smaller Entities, Not-for-Profit Segregation of Duties Reference Chart for NFPs With Two People,” NFP Section, Sept. 5, 2025
“An Ounce of Prevention: Combatting Fraud in Not-for-Profits,” NFP Section, Aug. 1, 2025
“FVS Quick Reference Guide: Top Misappropriation Schemes,” FVS Section, Oct. 1, 2023
“Business Fraud Risk Framework,” FVS Section, Aug. 20, 2020
Publication
Fraud Risk Management Guide, Second Edition