Grant fraud is a silent crisis in the nonprofit sector. The Government Accountability Office estimates federal fraud losses between $233 billion and $521 billion annually across all government programs. For nonprofits managing grants, this reality hits differently: a single fraud case can devastate your organization's reputation, drain resources, and jeopardize future funding.
But here's the good news: most grant fraud is preventable. Not through paranoia or excessive bureaucracy, but through thoughtful internal controls that work within your organization's reality—whether you have 50 staff members or 5.
This guide walks you through the fraud prevention framework required by federal regulations (2 CFR 200.303), examines real fraud cases that should keep you awake, and gives you practical tools to strengthen your organization's defenses starting today.
What Grant Fraud Actually Looks Like in Nonprofits
Grant fraud isn't always a dramatic heist. Most internal fraud happens quietly—padded timesheets, inflated invoices, personal purchases hidden in grants, fake employees on payroll.
Here are the fraud schemes auditors and regulators see most often:
Payroll Fraud: The Easiest Scheme
An employee in an unmonitored position claims 10 hours per week on grant time when they're actually working 2 hours. Or worse: a "ghost employee" exists on payroll, receiving paychecks that never arrive at a real person's bank account.
Real Case: A nonprofit in the Midwest added a fictional staff member to its federal grant payroll for 18 months. Monthly timesheets were falsified, and grant reimbursements totaled $87,000 before an external auditor asked to interview the "employee."
Red Flag: Timesheets that are approved by the same person who enters them. Salary records that don't match actual hire dates.
Procurement Fraud: Inflated Invoices and Kickbacks
A vendor submits inflated invoices to a grant-funded project. The nonprofit's grants manager approves the invoice without competitive bidding. The vendor then kicks back part of the overcharge to the nonprofit employee who approved it.
Real Case: An HHS Office of Inspector General investigation in 2023–2024 uncovered a nonprofit organization that paid $7.8 million to a single vendor for equipment purchases. The vendor was owned by the nonprofit's finance director. Items were invoiced at 3–4 times market value, and competitive bidding requirements were completely bypassed.
Red Flag: Sole-source contracts (one vendor always gets the work). Invoices approved by the person who selected the vendor. Unusually high unit prices compared to market rates.
Travel Reimbursement Fraud
Staff members claim mileage for personal trips. Hotel receipts are submitted for conferences they didn't attend. Meal reimbursements are inflated or submitted without supporting documentation.
Red Flag: Travel claims submitted without receipts. Unusual clusters of mileage claims. Same employee always approving their colleague's travel.
Grant Diversion: Charging Personal Expenses to Grants
An organization receives a grant for Program X. Staff charge unrelated expenses—office supplies, staff training, meals—to Program X's account to free up unrestricted dollars.
Red Flag: Expenses that don't align with grant scope. Misaligned grant budgets vs. actual spending. No one regularly comparing actual spending to approved grant budgets.
What 2 CFR 200.303 Actually Requires (And Why It Matters)
Federal regulation 2 CFR 200.303 requires that organizations receiving federal funds implement internal controls designed to, among other things, detect and prevent fraud, waste, and abuse.
The regulation requires controls that:
- Prevent unauthorized transactions. Not every staff member should be able to approve payments, hire vendors, or authorize grant charges.
- Detect fraud and waste quickly. Controls should catch problems before they become large.
- Are documented. Your auditors need to see evidence of your controls, not just hear about them verbally.
- Are tested regularly. Controls only work if people actually follow them, and you periodically verify they do.
The good news: 2 CFR 200.303 doesn't require byzantine bureaucracy. It requires a framework appropriate to your organization's size and risk profile. A 5-person nonprofit doesn't need the same controls as a 500-person organization.
How to Implement Segregation of Duties in Small Nonprofits
Segregation of duties is the backbone of fraud prevention. The principle: no single person should be able to authorize a transaction, execute it, and then approve it. Smaller organizations often say "we can't do this—we're too small." That's a myth.
Here's how to implement meaningful segregation of duties even with 3–5 staff:
For Procurement (Purchasing Goods and Services)
- Step 1—Authorization: Someone requests the purchase (e.g., Program Manager requests office supplies for grant project).
- Step 2—Approver (Different Person): A supervisor or finance person approves the request and budget allocation (e.g., Finance Director confirms grant has available funds and approves the purchase).
- Step 3—Execution (Different Person): A third person (if possible) places the actual order.
- Step 4—Receipt & Reconciliation (Auditor): When the invoice arrives, someone other than the approver verifies the goods/services were received and the invoice matches the order.
In a small nonprofit: Executive Director might handle approvals, Program Manager requests, a Board member or volunteer might spot-check receipts monthly.
For Payroll
- Step 1—Timesheet Entry: Employees submit timesheets to their direct supervisor.
- Step 2—Approval (Different Person): A supervisor other than their direct manager approves timesheets, at least quarterly. For very small organizations: the Board Treasurer.
- Step 3—Processing (Different Person): A third person (Finance or accountant) actually enters timesheets into payroll and processes paychecks.
- Step 4—Review (Different Person): Board members or a Finance Committee member spot-checks payroll monthly against timesheets and grant records.
Critical: If you have only 3 staff, the owner/ED shouldn't be approving their own timesheets or their own expense reimbursements. The Board handles this.
For Grant Charges and Reimbursements
- Step 1—Approval Before Expense: Before an expense is incurred (especially large travel, equipment, or contractor work), someone approves it against the grant budget and scope. This prevents "charging it to the grant later" thinking.
- Step 2—Documentation: Receipts, timesheets, vendor invoices must be collected and filed with the expense claim.
- Step 3—Second Review (Different Person): Someone independent of the person incurring the expense reviews the documentation and the grant scope before reimbursing.
- Step 4—Regular Reconciliation: Monthly, reconcile actual grant spending to the grant budget. Look for anomalies.
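The procurement steps above can be checked mechanically against a purchase log, along with a flag for any vendor whose purchases are all approved by one person. This is an added example, not part of the original guide; the record fields, staff identifiers and the three-purchase threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records; field names and values are illustrative assumptions.
PURCHASES = [
    {"id": "PO-001", "vendor": "Acme Office", "amount": 240.00,
     "requester": "pm_lee", "approver": "fd_ortiz", "orderer": "admin_kim", "receiver": "pm_lee"},
    {"id": "PO-002", "vendor": "Northside Equip", "amount": 9800.00,
     "requester": "fd_ortiz", "approver": "fd_ortiz", "orderer": "fd_ortiz", "receiver": "fd_ortiz"},
    {"id": "PO-003", "vendor": "Northside Equip", "amount": 7600.00,
     "requester": "pm_lee", "approver": "fd_ortiz", "orderer": "admin_kim", "receiver": "fd_ortiz"},
    {"id": "PO-004", "vendor": "Northside Equip", "amount": 8100.00,
     "requester": "pm_lee", "approver": "fd_ortiz", "orderer": "pm_lee", "receiver": "board_ng"},
    {"id": "PO-005", "vendor": "Acme Office", "amount": 130.00,
     "requester": "admin_kim", "approver": "ed_shah", "orderer": "admin_kim", "receiver": "board_ng"},
]

def sod_findings(p):
    """Return (severity, message) findings for one purchase record."""
    findings = []
    # Steps 1-2: the approver must not be the requester.
    if p["approver"] == p["requester"]:
        findings.append(("violation", "requester approved own purchase"))
    # Step 4: receipt/invoice check must be done by someone other than the approver.
    if p["receiver"] == p["approver"]:
        findings.append(("violation", "approver also verified receipt"))
    # Step 3: a third person places the order "if possible", so this is only a warning.
    if p["orderer"] in (p["requester"], p["approver"]):
        findings.append(("warning", "order placed by requester or approver"))
    return findings

def review(purchases):
    """Map purchase id -> findings, omitting clean records."""
    return {p["id"]: f for p in purchases if (f := sod_findings(p))}

def single_approver_vendors(purchases, min_purchases=3):
    """Vendors with >= min_purchases purchases all approved by the same person."""
    by_vendor = defaultdict(list)
    for p in purchases:
        by_vendor[p["vendor"]].append(p)
    flagged = {}
    for vendor, rows in by_vendor.items():
        approvers = {r["approver"] for r in rows}
        if len(rows) >= min_purchases and len(approvers) == 1:
            flagged[vendor] = (approvers.pop(), round(sum(r["amount"] for r in rows), 2))
    return flagged

if __name__ == "__main__":
    for pid, findings in review(PURCHASES).items():
        for severity, msg in findings:
            print(f"{pid}: {severity}: {msg}")
    for vendor, (approver, total) in single_approver_vendors(PURCHASES).items():
        print(f"{vendor}: all purchases approved by {approver}, total ${total:,.2f}")
```

A finding is a prompt for the Board or Audit Committee to pull the supporting documents, not proof of fraud.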
Board Oversight: What Board Members Actually Need to Do
Many nonprofits delegate all financial oversight to the Executive Director and Finance Manager. This is the setup that allows fraud to flourish. Boards have a legal fiduciary duty to oversee finances, and this means more than approving an annual budget.
The Audit Committee Structure
Ideally, your Board has an Audit Committee (or Finance & Audit Committee). This doesn't need to be expensive or complex:
- Membership: 2–3 Board members, ideally with accounting or finance experience. At least one should understand grants.
- Frequency: Meet quarterly, or at minimum, every 6 months.
- Responsibilities:
  - Review internal control policies quarterly.
  - Spot-check transactions (payroll, procurement, grant charges) monthly or quarterly.
  - Review and approve the annual external audit.
  - Investigate any suspicious transactions or staff concerns.
Monthly Financial Reviews
The Board (or Audit Committee) should review financial statements monthly. This doesn't mean auditing every transaction—it means looking at patterns:
- Is grant spending on track with budgets?
- Are there unusual or large transactions?
- Have any grant compliance issues been flagged?
- Are payroll and benefits expenses normal?
Grant Compliance Monitoring
Designate a Board member or volunteer to:
- Track grant requirements (reporting deadlines, budget limits, allowable expenses).
- Spot-check grant spending against budgets quarterly.
- Attend grant monitoring visits or reviews, if applicable.
- Review grant audit findings or compliance questions from funders.
Red Flags That Should Trigger Investigation
Effective fraud prevention means knowing what to look for. Some red flags are subtle; others are obvious. Train your Board and staff to escalate any of these:
| Red Flag | What It Means | Action |
|---|---|---|
| Timesheets Submitted Late or Retroactively | Employee didn't track time as worked; fabricated later | Request detail; require prospective tracking for 1 month |
| Same Employee Always Approves Purchases from One Vendor | Possible kickback arrangement or personal relationship | Require competitive bids; rotate approvers |
| No Supporting Documentation for Expenses | Money being hidden or allocated retroactively | Require receipts before reimbursement; refuse reimbursement without docs |
| Travel Expenses Significantly Higher Than Budgeted | Possible inflated claims or personal travel charged to grants | Review supporting documents; require pre-approval for future travel |
| Employee Has Unrestricted Access to Check Stock or Accounting System | Could forge checks, alter records, or hide transactions | Immediately restrict access; implement approval workflows |
| Reconciliation Issues: Checks Written But Unaccounted For | Possible fraudulent checks or missing documentation | Investigate immediately; freeze check writing authority |
| Grant Budget Variances: Actual Spending Doesn't Match Approval | Unauthorized charges to grants or misallocated costs | Investigate with grant manager; review supporting documentation |
| Employee Resistant to Taking Vacation or Time Off | Fraud often collapses when perpetrator isn't present to manage it | Mandate vacation; require someone else to handle duties while gone |
Most internal fraud is committed by long-tenured, trusted staff. They exploit trust and informal processes. Don't let longevity override controls. In fact, long-term employees should be subject to the same segregation of duties as everyone else.
Building a Whistleblower Protection Program That Works
Fraud is often reported by employees, Board members, or program participants—not caught by controls. But people only report if they believe they're protected from retaliation.
Elements of an Effective Program
- Clear Reporting Channel: Don't make someone report fraud to their boss. Establish a dedicated email or phone line (even if it's a Board member's email marked "Confidential"). Many small nonprofits use a third-party hotline service (often ~$500/year).
- Anonymity Option: Allow anonymous reports. Some fraudsters are only revealed when someone can report without fear of identification.
- Retaliation Policy: Document a formal policy that prohibits retaliation against anyone who reports suspected fraud in good faith.
- Investigate Promptly: Don't sit on reports. Assign investigation to someone independent of management (often a Board member or outside attorney).
- Documentation: Document your investigation, findings, and corrective actions. This protects you if the report involves a terminated employee.
Communication
Annually, communicate your whistleblower policy to all staff. Include it in employee handbooks and orientation materials. The act of communication signals that your organization takes fraud seriously.
What to Do If You Discover Fraud
You've discovered suspicious transactions, an employee confessed, or an auditor flagged something. Here's the sequence:
Step 1: Don't Panic or Confront Alone
If you suspect fraud, don't immediately accuse the employee or demand explanations. You may misunderstand; you may contaminate evidence; you may expose your organization to a wrongful termination lawsuit.
Step 2: Document Everything
Write down:
- What you observed (suspicious transactions, discrepancies, etc.)
- When you observed it
- Who else knows
- Any supporting documents (invoices, timesheets, emails, etc.)
Step 3: Report to Leadership and Board
Immediately notify your Executive Director (if you're not the ED) and Board Chair or Audit Committee Chair. Don't discuss with other staff or post about it internally. Information spreads, and the alleged perpetrator may destroy evidence or flee.
Step 4: Consider Legal/Investigative Support
Depending on the severity, consider:
- Internal Investigation: A Board member or Finance Committee member conducts interviews and reviews documents.
- External Investigation: Hire a CPA, attorney, or investigator (especially if the fraud is large or involves leadership). This costs money but protects you legally.
Step 5: Preserve Evidence
Do not delete emails, alter documents, or remove bank statements. Forensic analysis may be needed, and destruction of evidence is itself illegal.
Step 6: Notify Your Grant Funders
Most federal grants require you to notify the funder if fraud is discovered. The notification requirement is usually in the grant's terms and conditions. Waiting or hiding fraud will only make things worse when discovered later.
What to tell the funder: A clear, factual report: what happened, when you discovered it, how much money is involved, what you're doing about it, and whether restitution is being sought.
Step 7: Take Corrective Action
Whether the investigation confirms fraud or clears the person, implement corrective actions:
- Strengthen controls (e.g., add another approver for large transactions).
- If fraud occurred: recover funds, terminate or pursue legal action against the employee, and review related transactions to find other fraud.
- If controls failed: document what went wrong and how you're fixing it.
Step 8: Report to Auditors
Inform your external auditors of suspected or confirmed fraud. They need to know, and the audit process will often investigate further.
Don't assume you'll never recover fraudulent funds. Many organizations have successfully recovered money through restitution agreements, civil suits, or insurance claims. Consult an attorney about your options.
Building a Culture of Ethical Financial Management
Controls and policies are only as strong as the culture that supports them. Organizations with strong ethical cultures have less fraud because:
- Leadership demonstrates integrity in their own financial practices.
- Employees understand fraud harms the mission they care about.
- Questions and concerns are welcomed, not punished.
- Accountability is consistent, not selective.
Practical Steps
- Lead by Example: If you're leadership, follow the same controls you require of others. No one approving their own expenses, no shortcuts for "trusted" people.
- Make the Mission Clear: Remind staff why fraud matters. Embezzled funds are resources stolen from the people you serve.
- Train Staff: Annual training on grant compliance, allowable expenses, and proper procedures. Make it interactive and relevant, not a boring checklist.
- Ask Questions: Create a culture where staff can ask "Is this allowed?" without fear. An employee asking questions is preventing fraud, not creating it.
- Celebrate Accountability: When an employee reports a concern or identifies a control weakness, treat it as a gift. Thank them, investigate, and follow up on corrective actions.
Low-Cost Fraud Prevention for Small Nonprofits
Resources are limited in small nonprofits. Fraud prevention doesn't require expensive software or consultants. Here are high-impact, low-cost strategies:
Under $500 to Get Started
- Policy Templates: Adapt existing nonprofit policies (many are freely available from local nonprofit associations or law foundations).
- Control Documentation: Use a simple spreadsheet to document your controls, who's responsible, and testing frequency.
- Board Training: Host a 2-hour Board training on fraud risks and oversight responsibilities. Find a volunteer CPA or local nonprofit consultant to lead it.
Under $2,000 per Year
- Part-Time Bookkeeper: Hire a bookkeeper 10 hours/week to reconcile accounts, review invoices, and prepare financial reports for Board review. This often costs $300–800/month.
- Whistleblower Hotline: Contract with a third-party service to provide an anonymous fraud reporting hotline (~$500/year).
- QuickBooks or Similar Accounting Software: ~$20–50/month. Enables audit trails, permission controls, and better segregation of duties than manual bookkeeping.
What NOT to Cheap Out On
- External audits. Your funders likely require them, and they catch fraud.
- Legal review of fraud policies and grant compliance requirements. One consultation with a nonprofit attorney (~$500–1,500) can save thousands in compliance problems.
- Investigation of suspected fraud. Cutting corners on investigation makes things worse, not better.
How to Create Your Fraud Prevention Action Plan
Don't try to overhaul everything at once. Here's a phased approach:
Month 1: Assessment
- Board meeting: Discuss current fraud risks and control gaps.
- Document existing controls.
- Identify the biggest risks in your organization (e.g., procurement, payroll, grant charges).
Months 2–3: Foundation
- Draft and adopt fraud prevention policy and whistleblower policy.
- Establish segregation of duties for the highest-risk areas.
- Set up a Board Audit Committee or assign audit responsibilities to Finance Committee.
Months 4–6: Build
- Implement monthly Board financial reviews.
- Train staff on grant compliance and fraud prevention policies.
- Set up a quarterly spot-check process (e.g., Audit Committee reviews 5–10 transactions monthly).
Months 7–12: Monitor and Test
- Test controls quarterly to ensure people are following them.
- Review for red flags.
- Update policies based on lessons learned.
Key Takeaways
- Grant fraud is more common than most nonprofits want to admit, but it's largely preventable through thoughtful controls.
- 2 CFR 200.303 requires controls appropriate to your organization's size and risk—not a one-size-fits-all bureaucracy.
- Segregation of duties is the foundation. Start with the highest-risk areas: procurement, payroll, and grant charges.
- Board oversight transforms controls from paper into practice. An active Audit Committee or Finance Committee multiplies your fraud prevention power.
- Whistleblower protections work. Employees often spot fraud first.
- If fraud is discovered, act promptly and transparently. Notify your funder, investigate, recover funds, and learn from what went wrong.
- Culture matters as much as controls. An organization with strong ethical leadership has less fraud.
- You don't need unlimited resources. Start with free or low-cost tools, and focus on the highest-risk areas.
Fraud prevention is a continuous commitment, not a one-time fix. But the investment in controls, Board oversight, and ethical culture pays dividends in protected finances, reduced audit risk, and preserved funder relationships.
Frequently Asked Questions
Yes, absolutely. With 3 staff, segregation means: Employee 1 requests a purchase, Employee 2 (or a Board member) approves it, and Employee 3 (or the accountant/bookkeeper) processes it. For very small operations, bring Board members or volunteers into the approval loop. The key principle is preventing one person from controlling the entire transaction.
Start with an internal investigation led by a Board member or Finance Committee member. Document everything: the discrepancy, transactions involved, and interviews with relevant staff. If the fraud is large or involves complex accounting, consult a nonprofit attorney for guidance. Many communities have legal aid organizations or local universities with nonprofit clinics that offer reduced-cost legal reviews.
Contact your grants officer at the funder first, by phone if possible. Explain: what happened, when you discovered it, how much money is involved, what immediate steps you've taken, and your plan for investigation and corrective action. Follow up with a written report within 5 business days. Most funders appreciate transparency and proactive notification. Hiding fraud, when later discovered, damages trust irreparably.
Not required, but valuable. A simple anonymous reporting option (an email to the Board Chair marked confidential, or a Google Form linked from your staff portal) costs nothing. A third-party hotline service costs ~$500/year and provides professional handling and documentation, which is worthwhile if you have significant grant obligations or Board members comfortable with the investment.