In 2017, a man posing as an Atlanta-based tax consultant was sentenced to 27 months in prison for fraud and money laundering that impacted one of the largest health care organizations based in Louisville. The scheme involved tax credits falsely obtained through the Kentucky Department of Revenue.
Could this situation have been avoided? It’s hard to say without more detail. But after working with numerous businesses and organizations over the years, I find that many of the simple things that can help leaders manage the top fraud risks for not-for-profit organizations are overlooked or assumed for one simple reason. Trust.
If a large, for-profit organization like the one mentioned here can experience fraud, imagine the challenges for small not-for-profit organizations that have fewer staff and resources. Too often, leaders trust that vendors are carefully vetted and that financials and systems are accurate — managed with the proper controls. The organization may have part-time staff with limited hours and volunteer board members. Even with the best intentions and focus, they may have limited capacity to explore improved processes and systems.
Too much trust can impact more than the organization. You may risk the reputations and personal finances of leaders and volunteers who pledge to take fiduciary responsibility.
It is okay to trust people, but let’s add some facts and risk management by taking a look at the top fraud risks for not-for-profit organizations. The tips that follow can help staff and fiduciary leaders improve and monitor internal controls to support a healthier organization.
Top Areas of Fraud Risk
While fraud risk is not limited to these, here are some common areas for risk exposure that we’ve seen in not-for-profit organizations:
Payroll – Common fraud scenarios in payroll include fictitious employee accounts, padded timesheets or unapproved pay raises. The person in charge of payroll internally may have too much access to payroll systems and timecards and not enough oversight by other people.
Cash Receipts – The person who opens the mail or records accounts receivable can divert money coming into the organization. Donations, grants, bequests, and payments for services may be skimmed and not recorded. Special accounts may be set up that show funds that don’t exist, especially if those accounts are not used very often. They may become a slush fund from which someone personally borrows and re-deposits the funds. Another form of fraud, called lapping, is when someone steals funds and applies other money to the receivable to cover up the initial theft.
Cash Disbursements – Funds flowing out of the organization may go to fictitious vendors or organizations that are supposedly affiliated with the not-for-profit organization. The person in charge of disbursements may set up these accounts in the system for seemingly legitimate products or services. Accounts may also show payments that are more than the actual invoices, allowing someone to skim cash off the top.
Top Internal Controls
Among an organization’s internal controls, one of the top ways to manage risk is segregation of duties. Even if you have a small staff, you can draw upon board or committee members to manage roles that increase oversight of financial duties. For example, the personnel committee can review timesheets for accurate reporting before they are passed on to the payroll processor. Background checks and regular performance reviews of personnel are also important steps to manage risk.
In one case, a controller was hired by a not-for-profit organization, and it was later learned that the controller had an unfavorable discharge from previous employment. This kind of news can impact the reputation of the organization, even if the new hire doesn’t have any recently reported issues.
The board should also review all new vendor contracts and may require estimates from more than one vendor before approving products or services. A regular review of the approved vendor list and use of Better Business Bureau resources are simple ways to mitigate fraud risk from fictitious or unscrupulous vendors.
Check-writing privileges and reviews of bank statements are two other important areas of financial oversight. Board or financial committee members can review bank statements and reconciliations to support accuracy. Checks over a certain amount should be approved and require two signatures. The name on the check and the address it is mailed to should match the name and address on the invoice being paid.
The lack of internal controls can lead to inaccurate financial reporting. One of the common management issues we see among not-for-profits is that people involved with raising funds for the organization do not always communicate consistently with the people in charge of financial reporting. It is not always fraud, but a lack of communication, that creates risk for the organization. For example, bequests and pledges received by the development department are not always communicated on a timely or consistent basis to those in the finance department, leading to inaccurate ledgers.
How to Manage Risk
Not every not-for-profit organization requires a formal audit from a CPA firm, and this level of engagement may be financially challenging for the budgets of smaller organizations. However, organizations may consider working with a CPA to conduct agreed-upon procedures every few years. Essentially, this engagement can test selected internal controls and make recommendations for improvement. This third-party validation from a knowledgeable CPA or Certified Fraud Examiner (CFE) can not only support strong fiduciary oversight and management, but also demonstrate this fact to donors and other stakeholders. In addition, knowledge of this engagement may deter “sticky” fingers in the organization if people know that an outside party will be involved.
Agreed-upon procedures can be arranged to fit your organization’s needs, looking at areas such as internal controls surrounding payroll, cash receipts or cash disbursements. They could also include looking at various policies and procedures surrounding fixed assets (capitalization and depreciation), in-kind contributions or financial reporting.
Don’t let fear of surprises or too much trust in your organization’s management result in the wrong kind of oversight: the oversight that misses areas of risk. At the least, a third-party agreed-upon procedures engagement can help improve accuracy in reporting. At best, you may mitigate the risk of fraud and reputation damage. Contact us with your questions about internal controls and risk management support for not-for-profits.
Sarah Antle, CPA, CFE, is a Certified Fraud Examiner and Director with DMLO CPAs.