August 2016, Joan M. Renner, CPA, CGMA, Director, 501(c)(fit!)®
An association loses $900k from unauthorized disbursements…a housing agency loses $30k from diverted income…another association loses $5 million in fake vendor scheme… These news stories about nonprofits victimized by embezzlement are enough to cause a nonprofit Executive or Board member to lose sleep. No nonprofit leader ever wants to read that their organization has become the next victim. Sadly, the typical organization loses 5% of revenues each year to fraud. If you’re a $1 million nonprofit, that’s an estimated $50,000 each year. The sad news is:
- The average fraud loss is $145,000,
- the fraud usually lasts 18 months,
- it’s usually an embezzlement, and
- the smallest organizations suffer disproportionately large losses from embezzlement.
The good news is: anti-fraud controls can reduce fraud losses.
Can you believe these fraud headlines?
$900k lost from unauthorized disbursements: In November 2014, a former association CFO pleaded guilty to embezzling more than $928,000 from a San Francisco trade association from 2007 to 2014.
How did he do it? As CFO, he had complete control over all aspects of the association’s finance function including keeping the books, authorizing payroll, and paying bills. He wrote checks payable to himself and payable to “cash” totaling more than $550,000. He made unauthorized purchases of more than $250,000 on the association’s credit cards, and he put an overpaid acquaintance on the payroll.
How did he conceal it? He just omitted the fraudulent transactions from the books and the financial statements he sent to the Board. He made false entries on the books to cover up his personal charges.
$30k lost from diverted income: In December 2011, a former director of a nonprofit housing agency pleaded guilty to diverting more than $30,000 of rent money from tenants of the nonprofit into his own bank account during 2008 and 2009.
How did he do it?As director of property management, he collected rent money from tenants, but instead of handing it in to the agency, he deposited it into his personal bank account. He even moved an unauthorized tenant into a vacant unit and set up a post office box to collect that rent as well.
$5 million lost in fake vendor scheme: In November 2013, a former administrative assistant pleaded guilty to embezzling more than $5 million from her association employer from 2005 through 2013.
How did she do it? The administrative assistant’s duties included processing vendor invoices, even approving some invoices. In addition to the valid invoices she processed, she submitted false invoices from real organizations. Because signed checks were returned to her after signing, the administrative assistant made sure that the checks from the fake invoices went to her own bank accounts that she had set up using names similar to the real vendors.
She also submitted invoices to the organization from her own business,which did no work for the organization. She left these payments off her budget reports.
Eventually, after a call from the perpetrator’s bank, her employer discovered her fraud. The association said they were “truly stunned” and referred to the perpetrator as a “long-time, trusted employee” who had “exploited every gap in their system” using “deception and coverup”. The association further said they would “apply the lessons we have learned from this experienced, as well as share them with others in the nonprofit community.”
Developing Anti-Fraud Controls
Anti-fraud controls are procedures an organization implements to prevent or find and correct fraudulent transactions. Anti-fraud procedures are not one-size-fits-all. In designing the right policy, management and Board members must balance the cost and restrictions related to internal controls with the protection and accountability they offer.
Here are some concepts and steps that will help nonprofit managers and Board members design and evaluate anti-fraud procedures that are right for an organization:
- Understand that anti-fraud controls are the responsibility of management and the Board. It is their fiduciary duty to safeguard the assets of their organization.
- Understand that anti-fraud controls may be more important in the nonprofit environment than they are in a Board member’s own business. Business owners may take risks with their own money, but in the nonprofit environment, the general public expects a high degree of accountability.
- Make controls a Board priority. Some Boards dismiss anti-fraud procedures as unattainable or inefficient, presuming that organizations should just do the best they can when it comes to internal control. This approach can leave the organization open to fraud. Remember that all Boards are expected to carry out their fiduciary duty, even in situations where resources and/or staffing is limited.
- Implement an annual assessment of anti-fraud controls. Management will inspect the organization’s transaction processes annually, identifying any new risks and updating anti-fraud controls. Read and update your policies and procedures document for each area such as disbursements, receipts and payroll. Ask “how could someone steal money in this area, and if they did, how would we find out?”Enlist the assistance of outside accountants to help with this review as needed. Management will report the results of this process to the Board.
- Look for new ways of doing things that offer increased anti-fraud controls. For example, instead of allowing someone to pay bills electronically on a system that requires no further approval to release disbursements, switch to paying bills using an online banking platform that requires a second level of approval.
- Small organizations may need to enlist Board members to help with anti-fraud controls. If a second employee is not available to review and approve a transaction, a Board member may need to step in to review and approve. Online processes make it easier to log in and oversee transactions.
With frauds like these in the headlines, nonprofit leaders are aware that no organization is immune. Smaller organizations may not know how to address the risk of fraud given their limited resources. Using the points above, nonprofit managers and Board members can develop anti-fraud controls that address fraud risks in a way that is best for the organization.