Internal Controls To Prevent and Detect Fraud at Small To Medium-Sized Not-for-Profits
The F word: Fraud. It is infamous in the accounting world and important that it is an “intentional” act. But why does it happen? How does it happen?
The fraud triangle is a famous model in the fraud investigation world and states that fraud can occur when the following 3 elements are present: Pressure, opportunity, and rationalization. The Association of Certified Fraud Examiners releases a report annually entitled “A Report to the Nations”, which can be accessed on their website: ACFE Report.The following are some examples of the findings from the report based on 2,110 cases of occupational fraud examined:
- Certified fraud examiners estimate that organizations lose 5% of their revenue annually
- The median loss per case is $117,000, and the average loss per case is $1,783,000
- 42% of frauds were detected by tips (that’s right, the number one-way fraud was identified was from whistleblower tips), with more than half of all tips coming from employees
- Asset misappropriation schemes were detected in 86% of cases (which means that, by volume, people want to steal assets); however, the losses incurred by financial statement fraud are much higher
- A typical fraud case lasts approximately 12 months before detection
Why Does This Affect Your Not-for-Profit?
Most not-for-profit organizations have budgetary constraints and lack the ability to pay for full-time and robust accounting departments. This creates a strain to implement strong internal controls. Many frauds occur when there are conflicts of interest, lack of segregation of duties, lack of monitoring, and poor control environments. These are often prevalent in small to medium-sized not-for-profit organizations due to a lack of resources. Based on these facts, it is imperative to implement certain layers of internal control to detect and prevent fraud from occurring. We have heard several stories and seen many frauds occur/investigated, especially at smaller to medium-sized organizations, and there are always common themes, the main one being a lack of internal controls.
What Are Some Internal Controls To Think About Implementing?
Although not an all-inclusive list, the following are common internal controls at not-for-profits that can be a low-cost/time investment but also highly effective in detecting and preventing fraud:
Cash Controls
- Use a lockbox; checks go directly to the lockbox as opposed to being handled internally
- Reconciliation of revenue report/cash receipts to cash deposited in bank/revenue recognized (third-party CRM, credit card reports, billing systems, etc.)
- Implementation of a dual signature on checks and bank signatory limits
- Subscription to ACH filter and Positive Pay through the banking institution, if those services are offered
- Independent review of bank reconciliations by someone not involved in the process of recording transactions
- Provide an individual outside the accounting department (for example, the Executive Director) access to view the online bank account to validate the bank statements are not altered when reconciliations are performed
- Provide the check run report to the Board for review and designate someone to verify the listing provided to the actual cleared check images to validate that checks were not altered after they were written
- Implementation of a third-party service, such as Bill.com, to perform the administrative functions and have the system document approvals
Payroll Controls
- Implementation of a change management control whereby a report of changes made is sent to an independent person outside the person who processes payroll
- Add a layer of review between the payroll posting in the general ledger and how it is coded to the general ledger by department
- Perform an analytic at the end of the year comparing W-2s by employee to the authorized salary for the year for reasonableness
Reconciliation Controls
- Independent review of bank reconciliations
- Independent review of general ledger account balances at interim dates (monthly, quarterly, etc.)
- Reconciliation of subsidiary systems to general ledger
- Reconciliation of third-party systems, such as donation portals and platforms, to the general ledger revenue accounts
Service Organization Controls
- Obtain service organization control (SOC) reports from the most common technology platforms used (for example, payroll processor) and review and validate complimentary user entity control considerations identified in the SOC reports are in place
- Identify areas where the service organization has findings noted in the report and identify controls internally that can address them
Board Governance and Monitoring
- Review of budget to actual reports
- Set up a tip line to report fraud
- Initiate a surprise internal audit on the bank reconciliation process or other areas, as needed
- Compare expectations to actual at the Board level – is the donation amount reasonable?
Other
- Chart out bank balances daily over the year and look for unusual trends
- Perform a proof of cash by adding up deposits in the bank and comparing them to revenue for a period of time to detect if items are being netted down, indicating potential theft
In addition to the above, many not-for-profit organizations outsource certain functions.Outsourcing functions can effectively reduce costs while adding strong segregation of duties and internal controls. If the above is not possible to implement with internal staffing, it is important to consider outsourcing as an option and compare the cost vs. benefit of this route.
Lastly, it is imperative that you perform some layer of fraud risk assessment at least annually and continuously update your internal controls at the Board level.The control environment (tone at the top) is important and if monitoring is taking place, fraud risk will most likely be reduced due to knowing someone is watching.With all internal controls, there is a cost-benefit associated with implementation, but the cost of having no internal controls is much higher than spending time and resources to implement effective internal controls within your organization.