I consider myself a positive person. I focus on the good in people. I trust people, perhaps too much, some would say. This is true in many areas of my life, including my accounting practice, and especially true when it comes to my many nonprofit clients.
I have always felt that anyone working for a nonprofit is doing so because he or she cares about the organizations mission. It certainly can’t be about the money. People don’t venture into the world of nonprofits to strike it rich. Like others, I have, therefore, naively assumed that nonprofit staff can always be trusted … for they are inherently good, right?
This is why I have been so surprised at what is by far the most striking trend I have noticed in the nonprofit community: Fraud!!!
Apparently, even the “good” can stray. Such is the human condition I suppose, especially when you consider the economic crisis under which we have been living for the past few years. No matter what the reason is, fraud in the nonprofit world is definitely on the rise. I have worked with nonprofits for almost 25 years. The first 21 years passed without even one case of employee corruption, yet in the last four years, I have discovered fraud five times.
Although I’d love to get into a discussion about why otherwise good people sometimes do bad things, it’s probably more helpful to explore how fraud happens in the nonprofit world and which internal controls can help prevent it from occurring in the first place. Here are four actual cases of fraud I discovered, along with some suggestions for simple internal controls that can help keep these things from happening.
CASE 1: THE SECRET BANK ACCOUNT
This one is actually my personal favorite because of how innovative it was. The executive director (ED) of a large neighborhood association opened up a second bank account without the knowledge of the board, putting only himself as the signer on checks. He then began funneling donations to this bank account.
Making this even sadder, the neighborhood had just been hit by a tornado and residents whose homes had been spared were donating money to help other residents whose homes were damaged. Many of these donations ended up in this secret bank account. Periodically, the ED would write himself a check depleting the bank account. Eventually the board discovered what was happening, but not before the perpetrator had fled the state. The total amount taken was over $35,000.
Preventive Internal Controls:
1.) Proper Organization Setup: Most banks require that someone opening a bank account be an officer of the organization, and will check with the Secretary of State to see if this is the case. Therefore, it is vital that no matter how small the organization is, no employee, including the executive director, is listed as an officer. In addition, many banks will ask for a copy of the bylaws and look for a section indicating who can be a signer on accounts. It is, therefore, a good idea to put verbiage in the bylaws addressing this issue. For example, you should insert a policy that no employee can be a signer. Alternatively, there should be a statement that there must be at least two people listed as signers – one of which is an officer – when opening an account and those signatures must be obtained in person at the bank.
2.) Proper Board Oversight: Since some banks may not check things out, especially small community banks who may know the nonprofit staff personally, it’s very important that at least two people on the board review, on a monthly basis, bank statements, bank reconciliations and financial statements with comparisons to a budget. By segregating these restricted donations from the rest of the organization’s income on the financials and checking the reported numbers out with people involved with soliciting these restricted donations, it would have been obvious that actual donations collected were much higher than those reported on the financials.
CASE 2: CREDIT/DEBIT CARD USED FOR PERSONAL CHARGES
Not the most exciting choice for fraud, but very effective! In this case, the organization’s ED was charging her personal expenses on the company credit card. Not to draw too much suspicion, the individual charges weren’t large and were at stores where business purchases were already being made. $30 dollars here, $40 dollars there; over time, the money added up. Since no one was checking, she got bolder until finally a charge at a department store for over $300 was discovered during an annual audit we were performing. Personal charges ended up totaling over $25,000 during a 3-year period.
Preventive Internal Controls:
1.) Reimbursement for Expenses in lieu of company credit/debit cards: Require staff to use a personal card for business charges and then be reimbursed after presentation of an expense report with attached receipts. The expense report and receipts should be reviewed and signed off on by the ED for a staff member request, and a board member for an ED’s request, before a check is created. Finally, all checks written to the ED and other staff should be copied and sent to a board member with a copy of the expense report and receipts attached.
2.) Detailed board member review of credit/debit card charges: Sometimes, operations require the use of a credit/debit card often – and it may not be feasible for an employee to qualify for a card with the needed credit limit. Furthermore, some boards may not like the idea of forcing staff to incur a personal liability for business expenses and wait for reimbursement before paying their bill. However the reward points that many cards carry may offset any ill will this may cause. Nevertheless, some organizations may prefer to issue credit/debit cards to employees. Just make sure at least two board members get a copy of the credit card statement (or bank statement in the case of debit cards) for review each month. I know of one organization that even includes the credit card statement as part of the board’s financial packet each month. Even though not everyone looks through every charge, just the knowledge that this is happening is enough to scare would-be perpetrators from trying anything.
3.) Use P-Cards (Purchasing Cards): Used by many larger entities, these cards function like credit cards, but also come with the ability to limit total charges per month per card holder. In addition, they provide more detailed reports on charges that can be sent directly to those reviewing charges. Nonprofits can make use of the P-Card to control amounts charged and thereby discourage personal use. Just as with regular credit/debit cards, board members should be given a report to review charges.
CASE 3: FICTITIOUS VENDORS ON CHECKS AND CHARGES
In this case, the board of a large condominium building contracted with an outside management company to handle the operations of the building, including selecting vendors when repairs were needed as well as paying those vendors. The board received reports and statements showing who got paid for what and when.
Everything seemed fine until I was contracted to perform an annual audit, during which I asked for copies of invoices detailing what made up the repairs’ expense. The resident manager, who worked for the management company, seemed annoyed and unresponsive to my request. I finally decided to leave the field and explained to the client that I couldn’t complete my work until I received this documentation.
I never heard anything more from the client until a year later when it was discovered that this manager had opened up a bank account in the name of a fictitious repair company, with him as the owner. He routinely wrote checks to this “company,” depositing the checks into this account. In this case, he had dummied up invoices for the board to see, but no one ever questioned who this company was. I think he knew better than to give them to me. I found out what had been happening when the association called me to testify in court against the man. He had taken over $60,000 using this method.
Preventive Internal Controls:
1.) Segregation of Duties: Having a board member sign all checks for expenses other than repeating ones such as the water bill can help discourage this behavior. Invoices should be reviewed before the check is signed. In this case, since the board member lived in the building, implementing this control would be easy, but this may not always be a practical solution.
2.) Board Review of Vendors: Have someone on the board review a list of bills paid, organized by vendor. This report is actually already in QuickBooks: “Expenses by Vendor Summary Report,” and can be found in the reports menu. The board member should live in the same city as the nonprofit in order to be familiar with the major vendors in the area. A quick check online should be made for any vendor the board member doesn’t recognize, and if the result doesn’t satisfy the board member, a call should be made to the vendor. The only issue this problem wouldn’t address is if the actual check wasn’t written to the vendor name listed in the vendor report. This brings me to my last case.
CASE 4: CHANGING THE PAYEE ON CHECKS
Sometimes, it’s the most obvious of fraudulent acts can elude even the best of internal controls. In this instance, an organization engaged a bookkeeper to track and pay all bills, which he did meticulously. There was a copy of a bill, and all documents were reviewed and signed by the ED before a check was issued. Financials were reviewed regularly by the board, as well as the expenses by vendor report I discussed earlier. There was even a board member who reconciled the bank accounts monthly.
The only problem was that periodically, the bookkeeper would enter the check as being paid to one person in the accounting system, but would actually write the check to himself. When it was finally caught, the ED felt embarrassed that she hadn’t caught it earlier. However, it hadn’t occurred to her that someone would actually fraudulently write a check to themselves. After all, this leaves a paper trail of the offense. Yet, unless someone looks at the copies of processed checks from the bank, the fraud can go undetected for quite awhile. This is especially true if the perpetrator opens, and tosses, the past due notices from the actual vendors.
Preventive Internal Controls:
1.) Review processed checks: One obvious answer is to have someone who is not paying bills review processed checks from the bank. Most banks these days keep the actual checks, but provide images of the checks as part of the bank statement. Some will charge a fee for this service but it is well worth it.
2.) Segregation of Duties: An equally obvious answer is to not have the same person who creates checks for payment also be a signer on the account. If a signature stamp is used, make sure the person creating the checks has no access to it.
There are many other examples of fraud, from employees stealing inventory or office supplies to management staff with payroll service access giving themselves unauthorized raises. The list goes on and on. The point is that unfortunate as it may be, fraud is on the rise in the nonprofit world, and being good stewards of your organization means addressing the issue, no matter how uncomfortable it may be.