The St. Louis Division of the Federal Bureau of Investigation recently announced that the former Chief Financial Officer of a well-respected worldwide charitable organization plead guilty to a scheme to defraud the organization of more than $800,000. In light of this news, it is instructive and timely to address the important role the Board of Directors of not-for-profit organizations have in strengthening internal controls.
How prevalent is fraud?
According to a 2008 study by the Association of Certified Fraud Examiners (ACFE), U.S. businesses and organizations lose, on average, 7% of their annual revenue to fraud. The ACFE report indicates that the median fraud loss of a not-for-profit (NFP) organization is approximately $100,000 per incident, with the average fraud scheme occurring over a period of two years before being detected.
While there has been increased attention given to fraud in NFP organizations lately, we no not believe fraud is necessarily any more prevalent. Rather, the increased awareness appears to indicate that NFPs and their board members are working to identify fraud risk factors and implement the internal controls necessary to help prevent and detect fraud.
What makes an organization vulnerable to fraud?
Despite the type of fraud committed, there are some common threads within a victim organization that make it susceptible to fraud including:
- Weak internal controls
- Too much trust given to certain individuals
- Poor management oversight
- Poor board oversight
- Lack of financial audit
- No background checks
- Lack of independent checks on bank/credit card statements
- Failure to use a bank’s fraud prevention tools
How can my organization limit its exposure to fraud?
There are no guarantees that any of the measures your organization take will make it “fraud-proof.” However, by assessing your organization’s fraud risk profile and implementing strengthened internal controls over key areas, an organization can mitigate the likelihood of fraud occurring and remaining undetected.
What are some things to consider when evaluating my organization’s internal controls?
We appreciate that there is not a “one size fits all” answer to what is appropriate or necessary for each organization. Certainly the size of your organization, and other factors, will impact the level and types of controls you can practically and reasonably implement and monitor.
Following are some questions you should consider when evaluating your organization’s internal controls:
- Does my organization have an Audit Committee with at least one “financial expert” serving on the committee?
- If no Audit Committee, has the organization’s Board of Directors created a Finance Committee whose members are independent of financial reporting?
- Does my organization have a hotline or other anonymous reporting mechanism that has been clearly communicated to all employees, vendors, volunteers, and donors?
- Does my organization have a Code of Ethics?
- Does my organization have a Conflict of Interest policy?
- Does my organization have formal internal controls in place? Are they documented? Do we periodically address these controls to see where we can improve?
- Has my organization segregated duties to the best of its ability including:
- Separating check signature authority from check requests/printing ability
- Separating bank reconciliation duty from depositing cash
- Logging checks received, endorsing them and depositing them
- Maintaining an approved Vendor File with complete contact information.
- Does my organization have sufficient insurance coverage?
- Do we protect our Board of Directors with a Directors and Officers (D&O) Liability policy?
- Do we protect our organization with adequate general and professional liability policies?
- Do we protect our organization against theft by obtaining Fidelity Bonds on key employees and any employees handing cash?
- Does a senior level employee, preferably the CEO, receive, open, and review the bank statements? Are reconciliations performed and reviewed timely?
- Does a member of the Board of Directors or Audit Committee receive and review the investment statements?
- Does my organization have an individual or department responsible for analyzing the financial statements on a regular basis for irregularities and reporting those findings to the Board of Directors or Audit Committee?
- Does the CFO or member of the Board of Directors or Audit Committee review the organization’s adjusting journal entries periodically?
- Do the individual members of the Audit Committee carefully read the periodic financial statements? Do they understand the correct key performance indicators?
- Does the Audit Committee evaluate whether there are oversight mechanisms in place and functioning that will prevent, deter, or detect management override of internal controls?
- Does my organization train its employees on fraud risk factors and their role in preventing, detecting, and reporting fraud?
- Does my organization have a fraud risk management policy?
- Does my organization require individuals to take vacations?
- Does management oversee those areas in my organization that might be susceptible to fraud, such as cash receipts and cash disbursements?
- Does my organization carefully consider “insider transactions”? Do you consider whether you or the organization would be embarrassed to read the details of such a transaction in the newspaper?
- Does my organization train individuals to observe significant changes in the lifestyle or behavior of its employees? Does my organization consider whether significant changes in an employee’s lifestyles or behavior could be an indicator of employee misconduct?
- Does my organization have a policy or procedure to monitor computer use?
- Does my organization have a specific expense reimbursement policy?
- Does my organization use fraud prevention tools, such as positive pay, call back features on wire transfers, ACH blocks and filters, and a lockbox to collect receipts?
What if my organization is a victim of fraud?
If you suspect fraud within your organization, the Board has a fiduciary responsibility to properly investigate. Here are some tips on handling the investigation of fraud:
- Get the facts
- Keep documentation
- Contact an employment law attorney
- Contact your CPA
- Read your insurance policies
- Consider filing a police report
- Consider prosecuting the fraudster
Find Out More
Join us for our annual Not-For-Profit seminars in January 2009. Sessions will be held in Kansas City and St. Louis. A number of topics will be addressed including fraud, risk management, an update on Form 990, and other current topics.
Under U.S. Treasury Department guidelines, we hereby inform you that any tax advice contained in this communication is not intended or written to be used, and cannot be used by you for the purpose of avoiding penalties that may be imposed on you by the Internal Revenue Service, or for the purpose of promoting, marketing or recommending to another party any transaction or matter addressed within this tax advice. Further, RubinBrown LLP imposes no limitation on any recipient of this tax advice on the disclosure of the tax treatment or tax strategies or tax structuring described herein.
All Not-For-Profit News Not-For-Profit Overview