Nonprofits may be more susceptible to fraud than many other organizations. With their missions of helping others and serving the public at large, most people think that no one would steal from a nonprofit organization. The bad news is that nonprofits' often limited budgets and staff can lead to inadequate or nonexistent internal controls, making nonprofits a tempting target for fraud. The good news is that even with a limited workforce and a small budget, there are steps that can be taken to provide for additional protection. Following are five internal controls that organizations of any size can implement:
1. Segregate duties. This may be the most important control a nonprofit can implement. In its most basic form, segregation of duties simply means that more than one individual is responsible for initiating, approving and recording every disbursement or receivable transaction. When one person is responsible for each of these activities, it presents the opportunity to perpetrate and conceal fraud. For instance, a woman recently stole more than half a million dollars from a small nonprofit over the course of several years by using the company credit card* to pay personal bills and make personal purchases. This woman paid the credit card bills, was not required to obtain authorization before using the company credit card, recorded expenses in the general ledger, and reconciled the bank statements. Her fraud was not detected until the organization began to experience significant financial difficulties.
Segregating duties does not necessarily require a large staff. For example, involving board members may be an option. The treasurer of the board can be designated as a check signer. An employee not involved in the accounting function or a long-serving, trusted volunteer can help open the mail, prepare a check log and take deposits to the bank. Simply allowing one person to handle all of the financial and accounting duties creates an opportunity that may prove too tempting to resist.
*WBL recommends against the use of company credit cards, as their use is difficult to control and they increase the allure and opportunity for fraud.
2. Review financial information, such as budget-to-actual comparisons, each month. Another key oversight control is a monthly review of financial information by management and the Board. At a worldwide charitable organization with a home in Nashville, a woman stole nearly $60,000 by writing checks to herself, signing the checks and forging the second signature. When recording the checks in the organization's books, she would change the payee to a regular vendor, so when the system reports were reviewed, only legitimate vendors were listed. Had the Board been reviewing the monthly financial statements along with budget-to-actual reports, they would have noticed that expenses were exceeding expectations, and could have uncovered this fraud sooner.
3. Review third-party reports, such as bank statements, each month. Reports received from third parties, including bank statements, should also be received and reviewed carefully on a monthly basis by someone other than the individual reconciling these statements. Similarly, monthly payroll reports should be received and reviewed by someone other than the individual submitting payroll to the payroll provider and monthly credit card statements should be received and reviewed by an individual who does not use the organization's credit card. In smaller organizations, where management may be the same individuals in charge of the accounting function, these reports could be received and reviewed by a member of the Board, especially if the organization still receives paper bank statements. This practice would have prevented the fraud that occurred at a nonprofit that provides counseling and other mental health services. The president and executive director of the organization was charged with four felony counts of grand theft embezzlement for stealing more than $150,000 in funds by using a company credit/debit card linked to the center's checking account for his own daily expenses. Had a member of management or the Board been receiving and reviewing monthly bank statements, they would have been able to detect this fraudulent activity. Review of these financial reports requires some additional time each month, but no additional investment in resources or personnel is needed. Members of the Board can volunteer their time to provide this oversight, allowing the organization to implement this control without increasing its staff or payroll.
4. Segregate responsibilities for large disbursements. A best practice in a good system of internal controls is to require authorization by two employees for larger disbursements, such as approval of salaries, cash outlays and investments. For example, salaries should be approved by the President or Executive Director, and the President's salary should be approved by the Board. As noted in example #2, above, it is still possible to forge a second authorization, so this control cannot stand alone, but should be part of an overall system of internal controls. Again, there may be an additional time commitment required, but it shouldn't require the hiring of additional staff.
5. Set the tone with a code of ethics. It is important that strong controls fit into an overall culture of ethics within an organization. Creating and communicating a code of ethics that all the organization's staff and volunteers, including management and Board members, are required to follow helps set an ethical tone for the organization. The "tone at the top" trickles down to the rest of the organization. It should include a whistleblower policy that allows employees to report suspected fraud anonymously. More than half of all fraud cases are brought to light through tips.
A limited budget or small staff should not stand in the way of effective business practices that protect against fraud. Leverage the generous donations of time and energy already offered by the Board and other volunteers to augment what management and staff do to run the organization. The system of controls outlined above can go a long way toward protecting an organization's mission and its most valuable asset, its reputation.
Call or email Patricia Yeager, WBL's Nonprofit Practice leader and assurance partner, today to discuss fraud protection strategies for your nonprofit.