Monday, February 23, 2009

Reduced cash receipts = reduced cash theft

According to the BDO Not-for-Profit Fraud Surveys, cash theft is the most prevalent form of fraud.

Risk

Cash is an easier target to defraud than funds that have been deposited into a bank account.

Methods to Mitigate the Risk

Many organisations accept cash donations, membership fees or other income. Cash can easily be taken and is difficult to trace, and is therefore a significant fraud risk. To reduce the risk of cash theft, encourage deposits directly into the organisation's bank account as first preference, or otherwise donations or payments by credit card (of course credit card fees will need to be considered).

Of course, controls must then be maintained over the relevant bank accounts to ensure cheque fraud or online payment fraud does not occur.

Monday, February 16, 2009

Do your employees and volunteers know your policies?

It is surprising how often, during a fraud investigation, the person being investigated says “I didn’t know I couldn’t do that”. It’s hard to understand how someone could think that doing such things as fuelling their private car with the organisation’s fuel card or paying for a family dinner on the organisation’s credit card is acceptable. However, it is an excuse that is regularly heard.

Risk

The risk is that an employee or volunteer, when being investigated for fraud, will use excuses such as:
  • "I didn't know I couldn't do that"; or
  • "No one told me that wasn't acceptable".

Methods to Mitigate the Risk

It is important that employees and volunteers understand the organisation's policies. Firstly, the organisation must have appropriate policies in place. No matter what the size of the organisation, policies should be in place, suitable to the size of the organisation.

Once appropriate policies are in place, there are a number of ways an organisation can make sure employees and volunteers understand their policies. Examples include:

  • Develop a training program that employees and volunteers are required to attend. When attending, the employees and volunteers are required to sign an attendance sheet confirming their attendance at the training and a declaration of their understanding of the policies.
  • Provide online training on the organisation’s intranet whereby employees and volunteers are ‘tested’ as to their understanding of policies and test results are maintained for future reference.
  • Have employees and volunteers sign a declaration on a yearly basis (at the time of an annual performance appraisal or similar is an appropriate time) declaring that they have read and understood the organisation’s policies. Policies will need to be readily available to employees and volunteers so that they can have appropriate time to familiarise themselves with the policies.
  • All new employees and volunteers should also receive training on the organisation’s policies and sign an appropriate declaration of their understanding of the policies.

Sunday, February 8, 2009

Using Internet Banking

Online banking is a convenient and cost-effective method of paying creditors and employees. However, online banking fraud is on the increase. The BDO Not-for-Profit Fraud Survey 2008 found that online banking fraud had increased to 8% of all fraud reported from 3% in 2006. This is in contrast to the decrease in cheque fraud from 10% of all fraud reported in 2006 to 5% in 2008.

Risk

Organisations do not maintain appropriate controls over their online banking facilities and leave themselves open to not only internal fraud but also external risks such as having the facility hacked.

Methods to Mitigate the Risk

As more and more organisations embrace the use of online banking rather than using cheques, it is understandable that online banking fraud will also be on the rise. Some of the issues to be considered in relation to online banking fraud are as follows:

  • Many organisations have long required two signatures on cheques. However, when transferring to online banking they only set up one password or, if there are two passwords, both password holders know both passwords. An organisation should consider the use of a password for online banking in the same light as it does a signature on a cheque. A cheque signatory would not allow another person to sign a cheque using their signature (this is forgery), so why would they give their password to another person? Unfortunately it happens. A person having a password to online banking should never give that password to anyone else. An Online Banking Policy should clearly set out that the holder of a password will not provide that password to another person.
  • The use of security tokens should be introduced. Security tokens are provided by financial institutions as a second security step or second level of authorisation. When a person logs onto online banking they will enter their user name and password. The number that is showing on the security token is then required. Even if someone discovered the password to the account, the security token number is constantly changing.
  • Only ever log onto internet banking on a familiar computer (i.e. one that you know is appropriately protected with firewalls and anti-virus software). Online banking has made it easier for organisations, as a person authorising the online banking payments can log in from any location to do so. However, the password holder needs to be confident that the computer he or she is using does not have a virus that could jeopardise the security of their internet banking.

Monday, February 2, 2009

Never forget the Mission of the Organisation

A not-for-profit organisation’s mission is the reason for its existence. Funds are raised to ensure it can undertake its mission. When funds are lost to fraud, the organisation is unable to undertake its mission to its fullest potential.

Risk

The organisation’s funds are not able to be utilised in meeting the mission of the organisation as they are taken by the person defrauding the organisation. Also, a subsidiary risk is that when an organisation discovers that a person (be it a paid employee or a volunteer) has committed fraud against the organisation, the organisation takes pity on the person and does not take appropriate action, to the detriment of the organisation.

Methods to Mitigate the Risk

The charitable nature of not-for-profit organisations can mean that they sometimes will take pity on a person who commits fraud (especially if that person has some form of problem such as a gambling addiction or serious illness). The concern is that when it is discovered that a person has committed a fraud, the person does not have their employment terminated, but is shifted to a different position within the organisation so that they will not be tempted to commit the same fraud again. It is interesting to note that the BDO Not-for-Profit Fraud Survey 2008 found that 20% of organisations did not terminate the employment of the person who committed the fraud.

It is not only the fraud that takes much needed funds away from the mission of an organisation. It must also be remembered that there are a number of additional costs to the organisation as a result of fraud. Examples include the time it takes someone internally to investigate the fraud or the cost of bringing external expertise into the organisation to conduct the investigation, time taken during the court process, an increase in insurance costs as a result of a claim being made, and the potential loss of funding (e.g. donations or grants). It is difficult to put a dollar value on these additional costs but they all take funds and time away from the mission of the organisation. However, a significant issue to consider is how the reputation of the organisation will be affected as a result of the fraud.

Whenever an organisation considers the issue of fraud and what actions should be taken as a result of fraud occurring, the mission of the organisation should be front of mind. By not terminating the employment of a person who has committed fraud (even if they show remorse and repay the money) there is an opportunity for the person to reoffend. It also sends the wrong message to other employees and volunteers, which may result in more fraud being committed. Once again this takes funds away from the mission of the organisation.

To protect its mission statement, an organisation should include the following statements in its Fraud Control Policy:

  • The mission of the organisation is the reason for its existence, therefore fraud will not be tolerated as it takes much needed funds away from its mission;
  • An employee who commits fraud will have their employment terminated;
  • The organisation will take all actions possible (if it is economically viable to do so) to recover funds from the perpetrator of the fraud.