Sunday, October 10, 2010

How Up to Date Are Your Policies?

One problem I see on a regular basis when I am conducting fraud investigations is a lack of policies, or policies that are out of date. Let me give you an example. I regularly see employees using credit cards issued for organisation use for personal use.

When I am conducting these types of investigations, employees make comments such as “I didn’t know I couldn’t use it like that” or “Everyone else uses the card to buy personal things, why can’t I?”. If there is an up-to-date policy that employees are required to be aware of, these types of issues should not arise.

So what should an organisation do? Here are some suggestions:
  • Make sure policies are reviewed on a regular basis. What is a regular basis? That is dependent on individual organisations – yearly is common.
  • Do policies clearly set out what is and is not acceptable behaviour of your employees and volunteers?
  • Have policies that are in plain language and are straight to the point. There is no need to have “long winded” policies that are difficult to read.
  • Make sure employees and volunteers are aware of and understand policies. This can be done by having policies available on the organisation’s intranet, having employees sign off each year to say they have read and understand the policies (this can be done at the induction when they are first employed and at their yearly performance appraisal).
  • If an event triggers a potential issue with a policy, update it when the issue arises – don’t leave it until another problem arises.

Sunday, August 29, 2010

How Important is Your Information?

Every nonprofit organisation maintains a significant amount of information. How much is that information worth to your organisation – donor lists, methods of preparing sponsorship proposals or grant proposals?

It is difficult, if not impossible, to place a value on these, but if someone were to take copies, the future reduction in income could be significant. So how do you protect your information? Some examples include:
  • Do not allow staff to use external devices such as external hard drives on their computers;
  • Only allow those staff who need access to the documents to have access;
  • If a staff member resigns, review what they send through their work email;
  • When the staff member leaves, if you are concerned, have their computer reviewed for such things as the use of personal emails (eg Hotmail).

Monday, July 26, 2010

Is Fraud Really a Risk?

Respondents to our new PPB Not-for-Profit Risk Survey were asked if their organisation takes into account a number of different risks, including fraud.  Where did fraud rank?

58% of organisations stated that they considered fraud was a risk to their organisation.  However, fraud ranked 7th.  The order of risks was as follows:

Financial Risk - 89%
Compliance Risk - 77%
Public Liability Risk - 71%
Human Risks - 69%
Security Risk - 65%
Project Risk - 64%
Fraud Risk - 58%
Technological Risk - 56%
Financial literacy of key staff - 46%
Natural hazard / disaster risks - 46%
Risk of Insolvency - 43%

While 58% of respondents take into account fraud as a risk, it was interesting to note that while 89% of organisations consider financial risk, just under half (43%) consider the risk of insolvency.

Sunday, July 11, 2010

Protecting sensitive information

All organisations will, over time, hold information that is considered sensitive (eg. information about clients or students, information about donors, grant information). This information needs to be protected. Examples of ways to protect sensitive information include:
  • Personal data of employees, volunteers, clients etc should be held in accordance with the data protection legislation that is relevant to the organisation’s jurisdiction.
  • All data should be stored securely and adequately backed up.
  • Audit logs should be maintained so as to know who accessed data and when it occurred. These audit logs also need to be maintained and backed up appropriately.
  • Spot checks should be undertaken to confirm that access to the records was for legitimate reasons.
  • Determine who should have access to the data and ensure they are the only ones who have access.

Monday, June 28, 2010

What is Financial Statement Fraud?

The financial statements of an organisation explain what the organisation has done during the last 12 months, so when financial statement fraud occurs, the financial statements do not tell the true or actual picture.

Both the Profit and Loss Statement and the Balance Sheet can be manipulated.

The Profit and Loss Statement can be misstated in the following ways:

Overstated revenue

By overstating revenue, the profit is improved or loss is reduced.

Understated expenses

By understating expenses, the same effect as overstating revenue is achieved.

However, the opposite may also be possible in a nonprofit. For example, if an organisation is required to expend all of a grant and has not done so, increasing expenses would enable the grant to be acquitted as required by the grant provider.

The Balance Sheet can be misstated in the following ways:

Overstated assets

Generally an organisation will want to overstate assets to show the organisation in a better position than it is actually in (for example to ensure the bank is happy with lending criteria). However, again the opposite may occur in a nonprofit organisation as the organisation may want to be seen to have fewer assets to ensure the continued receipt of grants.

Understated liabilities

It is normal in financial statement fraud that liabilities are understated.

Ultimately someone in the organisation has to undertake the falsified transactions and the accounts are then approved with or without knowledge of the fraud. However, if the accounts are then used, significant problems could arise, from fraud charges against an employee, management or a member of the board, reputation risk or loss of funding.

Monday, June 14, 2010

Changing Treasurers = Loss of Accounting Records?

One of the questions I am regularly asked about is how smaller nonprofits keep control of their accounting records when treasurers change so regularly – usually every year.

Issues I have been asked about include:
  • The Treasurer uses his/her own accounting software on his/her home computer. In this case how does the board control the security of the information (eg. viruses on the computer), loss of the information (eg. damage to the computer hard drive) or the computer being stolen if the house was broken into? There is also the issue of the organisation potentially not using licensed software.
  • The Treasurer does not hand back the accounting records when ceasing in the position. If the only records available are those held by the accountant / auditor it can be difficult to budget for the next year.
  • The Treasurer does not give the rest of the board access to the accounting records. This can mean a number of problems from the Treasurer wanting absolute control, to fraud.
How do you resolve a situation like this? The organisation should consider and investigate online accounting software. Some accounting software (some of which is well known and widely used) is now available online. This means that as one Treasurer leaves and a new Treasurer takes over, the data is available. It also means that it can be accessed (even if it is read only) by other members of the board and the external accountant / auditor, and is backed up properly by the software provider.

Sunday, May 30, 2010

Employment difficulties

Have you ever had difficulty finding a new staff member and had another staff member recommend a family member? There are a number of issues that should seriously be considered.

Firstly, the relationship may cause tension in the workplace – either between the two or between them and other employees / volunteers. The other issue is that it potentially makes it easier for them to collude to commit fraud as a result of the close family relationship.

So how can you deal with this issue? A decision needs to be made whether it is appropriate to employ relatives of current employees. The employment policy should clearly set out that family members will not be employed, at least not in the same area or where one family member would supervise the other family member.

Sunday, May 16, 2010

Front page of the Newspaper Test

When management or the board of any non profit makes a decision, they need to consider a number of issues - eg. what will it cost the organisation, what benefits will the organisation receive.

However, another issue needs to be considered when making decisions - how would others view your decision if it made the front page of the newspaper?  Would you lose donations?  Would there be agreement with your decision?  Every decision should be considered to this extent.  Those decisions can vary from how you spend funds raised to whether you should report fraud to the police.

Of course, some non profits are at greater risk of hitting the front page of a newspaper than other non profits (eg. a charity would be a reasonably high risk as a significant portion of funds are publicly raised).  However, this one question is a good test of whether the decision is in the best interests of the organisation.

Sunday, May 2, 2010

Educating Donors

How many times have you had questions raised about what percentage of funds donated actually goes directly to the mission of the organisation? It is difficult to achieve and then maintain an appropriate balance between the expectations of donors of funds where they want every cent of every dollar donated to go to the mission of the organisation and having sufficient funds to be able to develop and maintain appropriate controls.

With donors wanting all funds donated to go to the mission, how does the organisation pay expenses, such as market rates of salary / wages to employees, and have the resources to maintain controls?

If an employee is not paid at market rates and controls are not maintained appropriately, the risk of fraud will increase.

So what is the answer? It is not an easy question to answer considering the amount of media that is regularly given to the percentage of donated funds that are used for the organisation’s mission. Ultimately it is a longer term education process so that donors of funds understand that a reasonable percentage of funds are needed to administer the organisation.

Friday, April 2, 2010

Auditor Management Letters

In a previous fraud tip we discussed how it is not the primary role of the auditor to detect fraud. They are engaged to provide an opinion as to the reasonableness of the financial statements. To be able to provide that opinion, one thing that the auditor needs to do is to consider the reasonableness of internal controls.

Issues that the auditor finds, such as weaknesses in internal controls, are provided to the organisation by way of a management letter. The following should be considered in relation to the management letter:
  • If there are a number of issues or if the issues are complex in nature, the auditor should meet with the board to discuss the issues;
  • The board needs to understand the issues raised;
  • The board should consider each of the issues and prioritise the list in order of importance so as to ensure the issues raised are corrected;
  • The board should work with management to ensure issues raised are corrected within a reasonable time frame.
It should also be noted that by correcting issues raised in the management letter, problems with internal controls can be corrected, which should result in a reduced risk of fraud. Correcting the issues may also save funds by reducing the time needed by the auditor to undertake the audit, thus reducing the audit fee.

Sunday, March 21, 2010

Bad Debt Policy

Policies are an important part of any organisation. One of the policies needed is a Bad Debt Policy which provides details of when a debt should be written off. It also provides details of how the write off process needs to be authorised. So how does this help with fraud prevention?

A common method to hide a fraud is to take funds as they are received and to record them in the accounts as a debtor. As the debtor gets larger and is seen not to be being collected, it is written off, thereby reducing the risk of the fraud being discovered. This is especially a problem for organisations that are regularly owed funds from clients or other customers which do not pay and there is a history of writing off the debt.

When preparing a Bad Debt Policy, you need to clearly set out the criteria of when a debt is to be written off as well as how the write off is to be authorised. It is the authorisation process that should pick up potential fraud.

Sunday, March 7, 2010

Budgeting as a tool to reduce fraud

Budgets should be a part of any organisation.  What a lot of people do not realise is that the budgeting process is a useful tool in the fight against fraud.  For example, the comparison of actual results to budgets may show discrepancies in spending which, when investigated, may show significant over spending which has not been approved.
But to enable reliable comparisons of actual results to budgets, the preparation of budgets needs to be undertaken with care. Hints on developing budgets are:
  • It doesn’t matter how big or small your organisation is. It should still have a budget;
  • Go back to last year’s budget (if there is one) and see how accurate it was compared to actual results;
  • Go back to last year’s actual results and determine when income was received (eg. was it seasonal) and when expenses were incurred (eg. are there a number of expenses that are paid once a year?);
  • If there are new programs or expenditures that are to be included, have that relevant person or department prepare a detailed “mini budget” to be included in the budget;
  • Determine if there are new events that may affect the budget (eg. capital expenditure);
  • Make sure the board sign off on the budget after having thoroughly reviewed the budget.
To reduce fraud, the budget needs to be accurate. If you find that actual results are starting to have significant variances from the budget, it may be necessary to restate the budget. It is these variances that may show fraud is occurring, and if variances are commonplace, fraud may be missed.

Sunday, February 21, 2010

Good Culture = Reduced Fraud

An organisation can never underestimate the value a good culture within the organisation plays in reducing the risk of fraud. Having a good culture includes management and the board leading by example as well as employees and volunteers enjoying working for the organisation and believing in the organisation’s mission.

In a poor culture, employees and volunteers who feel that they are not part of the organisation, feel ignored and have low morale have less loyalty to the organisation and do not have the same, if any, feeling of guilt at committing fraud against the organisation.

But how do you know if you have a good culture within your organisation? Using employee/volunteer surveys is one way to determine if the organisation has a good culture. Another way is to review retention rates and sick leave rates. If rates are increasing it may indicate a slide in the organisation’s culture.

The following are some issues that may detract from the culture within the organisation and therefore lead to an increase in fraud:
  • Management and the Board not leading by example, being autocratic, not taking action against inappropriate action and not rewarding good behaviour;
  • Actual or perceived inequalities in the way staff and volunteers are managed;
  • Not being recognised either with appropriate promotion and/or market rates of pay;
  • Unrealistic budget expectations, both reducing costs and increasing funding or a combination of both; and
  • Poor training and lack of other employee benefits.

Sunday, February 7, 2010


Something that I hear all the time when I talk to nonprofit organisations is that they trust their employees. It is also interesting that in many instances, the organisation trusts employees more than volunteers.
While the majority of employees and volunteers are honest, there will always be some that are not. So what do you do? Here are some tips to help:
  • Don’t be concerned about implementing new controls. You are doing this for two reasons. Firstly to protect the organisation from fraud and secondly to protect employees and volunteers that do follow the rules.
  • If you can’t segregate duties, put other controls in place that will act as detection controls.
  • If someone has been doing the same role for a long time and it is difficult to suggest you need to change the way it is done, explain the risks – for example an employee would regularly take the cash takings to the bank in her car every day. She was not concerned when we suggested a change to make sure the organisation was covered by insurance and she would not be at risk of potentially being robbed.
While all organisations will ultimately have to place some level of trust in employees and volunteers, don’t ever be afraid to implement new controls or change controls already in place. You can’t put all of your trust in a person without the backup of some form of control. This is simply not acceptable.

Sunday, January 31, 2010

What is the true cost of fraud?

The following, while not an exhaustive list, need to be considered:
  • Of course the actual value of the fraud needs to be taken into account.
  • How much does it cost to investigate the fraud? This could be the cost to bring in someone externally to conduct the investigation or the time cost of people within the organisation to investigate the fraud.
  • Who will liaise with law enforcement and take the necessary time to work with them and potentially ultimately attend court to give evidence?
  • Fraud comes straight off the bottom line – consider this: if your organisation runs with a 1% surplus, a $50,000 (off the bottom line) fraud means that you need to raise $5,000,000 (top line) to replace that $50,000. This is a very difficult task to do.
  • Would the fraud mean your organisation would need to either arrange an overdraft or extend the overdraft to maintain the cashflow? The additional interest becomes a cost of the fraud for the length of time it takes to no longer need the overdraft or extended overdraft.
  • It is very difficult if not impossible to determine the cost of the fraud on the reputation of the organisation. What effect would the fraud have if it made the front page of the newspaper?
  • Could the organisation be at risk of losing funding such as grants?
  • Losses can be offset by any insurance, but it needs to be remembered that an insurance payout is “after the fact” and cashflow can be significantly affected before the payout is received.

Sunday, January 24, 2010

Does Your Board Hinder Your Fraud Prevention?

I am often asked the question of how the person charged with fraud prevention in an organisation gets buy-in from the board and in some instances from management.

There is no easy answer, but the following are some ideas that may help:
  • Remind the board of their duties to the organisation – eg. duty of care;
  • Have the board consider what the organisation could do with an amount that could easily be lost to fraud, say $50,000 (eg. run a specific program, provide a service to 250 clients);
  • Step the board through the true cost of fraud (eg. the loss of funds to the fraud, extra interest on an increased overdraft facility, cost to investigate the fraud, legal costs);
  • Explain that employees and volunteers should not be concerned with the introduction of a fraud control program – the program is important to protect those employees and volunteers that are honest and find those that are not.

Sunday, January 17, 2010

How do you deal with the media?

There are a number of issues you need to deal with when fraud is discovered. One of those is how you deal with the media. The following are suggestions on issues that need to be considered:

  • The first thing you need to consider, and pre-plan for, is the potential risk to your organisation of media attention, should it become public that it has suffered a fraud. For example, a charity is likely to be at a higher risk as funds it relies on are from public donations and it would therefore potentially make newsworthy reading.
  • The organisation then needs to be prepared. Does the organisation have a media policy? If yes, part of that policy should be who has authority to speak to the media. This person should be the person authorised to speak to the media if enquiries are made about the fraud. It also needs to be determined who authorises what can be said to the media.
  • The organisation needs to consider how they will address the issue if they are contacted by the media. It is the reputation of the organisation that is at risk if a report that is not favourable to the organisation is published.