Fraud in NFP

Invoice Fraud

2011-01-30T14:10:00.000+10:00

Many organisations at some time will receive an invoice for goods or services that the organisation did not receive. These may be opportunistic fraud from someone external to the organisation that will be sending small dollar value invoices to a large number of businesses in the hope that due to the small amount, the invoice would not be investigated further and simply paid. These could be created by employees who are aware of a lack of controls internally that allows the employee to create false invoices and have them put through the approval process and then be paid.

So how can an organisation make sure that they are not allowing for a false creditor to be set up on the system thereby allowing false invoices to be paid? Here are some points that may assist in the approval process for new creditors:

A free ASIC search can show if the company is actually registered and confirm the ACN – for those not in Australia, a confirmation that the company has officially been registered with the appropriate government authority;
Verify the personal details of the directors – this can be done by checking the telephone directory, a Google search or other similar search;
Determine if the company has a credit rating;
Search for any legal proceedings against the company – many courts have an online system of checking matters currently before the court as well as those that had been finalised;
Check the telephone directory to determine if the company is listed; and
Confirm the trading address through means such as Google Maps.

How Up to Date Are Your Policies?

2010-10-10T20:17:00.000+10:00

One problem I see on a regular basis when I am conducting fraud investigations is the lack of policies or that policies are out of date. Let me give you an example. I regularly see employees using credit cards issued for organisation use for personal use.

When conducting these types of investigations, employees make comments such as “I didn’t know I couldn’t use it like that” or “Everyone else uses the card to buy personal things, why can’t I?”. If there is an up-to-date policy that employees are required to be aware of, these types of issues should not arise.

So what should an organisation do? Here are some suggestions:

Make sure policies are reviewed on a regular basis. What is a regular basis? That is dependent on individual organisations – yearly is common.
Do policies clearly set out what is and is not acceptable behaviour of your employees and volunteers?
Have policies that are in plain language and are straight to the point. There is no need to have “long winded” policies that are difficult to read.
Make sure employees and volunteers are aware of and understand policies. This can be done by having policies available on the organisation’s intranet, having employees sign off each year to say they have read and understand the policies (this can be done at the induction when they are first employed and at their yearly performance appraisal).
If an event triggers a potential issue with a policy, update it when the issue arises – don’t leave it until another problem arises.

How Important is Your Information?

2010-08-29T20:37:00.000+10:00

Every nonprofit organisation maintains a significant amount of information. How much is that information worth to your organisation – donor lists, methods of preparing sponsorship proposals or grant proposals.

It is difficult, if not impossible to place a value on these, but if someone was to takes copies, the future reduction in income could be significant. So how do you protect your information? Some examples include:

Do not allow staff to use external devices such as external hard drives on their computers;
Only allow those staff who need access to the documents to have access;
If a staff member resigns, review what they send through their work email;
When the staff member leaves, if you are concerned, have their computer reviewed for such things as the use of personal emails (eg Hotmail).

Is Fraud Really a Risk?

2010-07-26T21:37:00.000+10:00

Respondents to our new PPB Not-for-Profit Risk Survey were asked if their organisation takes into account a number of different risks, including fraud. Where did fraud rank?

58% of organisations stated that they considered fraud was a risk to their organisation. However, fraud ranked 7th. The order of risks was as follows:

Financial Risk - 89%
Compliance Risk - 77%
Public Liability Risk - 71%
Human Risks - 69%
Security Risk - 65%
Project Risk - 64%
Fraud Risk - 58%
Technological Risk - 56%
Financial literacy of key staff - 46%
Natural hazard / disaster risks - 46%
Risk of Insolvency - 43%

While 58% of respondents take into account fraud as a risk, it was interesting to note that while 89% of organisations consider financial risk, just under half (43%) consider the risk of insolvency.

Protecting sensitive information

2010-07-11T21:56:00.000+10:00

All organisations will, over time, hold information that is considered sensitive (eg. Information about clients or students, information about donors, grant information). This information needs to be protected. Examples of ways to protect sensitive information include:

Personal data of employees, volunteers, clients etc should be held in accordance with relevant data protection legislation that is relevant to the organisation’s jurisdiction.
All data should be stored securely and adequately backed up.
Audit logs should be maintained so as to know who accessed data and when it occurred. These audit logs needs to be maintained and backed up appropriately also.
Spot checks should be undertaken to confirm that access to the records were for legitimate reasons.
Determine who should have access to the data and ensure they are the only ones who have access.

What is Financial Statement Fraud?

2010-06-28T21:56:00.001+10:00

The financial statements of an organisation explain what the organisation has done during the last 12 months so when financial statement fraud occurs, the financial statements do not tell the true or actual picture.

Both the Profit and Loss Statement and the Balance Sheet can be manipulated.

The Profit and Loss Statement can be misstated in the following ways:

Overstated revenue

By overstating revenue, the profit is improved or loss is reduced.

Understated expenses

By understating expenses, the same effect as overstating revenue is achieved.

However, the opposite may also be possible in a nonprofit. For example, if an organisation is required to expend all of a grant and has not done so, increasing expenses would enable the grant to be acquitted as required by the grant provider.

The Balance Sheet can be misstated in the following ways:

Overstated assets

Generally an organisation will want to overstate assets to show the organisation in a better position than it is actually in (for example to ensure the bank is happy with lending criteria). However, again the opposite may occur in a nonprofit organisation as the organisation may want to be seen to have fewer assets to ensure the continued receipt of grants.

Understated liabilities

It is normal in financial statement fraud that liabilities are understated.

Ultimately someone in the organisation has to undertake the falsified transactions and the accounts are then approved with or without knowledge of the fraud. However, if the accounts are then used, significant problems could arise, from fraud charges against an employee, management or a member of the board, reputation risk or loss of funding.

Changing Treasurers = Loss of Accounting Records?

2010-06-14T16:40:00.000+10:00

One of the questions I am regularly asked about is how smaller nonprofits keep control of their accounting records when treasurers change so regularly – usually every year.

Issues I have been asked about include:

The Treasurer uses his/her own accounting software on his/her home computer. In this case how does the board control the security of the information (eg. viruses on the computer), loss of the information (eg. damage to the computer hard drive) or the computer being stolen if the house was broken into? There is also the issue of the organisation potentially not using licensed software.
The Treasurer does not hand back the accounting records when ceasing in the position. If the only records available are those held by the accountant / auditor it can be difficult to budget for the next year.
The Treasurer does not give the rest of the board access to the accounting records. This can mean a number of problems from the Treasurer wanting absolute control, to fraud.

How do you resolve a situation like this? The organisation should consider and investigate online accounting software. Some accounting software (some of which is well known and widely used) is now available online. This means that as one Treasurer leaves and a new Treasurer takes over, the data is available. It also mean that it can be accessed (even if it is read only) by other members of the board, the external accountant / auditor and is backed up properly by the software provider.

Employment difficulties

2010-05-30T19:58:00.000+10:00

Have you ever had difficulty finding a new staff member and had another staff member recommend a family member? There are a number of issues that should seriously be considered.

Firstly, the relationship may cause tension in the workplace – either between the two or between them and other employees / volunteers. The other issue is that it potentially makes is easier for them to collude to commit fraud as a result of the close family relationship.

So how can you deal with this issue? A decision needs to be made whether it is appropriate to employ relatives of current employees. The employment policy should clearly set out that family members will not be employed at least, in the same area or allowing one family member to supervise the other family member.

Front page of the Newspaper Test

2010-05-16T20:42:00.000+10:00

When management or the board of any non profit makes a decision, they need to consider a number of issues - eg. what will it cost the organisation, what benefits will the organisation receive.

However, another issue needs to be considered when making decisions - how would others view your decision if it made the front page of the newspaper? Would you lose donations? Would there be agreement with your decision? Every decision should be considered to this extent. Those decision can very from how do you spend funds raised to should you report fraud to the police.

Of course, some non profits are at greater risk of hitting the front page of a newspaper than other non profits (eg. a charity would be a reasonably high risk as a significant portion of funds are publically raised). However, this one question is a good test of if the decision is in the best interests of the organisation.

Educating Donors

2010-05-02T20:50:00.000+10:00

How many times have you had questions raised about what percentage of funds donated actually goes directly to the mission of the organisation? It is difficult to achieve and then maintain an appropriate balance between the expectations of donors of funds where they want every cent of every dollar donated to go to the mission of the organisation and having sufficient funds to be able to develop and maintain appropriate controls.

With demands from donors wanting all funds donated going to the mission, how does the organisation pay expenses, such as market rates of salary / wages to employees and having the resources to maintain controls.

If an employee is not paid at market rates and controls are not maintained appropriately, the risk of fraud will increase.

So what is the answer? It is not an easy question to answer considering the amount of media that is regularly given to the percentage of donated funds that are used for the organisation’s mission. Ultimately it is a longer term education process so that donors of funds understand that a reasonable percentage of funds are needed to administer the organisation.

Auditor Management Letters

2010-04-02T19:38:00.000+10:00

In a previous fraud tip we discussed how it is not the primary role of the auditor to detect fraud. They are engaged to provide an opinion as to the reasonableness of the financial statements. To be able to provide that opinion, one thing that the auditor needs to do is to consider the reasonableness of internal controls.

Issues that the auditor finds, such as weaknesses in internal controls, are provided to the organisation by way of a management letter. The following should be considered in relation to the management letter:

If there are a number of issues or if the issues are complex in nature, the auditor should meet with the board to discuss the issues;
The board needs to understand the issues raised;
The board should consider each of the issues and prioritise the list in order of importance so as to ensure the issues raised are corrected;
The board should work with management to ensure issues raised are corrected within a reasonable time frame.

It should also be noted by correcting issues raised in the management letter, problems with internal controls can be corrected which should result in a reduced risk of fraud. Correcting the issues may also save funds by reducing the time needed by the auditor to undertake the audit, thus reducing the audit fee.

Bad Debt Policy

2010-03-21T20:31:00.000+10:00

Policies are an important part of any organisation. One of the policies needed is a Bad Debt Policy which provides details of when a debt should be written off. It also provides details of how the write off process needs to be authorised. So how does this help with fraud prevention?

A common method to hide a fraud is to take funds as they are received and to record them in the accounts as a debtor. As the debtor gets larger and is seen not to be being collected, it is written off, thereby reducing the risk of the fraud being discovered. This is especially a problem for organisations that are regularly owed funds from clients or other customers which do not pay and there is a history of writing off the debt.

When preparing a Bad Debt Policy, you need to clearly set out the criteria of when a debt is to be written off as well as how the write off is to be authorised. It is the authorisation process that should pick up potential fraud.

Budgeting as a tool to reduce fraud

2010-03-07T19:43:00.001+10:00

Budgets should be a part of any organisations. What a lot of people do not realise is that the budgeting process is a useful tool in the fight against fraud. For example, the comparison of actual results to budgets may show discrepancies in spending which when investigated may show significant over spending which has not been approved.
But to enable reliable comparisons of actual results to budgets, the preparation of budgets need to be undertaken with care. Hints on developing budgets are:

It doesn’t matter how big or small your organisation is. It should still have a budget;
Go back to last year’s budget (if there is one) and see how accurate it was compared to actual results;
Go back to last year’s actual results and determine when income was received (eg. was it seasonal) and when expenses were incurred (eg. are there a number of expenses that are paid once a year?);
If there are new programs or expenditures that are to be included, have that relevant person or department prepare a detailed “mini budget” to be included in the budget;
Determine if there are new events that may affect the budget (eg. capital expenditure);
Make sure the board sign off on the budget after having thoroughly reviewed the budget.

To reduce fraud, the budget needs to be accurate. If you find that the budget is starting to have significant variances from the budget, it may be necessary to restate the budget. It is these variances that may show fraud is occurring and if variances are common place, fraud may be missed.

Good Culture = Reduced Fraud

2010-02-21T19:53:00.002+10:00

An organisation can never underestimate the value a good culture within the organisation plays in reducing the risk of fraud. Having a good culture includes management and the board leading by example as well as employees and volunteers enjoying working for the organisation and believing in the organisation’s mission.

A poor culture where employees and volunteers feel that they are not part of the organisation, feel ignored and have low morale have less loyalty to the organisation and do not have the same, if any, feel of guilt at committing fraud against the organisation.

But how do you know if you have a good culture within your organisation. Using employee/volunteer surveys is one way to determine if the organisation has a good culture. Another way is to review retention rates and sick leave rates. If rates are increasing it may indicate a slide in the organisation’s culture.

The following are some issues that may detract from the culture within the organisation and therefore lead to an increase in fraud:

Management and the Board not leading by example, being autocratic, do not take action against inappropriate action and do not reward good behaviour;
Actual or perceived inequalities in the way staff and volunteers and managed;
Not being recognised either with appropriate promotion and/or market rates of pay;
Unrealistic budget expectations, both reducing costs and increasing funding or a combination of both; and
Poor training and lack of other employee benefits.

Trust

2010-02-07T20:46:00.001+10:00

Something that I hear all the time when I talk to nonprofit organisations is that they trust their employees. It is also interesting that in many instances, the organisation trusts employees more than volunteers.
While the majority of employees and volunteers are honest, there will always be some that are not. So what do you do? Here are some tips to help:

Don’t be concerned about implementing new controls. You are doing this for two reasons. Firstly to protect the organisation from fraud and secondly to protect employees and volunteers that do follow the rules.
If you can’t segregate duties, put other controls in place that will act as detection controls.
If someone has been doing the same role for a long time and it is difficult to suggest you need to change the way it is done, explain the risks – for example an employee would regularly take the cash takings to the bank in their her car every day. She was not concerned when we suggested a change to make sure the organisation was covered by insurance and she would not at risk of potentially being robbed.

While all organisations will ultimately have to place some level of trust in employees and volunteers, don’t ever be afraid to implement new controls or change controls already in place. You can’t put all of your trust in a person without the back up of some form of control. This is simply not acceptable.

What is the true cost of fraud?

2010-01-31T20:54:00.000+10:00

The following, while not an exhaustive list, need to be considered:

Of course the actual value of the fraud needs to be taken into account.
How much does it cost to investigate the fraud? This could be the cost to bring in someone externally to conduct the investigation or the time cost of people within the organisation to investigate the fraud.
Who will liaise with law enforcement and take the necessary time to work with them and potentially ultimately attend court to give evidence?
Fraud comes straight off the bottom line – consider this: if your organisation runs with a 1% surplus, a $50,000 (off the bottom line) fraud means that you need to raise $5,000,000 (top line) to replace that $50,000. This is a very difficult task to do.
Would the fraud mean your organisation would need to either need to arrange an overdraft or extend the overdraft to maintain the cashflow? The additional interest becomes a cost of the fraud for the length of time it takes to no longer need the overdraft or extended overdraft.
It is very difficult if not impossible to determine the cost of the fraud on the reputation of the organisation. What effect would the fraud have if it made the front page of the newspaper?
Could the organisation be at risk of losing funding such as grants?
Losses can be offset by any insurance, but it needs to be remembered that an insurance payout is “after the fact” and cashflow can be significantly affected before the payout is received.

Does Your Board Hinder Your Fraud Prevention?

2010-01-24T21:16:00.001+10:00

I am often asked the question of how does the person charged with fraud prevention in an organisation, get buy in from the board and in some instances from management.

There is no easy answer, but the following are some ideas that may help:

Remind the board of their duties to the organisation – eg. duty of care;
Have the board consider what they organisation could do with an amount that could easily be lost to fraud, say $50,000 (eg. run a specific program, provide a service to 250 clients);
Step the board through the true cost of fraud (eg. the loss of funds to the fraud, extra interest on an increased overdraft facility, cost to investigate the fraud, legal costs);
Explain that employees and volunteers should not be concerned with the introduction of a fraud control program – the program is important to protect those employees and volunteers that are honest and find those that are not.

How do you deal with the media?

2010-01-17T19:54:00.002+10:00

There are a number of issues you need to deal with when fraud is discovered. One of those is how do you deal with the media. The following are suggestions on issues that need to be considered:

The first thing you need to consider, and pre-plan for, is the potential risk to your organisation of media attention, should it become publich that it has suffered a fraud. For example, a charity is likely to be at a higher risk as funds it relies on are from public donations and it would therefore potentially make newsworthy reading.
The organisation then needs to be prepared. Does the organisation have a media policy? If yes, part of that policy should be who has authority to speak to the media. This person should be the person authorised to speak to the media if enquiries are made about the fraud. It also needs to be determined who authorises what can be said to the media.
The organisation needs to consider how they will address the issue if they are contacted by the media. It is the reputation of the organisation that is at risk if a report that is not favourable to the organisation is published.

How Do You Recover Funds Lost to Fraud

2009-12-06T18:48:00.002+10:00

When developing a Fraud Control Policy an important part of that plan is determine if it is possible to recover funds that the organisation has lost to fraud. A number of issues need to be considered:

Does the organisation have insurance for fraud? This has been discussed previously. If the organisation has insurance for fraud, remember that cash flow potentially could be affected until such time as a payment is received.
Determine if it is economically viable to take civil recovery proceedings. If the fraudster has a gambling or other addiction it is unlikely that funds will be available. However, if the fruadster has purchased a property or utilisied the funds in some other similar way, funds may be available for recovery. The organisation must remember that the funds that have been taken are the organisations. The organisation should not “feel sorry” for the fraudster.
When the fraudster is found guilty, the court may order restitution. However, in this case the organisation must wait until the matter has been through Court. This may take 18 months or more. In this time, the fraudster may have disposed of any funds and assets that they have owned. This is the least favourable of the three alternatives.

Should Fraud be Reported to the Police

2009-11-29T20:23:00.002+10:00

When developing a Fraud Control Policy an important part of that plan is a clear statement as to whether fraud that has been discovered will be reported to the Police. A number of issues need to be considered in making this decision:

In some jurisdictions, it is required by law that any serious offence is report to the Police. An organisation needs to understand if such a requirement is in place in their jurisdiction;
If an organisation does not report the matter to Police, the organisation needs to consider what message this send to other employees and volunteers;
If an organisation does not report the matter to Police, will the person committing the fraud go on to another employer and commit fraud there?;
By reporting the matter to Police, the organisation needs to consider if it is likely that the fraud will be reported in the media as it goes through the Court process and the potential damage this could cause the organisation;
The organisation’s insurance policy may require the fraud to be reported to the Police.

Cheque Fraud

2009-11-22T21:39:00.002+10:00

Cheque fraud can easily occur and can cost an organisation significant amounts if appropriate controls are not in place.

Cheque fraud can occur in a number of ways:

Using false invoices to have a cheque paid in favour of the false business;
Changing a legitimate cheque (payee and amount) without having authority to do so;
The theft of cheques and the use of those cheques at a later time;
Duplication of cheques, especially if they are preprinted by the company;
Depositing a cheque into another account without authority.

To prevent cheque fraud, there are a number of possible controls:

Reconcile the bank account on a regular basis;
Never sign blank cheques. Only sign cheques when details have been completed and there is documentation supporting the payment;
Limit the number of signatories on the account and remove signatories when they are no longer required;
Ensure that cheques require at least two signatories;
Keep all cheques in a safe place to deter theft;
Avoid the use of acronyms when completing the Payee;
If you are expecting more cheques and they have not arrived, contact the bank and cancel them.

Using Imprest Accounts

2009-11-15T21:24:00.000+10:00

If you operate at a number of different locations or have a number of branches, the use of imprest accounts may be a good solution.

An imprest account is used on the following basis:

A set bank account balance (set depending on the spending requirements of the location / branch and on the regularity of the reimbursement (eg. weekly, monthly));
Deposits are made to the organisations general account and not the imprest account;
A reconciliation of the imprest account is conducted when a reimbursement is required;
Signatories to the imprest account are usually people located at the location / branch for ease of use of the account.

The use of an imprest account reduces the risk of fraud as it reduces the possible spending people at the location / branch can undertake.

The imprest account system allows locations / branches to have some autonomy while still being restricted in the amount they can spend and still providing regular support for the expenditure they undertake.

Travel Expenses

2009-11-08T20:26:00.001+10:00

How do you control expenses spent by employees while travelling on work related trips? There are a few options which can be considered, each with their own benefits and risks.

Per Diems

These allow an organisation to reduce paperwork if they have a number of employees and volunteers travelling. A per diem is an allowance which can be easily set by referring to meal allowances as set by the relevant federal government. In Australia, this is set by the Australian Tax Office. If the employee spends more, it will be at their own personal cost. However, if they spend less they keep the amount they did not spend.

The benefit to the organisation is that it knows exactly how much it will spend and has a reduced level of paperwork. The potential cost to the organisation is that the employee spends less and therefore the organisation overpays the employee.

Full reimbursement of costs

In this situation, employees need to provide receipts for all meals and other costs incurred. However, the organisation needs to clearly set out what is and is not acceptable expenditure. For example, no alcohol, no mini bar in the hotel room. If a number of employees and volunteers travel frequently, the administration of this system can out way the benefits of only reimbursing the actual costs incurred. Also employees can spend more than they would under the per diem system because it’s “on the boss” or the organisation is paying for it. The other concern is that receipts are obtained by the employee where these costs are not actually incurred and reimbursement made.

Both systems have advantages and disadvantages. Whichever system is used, there needs to be a clear policy developed for when employees and volunteers are travelling on business.

Internet Fraud

2009-11-01T16:56:00.003+10:00

I am surprised with the number of phishing emails that still arrive in my Inbox every week – most supposedly from banks which I don’t even have a bank account with. But the concerning aspect is that people still fall for the email and click the link, ending up giving their contact details.

So how do people get our information over the internet.

Phishing requires that a person provides their information. It is often via the email process we all see. An email is received from what appears to be a legitimate company (in many instances a bank). The emails advise you of some issue – the bank has had a security upgrade for example – and they need you to verify your information. You click the link and are taken to a web page that looks almost identical to the company you have been dealing with. There you put in your username and login and the hackers have your information.

A Trojan is malware. It is used by a hacker to obtain unauthorised access to the user’s computer system. Trojans are designed to give hackers remote access to the users computer and give them the ability to perform the same functions the user can.

Key logging programs do as the name suggests. The program allows for each key stroke entered by the user is recorded by the program. These programs are used frequently to obtain a persons username and password for internet banking.

No matter what the issue, the preventative measures are the same. Here are some examples:

Have appropriate firewalls on computer systems;
Have up-to-date virus checking software and regularly check for updates to it;
Use a strong password and change it regularly;
If it seems to good to be true – it probably is - for example never give your password to anyone;
Use security tokens or similar for internet banking.

Protecting a whistleblower

2009-10-25T21:29:00.002+10:00

A question I am often asked is – how do you protect a whistleblower?

Maintaining confidentiality is always the best alternative, but it is often impractical. A great summary of the practical problems that arise with maintaining confidentiality, along with practical alternatives has been prepared by the New South Wales Ombudsman.

A summary of these practical examples, being the minimum steps to be taken in all cases are:

Supporting the whistleblower;
Providing guidance to the whistleblower of what is expected of them;
Provide the whistleblower with information about how the disclosure will be dealt with;
Responsibility should be given to someone senior to make sure it is dealt with appropriately and expeditiously;
Conduct a prompt investigation; and
Respond appropriately.

For more detail on these practical alternatives as well as for when the identity of the whistleblower is or is not likely to become known, click here for the article from the New South Wales Ombudsman.

Whistleblower Policy

2009-10-18T17:57:00.002+10:00

A whistleblower policy establishes a process that allows the board, employees, volunteers and other interested parties the ability to report in good faith any suspicions they may have regarding illegal, unethical or inappropriate actions.

When developing a Whistleblower Policy, the following should be considered:

The policy should include protection for all those involved with the organisation, including directors, employees, volunteers and other with an interest in the organisation (eg. members).
The policy should clearly set out what should be reported such as fraud, workplace safety issues, misconduct, breaches of policies, any activity that is illegal, abuse of authority etc.
The policy should clearly set out to whom and how someone should report suspicions. The person to whom reports are made should carefully be chosen. For example, it is suggested that it is not someone who has access to the organisation’s funds such as the financial controller as these are people who may be the subject of the reports. It is also appropriate to have a secondary reporting person for when the initial person in on leave or if the report is being made about that person. Also these two people need appropriate training on their responsibilities.
The option of using an external whistleblowing service should also be considered rather than utilizing an internal person. These services are readily available and should be investigated. The provider of the services will take reports and either provide those reports to an appropriate person internally to investigate or assist the organisation with the investigation.
It is recommended that a “line manager” is not an appropriate reporting person. The reasons for this are that it may be the line manager who the report is being made about and therefore it could make it difficult for the whistleblower to make a report. It requires training all line managers with their responsibilities as a receiver of reports rather than one or two people who deal with the issues on a regular basis.
When a person reports their suspicions they must be able to do so without fear of retaliation. However, it must also be clearly set out that a person will be dealt with if the report is made maliciously.
People should be able to make reports anonymously if they chose. However, people should understand that by making a report anonymously they may slow down the investigation. For example, the investigator cannot check with the person for additional information.
To reduce the possibility of anonymous reports, the policy should clearly promise confidentiality to the extent it is possible. For example, it may be necessary to advise law enforcement of the name of the person who made the report.

Whistleblowing – Friend or Foe?

2009-10-11T21:00:00.000+10:00

Many of us dodge the term Whistleblower – is it really a ‘dirty word’?

A whistleblower is someone who comes forward with information that has previously been concealed and it may not just be in relation to fraud. It could be in relation to workplace safety issues, harassment, etc.

Think about some of the well known whistleblowers in recent times - Cynthia Cooper of Worldcom and Sherron Watkins of Enron – by coming forward the information they were able to provide resulted in two of the largest corporate frauds in history being discovered.

No matter whether people like it or not, whistleblowing is one of the most effective ways of discovering fraud. In the 2008 Association of Certified Fraud Examiners Report to the Nation Survey, it was found that 46.2% of cases of fraud were detected by tip off or a whistleblower. The 2008 BDO Not-for-Profit Fraud Survey found that 38% of fraud was discovered by tip off. The statistics speak for themselves.

So how do we make use of the benefits of whistleblowers while protecting our employees and volunteers? We will address these issues over the coming weeks. Stay tuned!

Resume Fraud – Is It Real?

2009-10-04T18:02:00.002+10:00

A great article on “Resume Fraud: The Top 10 Lies” by Christopher T Marguet, CEO, Marquet International Ltd and Lisa JB Peterson listed the top ten to be:

Stretching Dates of Employment
Inflating Past Accomplishments & Skills
Enhancing Job Titles & Responsibilities
Education Exaggeration & Fabricating Degrees
Unexplained Gaps & Periods of “Self Employment”
Omitting Past Employment
Faking Credentials
Fabricating Reasons for Leaving Previous Jobs
Providing Fraudulent References
Misrepresenting Military Record

Falsifying a resume can cost an organisation significant sums if the employee does not have the skills to undertake the role appropriately or the information omitted related to previous fraud matters.

For more on the article by Marquet International Ltd, please click here.

Using an internal audit facility

2009-09-27T20:57:00.000+10:00

An internal auditor can be a great tool to help prevent and detect fraud. The role of the internal auditor can really be what the organisation wants and needs. An internal auditor usually assists in areas of corporate governance and risk management.

An internal auditor can review, test and recommend improvements in controls and processes, test the reliability of the financial reporting process, ensure the organisation complies with standards and legislation as well as deterring and investigating fraud. The board can make use of an internal auditor to cover areas where the board is concerned, is suspicious of inconsistencies or improve controls where gaps or weaknesses exist.

If an internal auditor is appointed he or she needs to be able to report directly to the audit committee or if your organisation does not have an audit committee, a board member such as the treasurer or chair of the board.
For organisations that cannot put a full time internal auditor or have an internal audit department, there are other options. It is possible to either hire an internal auditor on a part time basis (eg. one day a week) or engage the internal audit division of an accounting firm to assist.

Collusion

2009-09-20T20:56:00.002+10:00

Collusion is when two or more people agree (usually in secret) to deceive, mislead or defraud others.

If collusion is occurring, it usually is the result of a breakdown in controls. Collusion does, in some way, cost your organisation money. For example:

Consider collusion occurring between an employee and an employee of a contractor who is tendering for major construction works. It is likely that either the tender will be cheaper for the contractor to win and thereby it may result in poorer quality workmanship and / or materials used or may be overvalued and the organisation may be charged more than should be; or
As the purchasing officer in the organisation, the employee allows the supplier to charge more than the items could be purchased for elsewhere, thus incurring additional costs for the organisation.

To attempt to avoid collusion:

All employees should be required to disclose any potential conflict of interest that may exist;
All employees should be required to, at least yearly, sign off that they understand all policies and procedures;
Ensure that vendors and suppliers are fully aware that gifts and gratuities are not to be given to employees or volunteers. If they wish to support the organisation, it should be made by way of donation;
Ensure employees, volunteers and suppliers have a way of reporting suspected collusion. It is surprising the number of times collusion is picked up by another organisation who also has an employee involved in the collusion.

Collusion is very difficult to discover and also very difficult to investigate as any benefit is usually received by the individual. Any suspicion of collusion needs to be investigated thoroughly.

Payments

2009-09-13T20:10:00.001+10:00

Payments are usually made in one of three ways: cash, cheque or electronic payments. Each payment method has its own risks.

Cash Payments

When making cash payments (eg. out of petty cash) an invoice or receipt should be obtained for every payment made and the invoice / receipt needs to be confirmed to the cash amount paid. The person controlling the cash should not be the same person who reconciles the cash and the invoices / receipts, so any discrepancy can be adequately investigated. The fewer the cash payments needed the better.

Cheque Payments

The question is, is one signature enough? The answer is no. Not even if the cheque is for a small amount. Cheques need to be signed by two people. Also the following should also be undertaken:

Cheques should never be pre-signed;
When the cheque is prepared for signing, all documents supporting proof of the requirement for payment should be attached;
The people who are signing the cheques need to thoroughly review the documents supporting the payment and sign the documents showing the appropriate approval;
The amount and payee on the cheque needs to be the same as on the supporting documents and needs to be confirmed by the people signing the cheque.

Electronic Payments

The first thing people who are authorising electronic payments need to remember is that their password for signing in to authorise the payments is the equivalent of their signature on a cheque. A person would not allow a person to forge their signature, so why let a person use their password.

The following should be undertaken when making payments electronically:

When the electronic payments are prepared for payment, all documents supporting proof of the requirement for payment should be thoroughly reviewed by the people authorising the payment;
The amount, payee and bank account details on the electronic payment authorisation needs to be the same as on the supporting documents and needs to be confirmed by the people authorise payment.

It needs to be remembered that a common way for someone to commit fraud with electronic payments is for the person who sets up the payments puts in their own bank account number instead of a creditor’s bank account number. The people authorising payments need to be aware of this issue.

Is your identity or your organisations information at risk?

2009-09-06T19:46:00.000+10:00

There has been a lot of media about identity theft. However, you don’t just need to worry about someone stealing your personal papers, credit cards, drivers license or passport.

Norton Symantec has released a list of the 100 most dangerous website on the internet and warn about malware.

For details of this very important topic, click here.

Make sure employees take holidays

2009-08-30T19:35:00.001+10:00

One of the common methods of detecting fraud is when the employee is away and another person undertakes their responsibilities. Some tips in relation to detecting fraud by making people take their holidays include:

Have a policy that requires employees to take at least part of the annual leave / holidays each year;
Have employees trained in other rolls;
When an employee takes leave / holidays, another employee should step into the roll;
If an employee, while on leave, comes into the office “just to get a few things up to date”, question the need for them to be there and what they are doing;
Determine if an employee on leave needs access to the organisations systems (including banking) – if not, deactivate access while they are away.

Be Aware of Skimming

2009-08-23T17:14:00.001+10:00

Skimming is the theft of funds before they are recorded in the records of an organisation. Skimming does not only involve the theft of cash however. It may be the theft of cheques or other types of payments, although cash is the most common.

Examples of skimming include:

A sporting club running a food stall – a person working at the stall puts cash from the sales of the food in his or her pocket rather than in the cash tin. At the end of the day, only the cash that has been placed in the cash tin is counted, recorded in the accounting records as income and subsequently banked;
As cheques are received into the organisation, an accounts clerk takes the cheques and banks them into a bank account opened in a similar name. From that account the clerk can divert funds to any account;
Selling items through a shop run by the organisation, the person does not “ring up” the sale but puts the money in the cash register in front of the customer. When the customer leaves, the person takes the cash out of the cash register.

Skimming can be difficult to discover and also to investigate.

Here are some ideas that may help prevent skimming:

Rotate duties. This can be hard when you rely on volunteers (eg. At sporting events or at shops). Rotate the person who takes the cash, rotate the volunteers between shops or stalls or on a reasonably regular basis have someone else undertake the role and compare takings.
Conduct reconciliations. For example, a reconciliation may be undertaken of the cash received from a food stall (eg. To determine the number of hamburgers that were sold) to the amount of stock used.
As a specific example, for food stalls use tickets. A cashier receives the cash and hands the person a ticket (eg. a blue ticket for a hamburger, red ticket for a hotdog). When the item is cooked, the customer hands over the ticket to the person preparing to food who places the ticket into a box which is locked (with opening on the top for the tickets). At the end of the day, two people who have not worked on the stall count up the cash and the tickets – they should reconcile.

Take regular computer back ups

2009-08-16T18:26:00.000+10:00

This may seem like a common sense statement to make, but unfortunately many organisations do not take back ups of their computer data, or if they do, the back up sits next to the computer which means it would also be damaged, destroyed if a fire occurred or could also be stolen if the organisation was broken into.

There are a number of alternatives for how to appropriately store computer backups, but you need to investigate the options thoroughly.

For example, I was reviewing procedures for an educational facility and found that the IT manager was taking backups home. Unfortunately these backups held information on students and could fall into the wrong hands if the manager’s house was broken into.

Another example, if for small organisations such as sporting clubs which may have the treasurer maintain the accounting records from home. The club needs to determine the best option for maintaining the back up of data. This may be to have one or two other members of the board keep regular back ups in their home safes.

For larger organisations, a safe deposit box at a bank is always a good option.

Other options exist. For example, if you already have an offsite storage facility for your paper records, this may also entitle you to safely store your electronic back ups. You should investigate such options with your provider. However other back up facilities such as online back ups, but these should be investigated thoroughly. For example, who else has access to your information if you are using an online back up service?

Back ups are not just a function of disaster recovery. As an organisation, records need to be maintained for a set period of time (eg. Five years), you should ensure you have a back up methodology that allows you to recover records for that period. This does not mean you have to keep every back up. For example, you may want to keep monthly, quarterly or yearly back ups.

But how does this relate to fraud? There are a few issues:

Back ups can show how, over a period of time, a person has hidden the fraud they have committed;
Back ups may be the only way to restore records after the fraudster has decided to destroy any evidence they believe may incriminate them;
Back ups of programs other than the accounting program (eg emails) can provide a lot of useful information to the investigation such as who the perpetrator has had contact with (eg. Discussions with a real estate agent about purchasing property which may be able to be recovered);
If the fraud is referred to law enforcement, back ups may be required as evidence.

Conflicts of interest

2009-08-09T19:56:00.000+10:00

A conflict of interest involves a conflict between a person’s duty and the persons own personal or private interests. A conflict of interest can be an actual conflict or can be perceived or a potential conflict.

A conflict of interest is not necessarily unethical or wrong. However, it is how the conflict is identified and dealt with that is important.

An example of a potential conflict of interest is a board member’s family computer company being given the contract to supply the organisation with new computers and file server. The conflict would not be handled properly if the board member did not advise the board of his interest in the computer company and arranged for no other quotes to be obtained. The conflict would be handled appropriately if the board member advised the rest of the board of his interest in the computer company and whenever the potential contract was discussed and the contract awarded, the board member removed himself from the discussions.

So what should be done to avoid conflicts of interest?

A conflict of interest register should be maintained and should be completed by all board members for any potential conflicts of interest;
If a conflict of interest arises or potentially arises, the board needs to be advised immediately;
Any discussions or other dealings with the issue that resulted in the conflict of interest should exclude that board member, including not being provided any documents such a board papers or copies of tenders received relating to the matter;
Do not be involved in any discussions regarding the issues, including leaving the room during any board meetings when the matter is discussed;
Do not place yourself in a position that may result in a conflict of interest, eg. accepting a gift from a supplier or contractor or being able to use confidential information for personal gain.

The Need to Change Passwords

2009-08-02T19:10:00.001+10:00

A friend of mine, Micheal, provided a good example of when things can go wrong with passwords. Micheal's comments to last weeks newsletter was:

I had a client where 13 people knew the super-user password to the timesheets application - which fed timesheet data to the payroll program. It had just happened that way over time as people got lax.

Needless to say everyone took advantage of the opportunity to their benefit...

It is important that as people move from position to position within the organisation, their roles are reviewed which includes what systems they should have access to and what passwords they have ability to use. Master passwords should be changed when people who have had access to those passwords change positions or unfortunately, the above may happen.

Payroll Master File Fraud

2009-07-26T19:16:00.003+10:00

Payroll fraud has been a common fraud for many years and continues to be so. One area of the payroll system susceptible to fraud is the payroll master file. Issues in relation to the payroll master file include the following:

Unauthorised changes being made to a persons pay classification, pay rates, allowances paid.
Adding an additional person on the payroll – ghost employee.
Not removing an employee who no longer works for the organisation from the payroll.
Unauthorised changing of bank account details.

So how do we go about making it difficult for someone to commit fraud using the payroll master file? The following are examples of controls that will help reduce the likelihood of fraud occurring:

Develop an exception report that details any changes made to the payroll at each pay run. The report should be forwarded to someone not in the payroll section and any changes that do not appear reasonable should be investigated.
The person who has authority to make changes to the payroll master files does not have authority to process the regular payroll or have access to this section of the payroll function.
Develop a report that shows any duplicate payments to one employee or one bank account. Again, this report should be forwarded to someone not in the payroll section and anything listed on the report should be investigated.
HR should, on a periodic basis review the payroll for any names of employees that are no longer in the employ of the organisation.

Be aware of red flags

2009-07-19T21:03:00.001+10:00

I find it amazing that every time I do a fraud investigation that I still hear the same comment – “why didn’t we see that”. Every fraud investigation I have done, familiar red flags have been present and unfortunately have gone unnoticed for some time allowing the fraud to go unnoticed.

A red flag is a set of occurrences that are unusual in nature or vary from what would be considered the normal activity of the organisation. It is a signal that something may be wrong or out of the ordinary and needs further investigation. However, it must be remembered that a red flag does not mean that fraud has happened, it is a trigger that something may have happened and therefore the issue needs to be investigated.

There are many red flags. Here are just a few:

unexplained items on reconciliations
inconsistent or vague responses from inquiries made
excess voids or credits
multiple remittance addresses for the same creditor
lack of segregation of duties
infrequent bank deposits allowing cash to accumulate
a delay in issuing of monthly, quarterly or annual financial reports
key financial or operating personnel leaving the organisation
missing assets
questionable handwriting on documents
a poor culture within the organisation

Undertake regular bank reconciliations

2009-07-12T20:56:00.000+10:00

Undertaking regular bank reconciliations is a very useful fraud detection control. How regularly you undertake bank reconciliations should depend on the number of transactions made through the bank account on a daily basis and the value (in dollar terms) of funds flowing through the bank account. The higher the number and value of transactions, the more frequently bank reconciliations should be conducted (eg daily or weekly). Bank reconciliations should be done at least monthly for smaller organisations with few transactions in number and volume.

Any unusual transactions on the bank reconciliation should be investigated immediately. To hide fraud, a person conducting the bank reconciliations will need to ‘force’ the bank reconciliation to reconcile. To do this, one of the methods used is to create a ‘balancing item’ such as an outstanding deposit. However, that deposit remains as a reconciling item from one bank reconciliation to the next, growing in size as the value of the fraud increases over time.

To confirm that the bank account has been reconciled and actually does balance, the bank reconciliation as well as a copy of the last page of the bank statement should be included as part of the board pack provided for each board meeting.

Understand why people commit fraud

2009-07-05T18:22:00.002+10:00

To be able to be in a position to understand how fraud is committed, reduce the likelihood of it happening and if it does, investigate it thoroughly, we must first understand why people commit fraud.

There are four components to why a person commits fraud, as follows:

Pressure

Pressure on the person is the reason people make the decision to commit fraud. Pressure includes:

Living beyond ones means;
Greed;
Poor credit;
Personal financial loss;
Unexpected financial needs.

Rationalisation

Rationalisation is how a person who commits the fraud believes what they are doing is reasonable. It must be remembered that rationalisation is in the mind of the person committing the fraud, not what a reasonable person would consider to be rational. Some of the ways a person committing fraud rationalises what they are doing are as follows:

“It’s only a loan. I’ll pay it back as soon as I can."
“They didn’t give me the pay rise I deserve.”
“Nobody will get hurt. It’s only a company not a person.”

Opportunity

Opportunity is what within the organisation allows the person to commit fraud including a lack of controls, poor culture within the organisation or failure of management to handle fraud appropriately. Consider opportunity as follows:

A perceived opportunity
+
Ability to conceal the fraud
+
Avoidance of it being discovered
+
Avoidance of it being punished
=
Opportunity

Capability

Capability means that a person is able to commit the fraud, for example:

The person’s position in the organisation provides them with the ability to exploit an opportunity to commit fraud that may not be available to others;
The person is smart enough to understand and exploit weaknesses in internal controls and be able to use their position and access to exploit the weakness;
The person has a strong ego and confidence that he/she will not be detected or he/she believes he/she could talk himself/herself out of trouble if caught – a person’s arrogance;
He/she can coerce others to commit or conceal fraud – he/she has a persuasive personality;
He/she lies effectively and consistently – he/she must be able to look management, auditors, investors, bankers and others in the eye and lie convincingly;
He/she deals very well with stress – committing and managing the fraud over time can be very stressful.

Maintain appropriate password security

2009-06-28T21:50:00.003+10:00

One of the most frustrating aspects of using a computer at work is the regular reminders to change your password. However, it is also a very important way of reducing the risk of fraud.

Cracking passwords can be an easy process if good protocols are not put in place.

There are three main ways people will attempt to crack a password – guessing, dictionary attack and brute force attack.

Some passwords can easily be guessed by someone who knows the password holder well. Examples of passwords that may easily be guessed include:

A password being written on a piece of paper and attached to the person’s monitor;
A password not being used at all;
Leaving the password as what was set by the system administration – regularly “password” or “admin”;
A password being the name of a spouse, child or pet;
A password being a person’s favourite type of car, favourite celebrity or band;
A password being a combination of the month and year; or
A password being the person’s name or using their actual login as their password as well.

Many people also use standards words. In this case a dictionary attack will not take long to determine what the password is.

The last option is a brute force attack which will try every combination of letters, numbers and symbols. The time taken to determine the password will depend on the number of characters and the combination of letters, numbers and symbols. By using a combination of letters, numbers and symbols, there are over 100 possible combinations for each character.

It has been estimated that the time taken to crack a password is as follows:

4 characters = 10 seconds
6 characters = 1,000 seconds
7 characters = 1 day
8 characters = 115 days
9 characters = 31 years
10 characters = 3,000 years

So what does this mean? For the best password security:

the greater the number of characters in the password, the better (at least 8);
use a combination of upper and lower case letters, numbers and symbols;
do not use common words;
do not give your password to anyone else;
regularly force users to change their password;
force users to use a minimum number of characters;
force users to use a combination of letters, numbers and characters; and
do not allow the password field to be left blank.

Develop a robust employment screening process

2009-06-21T16:37:00.001+10:00

One method of reducing the risk of fraud in your organisation is to ensure you do not employ a person who has previously been convicted of fraudulent activity. To do this, an organisation should undertake an appropriate employment screening process.

The process should be undertaken prior to the final acceptance of an offer of employment and also when an employee is promoted to a management position.

Examples of the type of screening that should be undertaken are as follows:

Conduct a criminal history check to determine if the person has a previous conviction for a fraud related offence. Consent will be needed by the potential employee to enable such a search to be undertaken;
Verify the potential employees previous work history. Before contacting referees, verify the contact telephone numbers of the referees to ensure you are making contact with the appropriate person;
Verify qualifications. Consent may need to be obtained from the potential employee to enable confirmation to be obtained from educational facilities and professional bodies;
Give the applicant an opportunity to provide reasons for gaps in employment;
Conduct an internet search such as a Google search. It’s amazing what can be found on the internet;
Check social networking sites such as Facebook and Twitter for postings by the potential employee.

Understand what Beyond Reasonable Doubt means

2009-06-14T21:08:00.001+10:00

I have conducted many fraud investigations as well as defending people who have been charged with fraud. Something I see on a regular basis is that a person conducting the investigation does not understand the level of proof they need to obtain. It must be proven “beyond reasonable doubt” that a person has committed fraud. Beyond reasonable doubt is the standard of proof that is used by a magistrate, judge or jury to decide if an accused is guilty or not guilty of a criminal charge.

There are different terms for beyond reasonable doubt depending on the country you are conducting the investigation in. However, the ultimate meaning is the same.

The meaning is the proposition that is being presented by the prosecution must be proven to the extent that there is no reasonable doubt that a reasonable person would, in their own mind, consider the defendant is guilty. To be able to provide this level of proof you should also consider if you need to disprove any possible reasons why a transaction, that is subject to the criminal charge, occurred.

Control the Use of Petty Cash

2009-06-07T15:37:00.001+10:00

What is the Risk?

The risk is that someone claims personal expenses through petty cash or makes fraudulent petty cash claims.

How to Mitigate the Risk

While petty cash may only be a small amount when compared to other assets, it is an easy target for a person contemplating committing fraud for the first time. If the person is able to easily defraud the organisation of petty cash, it may encourage the person to continue to commit fraud.

Steps to reduce the likelihood of petty cash fraud occurring includes:

Develop a policy that clearly sets out what can be claimed through petty cash with a limit on the monetary value able to be claimed;
All claims that are made should have source documents clearly stamped with “Paid” to ensure that they can not be used in a future claim;
All claims made should contain supporting documents (eg. receipts and invoices) of items that have been purchased;
Petty cash should have adequate physical security (eg. locked in a safe);
Put procedures in place to regularly reconcile cash, claims and source documents.

Understand the role of the external auditor

2009-05-31T16:16:00.002+10:00

The role of the external auditor has often been misunderstood. This “expectation gap” has long been explained as being the gap between what the actual requirements and standards required of the auditor and audit process as compared to the expectations of the public as to what an auditor does in the audit process.

It has often been thought that the audit provides certainty as to the accuracy of the financial statements by the auditor undertaking a 100% check of the organisation’s accounts. It has also been thought that auditors should be able to provide early warning if there are solvency problems with the organisation and lastly, it is thought that a primary role of the auditor is to detect fraud.

An example of this can be seen in the BDO Not-for-Profit Fraud Survey 2008. 61% of respondents to the survey gave a reason they did not perceive fraud to be a problem for their organisation was that fraud had not been discovered by the external audit process.

It is important that not-for-profit organisations understand the role of the audit and not to relying solely on the external audit process as a way of detecting fraud. It is also important to consider that auditors, while conducing an audit as per the auditing standards, they are also conducting the audit on a fee paying basis. To undertake an appropriate audit, an appropriate fee is required to be paid.

Auditing standards provide us with guidance as to the auditors’ responsibilities regarding fraud. For example:

“The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment. This involves a commitment to creating a culture of honesty and ethical behaviour which can be reinforced by an active oversight by those charged with governance.” Paragraph 4 of ASA240 (Australian Auditing Standard – The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report)

“The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected. The auditor has no responsibility to plan and perform the audit to obtain reasonable assurance that misstatements, whether caused by errors or fraud, that are not material to the financial statements are detected.“ – SAS99 (US Auditing Standard – Consideration of Fraud in a Financial Statement Audit).

Understand what can and cannot be done to the audit trail of the accounting software

2009-05-24T21:20:00.003+10:00

The audit trail of accounting software can be a very useful tool when conducting a fraud investigation, especially when combined with an appropriate and effective IT Policy. An audit trail provides a history of who has accessed the accounting software and what transactions those people have conducted in the accounting software.

An audit trail allows for the examination of access history by users of the software. It shows what users have accessed or attempted to access as well as what those users have changed. An audit trail can also show when someone attempts to by-pass the security that has been put in place. It can act as a method of detecting fraud if people are aware it is reviewed regularly.

Audit trails can also be used as a method of detecting fraud. By reviewing the audit trail it can show patterns of when a person conducts transactions or even potentially turn the audit trail on and off. When fraud investigations have been undertaken, it has been discovered that the audit trail would be turned off and within a short period of time turned back on. During this time the fraudulent transactions were processed.

An organisation needs to understand the security measures attached to the audit trail, if the audit trail can easily be turned on and off and how to protect the data collected by the audit trail.

If the accounting package being used allows, the organisation should have the IT administrator turn the audit trail on and password protect it so that no user of the software can turn the audit trail off or delete transactions within the audit trail.

Develop appropriate controls over events

2009-05-17T20:15:00.002+10:00

Risk

Funds are lost due to theft during the hectic operations of a special event.

Methods to Mitigate the Risk

Many not-for-profit organisations run large fund raising events which can involve the receipt of large quantities of cash.

Such an event can provide a hectic time with potential for large quantities of cash to be stolen. To ensure all cash received is properly accounted for during such an event, the following safeguards may be of assistance:

Encourage all donations and purchases to be made by credit card.
If donations and purchases are made by cash, ensure controls are in place to control the money that is received (eg. having two people receipting the cash).
Have a separate person register donations and purchases to the receipt of funds so that the two can be reconciled at a later time.

Determine if the organisation wants insurance for fraud

2009-05-09T22:16:00.001+10:00

Fraud can cause significant financial stress to an organisation, including significant cash flow problems. Obtaining fidelity insurance may help with that problem. Fidelity insurance covers an organisation for losses caused as a result of fraud.

An organisation needs to make an informed decision as to whether it wants to maintain fidelity insurance or not. When considering this issue, questions to consider include:

What will the insurer require to enable a payment to be made (ie. Will it require a full investigation to be completed, will the insurer require a conviction?)
How long will it take for the insurer to make a payment? The longer the time it would take, the longer the organisation could suffer financial stress as a result of the fraud.
What is the excess of the claim and what is the maximum payout?
What is excluded from the policy? For example, one policy I saw excluded forgery – this could potentially exclude fraud where an employee forges a signature on an organisations cheque.

Again, an organisation needs to make an informed decision considering the cost of the policy and the benefits that may flow from the policy if a claim is needed to be made.

Develop and maintain a fraud risk register

2009-05-03T16:21:00.001+10:00

Many organisations maintain a Risk Register, but few of these incorporate specific fraud risks and the associated review undertaken for a risk to be placed on the register.

A Fraud Risk Register can usually be developed from the completion of a Fraud Risk Assessment and should incorporate the following:

· A description of the risk;
· Explain the impact of the risk on the organisation if the risk is not mitigated;
· Assessment of the likelihood of the fraud occurring;
· Assessment of the seriousness / consequence of the fraud;
· What actions need to be taken to mitigate the loss;
· Who will be responsible for implementing the actions to mitigate the loss;
· What is the timeline to implement these actions; and
· The checklist for implementing the actions.

A Fraud Risk Register should be updated on a regular basis (preferably on a yearly basis) or at such times as when there is a change in such things as technology (eg. a new computer system) or a change in services provided or grants received.

Develop a fraud recovery plan

2009-04-26T15:25:00.005+10:00

Planning is the key to dealing with any issue. Fraud is no exception – actually planning what your organisation will do if fraud occurs is best done before the event. When fraud occurs it can be very emotional – it is reasonably common that the person who has committed the fraud is a trusted employee / volunteer and considered a ‘friend’. So planning when people are ‘thinking straight’ (ie. Before the fraud has occurred) is the best option.

Many organisations have a Disaster Recovery Plan (and if they don’t they need to develop one of these also!). For example, a Disaster Recovery Plan can set out what should be done if the computer system fails – where can the server be hosted until a new server is purchased, installed and made operational again. Think of a Fraud Recovery Plan in the same way.

So what should an organisation include in a Fraud Recovery Plan. It should be noted that for a Fraud Recovery Plan to work appropriately, the board will need to pre-approve the use of the plan if fraud does occur. This means that the person who is responsible for the plan needs to be able to implement the plan as soon as fraud is discovered without need to first seek approval from the board – the longer it takes to commence an investigation, the increased likelihood of losing evidence.

Following are some ideas of what should be included:

Does the organisation have the internal skills to investigate the fraud. If not, are resources available externally to conduct the investigation and will those skills be available at short notice;
As per the Fraud Control Policy, the matter should be reported to the police. Therefore, who will liaise with the police in relation to the fraud;
Who will deal with the terminating of the employment of the person who committed the fraud. Will the organisation request the assistance of their lawyers in this regard.
If the organisation has insurance against fraud, what is the excess on the policy, what is the maximum amount able to be claimed and when does the insurer need to be notified of the fraud;
Will the organisation be at risk of losing funding such as government grants;
Will the organisation be at risk of having cash flow problems? If so, is it possible to gain a temporary increase in any overdraft facility;
How will other employees and volunteers be advised of what has happened; and
How do you manage any reputation risk that the organisation may suffer, such as how will the organisation deal with the media should it become known that fraud has occurred or should the organisation issue a media release about the issue.

Clearly set out what your organisation defines fraud to mean

2009-04-18T21:08:00.004+10:00

There are many definitions of fraud. However, to deter and detect fraud, an organisation needs to clearly define what fraud means to them and maintain a consistent definition across the Fraud Control Policy and any other policy or Code of Conduct where the definition may appear.

Examples of definitions of fraud are as follows.

Butterworths Concise Australian Legal Dictionary defines fraud as:

An intentional dishonest act or omission done with the purpose of deceiving.

Paragraph 9 of ASA 240, the Australian Auditing Standard on The Auditor’s Responsibility to Consider Fraud in an Audit of a Financial Report states:

The term “fraud” refers to an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage. Although fraud is a broad legal concept, for the purposes of this Auditors Standard, the auditor is concerned with fraud that causes a material misstatement in the financial report. Auditors do not make legal determinations of whether fraud has actually occurred. Fraud involving one or more members of management or those charged with governance is referred to as “management fraud”; fraud involving only employees of the entity is referred to as “employee fraud”. In either case, there may be collusion within the entity or with third parties outside of the entity.

Australia Standard AS8001-2008, Fraud and Corruption Control, defines fraud as:

Dishonest activity causing actual or potential financial loss to any person or entity including theft of moneys or other property by employees or persons external to the entity and where deception is used at the time, immediately before or immediately following the activity. This also includes the deliberate falsification, concealment, destruction or use of falsified documentation used or intended for use for a normal business purpose or the improper use of information or position for personal financial benefit.

Section 408C of the Queensland Criminal Code (this is the definition I work with mostly as Queensland is my home state) defines the criminal offense of fraud as follows:

A person who dishonestly applies to his or her own use or to the use of any person:

Property belonging to another; or
Property belonging to the person, or which is in the person’s possession, either solely or jointly with another person, subject to a trust, direction or condition or on account of any other person; or
Obtains property from any person; or
Induces any person to deliver property to any person; or
Gains a benefit or advantage, pecuniary or otherwise, for any person; or
Causes a detriment, pecuniary or otherwise, to any person; or
Induces any person to do any act with the person is lawfully entitled to abstain from doing; or
Induces any person to abstain from doing any act which that person is lawfully entitled to do; or
Makes off, knowing that payment on the spot is required or expected for any property lawfully supplied or returned or for any service lawfully provided, without having paid and with intent to avoid payment;

commits the crime or fraud.

When selecting a definition of fraud to use in your anti-fraud program, you need to select a definition that best suits the size and type of your organisation. Do not be afraid to use the definition of fraud as it appears in the criminal legislation in your country or state if a criminal charge of “fraud” is clearly defined.

Develop a series of exception reports and act on any exceptions

2009-04-12T19:04:00.002+10:00

There are often many red flags which, in hindsight, are obvious to those who are left to deal with the aftermath of the fraud.

Risk

The risk is that fraud could be discovered but is not, as the organisation does not recognise the red flags associated with the fraud due to not having approriate exception reporting in place.

Methods to Mitigate the Risk

An organisation should be prepared to develop a series of exception reports that highlight red flags of fraud.

It must be remembered that red flags are just that. They indicate a potential problem. However, if the potential problems are not recognised and then investigated the fraud, if it is occuring, will continue to occur. For that reason, any red flags that are highlighted by the exception reports, need to be investigated.

An example of an exception report is to consider if employees have created false creditors which are being paid by the organisation. To do this involves electronically comparing employee and creditor bank account numbers, street addresses, postal addresses, post codes/zip codes, telephone numbers and mobile / call phone numbers (especially those employees in the accounts payable and payroll departments).

Another simple exception report is to consider variances between actuals to budgets for income that is below budget and expenses that are above budget.

It should be noted that there are numerous exception reports that can be utilised by an organisation. Each organisation should determine which exception reports are appropriate to them.

To make exception reporting easier, it can be computerised. An organisation should take the time to set up the exception reports that are appropriate. Once this initial investment of time has been made, the exception reports can easily be run on a regular basis. Then the investment of time will be investigating exceptions as they arise.

Utilise an Exit Checklist when Employees Leave

2009-04-05T00:03:00.002+10:00

Many organisations use an exit checklist when an employee and/or volunteer leave. However, it needs to be comprehensive so that it covers all areas that could cause detriment to the organisation.

When employees and / or volunteers leave the organisation, it is important that they no longer have access to the organisation’s information and no longer have possession of assets of the organisation.

Risk

The risk is that someone who leaves uses their previously provided information and/or assets to cause detriment to the organisation. This can be done in a number of ways. For example:

Remotely accessing a member list and deleting important information or obtaining a copy of the information for future use;
Remotely access client information that should remain confidential and allow that information to be released to the public damaging the reputation of the organisation;
Accessing the organisation’s premises to cause physical damage;
Keeping assets they are not entitled to keep; or
Incurring expenses after they have ceased employment.

Methods to Mitigate the Risk

A checklist should be established for when an employee (and in some instances a volunteer) leaves the organisation. The checklist should include all items that need to be returned to the organisation, all authorisations that need to be cancelled and any other matters that should be addressed. This is so an ex employee (or volunteer) cannot defraud the organisation after they leave.

The following is a list (but not an exhaustive list) of matters that should be included:

· Items to be handed back to the organisation:

o Corporate Credit Card

o Laptop / computer / modem / AV equipment etc

o Thumb drives / external hard drives and any other external storage devices

o Software

o Mobile phones and accessories

o Internet connection equipment

o Manuals

o Car and car keys (including all items that should be in the car (eg. First aid kit)

o Fuel card

o Keys / access card to the building, office, cupboards and filing cabinets

o Security tokens for online banking, email access and any other remote access requirements

o Staff identification card and name tag

o Uniforms

· To be changed / closed

o All computer access restricted both in the office and remotely

o Taken off the bank accounts as a signatory

o Password for online banking cancelled

o Security codes for access to the office / building cancelled

It must be remembered that the above are examples only, and a full list of items included on an Exit Checklist will vary from organisation to organisation.

Maintain appropriate controls over assets

2009-03-29T09:16:00.002+10:00

Assets can be a significant investment for many organisations. Ensuring the security of those assets is important, especially considering the different types of assets an organisation has.

Risk

The risk is that assets are taken by employees and / or volunteers and / or external parties of the organisation for personal use and not returned (in effect, the theft of the assets).

Methods to Mitigate the Risk

When developing controls over assets, the following should be considered:

Small assets should be secured by using locks or similar security measures where appropriate (for example, a security lock attaching a laptop to a desk);
All assets should be tagged with an Asset Number;
An Asset Register should be maintained. The Register should include the following information - Asset Tag number, Description of the asset, Date of purchase, Warranty information, Location of the asset.
Stock takes of assets should be undertaken at least yearly and any discrepancies to the Asset Register should be investigated. The stock take and investigation of discrepancies should be undertaken by a person who is not responsible for the recording of assets in the Asset Register.
If an asset is to be disposed of, it can only be removed from the Asset Register with a properly authorised Asset Disposal Form having been completed as required by the Asset Disposal Policy. Refer to my Blog post on 26 January 2009.

Determine if controls in place are detection or prevention controls

2009-03-22T20:03:00.001+10:00

When developing a set of internal controls or reviewing the current internal controls in place in an organisation, it is important to determine if the organisation has a balance of prevention as well as detection controls.

Prevention controls are those controls that reduce the likelihood of fraud occurring or “prevent” the fraud from occurring. Detection controls are effectively a “back-up” control and are there to detect fraud if the prevention controls have not been effective and have allowed the fraud to occur. Detection controls that are in place should allow for the fraud to be detected as quickly as possible.

Prevention controls can be split into two types – macro and micro prevention controls.

Macro prevention controls are those controls at a strategic level that are in place to prevent fraud from occurring. Examples of macro prevention controls include:

Having a board and management structure that lead by example – this is regularly referred to as the “tone at the top”. If the board and management of the organisation do not support fraud prevention and control in the organisation, it is difficult to have employees and volunteers support it.
Having an appropriate fraud control plan / strategy in place which employees and volunteers are aware of and receive appropriate training on. This allows employees and volunteers to understand that fraud is not acceptable within the organisation.
Having an ethical organisational culture within the organisation. It is important to understand the value of having an ethical organisational culture when it comes to fraud prevention. An ethical organisational culture is considered by organisations to be a primary factor in reducing the risk of fraud.[1]

Micro prevention controls are those controls that effect the day to day operations of the organisation. Examples of micro prevention controls include:

Segregation of duties. For example, the requirement to have two people process and approve a payment makes it more difficult for one person to commit fraud unless there is collusion involved or the person committing the fraud by-passes the second person, for example by forging the person’s signature approving the payment.
Having two cheque signatories or two passwords required for internet banking again makes it more difficult for an individual to commit fraud.

Examples of detection controls include:

Undertaking bank reconciliations on a regular basis and investigating any discrepancies that arise. For example, a common method of hiding a fraud is to “force” a bank reconciliation to reconcile (eg. to include incorrect entries, have a deposit outstanding for more than one reconciliation, have an outstanding deposit increase from one reconciliation to another). By having the bank reconciliation reviewed on a regular basis and conducting an investigation of any discrepancies can allow fraud to be discovered quickly.
Prepare realistic budgets and compare actuals to budgets on a regular basis and investigate discrepancies.
Conduct exception reporting and investigate discrepancies that arise.

[1] BDO Not-for-Profit Fraud Survey 2008, Chart 5.5, page 66.

Secure non cash donations received

2009-03-15T19:44:00.004+10:00

Many organisations will receive non cash donations (for example from bequests) of expensive items such as jewelry. These items are easy targets for employees and/or volunteers to steal.

Risk

The risk is that an employee or volunteer either does not pay for or pays undervalue for an item that has been donated to the organisation for the purpose of sale so as to raise funds for the organisation.

Methods to Mitigate the Risk

To reduce the likelihood of this occurring, the following steps could be taken:

Have all donations of jewelry and other small valuable items sent directly to a valuer or auctioneer rather than to your organisation’s office. The valuer or auctioneer can catalogue items which provides independent verification that the items have been received and the value of those items;

Set a policy that states one of the following:

Employees / volunteers and their immediate families cannot purchase these types of donations in any circumstances;
Employees / volunteers cannot purchase these types of donations unless it is at auction; or
Employees / volunteers can purchase these types of donations before auction but only at the valuation / reserve price set by the valuer.

Reduced cash receipts = reduced cash theft

2009-02-23T20:54:00.002+10:00

According to the BDO Not-for-Profit Fraud Surveys cash theft is the most prevelant form of fraud.

Risk

Cash is an easier target to defraud than funds that have been deposited into a bank account.

Methods to Mitigate the Risk

Many organisations accept cash donations, membership fees or other income. Cash can easily be taken, is difficult to trace and is therefore a significant risk to fraud. To reduce the risk of cash theft, encourage deposits directly into the organisations bank account as first preference, or otherwise donate or pay by credit card (of course credit card fees will need to be considered).

Of course, controls must then be maintained over the relevant bank accounts to ensure cheque fraud or online payment fraud does not occur.

Do your employees and volunteers know your policies?

2009-02-16T21:11:00.012+10:00

It is surprising the number of times when undertaking a fraud investigation and the person being investigated says “I didn’t know I couldn’t do that”. It’s hard to understand how someone could think that doing such things as fuelling their private car with the organisation’s fuel card or paying for a family dinner on the organisation’s credit card is not acceptable. However, it is regularly an excuse that is heard.

Risk

The risk is that an employee or volunteer, when being investigated for fraud, will use excuses such as:

"I didn't know I couldn't do that"; or
"No one told me that wasn't acceptable".

Methods to Mitigate the Risk

It is important that employees and volunteers understand the organisations policies. Firstly, it is important that the organisation has appropriate policies in place. No matter what the size of the organisation, policies should be in place – policies suitable to the size of the organisation that is.

Once appropriate policies are in place, there are a number of ways an organisation can make sure employees and volunteers understand their policies. Examples include:

Develop a training program that employees and volunteers are required to attend. When attending, the employees and volunteers are required to sign an attendance sheet confirming their attendance at the training and a declaration of their understanding of the policies.
Provide online training on the organisation’s intranet whereby employees and volunteers are ‘tested’ as to their understanding of policies and test results are maintained for future reference.
Have employees and volunteers sign a declaration on a yearly basis (at the time of an annual performance appraisal or similar is an appropriate time) declaring that they have read and understood the organisation’s policies. Policies will need to be readily available to employees and volunteers so that they can have appropriate time to familiarise themselves with the policies.
All new employees and volunteers should also receive training on the organisation’s policies and sign an appropriate declaration of their understanding of the policies.

Using Internet Banking

2009-02-08T21:06:00.004+10:00

Online banking is a convenient and cost effective method of paying creditors and employees. However, online banking fraud is on the increase. The BDO Not-for-Profit Fraud Survey 2008 found that online banking fraud had increased to 8% of all fraud reported from 3% in 2006. This is in contrast to the decrease in cheque fraud from 10% of all fraud reported in 2006 to 5% in 2008.

Risk

Organisations do not take appropriate controls over their online banking facilities and leave themselves open to not only internal fraud but also external risks such as having the facility hacked.

Methods to Mitigate the Risk

As more and more organisations embrace the use of online banking rather than using cheques, it is understandable that online banking fraud will also be on the rise. Some of the issues to be considered in relation to online banking fraud are as follows:

Many organisations have long had a requirement that two signatures were required on cheques. However, when transferring to online banking they only set up one password or if there are two passwords, both password holders know both passwords. An organisation should consider the use of a password for online banking in the same light as they do a signature on a cheque. A cheque signatory would not allow another person to sign a cheque using their signature (this is forgery), so why would they give their password to another person? Unfortunately it happens. At all times, a person having a password to online banking should never give that password to anyone else. An Online Banking Policy should clearly set out that the holder of a password will not provide that password to another person.
The use of security tokens should be introduced. Security tokens are provided by financial institutions as a second security step or second level of authorisation. When a person logs onto online banking they will enter their user name and password. The number that is showing on the security token is then required. Even if someone discovered the password to the account, the security token number is constantly changing.
Only ever log onto internet banking on a familiar computer (ie. One that you know is appropriately protected with firewalls and anti-virus software). Online banking has made it easier for organisations, as a person authorising the online banking payments can log in from any location to do so. However, the password holder needs to be confident that the computer he or she is using does not have a virus that could jeopardisea the security of their internet banking.

Never forget the Mission of the Organsation

2009-02-02T17:13:00.003+10:00

A not-for-profit organisation’s mission is the reason for its existence. Funds are raised to ensure it can undertake its mission. When funds are lost to fraud, the organisation is unable to undertake its mission to the organisations fullest potential.

Risk

The organisation’s funds are not able to be utilised in meeting the mission of the organisation as they are taken by the person defrauding the organisation. Also, a subsidiary risk is that when an organisation discovers a person (be it a paid employee or a volunteer) commits fraud against the organisation, the organisation takes pity on the person and does not take appropriate action, to the detriment of the organisation.

Methods to Mitigate the Risk

The charitable nature of not-for-profit organisations can mean that they sometimes will take pity on a person who commits fraud (especially if that person has some form of problem such as a gambling addiction or serious illness). The concern is that when it is discovered that a person has committed a fraud, the person does not have their employment terminated, but is shifted to a different position within the organisation so that they will not be tempted to commit the same fraud again. It is interesting to note that the BDO Not-for-Profit Fraud Survey 2008 found that 20% of organisations did not terminate the employment of the person who committed the fraud.

It is not only the fraud that takes much needed funds away from the mission of an organisation. It must also be remembered that there are a number of additional costs to the organisation as a result of fraud. For example, the time it takes someone internally to investigate the fraud or the physical cost to bring external expertise into the organisation to conduct the investigation, time taken during the court process, an increase in insurance costs as a result of a claim being made and the potential loss of funding (eg. donations or grants). It is difficult to put a dollar value on these additional costs but they all take funds and time away from the mission of the organisation. However, a significant issue to consider is how the reputation of the organisation will be affected as a result of the fraud.

Whenever an organisation considers the issue of fraud and what actions should be taken as a result of fraud occurring, the mission of the organisation should be front of mind. By not terminating the employment of a person who has committed fraud (even if they show remorse and repay the money) there is an opportunity for the person to reoffend. It also sends the wrong message to other employees and volunteers, which may result in more fraud being committed. Once again this takes funds away from the mission of the organisation.

To protect its mission statement, an organisation should include the following statements in its Fraud Control Policy:

The mission of the organisation is the reason for its existence, therefore fraud will not be tolerated as it takes much needed funds away from its mission;
An employee who commits fraud will have their employment terminated;
The organisation will take all actions possible (if it is economically viable to do so) to recover funds from the perpetrator of the fraud.

Disposing of Assets

2009-01-26T21:58:00.006+10:00

Assets can be a significant investment for an organisation. Those assets can have value to the organisation at the time those assets are due to be disposed of.

Risk

The risk is that assets that may have a value to the organisation at the time of disposal are not disposed of in a method that is in the best interests of the organisation.

Methods of Mitigate the Risk

An organisation should set out a clear policy on how assets of the organisation will be disposed of when they are not longer needed by the organisation.

If the asset has some value the organisation needs to clearly define what is to happen. A transparent method of disposal needs to be in place. Examples of this include:

Motor Vehicles – It may be decided that all motor vehicles that are no longer needed by the organisation will be sold at auction and that any employees or volunteers wishing to purchase a vehicle may do so but only through the auction process;

Computers – It may be decided that all computers be sent to auction when they are to be disposed of and employees or volunteers wishing to purchase a computer may do so but only through the auction process; or
It may be decided that employees or volunteers can ‘purchase’ a computer when its useful life has been reached by the organisation. Any such purchase price could be a pre-determined percentage of the original purchase price.

In general if the asset is something that will have no value if attempted to be sold, it can be appropriate to allow employees and / or volunteers to take the asset at no cost. However this needs to be done transparently. For example a disposal form is completed and the employee and / or volunteer signs the form acknowledging that they have received to asset in a ‘as is’ condition. The form can then be used as a reason for the asset to be written off / removed from the asset register.

Corporate Credit Cards

2009-01-18T21:22:00.007+10:00

Many organisations use corporate credit cards which provide the card holders with a convenient way of conducting business. Rather than not issuing corporate credits cards in fear of fraud, policies and procedures can be put in place that can reduce the likelihood of fraud occurring.

Risk

The risk is that someone misuses their corporate credit card by using it to pay personal expenses and then either claiming the invoice is work related or altering the invoice to make it appear to be business related.

Methods to Mitigate the Risk

Corporate credit cards can easily be misused in the hands of the wrong person. Potential fraud can be minimised by taking some extra steps. These include:

Have a written policy on the distribution and use of corporate credit cards. Employees who are provided with corporate credit cards should be required to sign the Corporate Credit Card Policy to acknowledge their understanding of what is required of them to hold the corporate credit card.

Determine who actually needs corporate credit cards and obtain credit cards only for those people. If people only have an infrequent need to use a corporate credit card, they could utilise their own credit card or cash and have the cost reimbursed with the appropriate documentation.

Set spending limits per person and not just have the same limit for everyone. By setting limits per individuals’ requirements, the organisation limits the maximum amount of fraud that can be perpetrated using the credit cards. As an example, it may be determined that the Chief Executive Officer only requires $2,000 per month, while a Purchasing Manager may require $10,000 per month. An organisation should not be afraid to set such limits.

Corporate credit cards should only be used for business expenditure. What constitutes inappropriate use should be clearly set out.

All expenses charged to corporate credit cards need to be supported with appropriate documents such as invoices.

Be aware of peak risk periods. Consider this example. It is ‘back to school time’. An employee usually computers for the organisation. However, at the start of the school year the employee adds a laptop that never makes it to the organisation but instead ‘falls into’ their childs school bags.

The cardholder should sign off on monthly credit card statements that all expenditure is for business purposes only. This can be done by the cardholder signing either a form attached to the statement or a stamp placed on the credit card statement that states words to the effect: - “All expenses charged on this statement are business related and are not personal in nature.”

Do not allow cash withdrawals to be made on corporate credit cards including over the counter withdrawals at the bank or at an automatic teller machine. If a person is traveling overseas and needs cash for local currency, provide them with cash separately and require them to acquit the cash provided.

Credit card statements should be approved for payment by an appropriate person after the cardholder has substantiated all expenses with appropriate documentation and verified that all expenditure is business related.

When an employee resigns, an exit checklist should include the return of a corporate credit card.

Not-for-Profit Fraud Surveys

2009-01-17T21:31:00.006+10:00

In 2005, I realised that there was very little data on the extent of fraud in the not-for-profit sector. For that reason, I wanted to conduct research into the sector to determine just how prevelant fraud was. The result of this was the BDO Not-for-Profit Fraud Survey 2006. The survey was done in conjunction with Not-for-Profit Network and Queensland University of Technology. In 2008, the second BDO Not-for-Profit Fraud Survey was released, in conjunction with Not-for-Profit Network, Queensland University of Queensland and a new partner in the University of Southern Queensland.

The surveys provide information on the amount of fraud occurring in not-for-profit organisations in Australia and New Zealand and how important not-for-profits consider fraud prevention to be. To enable the research to be ongoing, it is intended for this research to be conducted every two years with the aim of expanding the research beyond Australia and New Zealand.

To download the fraud surveys, please follow the links below:

BDO Not-for-Profit Fraud Survey 2008

BDO Not-for-Profit Fraud Survey 2006

Welcome

2009-01-17T20:56:00.004+10:00

Welcome to my Fraud in NFP Blog. The Blog is dedicated to the issues associated with fraud in the not-for-profit sector. From my experiences over the last 20 years, in investigating fraud in the not-for-profit sector, fraud can have a significant impact on a not-for-profit organisation – more so than if a ‘for profit’ organisation suffers a fraud. Fraud can lead to bad publicity, the loss of donations, the loss of government grants and many other issues.

My hope is that my Blog will give you useful ideas that will help you and your not-for-profit organisation prevent fraud from occurring and if it does occur, then enable you to discover it quickly to reduce the damage it causes.

Lisa Bundesen