Few execs would leave the office unlocked at the end of the day. Even fewer would leave some signed blank checks on top of their desk on the way out. Everyone is familiar with the security precautions that keep our organization’s property safe, and the procedures that control traditional financial transactions.
Today, however, financial transactions are changing. Nonprofits are saving time and money paying bills online, collecting fees by electronic transfer or on the website, paying employees by direct deposit, and more. The challenge is, as we say goodbye to paper, we’re also saying goodbye to our traditional internal control procedures. Though electronic transactions are efficient, they can completely bypass traditional controls designed for the paper world. You may put two signatures on every check, but if your controller can go back to his office and pay bills online without further approval, even three signatures on a check won’t prevent or detect fraud. As you adopt new electronic financial processes in your organization, ask yourself: are you leaving a window open for fraud?
Your bank accounts are also vulnerable to “dive bombing” attacks from outsiders. The same banking information you provide to someone sending you an electronic funds transfer can be used by criminals to prepare fraudulent checks and ACH requests. Sophisticated hackers use phishing schemes to try to attach malware to your laptop, enabling them to eavesdrop on your passwords and logins. They then use that information to take over your accounts, writing checks and even approving them through your check verification service. These types of attacks are on the rise and nonprofits are increasingly at risk.
Our biggest risk may not be from the outside. According to the Association of Certified Fraud Examiners, most frauds are occupational frauds. Many victims are smaller organizations without good separation of duties. So while news stories of outsiders attacking bank accounts are alarming, the fraud we may be most likely to experience is embezzlement. Frequently, we read about frauds in the news where a trusted employee used the authority of his position to divert funds for personal purposes. Electronic transactions can make it that much easier to divert funds if the window is left open for fraud.
Smaller nonprofits feel the most pressure. Without the resources to spend on internal control procedures, many are tempted to give up on controlling transactions in today’s environment. Is that advisable? How important is internal control? The answer is: it depends. The importance of internal control depends on the degree of risk, and the need for accountability.
A single business owner who controls his own money has little risk of embezzlement. His business model demands little accountability other than to himself. For him, internal control is not very important. With low risk and little need for accountability, the sole proprietor can decide whether or not he wishes to implement internal control procedures.
However, in a nonprofit, the risk of embezzlement is much higher. All transactions are conducted by non-owners. In addition, we all know that the nonprofit environment demands a great deal of accountability. Nonprofits are accountable to their Boards, their members, donors, grantors, to the IRS and to the general public. These factors make internal control very important in the nonprofit environment. With high risk and great need for accountability, nonprofit execs and Board members can’t ignore the need to safeguard the organization’s assets with adequate internal control procedures.
Nonprofits can close the window on fraud by following a simple maintenance routine. Inspect your transaction processes annually, and look for new areas that require new controls. Take a walk through your business cycle and ask: if an unauthorized transaction occurred here, how would we know? Ensure that procedures are adequate to cover both the risk of inside fraud and the risk of outside fraud. The controls you develop to prevent or detect embezzlement will also detect fraud by outsiders. Let’s see how the maintenance routine works in these common transaction areas:
Online Payments–If your controller initiated an unauthorized payment through online bill paying, how would you know? Some free online bill paying platforms allow users to prepare payment transactions and then release them without further approval. This is like leaving a stack of signed blank checks out on your desk. Fortunately, many banks offer more than one online bill paying platform.
- Close the window on fraud by choosing the banking platform that offers multiple levels of permission. Using a password generator token, one individual has permission to prepare payments but not release them. Another individual reviews and releases the payments.
If someone initiated a fraudulent check or ACH payment out of your account, how would you know? Anyone with your banking information can present a fraudulent check or ACH on your account.
- Close the window on fraud by utilizing the protection services offered by your bank. Sign up for your bank’s check verification service. You tell the bank what checks you approved and the bank will only honor those checks.
- Sign up for ACH blocks or filters. Your bank will block all ACH requests, or will only honor ACH payments from vendors you have approved in advance.
- U need a UPIC. Ask your bank to assign you a Universal Payment Identification Code that allows you to receive electronic funds transfers without revealing your bank routing number or account number. The UPIC can’t be used to make withdrawals.
- Use online access to watch the daily activity in your account. It sounds simple, but it’s the best way to keep an eye out for unauthorized transactions.
Website Collections–If an insider diverted some of your website collections into another account, how would you know? Individuals with authorization control the destination of website sales deposits. Some vehicles for website collections allow cash to accumulate in a separate account until transferred, and payments can be made out of this account without detection. Individuals in your organization who are authorized to make refunds can initiate fraudulent refunds to their own credit cards.
- Close the window on fraud by comparing a report of website activity to bank deposits internally.
- Watch for activity in the cash reservoir if you have one. Be sure the account is emptied regularly and that any payments made out of it are identified and recorded on the books.
- Control credit card refunds with a refund authorization program.
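The checks in this list can be run as a routine comparison of exported reports. The following Python example is an addition to the article, not the author's own procedure; the record layout, batch identifiers, account labels and the rule that a refund must return to the card used for the original sale are assumptions, and all sample data is constructed.

```python
from collections import defaultdict
from decimal import Decimal as D

# Constructed sample data; field names and account labels are hypothetical.
ORG_ACCOUNT = "ORG-OPERATING"   # the nonprofit's own bank account
SITE_ACTIVITY = [               # report of website sales and refunds
    {"id": "T1", "batch": "B1", "kind": "sale", "amount": D("250.00"), "card": "1111"},
    {"id": "T2", "batch": "B1", "kind": "sale", "amount": D("100.00"), "card": "2222"},
    {"id": "T3", "batch": "B2", "kind": "sale", "amount": D("500.00"), "card": "3333"},
    {"id": "T4", "batch": "B2", "kind": "refund", "amount": D("75.00"), "card": "9999",
     "refunds": "T2", "approved_by": None},
]
PAYOUTS = [                     # transfers out of the holding ("reservoir") account
    {"batch": "B1", "amount": D("350.00"), "destination": "ORG-OPERATING"},
    {"batch": "B2", "amount": D("300.00"), "destination": "ORG-OPERATING"},
    {"batch": "B2", "amount": D("125.00"), "destination": "EXT-4471"},
]
BANK_DEPOSITS = [{"batch": "B1", "amount": D("350.00")},
                 {"batch": "B2", "amount": D("300.00")}]

def reconcile(activity, payouts, deposits, org_account=ORG_ACCOUNT):
    """Return a list of findings; an empty list means everything ties out."""
    findings = []
    sales = {t["id"]: t for t in activity if t["kind"] == "sale"}
    expected = defaultdict(D)   # net collections the bank should show per batch
    for t in activity:
        if t["kind"] == "sale":
            expected[t["batch"]] += t["amount"]
            continue
        expected[t["batch"]] -= t["amount"]
        original = sales.get(t.get("refunds"))
        # Assumed rule: a refund goes back to the card that paid the original sale.
        if original is None or original["card"] != t["card"]:
            findings.append(("refund_card_mismatch", t["id"]))
        if not t.get("approved_by"):
            findings.append(("refund_not_authorized", t["id"]))
    for p in payouts:           # money leaving the reservoir for another account
        if p["destination"] != org_account:
            findings.append(("payout_to_unknown_account", p["batch"], p["destination"]))
    deposited = defaultdict(D)
    for d in deposits:
        deposited[d["batch"]] += d["amount"]
    for batch in sorted(set(expected) | set(deposited)):
        gap = expected[batch] - deposited[batch]
        if gap != 0:            # website collections that never reached the bank
            findings.append(("deposit_gap", batch, gap))
    return findings

if __name__ == "__main__":
    for finding in reconcile(SITE_ACTIVITY, PAYOUTS, BANK_DEPOSITS):
        print(finding)
```

The comparison is only a control if it is run by someone other than the individuals who can change the deposit destination or issue refunds.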
Online Payroll–If an insider gave themselves a bonus or a raise, or used a terminated or fake employee to deposit extra pay into their bank account, how would you know? When your employees are paid by direct deposit, the individual who transmits payroll to the payroll service is effectively a check signer. Some payroll service platforms permit users to initiate payroll and then release payroll without further approval. Fortunately, many payroll services offer more than one platform.
- Close the window on fraud by choosing the payroll platform that offers multiple levels of permission. One individual is authorized to set up payroll transactions and another individual is authorized to review and release the transactions.
Today’s electronic transactions offer significant opportunities for nonprofits to save time and money. However, these new transaction processes bring a new set of risks. Nonprofit execs and Board members have a duty to be sure new controls are in place to keep assets safe. To review your risks, ask yourself the questions above, and use the answers to close the window on fraud.
Joan M. Renner, CPA, CGMA, has been providing audit and accounting services to nonprofits for more than thirty years. She is a Shareholder in Renner and Company, CPA, P.C. in Alexandria, Virginia, where she is in charge of the firm’s services to not-for-profit organizations. A graduate of the McIntyre School of Commerce at the University of Virginia, she has been a leader in bringing quality financial information to the nonprofit community through firm seminars, professional conferences and as Chair of a number of nonprofit Boards. Joan and her husband, John, were named Living Legends of Alexandria in 2010.
©2014 Renner and Company, CPA, P.C. all rights reserved.