Nonprofit organizations have been a popular topic in the news in the past few weeks. Unfortunately, these articles did not feature the many positive accomplishments of nonprofits. First, there was a front page article in The Washington Post concerning required disclosures on Form 990 of significant diversions of assets. More recently, another feature article in the Post described a $5 million embezzlement from a nonprofit organization headquartered in Washington, DC. Both articles drew attention to the need for solid, functioning internal controls in nonprofit organizations by highlighting the possible consequences of not having such controls.
It’s not necessarily shocking that there are “diversions” of assets from nonprofit organizations. For-profit organizations are also subject to diversions but, unlike nonprofits, are not required to disclose them. In addition, grantors, rating agencies and other groups actively promote or require low rates of administrative spending as evidence of good management. Unfortunately, these low rates are sometimes artificially low, resulting in a serious lack of capacity to effectively handle the accounting and internal control needs of nonprofit organizations.
The multi-million dollar embezzlement case highlighted in the Post appears to be more of a case of internal controls that were just not functioning. This case does not involve any new technology or sophisticated procedures. It appears to be a plain vanilla accounts payable fraud. The controls to prevent this sort of fraud are uncomplicated and can be used by most nonprofit organizations regardless of size.
In an accounts payable fraud, the employee has the ability to approve invoices for payment and is able to have the prepared checks returned to her after signing. These two seemingly small steps allow him/her to create fictitious vendors, whose names often mimic real vendor names, approve the payments to these vendors and receive the checks so that they are not mailed to the real vendors.
Preventing this type of fraud requires just a few steps. First, do not allow checks to be returned to either the person that approved the invoice or wrote the check. After signing, all checks should be mailed to the vendor by someone outside the accounts payable function. It can be done by a receptionist, administrative assistant or even a volunteer. This simple control procedure reduces the chances of a check going to a fake vendor.
Another important control is to separate the approval of invoices from the ability to create vendors in the accounting system. This makes it difficult to create and use duplicate or fake vendors. In addition, it’s a good practice to have an annual review of the vendor list. This review can be coordinated with preparation for 1099s.
Look for any vendors that are not currently being used and have them changed to an inactive status. Also review the list for vendors whose names are only shown as initials or an acronym. Vendors with duplicate names or names that are similar to other vendors should be investigated and may need to be eliminated with any activity transferred to the correct vendor name.
The vendor list should include addresses and EINs. Multiple vendors with the same address or EIN should also be investigated. An annual “clean up” of the vendor list can help reduce both mailing errors and the chances of fraud.
In the short run, a good system of internal controls may cost more and adversely affect an organization’s expense ratios. In the long run, it can prevent a much more expensive fraud.
©2014 Renner and Company, CPA, P.C., all rights reserved.