External audits are essential tools to help uncover critical information about a Not-For-Profit’s financial standing and overall health. Although auditors adhere to a strong, mandated protocol to test the internal controls of an organization, there are some limitations to the process. Many organization leaders and staff believe it is the external auditor’s responsibility to detect fraud that has occurred as a result of employee dishonesty. It is also a common misconception that a clean opinion means that no fraud has been identified. Contrary to these assumptions, the external audit is only one component of the comprehensive plan that every Not-For-Profit (NFP) must have in place to prevent employee dishonesty and respond effectively when it is suspected or discovered. This plan starts with the Board of Directors, who accepts responsibility for its creation, design, management and oversight. The obligation also lies on the Board to set the tone from the top-down that employee dishonesty cannot be tolerated.
Where Fraud Occurs in Not-for-Profit Organizations
Employee dishonesty can occur in a few different operational areas in an NFP organization. These money hot spots are where payments are handled, checks are written and goods are stored. Therefore, cash and payment operations, accounts payable, fundraising collections, payroll and purchasing are key areas of focus in the dishonesty prevention process. Often these areas are short-staffed due to tight budgets, and it is common for management to overlook the risk of theft that can ensue where very few employees cover many sensitive jobs at a time. The danger is then further compounded when one or two trusted employees have administrative access and password control over specialty department and accounting software. These employees have the potential to use their power to manipulate the financial reports as a way to hide their dishonesty from the Board.
How to Prevent Employee Dishonesty
Preventing employee dishonesty rests on an effective internal control system that is tailored to the organization and includes an adequate separation of duties among the employees operating sensitive controls. When separation of duties cannot be effectively realized, managers need to intervene personally to provide compensating controls.
A practical program starts with a clear understanding of how the financial system works. Often written policies and procedures do not reflect how the organization really gets the job done. While this analysis usually occurs in the Finance Department, it should be expanded to include all departments that handle cash, collect payments, and order and receive goods. Many NFPs find it helpful to start by creating a map that documents the flow of paper through the financial functions of the organization and connects them with people responsible for handling these tasks. Control issues quickly become apparent from this map, and these are the areas where management should focus their attention.
For example, an accounts payable clerk may have the ability to create and approve a new vendor. The same clerk may also be responsible to receive an invoice from a vendor, approve a voucher, and create and sign a check. These functions must be separated, or at least regularly audited, because a ghost vendor can easily be paid in this poorly controlled system. Another example of a system that would need reworking would be if the human resources manager’s duties include inputting employees into the payroll system, creating timecards and distributing paychecks. This creates the opportunity for the individual to create a ghost employee and administer payment to them over many payroll cycles.
Once the deficiencies in the control system are identified, the operational system should be reorganized to provide check and balances to approval, custody, recordkeeping and reconciliation functions. Personnel should be cross trained in several financial functions and rotated at least semi-annually. To drive rotation, many NFPs require personnel to take vacations and alternate staff to fill the job over a week. Don’t forget to integrate all departments that handle funds.
All NFPs should install an effective whistleblower system. Employee dishonesty is most often discovered through a tip from another employee. The system must be anonymous without fear of reprisal, and employees need to see that valid and vetted tips are recognized and acted upon by management.
Fraud Happens: Planning for the Organization’s Response Is Critical
The worst day in any professional administrator’s work life is news that a fraud is suspected or known. Usually the reaction is fear that a career may be lost, betrayal that a trusted employee or vendor could do such a thing, and panic as to what to do next. Emotions run high and mistakes are inevitably made that can jeopardize the future of the organization. Most NFPs are simply not prepared to handle the situation professionally because they believe it could not happen to them―so they do not plan for this eventuality. This is a myth: fraud indeed happens to almost every organization at some time, and the way it will be handled must be planned in advance. Similar to how a government body carefully prepares their response to a natural disaster, an NFP must be ready to address fraud as soon as it happens.
Every NFP should complete the preparedness process, a step that is as critical as the prevention plan. Once the organization receives credible information about possible fraud, a designated “need-to-know” group should be assembled that will manage the investigation from start to finish. Managing does not mean conducting the investigation, but rather assuming responsibility for credibility of any tips, engagement of the best legal advice possible, managing the scope and conduct of the inquiry and preserving evidence and chain of custody. This group will take the lead in decisions related to administrative leave, the potential use of a public relations consultant and engagement of forensics experts. The members should also act as the liaisons between the organization and law enforcement.
The work of this team must be confidential, including the work of the team members conducting the investigation. The investigation should be limited to the evidence at hand and should avoid pursuing fruitless claims. Based on the evidence obtained, and in consultation with counsel, the team could pursue restitution through a civil action or by filing an insurance claim.
There are many benefits to this type of planning, but the greatest is the NFP’s ability to report to its stakeholders that it is in control and working productively to solve a problem in a way that will prevent fraud risk in the future. Every organization faces the inevitable act of employee dishonesty. Creating a prevention plan and actively working that plan creates a hostile environment for fraud and will limit its occurrence. Not to mention, creating a plan to deal with an incident limits the fallout from a bad actor.