Of course, an ounce of prevention is worth a pound of cure. As part of a comprehensive risk management plan, an organization should have certain internal controls in place to prevent employee theft. “Nonprofits are not defenseless against charitable asset diversion.”
Effective Internal Controls
There is no “one-size-fits-all” model for every entity; appropriate precautions depend on the size and the complexity of the organization and its financial management systems. But accounting and security experts generally suggest a number of steps that can be taken to prevent fraud and embezzlement or to detect it in progress.
These are among the most frequently recommended:
- Dual Signatures and Authorizations
Require two signatures for every check over a specified amount, as well as two signatures on every authorization or other payment. If possible, have someone else – an administrative assistant, for instance – bring the checks to each of the signers, so there is an intermediary serving as a buffer.
- Back-up Documentation
Require backup documentation – an invoice or document demonstrating the transaction is appropriate – for each request for a check or for a cash disbursement. For costs over a specified amount, require prior written approval from two people for credit card payments, and require documentary proof of the reason for the expense.
With credit cards, require prior written approval, again from two individuals, for costs estimated to exceed a certain amount. Require backup documentation demonstrating the need for the expense. The person using the card should not be the one approving the credit-card use. “Multiple layers of approval will make it far more difficult for embezzlers to steal from the organization.”
- Segregation of Duties
“Hand-in-hand with multiple authorizations goes the segregation of duties.” Create a system where different people prepare payment records, authorize payments, disburse funds, reconcile bank statements, and review credit card statements. Make sure that duties concerning money coming into the organization are handled by more than one person. “No single individual should receive, deposit, record, and reconcile the receipt of funds.”
- Automated Controls
Take advantage of available electronic notifications to alert more than one senior member of the organization about bank account activity, balance thresholds, and wire notifications.
- Fixed Asset Inventories
At regular intervals, conduct fixed asset inventories to determine if any equipment or other property is missing.
- Audits and Board-Level Oversight
Schedule regular external audits to ensure these controls are effective.
Establish audit committees of the board of directors, preferably with at least one person familiar with finance and accounting who will serve as primary monitor of these anti-fraud measures. In lieu of an audit committee, recruit a CPA or other financially knowledgeable person to serve on the board.
Periodically bring in an outside expert – for instance, a CPA experienced in conducting fraud audits and in evaluating internal control systems.
- Encourage Whistleblowers
Draft and adopt a written whistleblower policy. In Whistleblower Policy and Nonprofits (August 12, 2015), we explained this requirement. An organization “must develop, adopt, and disclose a formal process to deal with complaints and prevent retaliation.” It must “take any employee complaints seriously, investigate the situation, and fix any problems or justify why corrections are not necessary.”
Create a “comprehensive and vigorous compliance program, … tailored to the organization, with a written code of ethics,” and regular training. Include “real consequences for violations of the policy, have an effective reporting mechanism, and be periodically audited to ensure its effectiveness.”
The kindly school library clerk, whose pilfering exploits were described in our earlier post, was able to walk off with $300,000 from the Clinton Valley Little League precisely because that tiny organization had neglected to put in place even a single item in this list of recommended controls.
Make sure that your organization doesn’t make the same mistake.
— Linda J. Rosenthal, J.D., FPLG Information & Research Director