Online CLE Helping Nonprofit Clients Avoid and Manage Embezzlement 1 General CLE credit From the Oregon State Bar CLE seminar Safeguarding Oregon Nonprofits, presented on November 12, 2020 © 2020 Susan Bower, Lottie Zorn, CPA. All rights reserved.

Helping Nonprofit Clients Avoid and Manage Embezzlement

Chapter 1

Presentation Slides: Helping Nonprofit Clients Avoid and Manage Embezzlement

Susan Bower
Oregon Department of Justice
Charitable Activities Section
Portland, Oregon

Lottie Zorn, CPA
Charitable Audit Coordinator
Oregon Department of Justice
Charitable Activities Section
Portland, Oregon

Helping Nonprofit Clients Avoid and Manage Embezzlement

OREGON DEPARTMENT OF JUSTICE

CHARITABLE ACTIVITIES SECTION

SUSAN A. BOWER, AAG
LOTTIE ZORN, CPA

Introductions

Instructors

Function of Charitable Activities Section

Course Objectives

Why nonprofits are vulnerable to embezzlement

How to reduce the risk of embezzlement

How to detect embezzlement

What to do when embezzlement occurs

Tales from the Trenches

Case summary: Trifling Trustee

• Charitable trust fund created solely to provide college scholarships to low-income students
• Trustee had full control of assets, no oversight, wife terminally ill, son with addiction issues
• DOJ audit:
    $200,000 total expenses
    $167,000 trustee personal spending
    $33,000 actual scholarships paid

Result: repayment, AVC, lifetime ban

Tales from the Trenches

Case summary: Stealing from Sick Kids

• Nonprofit established to support diseased children
• Executive director was trusted with all financial tasks while facing divorce and gambling addiction
• No board oversight, no bank statement review, no budget/financial analysis
• Fraud was undetected until the bank called to say that the savings account was empty
• DOJ audit:
    At least $670,000 embezzled over 7 yrs

Result: 3 years prison, AVC, lifetime ban

Fraud Facts - Losses

Average duration of fraud scheme – 14 months (Average duration of payroll scheme – 24 months)

Median loss across all industries - $125,000

Median loss to nonprofits - $75,000

2020 Report to the Nations, Association of Certified Fraud Examiners

Fraud Facts – Perpetrators at Nonprofits

Director/Executive – 39% of cases
Median loss of $250,000

Manager/Supervisor – 35% of cases
Median loss of $95,000

Employee – 23% of cases
Median loss of $21,000

2020 Report to the Nations, Association of Certified Fraud Examiners

Fraud Dynamics

Why Nonprofits Are Targets

Fewer resources and smaller staff

Mission-focused and over-reliant on trust

Inattentive or unskilled board

Low salaries may amplify financial crisis or rationalization

Fraud Types in Nonprofits

2020 Report to the Nations, Association of Certified Fraud Examiners

Corruption 41%

Billing 30%

Expense reimbursements 23%

Cash on hand 17%

Noncash 16%

Skimming 15%

Check and payment tampering 14%

Cash larceny 12%

Payroll 12%

Other

Ways to Reduce Risk of Fraud

• Create an atmosphere of accountability
• Safeguard your assets
• Implement internal controls
• Watch for red flags

Create Accountability

• Active board oversight
• Strong compliance program
• Ethics training at all levels
• Encourage whistleblowers

Safeguard Assets

• Physical safeguards
• Digital safeguards
• Inventories
• Theft/forgery insurance

Internal Controls:

POLICIES

•Risk analysis and response

•General financial controls

•Conflicts of interest

•Data protection

•Financial reports and budgets

•Documentation of control activities

Internal Controls:

ACTIONS

•Segregation of duties

•Background checks

•Monitor financial accounts

•Regular account reconciliation

•Cash and noncash income sources

•Inventories

•Timesheet controls

•Sporadic self-audits

•Talk to donors and clients

•Analyze variances

Revenue and Cash:

Know your sources of funds and how to protect each source

Grant funds

Contract payments

Cash donations (money, checks, credit)

Noncash donations (goods, stocks, software, professional services, free rent, advertising)

Special events

Thrift stores and other enterprises

Conduct random audits and perform analytics

Debit and Credit Cards

• Limit the number of cards issued

• Set spending limits on each card

• Have written agreements with each card holder

• Require original receipts for every purchase

• Someone other than card holder should review and reconcile statements monthly

• Cancel cards immediately when the card holder separates from the organization

Disbursements

• Documentation: invoice, contract, or similar writing required for all payments
• Separation of duties: Someone other than the person writing the check (or digital payment) should review and approve
• Automated controls: bank notifications, positive pay
• Employee reimbursements: require pre-approval, original receipts

Timesheets and Payroll

Payroll is often the organization’s biggest expense and greatest risk

• Timesheet review and approval

• Payroll report review and approval

• Documentation of hiring rates, raises, terminations, draws

• Sporadic audits for ghost employees, unauthorized raises, duplicate checks, unpaid draws

Budgets: A key internal control

Should be developed in advance

Can be revised within reason

Help maintain compliance with grant/contract spending requirements

Board and management should be familiar with the budget and notice deviations

Compare budget to actuals; compare current period to prior periods; adjust expectations when warranted

Ask questions and inspect supporting documentation

Require Regular Financial Reports

Financial Reports should be prepared regularly and promptly

Late or missing financial reports are a red flag

Analytics are a key detection method:

• Compare results to expectations, prior periods, similar organizations, and market trends

• Compare actuals to budget

• Ask questions and inspect supporting documentation

Documentation: if it isn’t documented, it didn’t happen

• Sign and date every review/authorization

• Organize and maintain the filing system

• Have and follow a document retention & back-up policy

• Prepare for the unexpected, e.g.: illness or separation of key employees, natural disasters, loss of key information due to fraud

Conflict of Interest Policies

•Corruption (e.g., bribery, kickbacks, conflicts of interest) is the most common form of nonprofit fraud

•Organizations should have a written conflict of interest policy

•Directors must understand and apply the policy

•Board minutes should reflect how and when the policy is implemented

Data Protection

• Limit and monitor access to critical systems

• Every user should have a separate login

• Log out when not at your station

• Protect and control mobile devices (phones, tablets)

Data Protection:

CONTINUED

• Random system audits to ensure no unauthorized access, stale accounts, compromised data

• Train all users to prevent digital theft, phishing, social engineering

• Cancel access immediately when the user separates from the organization or suspicious activity is discovered

• Regular system back-ups

Remote Work Security: A Brief Overview

Physical Security

Locked doors, line-of-sight privacy, no devices left unattended/in cars, document protection

Technical Security

No public WiFi, use VPNs, separation of personal/employer devices, encryption, external drives/hardware

Cyber Attacks

Phishing, social engineering, spear phishing, whaling, links, attachments, hijacking, ransomware, thumb-drive drops

Oregon Data Breach Laws

Oregon Consumer Identity Theft Protection Act: ORS 646A.600 through 646A.628

It covers: Giving a breach notice, freezes on credit reports, no public display of SSNs, data security requirements

Enforcement: DCBS and DOJ

Oregon Data Breach Reporting

Must notify within 45 days: All persons compromised by the breach

If 250+ persons compromised: Must also notify the Attorney General

Searchable database of breaches: https://justice.oregon.gov/consumer/databreach/

Detecting Fraud

Means of Detection

2020 Report to the Nations, Association of Certified Fraud Examiners

Tips 40%

Internal Audit 17%

Management Review 13%

By Accident 7%

Document Review 6%

Other

Organizational Red Flags

Unusual/unexplained revenue decrease or expense increase

Lack of receipts/invoices for reimbursements/bill payments

Disorganized financial records

Equipment, inventory, or petty cash is missing

Vendors or employees don’t have legitimate contact information

Complaints from donors or clients

Employee Behavioral Red Flags

Living Beyond Means

Financial/Emotional Difficulties

Unusually Close Vendor/Client Relations

Unwilling to Share Duties

Irritability/Defensiveness

Overwork/refusing vacation

What to Do If Embezzlement Occurs

Action Steps:

MITIGATE

o Secure documents and assets

o Rescind digital and physical access of suspects

o Notify the Board of Directors

o Assess the need for confidentiality

o Engage experts (outside counsel, forensic accountant, digital expert)

Action Steps:

INVESTIGATE

o Contact ODOJ – we can help

o Police report if appropriate

o Investigate facts and losses

o Identify/interview witnesses

o Documentation

Action Steps:

OBVIATE

o Recover funds/assets

o Identify weaknesses that may have precipitated the loss

o Anticipate employment law issues

o Anticipate liability issues

o Take steps to prevent future occurrences

Action Steps:

COMMUNICATE

o Inform stakeholders

o Inform major funders

o Press releases

o Form 990 disclosures

o Disqualified persons

A Few Resources

Oregon Department of Justice Charitable Activities www.doj.state.or.us/charitable-activities/

Committee of Sponsoring Organizations of the Treadway Commission (COSO) www.coso.org

Oregon Department of Justice Consumer Protection Division data breach page https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/

National Council of Nonprofits www.councilofnonprofits.org

Nonprofit Association of Oregon www.nonprofitoregon.org

CPA Hall Talk: How to Lessen Segregation of Duties Problems https://cpahalltalk.com/how-to-overcome-segregation-of-duties/

Association of Certified Fraud Examiners: www.acfe.com

Thank you!

Susan A. [email protected] Department of Justice
Charitable Activities Section
100 SW Market Street
Portland, OR 97201
971.673.1940

Lottie [email protected] Department of Justice
Charitable Activities Section
100 SW Market Street
Portland OR 97201
971.673.1922