48
Nonprofits are Not Exempt From Fraud Marie Schmitz, CPA October 2, 2015
Nonprofits are Not Exempt From Fraud
Marie Schmitz, CPA
October 2, 2015
1
bergankdv.com
Nonprofits are Not Exempt from Fraud
Is it fraud?
2
bergankdv.com
Nonprofits are Not Exempt from Fraud
Agenda
• Fraud fundamentals
• Fraud statistics
• Role of external auditor
• Preventing and detecting fraud
• Risk assessment
• Questions
3
bergankdv.com
Nonprofits are Not Exempt from Fraud
Fraud fundamentals
Definition of fraud• Dishonesty calculated for advantage• Deception intended to result in financial or
personal gain• Deliberate misuse or misapplication of the
employing organizations resources or assets.
4
bergankdv.com
Nonprofits are Not Exempt from Fraud
Fraud fundamentals
Types of fraud• Misappropriation of assets
• Skimming• Financial statement fraud
5
bergankdv.com
Nonprofits are Not Exempt from Fraud
Fraud fundamentals
Recent charges/cases • Bill Davis, Minneapolis Community Action and his son Jordan Davis
• Charges of alleged theft and fraud for misusing $250,000 in taxpayer money.
• Roberta Barnes, Agape House for Mothers (“Agape”) and Sierra Young Family Institute (“Sierra”)• Spent more than $460,000 of the grant funds on personal
expenses for herself and her family; she attempted to conceal her fraud scheme by creating fraudulent invoices that reflected false expenses incurred by Agape and Sierra..
5
bergankdv.com
Nonprofits are Not Exempt from Fraud
Fraud fundamentals
How fraud happens• Starts small• Inconsistency
• Application of controls• Accountability
• Trust
Reference:http://www.asaecenter.org/Resources/ANowDetail.cfm?ItemNumber=644445
6
bergankdv.com
Nonprofits are Not Exempt from Fraud
Fraud fundamentals
7
bergankdv.com
Nonprofits are Not Exempt from Fraud
Fraud fundamentals
5 areas employee fraud commonly occurs:• Purchase-to-pay• Corporate credit cards• Payroll• Sales and receivables• Information systems and critical data
Reference:http://ww2.cfo.com/accounting-tax/2013/11/top-five-areas-monitor-employee-fraud/
8
bergankdv.com
Nonprofits are Not Exempt from Fraud
Fraud fundamentals
Why nonprofits are more susceptible to fraud?• Often place excessive control in their founder, executive director, or substantial
contributor.• Often allocate limited resources to accounting, internal controls, and financial oversight.• Often have many volunteers working in the organization who are privy to confidential
information.• Frequently have all-volunteer boards of directors, with little or no financial oversight
expertise.• Typically have nonreciprocal transactions, such as charitable contributions, that are easier
to steal than other sources of revenue where there is consideration exchanged.• Highly susceptible to the effects of negative publicity and, therefore, are reluctant to
report, or even discuss, fraud when it occurs.
Reference:http://www.eisneramper.com/non-profits-fraud-0410.aspx#sthash.XTGUhNH4.dpufhttp://mpninc.com/pdf/Case%20Studies%20in%20Employee%20Fraud.pdf
9
bergankdv.com
Nonprofits are Not Exempt from Fraud
Fraud statistics
2014 Global Fraud Study – ACFE (Association of Certified Fraud Examiners)
Summary of findings:• Typical organization loses 5% of revenues each
year to fraud• Median loss caused by frauds was $145,000
Reference:Report to the Nations on Occupational Fraud and Abuse: 2014 Global Fraud Study, ACFE
10
bergankdv.com
Nonprofits are Not Exempt from Fraud
11
bergankdv.com
Nonprofits are Not Exempt from Fraud
12
bergankdv.com
Nonprofits are Not Exempt from Fraud
Fraud statistics
Summary of findings - continued:• Median duration was 18 months• 85% - Misappropriation of assets• 9% - Financial statement fraud• Over 40% of cases detected by tips
Reference:Report to the Nations on Occupational Fraud and Abuse: 2014 Global Fraud Study, ACFE
13
bergankdv.com
Nonprofits are Not Exempt from Fraud
14
bergankdv.com
Nonprofits are Not Exempt from Fraud
15
bergankdv.com
Nonprofits are Not Exempt from Fraud
8
bergankdv.com
Nonprofits are Not Exempt from Fraud
Fraud fundamentals
Impacts of fraud• Costs are not just monetary• Negative publicity• Employee moral• Disrupted operations
Reference:http://www.raffa.com/Fraud/Resources/Pages/Fraud-Fundamentals-How-Your-Association-Can-Prevent-and-Detect-It.aspxhttp://mpninc.com/pdf/Case%20Studies%20in%20Employee%20Fraud.pdf
16
bergankdv.com
Nonprofits are Not Exempt from Fraud
Role of external auditor
Responsibility:• Provide reasonable assurance that the financial
statements are free of material misrepresentations• Do not guarantee that the organization is free from
fraud
17
bergankdv.com
Nonprofits are Not Exempt from Fraud
Role of external auditor
Risk based audit planning process:• Detection of fraud not primary purpose• Top down approach• Internal planning meeting• Specific tests to cover risks
• Inquiry• Focused testing
18
bergankdv.com
Nonprofits are Not Exempt from Fraud
Preventing and detecting fraud
Internal control categories• Preventive• Detective• Monitoring
Reference:http://www.raffa.com/Fraud/Resources/Pages/Fraud-Fundamentals-How-Your-Association-Can-Prevent-and-Detect-It.aspx
19
bergankdv.com
Nonprofits are Not Exempt from Fraud
Preventing and detecting fraud
Preventive control examples:• Segregation of asset handling and recordkeeping
duties• Physical security over cash and other assets• Pre-reimbursement expense report review and
approval• Dual signatures on checks
Reference:http://www.raffa.com/Fraud/Resources/Pages/Fraud-Fundamentals-How-Your-Association-Can-Prevent-and-Detect-It.aspx
20
bergankdv.com
Nonprofits are Not Exempt from Fraud
Preventing and detecting fraud
Detective control examples:• Bank reconciliations• Automated user access and edit logs for computer
systems • Master vendor list audits• Periodic inventories• Whistleblower hotlines or other reporting
mechanismsReference:http://www.raffa.com/Fraud/Resources/Pages/Fraud-Fundamentals-How-Your-Association-Can-Prevent-and-Detect-It.aspx
21
bergankdv.com
Nonprofits are Not Exempt from Fraud
Preventing and detecting fraud
Monitoring control examples:• Comparing monthly and quarterly financial activity
to budgeted activity• Review of monthly and quarterly expenses• Review of account reconciliations • Review compliance with policies set in place
Reference:http://www.blueandco.com/nfp_12062012.html
22
bergankdv.com
Nonprofits are Not Exempt from Fraud
Preventing and detecting fraud
Other means to prevent fraud• Diligent background checks• Recurring fraud-risk assessments
Reference:http://www.asaecenter.org/Resources/ANowDetail.cfm?ItemNumber=644445
23
bergankdv.com
Nonprofits are Not Exempt from Fraud
Preventing and detecting fraud
What if fraud is discovered?• Follow organization plan• Never assume controls are sufficient• Seek professionals
• Attorney• Forensic accountant
Reference:http://www.raffa.com/Fraud/Resources/Pages/Fraud-Fundamentals-How-Your-Association-Can-Prevent-and-Detect-It.aspx
24
bergankdv.com
Nonprofits are Not Exempt from Fraud
Preventing and detecting fraud
What can you do now?• Foster culture• Educate yourself about fraud• Evaluate fraud risk and design controls to match• Have a good fraud prevention policy and program
(including hotline)
References:http://www.raffa.com/Fraud/Resources/Pages/Fraud-Fundamentals-How-Your-Association-Can-Prevent-and-Detect-It.aspxhttp://www.councilofnonprofits.org/files/YH%20-%20Fraud%20+%20EO%20Final.pdf
25
bergankdv.com
Nonprofits are Not Exempt from Fraud
Preventing and detecting fraud
What can you do now - continued?• Have a well-developed fraud management plan • Identify the role of board members• Perform internal audits or spot checks
References:http://www.raffa.com/Fraud/Resources/Pages/Fraud-Fundamentals-How-Your-Association-Can-Prevent-and-Detect-It.aspxhttp://www.councilofnonprofits.org/files/YH%20-%20Fraud%20+%20EO%20Final.pdf
26
bergankdv.com
Nonprofits are Not Exempt from Fraud
Is it fraud?
27
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
• Are you hearing about Enterprise Risk Management (ERM) initiatives?• Prevalent since early 1990s in corporate America and more recently in the
nonprofit sector.
• What is ERM in simple terms?• Identifying risks,• Prioritizing risks, • Developing plans to mitigate risks
• Drivers for ERM• Accelerating pace of social and technological change,• Complexity of a digitized and globalized business environment,• Evolving regulatory demands have intensified
27
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
• Trends• Success
• Identifying and prioritizing risks• Generating high level reports
• Falters• Lack of common approach or framework• Don’t understand the benefits and goals
• Tips• Involve the entire team• Identify risks early• Communicate, communicate, communicate• Analyze and prioritize then reprioritize• Plan and implement risk responses • Developing plans to mitigate risks
27
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
• Risk = the chance of something happening that will have an impact on objectives.
• Important to understand what the objectives are prior to attempting to analyze the risks.
• Risk Management = the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analyzing, assessing, treating, monitoring and communicating.
• Risk management can be applied to all levels of an organization, in both the strategic and operational contexts, to specific projects, decisions and recognized risk areas.
References:http://scu.edu.au/risk_management/index.php/2
28
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
A simple process
1. Identify the risks:
Most nonprofit organizations will share the same type of broad risks that can be generally described as follows:• Internal or external fraud• Misuse of assets• Inadequate monitoring or understanding of investments• Incomplete, unreliable or improperly reported information• Damage to reputation caused by a variety of potential factors• Violation of legal requirements• Government investigations or audits
References:http://scu.edu.au/risk_management/index.php/2http://nonprofitquarterly.org/2012/05/08/risky-business-why-all-nonprofits-should-periodically-assess-their-risk/
29
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
A simple process
2. Identify the causes: • Try to identify what might cause these things to occur
• Example: the key team member might be disillusioned with his/her position, might be head hunted to go elsewhere; the person upon whom you are relying for information might be very busy, going on leave or notoriously slow in supplying such data; the supervisor required to approve the undertaking might be risk averse and need extra convincing before taking the risk etc.
References:http://scu.edu.au/risk_management/index.php/2
30
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
A simple process
3. Identify the controls: • Identify all the things (controls) that you have in place that are aimed at
reducing the likelihood of your risks from happening in the first place and, if they do happen, what you have in place to reduce their impact (consequence) • Example: providing a friendly work environment for your team; multi-
skill across the team to reduce the reliance on one person; stress the need for the required information to be supplied in a timely manner; send a reminder before the deadline; provide additional information to the supervisor before he/she asks for it etc.
References:http://scu.edu.au/risk_management/index.php/2
31
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
A simple process
4. Establish your likelihood and consequence descriptors, remembering that these depend upon the context of your analysis
• i.e.. if your analysis relates to your work unit, any financial loss or loss of a key staff member, for example, will have a greater impact on that work unit than it will have on the Organization as a whole so those descriptors used for the whole-of-Organization (strategic) context will generally not be appropriate for the work unit or the individual
• Example: a loss of $300,000 might be considered insignificant to the Organization, but it could very well be catastrophic to your work unit.
References:http://scu.edu.au/risk_management/index.php/2
32
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessmentRisk Likelihood Descriptors
33
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessmentRisk Consequence Descriptors
34
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
A simple process
5. Establish your risk rating descriptors: • What is meant by a Low, Moderate, High or Extreme Risk
needs to be decided upon ahead of time.
References:http://scu.edu.au/risk_management/index.php/2
35
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessmentRisk Rating Descriptors
36
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
A simple process
6. Add other controls: • Generally speaking, any risk that is rated as High or Extreme should
have additional controls applied to it in order to reduce it to an acceptable level.
• What the appropriate additional controls might be, whether they can be afforded, what priority might be placed on them etc. is something for the group to determine.
References:http://scu.edu.au/risk_management/index.php/2
37
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
A simple process
7. Make a Decision: • Once the above process is complete, if there are still some risks that are
rated as High or Extreme, a decision has to be made as to whether the activity will go ahead.
• There will be occasions when the risks are higher than preferred but there may be nothing more that can be done to mitigate that risk• Example: they are out of the control of the work unit but the
activity must still be carried out. In such situations, monitoring the circumstances and regular review is essential.
References:http://scu.edu.au/risk_management/index.php/2
38
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
Risk treatment• Identifying the range of options for treating risk, • Assessing those options, • Preparing risk treatment plans, and• Implementing them
The options available for the treatment of risks include:• Retain/accept the risk • Reduce the likelihood of the risk occurring• Reduce the consequences of the risk occurring• Transfer the risk • Avoid the risk
References:http://scu.edu.au/risk_management/index.php/2
39
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
A simple process
8. Monitor and Review: • The monitoring of all risks and regular review of the
unit's risk profile is an essential element for a successful risk management program.
References:http://scu.edu.au/risk_management/index.php/2
39
bergankdv.com
Nonprofits are Not Exempt from Fraud
Risk assessment
A simple process
8. Monitor and Review: • Regardless of size and sophistication you should consider:
• Segregation of duties• Set payment controls• Conduct due diligence and legal review• Conduct audits (external and internal)• Implement and follow strong internal policies• Set the right tone at the top
40
bergankdv.com
Nonprofits are Not Exempt from Fraud
41
bergankdv.com
Nonprofits are Not Exempt from Fraud
Questions?
42
bergankdv.com
Nonprofits are Not Exempt from Fraud
Contact
Marie Schmitz, CPA, CGMAAudit DirectorNonprofit Industry Group [email protected]
