I recently moderated a session at an association meeting, “The Role of Internal Controls in Preventing Bank Fraud”. The speakers included a Bank Examiner, a CPA and the CEO of a nonprofit agency. They provided a nice balance of different points of view, which resulted in a good discussion.
Internal and external vulnerabilities
One thing quickly became apparent: there are really two avenues for bank fraud, internal and external, and there are different activities or functions that a nonprofit should put in place to reduce the chance of fraud. All of these apply to government agencies as well. I’m going to spend the rest of this post on internal issues and will add a later post on external issues.
Cash Receipts, Accounts Payable and Payroll - 3 Critical Areas to Review
For internal fraud there are three areas that must be managed: Cash Receipts, Accounts Payable and Payroll. Each provides an opportunity for individuals to divert funds illegally, and in all cases separation of duties and multiple eyes on activity reduce the chance for fraud.
The most vulnerable area is probably cash receipts - especially if the organization handles cash - but even checks are subject to misuse. With cash receipts it’s critical to have a separate person handle the initial receipts and log them in a book or spreadsheet. Then the receipts should be forwarded to a second person to enter into the accounting system and batch into deposits. The deposits should be reconciled to the original log. Even in a small organization these duties can be separated. I’ve seen the ED’s assistant and front desk clerks do the original opening of envelopes and logging of the receipts, for example.
The second area to review is Accounts Payable, where two kinds of fraud can take place: fraudulent charges and redirected payments. In the first case extra bills are slipped in from a dummy company or for services not really rendered. An employee puts them into a run and they get approved because they look correct or are similar to other charges from real vendors. I have heard of this going on for a long time, as once it’s started the manager gets used to seeing bills from the fraudulent vendor. The best solution for this is to have the operating departments approve all invoices prior to payment and to have a fiscal review. If an agency is large enough to support it, this should be one of the functions of the internal auditor: to spot check invoices and determine that the services or supplies were actually delivered. Even in a small organization there should be two reviewers/approvers for all invoices. If the invoices and payments are for the finance department, perhaps the Executive Director should review their bills for appropriateness and validity. Fraudulent charges are an important area to monitor, as it can be easy to slip in a bill if the review and approval steps are not in place.
Redirected payments is the third area to monitor for fraud. Typically this happens either by substituting the vendor name on the check for valid bills, or by cutting extra checks. Again, with the flow of funds through a bank account and the fact that checks don’t even get returned anymore, it can be difficult to capture this fraud.
There are several actions an organization can take to reduce this. First, separate invoice entry and payment selection from the person who actually cuts the checks. If the AP clerk is doing entry and preparing the check run, have a second person actually run the check run and compare it to the preliminary register. The names and amounts should be the same. Treat it as a batch to be reconciled and require that the preliminary register be delivered with the checks to be signed. If, because of volume, software that signs the checks up to a limit is used, it’s even more important to have the payment batch reviewed by a second party. Some software records the name actually printed on the check as part of creating the check record. In this case a final register should also be printed showing the stored vendor name.
Part of this process should also be to track all check numbers in a batch and from batch to batch. If there are missing check numbers, determine why there are breaks. This may not stop someone from cutting a check manually and not including it in the system, but this will show up quickly during the reconciliation and will reduce it to a one-time occurrence. Most of the new systems utilize blank stock and print the entire check. This helps with fraud prevention as there are no preprinted checks sitting around to steal. The down side is there are no pre-printed numbers to monitor, but as long as someone can get your bank transit and account number, having pre-printed stock won’t stop them.
One way to catch redirected fraud more quickly is through the use of “Positive Pay”, available from most banks. To do this, after every check run you upload a file to your bank that lists the check number, date, amount and vendor name of all checks cut. If a check is presented that doesn’t match the file, the bank will notify you and provide a copy of the check for your review. This is also discussed in external fraud, but it’s just as relevant for redirected or extra checks that may be created by an employee.
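The check-run reconciliation and check-number tracking described above can be done by the second reviewer with a short script. This is an added example, not something from the session or from any accounting package; the `Check` record, the function names and the sample registers are assumptions constructed for illustration.

```python
from decimal import Decimal
from typing import NamedTuple


class Check(NamedTuple):
    number: int
    payee: str
    amount: Decimal


def reconcile_batch(preliminary, final):
    """Compare approved checks (preliminary register) with printed checks (final register)."""
    approved = {c.number: c for c in preliminary}
    findings = []
    for printed in final:
        expected = approved.pop(printed.number, None)
        if expected is None:
            findings.append((printed.number, "extra check, not on preliminary register"))
            continue
        if printed.payee.strip().lower() != expected.payee.strip().lower():
            findings.append((printed.number, "payee differs"))
        if printed.amount != expected.amount:
            findings.append((printed.number, "amount differs"))
    # Anything still in `approved` was selected for payment but never printed.
    findings += [(n, "approved but not printed") for n in sorted(approved)]
    return findings


def missing_check_numbers(last_number_prior_batch, batches):
    """Return breaks in the check-number sequence within and across batches."""
    used = {c.number for batch in batches for c in batch}
    if not used:
        return []
    return [n for n in range(last_number_prior_batch + 1, max(used) + 1) if n not in used]


# Constructed sample registers: check 1002 has a substituted payee and 1005 is an extra check.
PRELIM = [Check(1001, "Acme Office Supply", Decimal("412.50")),
          Check(1002, "City Water Dept", Decimal("88.10")),
          Check(1003, "Northside Printing", Decimal("1250.00"))]
FINAL = [Check(1001, "Acme Office Supply", Decimal("412.50")),
         Check(1002, "J. Smith", Decimal("88.10")),
         Check(1003, "Northside Printing", Decimal("1250.00")),
         Check(1005, "Acme Office Supply", Decimal("300.00"))]

if __name__ == "__main__":
    for number, issue in reconcile_batch(PRELIM, FINAL):
        print(number, issue)
    print("missing check numbers:", missing_check_numbers(1000, [FINAL]))
```

The person who runs this should be someone other than the clerk who entered the invoices, and the final register should be exported from the stored check records rather than retyped.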
Redundancy of processes
One recurring theme you’ve probably noticed in the advice above is the need for redundancy in processes, so that one person isn’t controlling all of the steps in any one cash-related activity. It’s much harder to defraud an organization when multiple staff are involved in these activities. In a larger organization it’s easier to provide these controls; however, it’s possible and essential to do them in smaller organizations.
The next posting will talk more about preventing externally instigated fraud.