Unlock the Ideal Security Bill Format for NPOs with airSlate SignNow

Security bill format for NPOs

nonprofits and fraud protecting the people you serve was a live webinar that was originally produced on Thursday May 25th 2017 the presenters for this presentation were Janice Snyder David hammerberg and Jim shellenberger all with mcconley Asbury enjoy this webinar recap and visit us online at .pa.com for more information about our future events thank you Tyler my name is Janice Snider and I'm a partner and M con Asbury and I lead our audit segment I spend a significant amount of my time serving nonprofit organizations as well as healthc Care organizations so I'm pleased to be here today with two of my colleagues and I'll turn it over to Dave thanks Janice my name is Dave herberg I'm a principal at mcky Asbury been here a couple years 17 and uh I head up the fraud segment uh handle fraud investigations and as well as do some uh Security reviews and we are also doing this uh webinar with Jim shellenberger thank you Dave Jim shellenberger I'm a principal with the group have not been here as long as Dave so those on the call can figure out the the math I'm a little bit younger than him been here been here 15 years uh and I I concentrate my practice in the not for-profit area as well as uh working a lot with Janice and some others in the affordable housing industry as well so glad to be here and look forward to spending the next 50 minutes with everybody talking about fraud so Dave I'm G to kick it back to you and let you go over some stuff thank you Jim before we get into the agenda I thought I'd just uh put a slide up here for news headlines um it seems like uh every day we're getting or every week at least we're getting new headlines of different frauds um and here are just three that are fairly current uh Pennsylvania recently prosecuted 45 people for welfare fraud uh they're hoping to eventually receive $315,000 315,000 in restitution we'll see how that goes um but again the fraudsters were charged with fently receiving public assistance so um again these are just current events um the second one man stole more than 6,000 from Boy Scouts now we've done uh a few investigations similar to this um in this case the individual stole um from two uh I think it was a uh a troop and a Cub Scout um and total of 6,000 and it doesn't sound like a lot but if you think of a budget for a troop it's not a ton of money so 6,000 could be a quarter you know a third of the of the budget or maybe even more maybe even more I don't think so so um that's significant and um that individual you know is stealing not only from other kids but his son most likely so it's uh it almost makes chills up your back that someone could be a little that devious um former PTO president the next one this one we've actually uh investigated PTO in the past uh this uh former PTO president stole $8.4 th000 from the teacher school supply over two school years so again8 $8,000 budget in a uh from a PTO is significant it's a lot of pencils and erasers Dave that's that's right that's right that's a lot of fundraisers that's a lot of Hershey Park fundraisers that's a lot of you know a bunch of different things a lot of field trip funds too yep yep and a lot of times you know we're you know definitely with pto's it doesn't seem like there's a whole lot of um the funds are commingled you know a lot of times that that's what we see is the individual and the um school will be commingled so um that would be the first thing if you were in a PTO you want to make sure things are separate but um definitely uh some current events and I think we we see these almost every week and maybe a few years ago 10 15 years ago we'd see these once in a while and maybe just because they weren't reported as much um but now they're almost common place and we see them and we don't get astounded um so that's that's a worry of mine that hey we see these every week and we're not like oh my gosh that Firehouse down the down the street haded fraud um we're almost common place it's like violence in movies the more we see it the more we're just all right well it happens um but anyway those are the new news headlines um and we'll jump into the agenda great so thanks for setting the stage Dave we're going to spend some time today um talking about some of the recent fraud statistics um then we're going to focus uh very briefly on the fraud train triangle if you're not familiar with that we'll we'll familiarize you with that we're going to go through three case studies and some of the lessons that you can learn from those and hopefully at the end here give you ways to implement the following best practices so we're going to talk about those best practices see what some things you can practically do in your organizations hopefully a lot of you are already doing them and this is just a reminder and hopefully you you learn something new from those best practices and um we'll leave some time at the end for your questions so I'm going to send it back to Dave to go through some of the fraud statistics here are some fraud statistics these are taken from the acfe report to the Nations um and it's a report that's done uh every other year and it's a report that is uh combination of um frauds that were submitted by cfes certified fraud examiners um I think it has some telling statistics and here are a few that are uh pertinent to nonprofits or um go along with nonprofits the uh the first one 5% of revenues in a given year are lost to fraud and that goes across nonprofits corporations there's really no difference um so that could be a huge amount of money um and we'll get down to another statistic that's even more frightening um in regards to large organizations and small organizations but again 5% of your revenues I think of many nonprofits Dave I mean 5% of their Topline Revenue that's that's significant I mean that can be doing so much more Mission and serving so much more IND so many more individuals um with those funds um that's just a shame yeah think about how hard you work for that $100 contribution and you're you're fundraising you're soliciting you're spending a lot of time and effort and 5% right off the top correct yeah I mean that $100 of Revenue might 10% might good to you know Administration function whatever and and and you might as an organization only receive $80 worth that then you're going to lose 5% of that so um it could be uh definitely a uh a big issue the uh second one the median loss for nonprofit cases was $100,000 so think about your organization um you know can you handle losing $100,000 you know think of that first statistic how do you know you're not losing 5% of Revenue right now can you tell me you're not losing it how do you know you're not losing it do you have controls in place to say you know to prevent it to detect it um you know a lot of times I do a lot of Security reviews and you say you know have you been breached well I don't know if I've been breached I don't have the tools in place to know if I've been breached how do you know you're not losing 5% now um a lot of these uh investigations that we do for nonprofits will last years and years and and people just don't know so um we got to make some changes to to figure that out uh the last one there frauds are more likely to protected by tip than audits uh I think and I think the statistics is coming up um I think it's 82% of um the participants of this study had an audit done but all of them had a fraud occur so I don't know about you but that tells me that an audit is not sufficient in preventing fraud occasionally I think we detect fraud with an audit but it's not going to prevent it um and it's rarely going to detect it because in my stance you know you can be very prepared for an audit when someone walks in you know they're asking for samples and you have days to literally Photoshop those samples I mean um you know we do the best we can but I think there's you know for a good fraudster there's ways around it what do you think Jim yeah if if you're relying on your your audit to be your your most significant and important fraud detection tool you're you're in trouble I mean that that should not be your number one I think it's like using semantic antivirus for your security software if you're if that's the thing you're betting the house on you you're you better find a new house I agree so the next uh slide here um and again this is a deep deep commment here the longer the fraud goes the more money it's going to cost not very deep but anyway the uh the last sentence there any um schemes that lasted more than 5 years cause a median loss of $850,000 that's huge um and I would say the majority of nonprofit cases that I've handled probably have gone between two and five years so it's it's significant theyve I've seen an organization with less than 10 million in annual revenue and they had an extended fraud over you know a number of years and they estimate they lost5 to $6 million um that that's just out astounding for for an organization that's of that size you think about the nature of a nonprofit organization uh largely comprised of volunteers who are doing a lot of the controls and processes to you know that you would suspect that would stop fraud from occurring they might be in that position for 10 years going undetected not looked at um so yeah I certainly agree with you here Dave it's scary I mean say we have fraud or you know fraud in the organization and Jim's our Treasurer you know he's been there for 10 years you don't want Jim as a Treasurer we'll call him the frauder uh you know he's been there for 10 years and uh you know he's doing a lot of work spends a little you know who else wants to do his job right who wants to question what he's doing because we want Jim to be a volunteer but you know Jim's on the side taking couple thousand dollars a month um you know it's an issue you know how do you bring up how do you question a volunteer right we we all love our volunteers we want people to volunteer and I'm not saying saying that uh volunteers are bad or they're going to commit fraud eventually I'm saying we have to have some kind of checks and balances in there um and the last one uh 95% took some effort to conceal mostly uh creating and altering physical documents that could be checks could be uh false vendors could be uh invoices you know you'll see a lot of like some uh pretty beginner fraud in regards to a vendor and they'll send an invoice in and that the AP will pay it um and that'll that check will go to relatives or friends or this day and age so easy to create false documents isn't it oh it's it's great I mean it's uh oh great for the fraud great for the fraud exactly next slide um here's the here's the statistic that I think worries me the most um or should worry you the most uh the median loss suffered by small organizations and large organizations are the same meaning you know in my when I think of that I think a large organization could handle you know several million dollar organization could handle $100,000 fraud what about that $750,000 nonprofit or whatever um can they handle that not really um so we have to uh make sure that we do our due diligence and we prevent detect fraud organization of different sizes tend to have different fraud risks the larger the organization there'll be more corruption uh smaller organization going to have uh check tampering skimming payroll cash laring schemes um so and I think there's probably a whole lot of those schemes that go on that don't get detected ever um so just my opinion um external audits of the financial statements we mentioned this before 82% of the study had had an audit and 81% had a code of conduct in place so you know we have all these policies in place that say Hey Jim's a standup guy you know he shouldn't do this do this do this and he should do this and do this well how are we checking that you know just because we have a policy doesn't mean Jim can read right correct right yeah and he gave me permission to pick on him before this yeah Dave that's the second time you've brought up uh external audits I mean you know I lead our audit practice and clearly our standards say an audit is not designed to detect fraud and then they say here's the six things we have to do to see if it might be there so I think an audit can can support the position that people know the books and records are being looked at and it may in some way deter the fraud but it's clearly not going to prevent it and if an audit even doesn't cover it in the rare circumstances that we do happen to see something um it's obviously happen happening pretty rarely I agree I agree uh we just can't count on that obviously we need them we need the audit we need um but an audit is almost there for honest you know if you have honest employees giving you the information yeah um you're really counting on sort of honest management um the next slide we go through this quickly we bring this up in most of our fraud presentation so I assume most people have seen this uh we have three elements of fraud all those elements need to be present in a fraud um for fraud to occur um with one caveat if you're John Doe and you and you're meant you know you're a criminal and that's all you want to do is steal money obviously you don't need all these to have the scheme occur but you'll have opportunity rationalization and pressure uh rationalization and pressure are hard to you know if you have the fraudster you don't know how they rationalize you don't know how their pressure is or perceive pressure that pressure could be a medical situation for their kid uh medical situation in their family somewhere personal debt gambling um and rationalization you know some people are hey I will never steal um some people are like well the toner at the top is sort of weak he's taking money I'll take them $500 and I'll pay it back next week well you know and then that week goes and it gets bigger and bigger uh but again rationalization you know we do background checks when employees start Etc but how do you know how that person thinks you know how do I know what you know I've worked with Jim for 15 years so I feel like I have a good idea idea of his Integrity but you know you never know opportunity now that is perceived opportunity so a fraudster is going to look at different opportunities differently um and as a company we want to make sure that perceived opportunity is low as possible so for instance if I have um a cash-based business and I put a a camera above that cash register that perceived opportunity for that employee is going to go down now it could be a camera and that perceived opportunity is still the same it's going to go down now if it's a real camera I'll be able to detect fraud a little bit better because I can look at the footage um but again perceived opportunity we just got to lower it and awareness is a big thing for employees you know if management is aware of Fraud and it's telling employees hey this is out there we've got to make sure we doing this this and this um opportunities going to be lower in the perceived perceived outlook for the employee just do always like when I see this Dave to focus in on opportunity it is the one thing the organization can control the only thing only thing when you look at the three aspects of the fraud triangle so that's what we're going to focus on today when we talk about best practices how do we prevent that perceived or actual opportunities to commit fraud and I think that the great thing about risk assessments is they look at each individual area of the company whether you're line employee management uh cash register whatever you know what are the perceived opportunities from that employee because obvious a lot of times Management's perceived opportunity is totally different than a line worker or someone in the field I also love your your example of the the security camera in my mind it brings up the question of is a control a preventive control or a detective control and as we go through some of these case studies and some of the ways that we can Implement best practices to be thinking about that is this a prevention type control or is it more of a detective in nature and of course you know resources for any organization is going to um come into place when you're trying to put these controls in place how much does it cost you know if I put a DVR system in place and it cost me2 ,000 versus a camera that cost me $15.99 you know um it's going to um possibly give me the lower opportunity but maybe not a detective control so I have a feeling Dave you could talk about the fraud triangle for for hours I could and uh I was told that that the presentation should not be entirely on that slide so I've accomplished my first goal all right jumping into non the nonprofit case study one um this is an investigation that we have we did uh it was a few years ago um it was a student run bookstore for a small private religious or religious uh school and it was uh close to Harrisburg um total of 13,600 was misappropriated doesn't sound like a ton of money but we're talking about a small private bookstore we're talking about pencils erasers um maybe some T-shirts um so 13,600 over one school year is probably all the the prophets or a good chunk of the prophets might even be more than the prophets um we'll call the uh individual with oversight of the school store Jean doe uh she was the ultimate decision maker um and very nice lady uh older lady um almost sort of a grandma figure I bet everyone trusted her everyone trusted her uh we'll see you in the next slide that she was there forever um and not all all old ladies who are trusted are frauders just want to point that out um or young ladies um don't want to discriminate uh reconciliations were done by Jane Doe um and then uh Jane Doe had a son with medical condition that put her behind on her bill so these are some of the facts of the case um so we'll walk through that the next slide uh Jane do recently went through a divorce that added a financial strain to already tough situation and there's no oversight of Jane Doe so she pretty much ran the bookstore um and she did it forever um so that's sort of the the facts of the so we're going to jump in um to what kind of warning signs should we have seen or should have the organization have seen now and I and I'll mention this just because there's a lack of segregations of Duties in a organization doesn't mean there's fraud you know no oversight or review doesn't mean there's fraud um a combination of all of this makes you more likely a fraud doesn't mean you have fraud uh but in this case looking back 2020 is always a lot nicer than looking forward right um or you can tell more um all of these came into place and there was fraud yeah we certainly understand that there's lots of nonprofit organizations out there that are limited in their resources and do not have a robust accounting department uh management team Etc and rely a lot on volunteers or a few individuals to perform certain duties so like Dave said just having a small staff that prevents lots of different uh controls and might enter into a situation where you have lack of segregation du it's not necessarily mean a fraud occurs there's certain steps that you can take to overcome that we'll talk about that later today but yeah to rer at Dave's point just because you have no oversight or review does not mean a fraud occurred correct I was adamant about putting that in the presentation so thank you Dave yeah good good uh so again warning signs of this case study again we we did the the uh investigation for the um school store uh we found lack of segregation of Duties obviously no oversight uh Financial strain on employee most of the frauds I investigate there's some kind of financial strain whether it's medical uh gambling is a big thing in central Pennsylvania um so again Financial strain and that's hard to tell like I can't tell you know what Janice's Financial stability is or how she's doing at home or nor should I probably ask those questions um so it's hard hard to know those again the fraud triangle you can't control those pressures but you can control the opportunity correct but again sometimes you can see those pressures um sometimes people kind of wear it on their sleeve and you can tell so it's it's good to know that element exists um if Jim comes in and you know he's like oh it was a late night at the again I had to walk to work because I lost my car but I have a ro X on and you know there's there's certain things that you know I did an investigation it was a million dollar fraud and uh the guy was a gambler and everyone knew it you know but he was there for 20 years and he was trusted and his kids played with my kids and um you know everyone cried when he left and they brought he brought Donuts every day and anyway um so you know we have to understand that the three elements are there in order to prevent or detected you know so um and each piece of the puzzle helps helps understand what's going on cash-based business uh majority of the payments if not all the payments were made to the bookstore in cash and Jane do is a trusted employee for seven years so all those again you know they're all warning signs uh put them all together and there's more likely than that you have some kind of fraud what can we learn from this study or this case fraud is preventable with the right controls in place um we could have taken I think I think that previous slide three or four of those examples and prevented them and would have prevented the fraud I do believe that lady had decent integrity and you know a little bit of more awareness and more push back from management would have prevented that that fraud from occurring but there was so much opportunity um and then no one saw that she took some money so it just it it snowballed so in that case there was not a lot of accountability for what she was doing on a day-to-day basis that's correct yeah and so you know when an employee finds they can steal $500 one week and no one says anything no one cares and then when they're going to pay a pack next week or the next payroll um and they need another $500 they're like oh I I'll take $1,000 do and I'll pay it back next month well it just gets out of hand I know a lot of frauds we do they'll go to you know they'll go to prosecute them they be like yes I stole the money but I didn't steal that much you know so say they stole 400 ,000 they're like I definitely did this this is how I did it but I only stole 100,000 and we're like well did you have a spreadsheet no but I could there's no way I stole 400,000 and we're like well you know we have the the facts to sort of to B to uh base our accusation can see how that can quickly get out of control and the amounts just escalate um when you especially when you view it as you're borrowing the funds and I'll pay them back and this was an extreme circumstance especially if it's a gambling habit or something like that you're spending money that you're not getting anything for so that could quickly you're win eventually the next hand the next hand yeah so again those things can be preventable and uh we just have as organizations we got to know that and we've got to you know in every project that we do we've got to in the planning stage think about fraud controls before we get into the next case I just want to remind the audience we we do welcome questions so if you have as we're going through these that you feel are relevant certainly shoot those over to us we want to answer those on the Fly I think Dave and I do the best speaking and thinking on our feet so I think hope so at least uh so go ahead and send those in to us thanks for excluding me Jim Janice is always prepared The nonpr Profit case study to now this is just a one slide event and it's uh sort of meant to be that way this is a nonprofit Adult Day Camp uh for the mentally challenged they had a fraud occur uh total of $53,000 was stolen it was a basic check tampering scheme where the accounts payable clerk had um vendors created uh entered those into the accounting system uh had invoices come in for them and paid those invoices and those checks went to relatives and friends um interesting side comment on on check tampering Dave I was doing a little research before this presentation that's good I know it's pretty good isn't it that I was reading that check tampering is three times more prevent than payroll fraud and we often hear a lot about payroll fraud and and adding more to employees paychecks Etc that way uh but check tampering is three times more prevalent I think u c accounts payable check tampering stuff is a lot easier to do without coordination with other employees like I feel like uh you know if you're accounts payable clerk you have no segregation of Duties and you're decent with Microsoft Word and you know you could Fair easily get by with a check gamering scheme now there's mitigating controls very easy controls to put into place to make sure that doesn't happen but if they're not there it's a very easy scheme and we see it over and over again um the second comment here or the second point is no forethought or planning surrounding accounting controls around collected data this worries me more than the 50,000 $53,000 fraud um because again we're dealing here with a nonprofit adult day camp for mentally challenged so what else do we have besides accounting and and money to lose a lot of confidential and protected health information exactly you know so we have a lot of uh health checks you know a lot of stuff that is could be direct hippo violations which would make that $53,000 look like change in the bank uh or you know change in your pocket um and I'd like to to put this out there that fraud prevention cannot be accomplished effectively without good security controls so if we don't have good security controls we cannot effectively prevent fraud we can try and we can you know maybe do an okay job but to effectively prevent fraud security controls need to be in place and I think in this situation there's no security controls fraud occurred but is fraud the worst thing that could happen to this organization you think of that health information you have hippo violations down there hippo violations are extremely costly if you have that protected health information and there are many things that qualify as hippo violations but their minimum per instance um penalties of $10,000 but I mean some of these annual penalties um for violations go up to $1.5 million um just for having a leak of that data do you think most nonprofits that collects data like this know that they're hip of violations or you know know of the circumstances I I think a lot of the healthc Care organizations are really in tune to this because they're dealing with it every single day I think it's some of like the Human Service organizations that maybe don't view themselves as Healthcare or other organizations who are collecting a tremendous amount of information because we're going somewhere and we need all this health information and Allergy information and all this kind of stuff um about our service recipients and those who we're serving the mission to that potentially aren't thinking about the data that way I think that even bridges into donor data as well how many different charities I think do I give to that have my personal information and credit card information and and are they really protecting that information so I think there are all elements of that I think a lot of organizations that had a $53,000 fraud $53,000 fraud surrounding accounts payable would would ultimately look at accounts payable fix it put all the controls in place place and not do a good risk assessment of the organization and realize that that isn't their biggest risk you know their biggest risk is that Health Data um so again we want to correct both but for an organization you know they have to know what their higher risks are and and fix those and really the higher risk here is hippoc controls y um they could definitely terminate this nonprofit with just hipo violations if that occurred absolutely great and I see some someone's actually listening to my comment so we have a question uh so Dave I'm going to before we go to the next case study which is our third one uh I'm going to read a question from uh from Jeffrey David in your experience uh what's the percentage of frauds that actually get prosecuted and two what percentage of those frauds fraud losses get recovered that's a good question um the very few get prosecuted um a lot of the organizations for one way one reason or another a lot of times reputation don't prosecute uh the bummer there is you know Jim the fraudster goes to the next accounting firm and defrauds them so it's almost our responsibility to put an end to the situation um so a lot of uh I would say uh one out of 10 get prosecuted um it's very they're the ones we know about correct correct um and then the second question was what percentage of the losses get recovered that's a great question I think the larger the organization the better chance of recovering those losses just because a lot of times we'll have insurance policies in place uh to recover that uh that million dollar fraud um a lot of that was recovered but you know you get into $8,000 for the Boy Scouts you know how are they going to recover that um most of the time the individual doesn't have the money anymore um we'll get into our case study three where millions of dollars were stolen and two of the individuals there was three individuals that really were kingpins I guess in the situation but two of them one had to pay $775,000 back and the one you know didn't pay anything back because they didn't have any money so it's like you know very unlikely for for the money to come back in full Dave I haven't seen nearly the frauds you have because I only see the ones that would happen um at you know over my 20-year career as doing financial statement audits um but I've seen the recoveries be very very small to try and recover from the individuals and sometimes I'm just amazed that there's nothing there like you stole tens of thousands or hundreds of thousands of dollars and it's not anywhere so either they're really brilliant and have it hidden somewhere or it's just completely gone and they have no idea what they did with it it's at the that's the big thing they don't know what they did with it and they don't know how much they stole so it's uh it's a scary situation and I imagine once you get to that point where you don't know how much you stole you just keep going and you know it's regular day business but um good questions yeah thank you for the question our nonprofit case study three uh did not investigate this but I thought it was a a good kind of case study to talk about um talk about fraud from a donor perspective as well as an internal perspective because a lot of times we talk about an internal but I would say probably the majority of people on this webinar you know they donate money to worthy causes um and what not worthy cause than the cancer fund of America cancer Support Services the children's cancer fund of America or the Breast Cancer Society all of those sound very legit you know if I go to Jim and say Hey you know please support Breast Cancer Society I think he would I'd say yes he would he would support me you see words like Children's Cancer fund they're tugging at heartstrings right there trying to get you to to donate I would absolutely want to give my money there is currently 1, 97,000 public Charities out there so about 100,000 Charities new each year pop up new so we're talking a ton of different charities and these Charities um the fraud was 187 million in donations it was a family effort family scheme um there was a lot of related parties um and they you know went vacations clothing jewelry uh and it's funny because we're this is the case I'm talking about they didn't have any money at the end so they spent $187 million um and that's a lot of donations and that could have went to a lot of worthy causes um so it's uh so in this in this uh I think we go to the next Slide the they allegedly inflated or fabricated the value of donated Goods um and then sent those in need to make it appear that they spent hundreds of million dollars on those suffering from cancer um they also hid money um by an accounting scheme that involves shipping Pharmaceuticals to developing countries so there's different couple different schemes um nothing that was too crazy um I that seems like a what's on the screen right now a very simple scheme to come up with um but yet this went over a few years and $187 million so we're talking a lot of of money warning slides um and I think what I what I'd have to say about the next three slides is this is from a donor's perspective and again I don't know how many times I would donate and I would never look beyond the cover of what the donation is right um sure you won't be surprised to hear that I do Dave but I look at 990s all the time never do and uh it's just something that I mean what do you Jim do Jim uh I split my donations 50/50 half to people that I don't know at all and other half to reputable organizations so you're just gambling with the 50% exactly so we'll find out as we go through here what are some steps a donor can do to make sure that the money is going to a a good cause uh or a cause they would they' like so here's a warning sign you know if you looked um for this these organizations they were on a few worst 50 charities in America list now a lot of organizations put that list out but they were on majority of them and it wasn't like they were on the bottom of the list they were near the top so obviously uh something to do a Google search before you donate um and if you would have done a Google search of this organization uh you would have found that it's bad news and the actual the the uh James Reynolds who's sort of the uh Father Figure here um he was being investigated uh I think going back to the ' 80s 90s for this sort of fraud um so and the sad thing about this is like you said the Breast Cancer Society the children's cancer I mean those names are in a lot of real good nonprofit organizations so by them stealing this 187 million not only did they steal that money but they took money from other good organizations probably in the future because people are skeptical about donating um so obviously I mean this family is just a very selfish money grabbing uh sort of situation here um which is sad now we get into I think it's a tax form now I'm just joking what Janice was saying about the It's actually an informational return very good about the form 990 which is a public document um and uh one of the things we have at M Asbury is we want to make sure all data goes out encrypted but you know 990s are public information so it's it's okay but anyway um over Reliance for nonprofit fundraisers we can see that on the 990 uh we can see uh different um different things on 9 what do you look on the 990 when you're looking at different charities um when I go through their 9990 I'm certainly looking at the mission I'm looking at who they served and how they're serving them but I'm also looking at their their Financial so are they financially sound are they managing their money well but I'm also looking at some of those percentages of how much of their money is spent on fundraising versus their actual operations versus management administrative and you can see those different buckets on the 990 so I want to know that they're being good stewards of that money so and I think that's important for all the organizations on the phone to really think about what message is their 990 conveying to to the public and to realize I mean I think everyone knows it is a public document but what message are you putting out there yeah I spend time looking at the compensation of top management and board of directors and Rel that relative to the organization's overall Financial Health and and strength that's a big big part of it that could be an indicator of uh some type of bonus plan that might you know need to be considered uh also look at the governance policies area uh do they have the policies that you mention often Dave the conflict of interest and fraud policies and then I also look to see if there's been an audit done you're required to disclose whether you have a compilation review or an audit done and see if that's been been completed as well as a single audit of any federal funds do you ever look at I know there's a spot in there for uh relatives on the board related parties yeah interested individuals absolutely yeah I mean there's some boards that do have that but it sort of reads a little red flag and these are all red flags you know not one of these things again means that they have fraud or not all of them means they have fraud but again red flag of you know maybe I should look into this more let's figure out what's going on here um but in this situation they did not say they had any related parties on the board and obviously they were related um so again we're we're hoping the organizations are at least you know the fraudulent organizations are at least honest on their 990 too so um I guess that's a a question there and just so you saw on the previous slide guidestar.org is where you can go ahead to find 990s that are that are published uh encourage everybody to sign them for a free account there's there's no strings attached and you can get a lot of information that way MH great information Jim Tyler great job with the slides back and forth for me and we can go to the next slide so from an internal perspective so that was from the more of the donor side and again you know that's sort of a different side for me because we never we we're always investigating it preventing it detecting it from the internal side um so again that hopefully that was a little bit little bit changed a little fun for you um from internal perspective uh what can be learned non nonprofit organizations need a strong independent competent board in place um if you don't you're sort of relying on management to run its own and it it gets crazy I mean what's your experience with a weak board and strong management I I definitely think that creates opportunities for things to go wrong it doesn't mean it necessarily will but you certainly want a strong strong board Independence is important but you want a board that's going to speak up that's going to challenge things um there's nothing worse than being in a board meeting where no one is asking questions and no one is is really invested in what's going on so you really don't want a board that's going to check the box and and hopefully the board is you're recruiting board members and looking to others you want those that are really going to challenge the organization because it helps protect management and the board I mean the tone at the top a lot of time with the board starts you know with the organization starts with the board you know if you have high integrity individuals on that board it's going to float down um not necessarily means if you have a bunch of crooks on the board that Management's going to do the wrong thing but again a lot of time the tone at the top flows down um so um I think the culture needs to start there and if I find an organization um that has a good culture at the top a lot of times that flows down if they have fraud awareness at the board the fraud awareness is going to be at management it's going to flow yep I look at that word you say strong independent competent board um the word that I look there is is educated as well I look for an educated board who is aware of the various funding streams of the nonprofit that they're sitting on the board for how does that organization work are they financially sophisticated where they can review reports that they're asking for management it's one thing to get a report that says these are my results but to actually understand and then ask the followup questions that are relevant is uh where educated board members come to play and I think it's nice to have a board of different expertise you know if you have one expertise on there and everyone's like yeah that's right but you don't have someone thinking outside the box um it's always nice to have that one person thinking outside the box and has little different experiences um and again the board you're looking for the board to make sure they have fraud prevention in place uh fraud height lines um and fraud policies and again we've hit segregation of Duties a few times throughout the uh presentation but again best practice is to have segregation of d I in most of your uh activities um no one person should dictate everything in this case the uh I think it was the COO um pretty much did everything and so they pretty much wrote themselves checks um and that 87 million didn't take long to disappear yeah look at your previous a couple previous slides so Tyler don't you don't need to move it uh you talked about inflating donated um contributions right that's probably done with a journal entry right recording that activity who's reviewing journal entries and that that's what comes up to in my mind here was was the CEO CFO the one making those entries to artificially inflate the Topline revenue and then ultimately the expenses as well to make them look like they're doing a great job who's reviewing the journal entries in that situation probably nobody exactly I mean most frauds either they're too busy they're too successful to business and and they're doing great but you know they don't have time I hear that all the time we don't have time we don't have resources but do you have time to lose $100,000 you know how much I would you know you got to take you know that time and uh make sure you do things correctly so Dave we do have a question that's come in um how much does a fraud investigation typically cost and how long does it take fraud investigations uh unlike audits are always different so if we're talking a million dollar fraud you know it could cost upward of $200,000 to if it's a really complex fraud if it's you know if you're subpoenaing you know working with detectives uh subpoenaing records you know and those records um bank records records Visa records um household records um so you know again that could be a very costly Affair if we're talking about the local PTO you know you might look at $5,000 to $10,000 um or less you know if it's an $8,000 fraud it's very simple um you you could be looking at $3,000 but it's not going to be much much less than that thanks daeve but again prevention is going to be a whole lot cheaper than investigation you know if we a million dollar fraud and we did a prevention I think you know it would have cost them a fraction so I'm always P pushing risk fraud risk assessments uh stuff like that that really will prevent and detect fraud sooner and Cost You Less in the in the uh the end Dave while we're on the topic of segregation of Duties we do have a question that came in I'm going to push it to Jim get his thoughts on it how what do you do about segregation of Duties when your AR clerk does the bank deposit and the bank reconciliations one area that I would think about when this and the idea of segregation duties is Al is off obviously to split the task and I would look is there anybody else who could actually make that deposit at the bank um is there a controller that could do that um a lot of times you'll see the board treasure if it's a small enough organization where the board treasur the volunteer board Treasurer is part of that they would they could be the one making that bank deposit as well and I'm going to ask Dave for his thoughts as well can you read the question again sorry about that what do you do when the AR clerk does your bank deposit and the bank reconciliations I guess I would also look at what else can they have access to from a accounting system pers perspective are they able to record and post certain entries as well you know there's a lot of things that go into that you know do you have the same accounting package is it all integrated you know I've seen where they've had a different point of sales system and an accounting system and they have some someone separate supposed to make the deposit um and it's all it all depends on the oranization how the Pol procedures go um in the fraud that I'm talking about there was and it's always a red flag for me if if if everything's not going in the same system and you have import export because it makes it a lot easier to get out you know transactions in there so um you know segregation of Duties is you know there's no book that says this is the way it's got to be um every organization like different but this this had two accounting packages GL and point of sale and they had a different person other than the uh accounts receivable clerk make the deposit but that person was stealing money oh um so they would uh change the deposit but since it was a point of sales system that person also handled the journal entri so they kind of reconciled it on the GL side so even though there was segregation of Duties between the AR and the depositor there was still an issue um so again there's no hey this is the way that's going to prevent fraud every organization needs to do a risk assessment and understand with that going back with that some organizations are sharing here that they have a different person make the deposit um but they also have remote deposit entry and they can always go back and see the scan checks I think that works really well if you have checks and you have H's and things but cash coming in that could create a problem as well so I think that's a good idea cash is always like that illustration I was giving that's what was stolen so that is really yeah you know checks aren't i' I've seen checks stolen but most of the time it's the cash going back to that previous question I didn't answer the full the length of the fraud I'm thinking I forgot something so that length of the fraud is going to be different but again um it could be a couple weeks if you're not getting records from outside sources or it could be 2 and a half years you've had some go on very long two and a half years is probably the longest one I've gone on and that one um and that's just uh the investigation part prosecution Etc is years after that so um what's the shortest one if that's one of the longest what you said a few weeks I would say probably a month or two um you know if you have a small uh organization and all the records are internal everything's available um it could be fairly short but that's rare all right we'll let you get back to the best practices as we keep interrupting but these are very good questions thank you and keep sending questions in please so best prac second one on there is fraud awareness I mean again I think that is an easy thing to do for an organization it doesn't cost any money you know how let people know that hey we're worried about it this is what we're doing to protect it um and I think fraud awareness comes after you understand what your risks are as management you know if I have a high risk around uh you know cash leaving the register I'm going to make people aware that hey we're taking procedures to make sure that doesn't happen you know Walmart always puts out and I find it funny hey we uh we we caught this cashier stealing $138 from the cash register and they have it on pen live and I'm like and people are like $138 but that goes a long way to the next cashier down the road yeah you know they're like hey I steal anything they're I'm going to end up in the paper and I'm out um so I think uh I wish more ganizations were had that mindset Dave I have a list here I call them easy controls and I'll be happy to share them with anybody on today's webinar if you just send me an email I'll send you the link to the article but one of them is transparency and Walmart being very transparent in what they do is is in very easy control MH yeah trust but verify um again this is uh you know I trust Jim but again you know we might have worked together for 15 years but you still have to have checks and balances um and I think one of the things you know when I said before is you need to have security controls in in place in order to have effective fraud controls um you can't just put a security control in place and just hope it works can't put a fraud uh procedure or control in place and hope it works we need to verify make sure they work um you know we don't have backup runs and hope they work when we have a disaster we restore things and we do tests so just in that area we have to do it in this area I think of trust but verify a lot in terms of an audit I want to trust my clients I want to trust that they're always telling me the truth but it's my job as the auditor to go verify that and I think management needs to internalize some of that with some other processes to say I trust my employees and I want to trust that they're following the processes and hopefully you have good processes in place but you need to verify from time to time that they're really doing what they're supposed to be doing it's all about communication because if someone came to me and said I want to look at all of your stuff and I want to make sure you're doing it right well that that that doesn't come across real well but you're come to gym and say say Hey you know as an organization we want to really prevent fraud we want to make sure that we maximize bonuses we want to make sure that we have money for this and this and for all of our segments and everything we want to make sure that the controls are in place and to prevent fraud well Jim's going to be like hey that's great I would love more bonus I want to make sure fraud so it's all communication when we do risk assessments it's not hey we're going to find the evil person we're going to make the company better and we truly are so um we just got to remember communication is is a a good thing fraud hotline um again that is huge in um tips a lot of frauds are found by uh a fraud hotline and employees you know it's a unanimous way of saying hey you know I saw uh Jane Doe you know she walks out with 12 computers each day I'm not sure what's going on there maybe she's recycling them but it's good to know like you know some of those tips will lead to to any a fraud issue fraud hotline sounds like a great idea Dave but it also sounds expensive so for a small nonprofit organization how do you go about setting up that type of fraud hotline not real expensive um there's a lot of uh business out there that do that now so you can contract with them um and they will be able to receive the calls anonymously and report that information so it's really not a whole lot of excuse to not do it um and on top of my head I don't have the list of of those vendors um but there is and I think even the aicpa promotes one of them um so they're definitely out there and you know it would be a costly Affair and a lot of large organizations do it internally um but a lot of small nonprofits and small organizations you know would be better served if they that's great if they went to a great tip contract so strong independent board uh we talked about this pretty pretty good we want to make sure that uh you know that tone at the top flows down that uh individuals on there have different experiences and that uh fraud awareness is a huge huge thing for them yeah we touched on strong independent board earlier Dave we have a question that has come in like what if you are the controller working with a very small nonprofit and the executive director doesn't want to review your work um so a lot of things rest with a controller I think this is an occasion where a strong independent board can really help with that I mean I've been treasurer of organizations in the past and I want to know how the controls are working what the checks and balances are I want to understand those processes if that organization has to be audited those processes have to be documented in some form and given to the Auditors um and as the treasurer I want to know that so I think a strong independent board is one of the answers to that question of of what do you do if the executive director really doesn't want to be all that involved in the finances you know a lot of times executive directors may not have the expertise in the Finance area so a strong board most likely will have someone on there with a strong expertise in that area so um you know it's not you know it's nice when the executive director can handle it but you know sometimes that's not feasible you know there's I'm sure plenty of executive directors out there that really um don't have the financial expertise that would be great for reviewing something like we're talking about yeah know your risks only way to know what to know what to make mitigate you know we're doing risk you got to do risk assessments you can do internal risk assessments external but you need to start somewhere in order to uh mitigate stuff you need to know what the vulnerabilities are you got to pay attention right pay attention and uh you need to have an expertise in that area to understand what those risks are just like uh you know we say every Fraud's different every organization's different and every risk assessment is going to be very different for each organization sure we're going to take advantage of our last two minutes here um question has come in why would a nonprofit want to cook the books um stealing I get but we don't pay taxes um so yeah I mean when you think about fraud it's you know this the stealing and the theft is pretty easy to think about but cooking cooking the books is often thought of secondarily and for a nonprofit there's no real incentive you would think to inflate your income because you don't right you don't pay taxes but you have the perception in the public eye that you want to be a strong organization that you want to show Progressive growth and you know contribution growth or perhaps you want to become appear to be needy from a perspective of um a potential donor perhaps you have federal dollars that you're trying to match and recording an extra accounts receivable and revenue to match those federal funds would be a reason why you would cook the books possibly you want to keep your job yeah you know there's there's definitely uh different situations and I think there's as much this is my own opinion much as much fraud and nonprofit as there is in for-profit you know just because you don't pay taxes or whatnot is definitely not a fraud prevention controller policy that's going to be effective there's there there's compensation models for nonprofit Executives that are tied to financial results so that's another real big reason why um cooking the books would be thought of when you're looking at fraud yeah great so one more question for Dave before we wrap it up if a fraud is to occur even in a small organization should we prosecute um you I'm wor about the public becoming aware even if the dollar amount is small um maybe not small to the organization but you don't want to lose future donations I mean reputational risk is huge our recommendation has always been to prosecute um if you talk to detectives Etc I mean it's always going to be to prosecute and the reason being um you're preventing that person going to the next organization and doing the same uh same fraud um I've SE I've seen fraudsters go from one organization to the next organization and because because of HR regulations and I'm no HR expert but you can only say so much when you call to that other organization and say hey did jym work for you yes Jim worked for me from January 1st 2009 to 2014 um and what else can you say that's that's about it um so uh prosecution is um a good thing I think um and again the reputation um may get a hit but again you know you're doing the right thing and it's going to show fraud awareness for employees other employees are going to think twice about doing it short short term it might hurt but thinking long term for the the long long long you caught what I had I did catch what you had the the longevity of the organization I think Pro you know doing the prosecution is is the way to go I mean it's all about communication you know getting ahead of it and having a plan just like when you have a fraud risk assessment and you're doing a project you have fraud and Security in your plan communication of that uh fraud that prosecution getting ahead of it is going to make uh instead of pen live catching it and you have you know your employees don't know about it Etc you got to have a plan got to think about it communication great I do see we're out of time I thank everyone for joining us today we do have a few more questions we we'll reach out to you personally we have your emails from when you registered so we do appreciate all of those questions and I hope you all have a wonderful afternoon thank you once again for joining us for this presentation produced by mccon Asbury we hope you join us for our upcoming events you can stay up to date with news and learn more more about our upcoming events by visiting us at .pa.com thanks again and have a great day