Alliance of Children and Families, September 15, 2009
Preventing Employee Theft
Tips to minimize your risk of loss
I have been amazed by how many incidents of nonprofit employee theft or fraud have been reported in the past few months in the Chronicle of Philanthropy. A recent article that caught my eye involved a trusted long-term employee who used access to the agency’s expense reimbursement system to steal $9,000.1
The Chronicle noted that a trusted employee is the most likely operator, since you wouldn’t put someone you don’t trust in a position where this could happen. One expert reported that 15 percent of employees would never steal, regardless of the opportunities presented. Another 15 percent will always steal if they think they can get away with it, and the 70 percent in the middle can succumb to temptation if there is motive, opportunity, and some sort of internal justification.2
Theft and fraud cases almost always follow a lapse on the employer’s part. Often something that could have been done to prevent the theft was not done, or obvious opportunities for fraud were overlooked because the person had been at the organization for many years, or was beloved by most.
We will no doubt discover more nonprofit theft in coming years, as the new Internal Revenue Service (IRS) Form 990 creates a more transparent reporting system and computers allow questionable transactions to be tracked in more sophisticated ways. In the meantime, here is what you need to do to prevent theft or fraud, as well as advice for what to do if you discover that it has already occurred.
The most common forms of theft and fraud involve:
• receiving kickbacks from vendors,
• purchasing supplies or services from fictitious companies,
• making unauthorized purchases,
• overcharging for goods and services,
• creating false invoices or engaging in other fraudulent billing practices,
• overpaying employees or writing payroll checks to nonexistent employees,
• stealing inventory or other company property,
• forging checks or stealing cash, and
• inflating expense accounts.
Establish a Control Environment
The best way to avoid employee theft is to adhere to the ordinary controls that have been developed over the years to rein in employee errors, mismanagement, and fraud.3 A good internal control policy should accomplish four general objectives: authorization, recording, safeguarding, and accountability.
Authorizations and Approvals. The first goal is to ensure that transactions conform to agency intentions. Authorizations are done in advance and may be general (relating to all transactions) or specific to a single transaction. Approvals come after the transaction has occurred and ensure that a completed or partly completed transaction meets specified requirements. Authorizations and approvals should always be done by a superior, and it is especially important that neither task revert to an automatic rubber stamping.
Recording. Recording is intended to ensure that authorized transactions are recorded (1) in the proper accounting periods, (2) at the correct amounts, and (3) for the appropriate accounts. Recording controls focus on documents (purchase orders, shipping records, and sales invoices) and books of account (the general ledger, subsidiary ledgers, and journals).
Safeguarding. Safeguarding is meant to ensure that access is limited to authorized persons under proper controls. You control access to physical assets by having proper storage facilities, keeping updated asset inventories, and establishing policies and procedures for those who access computers and other valuable agency properties.
Accountability. Accountability processes are intended to ensure that preventive controls are functioning as intended and, if the preventive controls are breached and a fraud is committed, that it will be detected before harm is done. Controls generally involve some form of comparison: comparing asset records with the assets themselves, accounting records with the supporting documentation, or general ledger accounts with subsidiary ledgers and journals.
Processes to safeguard nonprofit assets involve segregation of duties. Your accounting or auditing firm should be providing you with a good basic policy. It is a good idea to revisit that policy from time to time in order to ensure that it continues to meet your needs (I suggest an internal controls checklist, a sample of which is available at magazine.alliance1.org).
Your goal is to create a “control environment,” an infrastructure and ethos that reinforces the theme that everyone is involved in reducing the risk of loss. A control environment is marked by a top-down culture of competence and accountability. Standard policies that demonstrate a policy of no tolerance toward theft include:
• rigorous background checking process of all new hires,
• emphasis on control issues during orientation,
• obtaining surety bonds for employees who handle money or other valuable assets,
• a written code of ethics that is clearly enforced by your disciplinary process,
• a whistleblower hotline or open door policy,
• an audit process that is supervised by your board of directors, and
• leaders who clearly “walk the talk.”
If a Loss Occurs
Every case is different. There are a number of actions that must be taken, and others that can or should be taken depending upon the type of loss. Here are some suggestions:
Report to Your Board. No matter what the loss, bring the matter to your board chair or president and let him or her decide whether to include other board members in evaluating the situation and planning your response.
File a Police Report. File a report with your local law enforcement agency and seek assistance with your investigation if that would help. They can help you connect with prosecutors if the loss involves violation of criminal statutes.
File an Insurance Claim. Review your policy’s notice requirements and file a claim within the prescribed time limits.
Prepare a Crisis Management Plan. The publicity that follows a loss can cripple the organization if it appears that management was slack. Be sure to work with your public relations staff or consultants to establish and implement a public relations plan to blunt public criticism and work behind the scenes with donors.
Conduct a Forensic Audit. Because there are legal consequences, you may want to conduct a forensic audit. This will ensure that the activities are documented for future legal review.
Report to State Charity Regulators. If your state has a department of government that is responsible for charitable solicitation, its charity regulators may assist with your investigation.
Report to State Professional Licensing Boards. If the offending individual is a licensed professional, report the incident to his or her professional licensing board.
File Reports with the IRS. The IRS considers theft loss to be a casualty loss rather than income to the offending individual, since income is given for services performed rather than assets taken.4 If the matter can be described as an excess benefit transaction, you may be required to report it on your Form 990 Information Return for the relevant year.5 Finally, the IRS also has a fraud unit in its Dallas office that is specific to exempt organizations.6
File Reports with the Post Office. If the loss involved use of mail, notify your local postmaster or call the Postal Inspection Service Criminal Investigation Service Center.7
Whenever there is a loss due to theft or fraud, be sure to work closely with your accountants and legal counsel to be sure you have covered all bases. You certainly want to be sure to plug the holes that allowed the incident to occur in the first place.
The best outcome is a return of the assets, punishment of the thief, and no loss of reputation. The most important information to disseminate is that you have already identified the problem, reported it to the proper authorities, and taken steps to prevent future losses.