A new auditor's report: Seven changes to know

The Ramifications of Fraud and How You Can Prevent it

Welcome to part two of our article on nonprofit fraud. If you missed our first installment, you can read it here.

You’ve just become aware of a fraud that has occurred at a nonprofit in your community. As someone who cares about the community and the nonprofit sector, you start to wonder, “What is going to happen to that organization”?

While the ramifications can differ in each case, they probably will include some, if not all, of the following:

• The board and management will want to understand how the fraud happened, and what management is doing to prevent it from ever happening again.
• The community is going to look to the board for answers, and wonder why the organization didn’t have controls in place to prevent the fraud.
• Management will be expected to explain to the board where the breakdown in controls occurred that allowed the employee to steal from the organization.
• The board knows it has a fiduciary duty to oversee the organization and its internal controls and assets. They aren’t sure what they should have done differently, given that they’re volunteers doing this community service in addition to their “day jobs.”
• The board and management will want to reach out to donors to assure them that their contributions to the organization are going to be recovered if possible, and that controls are being improved to help safeguard future gifts.

This organization could potentially lose major donors if they believe there are not enough controls in place to ensure their dollars are being spent according to their wishes. If enough donors are negatively affected by this event and choose not to support the organization, its very survival may be at stake, thus impacting those in the community the entity serves.

Management will now have to divert time and other resources not only to implement stronger internal controls to help ensure this does not happen again, but also to reassure the board and the public that the organization is well protected to prevent future fraud.

Fraud can be extremely costly to an organization, not only from a financial perspective, as often the organization will not recover the stolen funds, but also from the loss of an organization’s reputation as a trusted charity. This can be even more devastating. The organization may never recover in the public’s eye, risking their relationships with not only their long-time donors but also new and future donors.

What can you do?

So, what can you do to help prevent fraud from recurring, or to detect it quickly if it does? Here is a simple, yet effective three-step process:

1. Consider the risks of fraud and determine where it is more likely to occur.
2. Look closely at the internal controls the organization currently has in place and determine whether they address these risks sufficiently.
3. Identify gaps where controls are inadequate, and identify controls to be put in place where they are most needed.

Organizations can also consult their auditors to seek advice and guidance on how to implement these very important internal controls. It may be prudent to review previous audits to see if auditors have brought risks to management’s and the board’s attention, and if they provided recommendations on how to improve their current control structure.

The silver lining? The board and management now have a keener sense of the risks of fraud in the nonprofit environment, which should contribute to an engaged dialogue among the board, management and the auditors about how to develop and implement cost-effective controls that protect the organization’s assets.

As part of the audit, the auditors may point out one or more shortcomings in controls that they believe constitute a “material weakness.” While that may sound ominous, it merely means (in auditing jargon) a situation involving a reasonable possibility of a material misstatement of the financial statements. Auditors tend to set the bar low when it comes to classifying deficiencies that create fraud risks as material weaknesses, for the simple fact that users of the financial statements (donors, lenders, other funders) tend to have a lower materiality threshold with respect to misstatements caused by theft.

It is also important to remember that control deficiencies noted in previous audits that may not have been considered material weaknesses in the past may be considered that way today, as expectations of management’s actions regarding fraud prevention and detection go up every time a nonprofit fraud incident hits the media.

Every organization that has more than one person (including board members) associated with it has the opportunity to segregate incompatible duties at some level to help protect assets. At times, organizations don’t have such segregation in place, but instead have implemented compensating controls, such as detailed review of monthly financial statements by the appropriate level of management and/or the board. If this is the case, the organization should ask itself the following questions in order to avoid over-relying on this compensating control:

• How does this compensating control work? Who reviews the financials, what is their experience level, and how do they document their review to confirm that it’s being done?
• How often do you question expenditures, and are these questions and their answers evaluated and documented? It is important to remember here that a fraudster would be working hard to escape detection by this compensating control.
• If the compensating control is a detailed review compared to budget:
  • Who is involved in building the budget?
  • What are the controls that would protect against a fraudster building their theft into budgeted expense line items?

Take a proactive fraud risk assessment and response like the one described here to give you reasonable comfort proper controls are in place to prevent and/or detect fraud. This isn’t about being paranoid – it’s simply a matter of prudently carrying out your fiduciary and management responsibilities to protect the organization you feel so strongly about.

Remember, the one characteristic that every financial theft in history shares—someone was trusted at some point.

It’s Monday morning. You grab a cup of coffee and flip on the local morning news before you get ready for work. The lead story catches your attention “Local Accounts Payable Manager Steals Thousands.” Based on your experience as a board member of a nonprofit organization and the prior fraud you’ve heard about in the community, three things come into your mind:

1. The fraud involves either a nonprofit organization or local government.
2. The Board will come out and say how shocked they are – Fred has been here forever, and we trusted him!
3. The Board will state they have now put in place proper controls to ensure this will never happen again.

And you may be close to the mark. Nonprofits and governmental organizations often have a higher risk of fraudulent behavior and theft due to their limited resources and ability to implement strict fraud prevention controls. What makes these organizations so susceptible?

• They frequently run on tight or breakeven budgets, which means they have difficulty hiring enough people to implement strict internal controls.
• They often have a salary structure that is lower than that of for-profit companies, creating incentive for employees to commit theft in order to make ends meet.
• They are sometimes targeted by unscrupulous individuals who know that they likely lack the resources available to stop them.

In addition, nonprofits often seek to hire people who believe in the mission. While this can lead to tireless, dedicated employees, certain side effects of this approach may come into play and increase the risk of theft. For example:

• The passion for, and shared commitment to, the mission at many nonprofits give rise to a culture of trust. This culture of trust may cause the organization to be less likely to implement checks and balances critical to sound internal controls.
• New employees are sometimes drawn to a specific nonprofit organization because they have experienced some of the challenges which the organization was formed to address. Working for the organization may help them in some ways, but it may also create more financial strain for them or family members, increasing the chances of them committing illegal acts.

There are three elements that must be present for fraud to occur. These are the three sides of what is collectively called the fraud triangle: opportunity, incentive, and rationalization.

• Opportunity: an employee working at a nonprofit may have opportunity if they are a trusted employee and resources are limited, causing the internal controls to be less robust than they should be.
• Incentive: the incentive is in place when an employee, as mentioned above, has unexpected events happen in their life that may pressure them into committing fraud.
• Rationalization: the employee rationalizes that they need the money for their family to survive. This often starts as “I’ll just borrow the money until payday”. Unfortunately, payday arrives and the funds aren’t available to be repaid; in fact, they need to “borrow” just a little more.

Let’s be clear, though – many nonprofits, regardless of size, have appropriately designed and implemented controls that properly protect the organization from the risks of fraud.

Soon we’ll look further at the ramifications frauds can have for nonprofits and how any organization—even small nonprofits, can put certain internal controls in place, to reduce the chances they’ll be the next organization in the headline story of the morning news.

I have to say, accountants have really been taking some uncalled-for heat for causing the 2008 financial crisis. I understand the need to identify scapegoats, but when people hire mortgage brokers to originate bad loans, sell interests in those bad loans to investors, and insure it all through AIG, is it really the accountants’ fault when those loans go bad? And if the federal bank examiners missed the fact that Fannie Mae and Freddie Mac were engaged in such shenanigans, what hope do we have of being able to adequately apprise investors of such details via financial statement disclosures?

Undaunted, FASB has taken a shot at developing new requirements for banks to report information in their financial statement footnotes about their exposure to liquidity and interest rate risk. I understand the pressure FASB is under, I really do. There’s something called the Group of Twenty, consisting of the top finance officials from the 20 largest industrialized countries, that’s been pressuring FASB to improve accounting rules in a manner that will somehow prevent future financial meltdowns. To me, the Group of Twenty sounds uncomfortably similar to the Gang of Four, which ran China with an iron fist back in the Sixties and Seventies, so, if I were FASB, this group would make me nervous, too.

On the surface, it seems reasonable to expect that more information about liquidity and interest rate risk experienced by banks would be a good thing, as these are probably the two risks you hear about most when banks fail. Dig deeper, though, and two points about these new proposed disclosures become apparent:

1. Most of this information is already available to users, through SEC and bank regulatory filings.
2. To the extent it isn’t, that’s because no one uses the information, not even management of the banks!

It would be interesting to look back at some of the banks that failed during the recent recession, identify which of the proposed disclosures weren’t already available to investors and regulators, and decide whether anyone would have reacted differently if they were. Or was it simply the case that bad business decisions were made, and, when that happens, companies go under? And when recessions hit, sometimes banks fail?

I remember a TV interview during the height of the 2008 crisis, in which the focus was on blaming stock analysts (they hadn’t gotten around to accountants yet). The interviewer asked, “How many stock analysts do we have to hang on Wall Street before they all get the message?” The expert he was interviewing said, “Probably just one.” I’m guessing that holds true for accountants, too. There are already rules in place to disclose significant risks, concentrations, obligations of the institution, and the like. If Lehman Brothers and AIG don’t follow them, appropriate sanctions (I’m not advocating hanging, mind you) should follow; we can pass more rules, but if they didn’t comply with the existing rules, what makes us think they’ll follow the new ones?

If you have questions, please reach out to Tyler Butler or Tracy Harding.

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource?

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

• What metrics will be monitored, specifically?
• Why do the metrics being monitored matter to our own business objectives?
• What thresholds must be met to notify us or produce an alert?
• What does exceeding a threshold mean to our business?
• Who on our team will be notified if an alert is warranted?
• What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

1. People: Create and maintain a vigilant workforce
   Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
    

   According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

   Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.
   
   So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.

2. Plan: Implement a disaster recovery and incident response plan 
   Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.
   
   It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
    
   1. How will we communicate internally with our staff about the incident?
   2. How will we communicate with our clients? Our patients? Our community?
   3. When should we call our insurance company? Our attorney?
   4. Is reception prepared to describe what is going on if someone visits our office?
   5. Do we have the technical expertise to diagnose the issue?
   6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
   7. When the press gets wind of the situation, who will communicate with them and what will we share?
   8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

3. Practice: Prepare your team with table top exercises  
   Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.
   
   A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.
   
   Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Recently, federal banking regulators released an interagency financial institution letter on CECL, in the form of a Q&A. Read it here. While there weren’t a lot of new insights into expectations examiners may have upon adoption, here is what we gleaned, and what you need to know, from the letter.

ALLL Documentation: More is better

Your management will be required to develop reasonable and supportable forecasts to determine an appropriate estimate for their allowance for loan and lease losses (ALLL). Institutions have always worked under the rule that accounting estimates need to be supported by evidence. Everyone knows both examiners and auditors LOVE documentation, but how much is necessary to prove whether the new CECL estimate is reasonable and supportable? The best answer I can give you is “more”.

And regardless of the exact model institutions develop, there will be significantly more decision points required with CECL than with the incurred loss model. At each point, both your management and your auditors will need to ask, “Why this path vs. another?” Defining those decision points and developing a process for documenting the path taken while also exploring alternatives is essential to build a model that estimates losses under both the letter and the spirit of the new rules. This is especially true when developing forecasts. We know you are not fortune tellers. Neither are we.

The challenge will be to document the sources used for forecasts, making the connections between that information and its effect on your loss data as clear as possible, so the model bases the loss estimate on your institution’s historical experience under conditions similar to those you’re forecasting, to the extent possible.

Software may make this easier… or harder.               

The leading allowance software applications allow for virtually instantaneous switching between different models, permitting users to test various assumptions in a painless environment. These applications feature collection points that enable users to document the basis for their decisions that become part of the final ALLL package. Take care to try and ensure that the support collected matches the decisions made and assumptions used.

Whether you use software or not there is a common set of essential controls to help ensure your ALLL calculation is supported. They are:

• Documented review and recalculation of the ALLL estimate by a qualified individual(s) independent of the preparation of the calculation
• Control over reports and spreadsheets that include data that feed into the overall calculation
• Documentation supporting qualitative factors, including reasonableness of the resulting reserve amounts
• Controls over loan ratings if they are a factor in your model
• Controls over the timeliness of charge-offs

In the process of implementing the new CECL guidance it can be easy to focus all of your effort on the details of creating models, collecting data and getting to a reasonable number. Based on the regulators’ new Q&A document, you’ll also want to spend some time making sure the ALLL number is supportable.  

Next time, we’ll look at a lesser known section of the CECL guidance that could have a significantly negative impact on the size of the ALLL and capital as a result: off-balance-sheet credit exposures.

Benchmarking doesn’t need to be time and resource consuming. Read on for four simple steps you can take to improve efficiency and maximize resources.

Stop us if you’ve heard this one before (from your Board of Trustees or Finance Committee): “I wish there was a way we could benchmark ourselves against our competitors.”

Have you ever wrestled with how to benchmark? Or struggled to identify what the Board wants to measure? Organizations can fall short on implementing effective methods to benchmark accurately. The good news? With a planned approach, you can overcome traditional obstacles and create tools to increase efficiency, improve operations and reporting, and maintain and monitor a comfortable risk level. All of this creates competitive advantage — and isn’t as hard as you might think.

Even with a structured process, remember that benchmarking data has pitfalls, including:

• Peer data can be difficult to find. Some industries are better than others at tracking this information. Some collect too much data that isn’t relevant, making it hard to find the data that is.
   
• The data can be dated. By the time you close your books for the year and data is available, you’re at least six months into the next fiscal year. Knowing this, you can still build year-over-year models you can measure consistently.
   
• The underlying data may be tainted. As much as we’d like to rely on financial data from other organization and industry surveys, there’s no guarantee that all participants have applied accounting principles consistently, or calculated inputs (full-time equivalents), in the same way, making comparisons inaccurate.

Despite these pitfalls, it is a useful tool for your organization. It lets you take stock of your current financial condition and risk profile, identify areas for improvement and find a realistic and measurable plan to strengthen your organization.

Here are four steps to take to start a successful benchmarking program and overcome these pitfalls:

1. Benchmark against yourself. Use year-over-year and month-to-month data to identify trends, inconsistencies and unexplained changes. Once you have the information, you can see where you want to direct improvement efforts.
2. Look to industry/peer data. We’d love to tell you that all financial statements and survey inputs are created equally, but we can’t. By understanding the source of your information, and the potential strengths and weaknesses in the data (e.g., too few peers, different size organizations and markets, etc.), you will better know how to use it. Understanding the data source allows you to weigh metrics that are more susceptible to inconsistencies.

3. Identify what is important to your organization and focus on it. Remove data points that have little relevance for your organization. Trying to address too many measures is one of the primary reasons benchmarking fails. Identify key metrics you will target, and watch them over time. Remember, keeping it simple allows you to put resources where you need them most.

4. Use the data as a tool to guide decisions. Identify aspects of the organization that lie beyond your risk tolerance and then define specific steps for improvement.

Once you take these steps, you can add other measurement strategies, including stress testing, monthly reporting, use in budgeting, and forecasting. By taking the time to create and use an effective methodology, competitive advantage can be yours. Want to learn more? Check out our resources for not-for-profit organizations here.