Our Fraud Awareness in the Church series continues with part 2 on Fraud Prevention Programs – Fraud Reporting. We asked churches to respond to this statement:
“Our church has established appropriate channels for reporting and resolving sensitive issues like fraud and illegal acts. (Examples include establishing an anonymous fraud hotline, posting notices, etc.)”
Survey Results: Only 40% of the respondents have established any form of fraud reporting mechanism.
KEY: Key Point: Statistics make it clear that the most common method of fraud detection is anonymous tips!
Few churches have the stomach or the nerve to do what businesses and local governments are increasingly doing. For example, A “Report Fraud” link on a school district’s or city’s website gives comfort to most taxpayers. But, the same people would choke if they saw a fraud tip hotline on their church’s website!
One solution I have seen:
A church contracted with an HR services firm to take care of all of their payroll compliance issues such as wage and hour laws, discrimination, workmen’s comp, immigration, etc. The HR company also drafted the church’s personnel manual which included an 800 number hotline. The HR professionals maintain the hotline assuring that all fraud reporting remains confidential.
Our Fraud Awareness in the Church series continues as we look at Information Technology Security. We asked churches to respond to these statements:
“Our church has a formal information technology security plan.”
“Our church financial secretary or accountant/bookkeeper has access to all modules of the church’s software system.”
Churches struggle to keep up with the challenges of the rapid change in information technology. Even when they want to address the issues in the two questions above, the workload crush of most churches makes it very difficult to stop the train long enough to develop a good IT plan. This is clearly (to me) reflected in the:
Survey Results: Only 50% of the participants have implemented a formal information technology security plan.
In another indicator of the impact workload pressure has on fraud protection, a whopping 80% of the churches surveyed confessed that their accountant/bookkeeper had access to ALL of their church’s software applications.
In the vast majority of churches this large degree of “trust” is placed in the hands of very good people and a problem never arises. But if, just once, a church employs an individual given to theft and gives him or her this much access…trouble is probably just around the corner.
In PSK’s Faith Based Accounting Blog I posted an article titled “Taking IT for Granted”, where I addressed this issue. The following are a few questions each church should ask itself when developing strong IT controls:
- Does our church have a formal Information Technology security plan?
- Do any individuals at our church have access to all modules of the church’s software system?
- Does our church partition its computer applications so that employees and volunteers have access only to files necessary to perform their duties?
- Does computer access require passwords that are confidential and unique?
- Are our passwords changed periodically?
- Are passwords complex including alpha, numeric and case sensitive characters?
- Do we have backup procedures that are performed regularly that include off-campus storage?
- Do we have measures in place to protect the church from malware?
- Do we train our employees to avoid accepting email from unknown locations?
- Do we have a download policy?
- Do we maintain separate public and private wireless networks?
Part 5 of our series on Cash Disbursements. In our recent Fraud Survey, we asked churches to respond to these statements:
“Our church issues credit cards (in the church’s name) to employees and/or volunteers.”
“Our church has implemented a written credit card policy to control credit card purchases.”
Survey Results – The first question had the largest variance between all respondents (58%) and respondents active in the NACBA (43%). My assumption is that because NACBA members, through local chapter meetings, certification training, and the national conference, have heard plenty of the horror stories about credit cards “gone wild”.
It remains a mystery to me why churches handle credit cards in this manner (i.e. giving cards to ministers in the church’s name). It is definitely not the practice in the business world. Even if a corporation does issue corporate cards, the employee’s name is on the account too. The employee pays the bill after being reimbursed under an accountable plan. But if no backup is produced, or a personal expense is incurred, the employee pays the bill.
My worry that so many churches issue credit cards is somewhat alleviated by the results of the second question: Of the churches that hand out credit cards, almost three fourths have a written credit card policy in place.
KEY: A word of warning. The worst fraud investigation of my career was in the 7 figure range. 75% of the theft was accomplished with church issued credit cards.
Part 4 of our series on Cash Disbursements. In our recent Fraud Survey, we asked churches to respond to this statement:
“Our church has established a “Positive Pay” program with our bank.”
Survey Results – Less than 5% of the respondents use such a program.
While the phrase “Positive Pay” is the trade name of one commercial bank, it has become a generic term for an agreement between a bank and its customer that works like this:
- The church establishes a standard routine for paying bills, for most churches once each week.
- A list of approved bills is compiled and transmitted to the bank.
- The bank only clears checks or other charges presented for payment that are on the church’s list.
- The church is also informed of any checks or charges presented for payment that were not included on the list.
Increasingly, businesses are using arrangements like this to address a newer face of economic fraud. Fraud experts have historically used the “fraud triangle” of pressure, rationalization, and opportunity to describe the key ingredients of a fraudulent act. Generally, this discussion has focused on “inside jobs”.
However, with the advance of technology, a new face has arrived on the scene – the “hacker” completely outside the organization (in many cases completely outside the country!). Using Positive Pay is one protection against this type of fraud activity.
Perhaps a new leg needs to be added to the fraud triangle. (I guess that would make it a square…)
Part 3 of our series on Cash Disbursements. In our recent Fraud Survey, we asked churches to respond to this statement:
“Our church has established an “approved vendor” list. All payments for goods or services are made only to vendors on the list.”
Survey Results – Only 20% of the churches surveyed reported using an approved vendor list.
The low compliance rate of this question was a big surprise to me. The surprise was that so few churches have a formal process for determining who they choose to do business with.
In a previous post we discussed collusion. One of the methods of theft, resulting in some of the largest dollar losses, is vendor fraud. Vendor fraud often occurs when a purchasing agent within an organization COLLUDES with a corrupt vendor outside of the organization.
What makes this type of fraud especially effective (from the fraudster’s point of view) is that it is extremely difficult to detect, by both the church and its auditors.
KEY: Fraud prevention includes KNOWING who you are doing business with.
Having a vendor application, approval and acceptance process helps the church apply this key.
Our Fraud Awareness in the Church series continues with a 5-part series on Cash Disbursements.
When churches finally get around to considering their exposure to fraud, they almost universally focus on the cash receipts or the inflow part of their cash processes. Without doubt, many churches have been hit by fraudsters skimming from the offering plates. But in most cases, the losses are relatively small for two reasons:
- Most churches have strong count team processes, although more of them should add some rotation to their teller mix.
- The vast majority of offerings come in the form of checks or credit cards. Very little is cash.
KEY: The fact is, the biggest scams usually occur on the “outflow stream” not the inflow…
In the next series of posts we will see how well protected our church survey participants are on this side of the ledger.
Part 7 of our series on Segregation of Duties. In our recent Fraud Survey, we asked churches to respond to this statement:
“Our church requires volunteers to collect, administer and account for special event receipts using a written report developed to properly account for such events.”
Survey Results – Once again, a little over one-half of our respondents are in compliance with this fraud prevention measure.
KEY: Many churches farm out the reporting of special event accounting and require little or no accountability from their volunteers.
A significant example of this took place in our region a few years ago. It took place within our local school district, but the same thing can and has happened at churches. A sports booster club held two annual fundraisers. Some agitated parents (whose children evidently didn’t make the team…) discovered or were tipped off to the fact that checks received during the event were deposited in the club bank account. However, cash received was deposited in the coach’s personal account. The parents didn’t report it to the school district first – they turned him into the newspapers!
Part 6 of our series on Segregation of Duties. In our recent Fraud Survey, we asked churches to respond to this statement:
“We present a list of authorized check signers to the leadership team/elders, etc. for review at least annually.”
Survey results – Approximately 55% of respondents reported reviewing their bank accounts and related signature information at least annually.
Dormant Bank Accounts
I would imagine if we had sent a question asking if they knew why this annual review was important the result would probably be close to zero! This question was lifted right out of our firm’s audit procedures. We ask this question each year and are often asked why this is important.
Here are two good reasons:
Poor management of check signing authority can result in a once-authorized check signer to continue to be one, even though they may have not been a church member/employee for years.
More importantly, poor management of signatures indicates poor management of bank accounts. Occasionally churches will even forget about a few bank accounts that are infrequently used. Unfortunately, fraudsters do not forget once they have found an untended, forgotten about account.
KEY: DORMANT BANK ACCOUNTS can be a useful tool to a thief allowing him to store stolen funds and later transferring them to personal accounts with little chance of detection.
Part 5 of our series on Segregation of Duties. In our recent Fraud Survey, we asked churches to respond to these statements:
“Our church has a formal policy describing the characteristics required for participation on the count team, including limiting related individuals and restricting the same individual from participating in more than one component of the process.”
“Church volunteers are required to “rotate off” their assignments periodically.”
Survey results – 70% of our respondents reported using some type of screening process for determining teller team members. Unfortunately, only 25% reported that they required all team members to periodically rotate off the count team on a systematic basis. My guess of why this number is so low is that, from my observations, many people serving on count teams consider the service they provide a ministry. It is very difficult for many churches to limit anyone’s ministry.
Collusion
If a church does screen its volunteers (as 70% appear to do) why is teller team rotation important to fraud prevention? This question can be answered with one word – COLLUSION. Even the strongest internal control systems can be penetrated when two or more people collude (conspire) to commit economic fraud.
The longer people serve together in any role, the more comfortable with each other they become. Over time, they may become tempted. It is much easier to broach the subject of committing fraud with a close acquaintance, than a stranger.
KEY: Being a relative or long-time friend with a fellow volunteer makes collusion a little bit easier.
Part 4 of our series on Segregation of Duties. In our recent Fraud Survey, we asked churches to respond to these statements:
“Our church does not allow an individual who serves on the count team, is involved in check preparation, or is involved in general ledger and financial statement presentation to participate in the bank reconciliation process.”
“Someone other than the preparer reviews the completed bank reconciliations.”
Survey results – Around 65% of our respondents reported implementation of these controls. And that is good because…
KEY: The bank reconciliation is the Grand Central Station of your church’s financial process.
Bank Reconciliation
All of a church’s financial activity should flow through the bank reconciliation. If a person has complete control over the bank accounts and accounting processes, AND is given the task of bank account reconciliation, the church has created a HUGE faucet. No, it’s probably closer to a fire hydrant!
KEY: The most effective step that can be taken to alleviate poor segregation of duties is to have someone outside the day to day accounting processes reconcile the bank account.
DOUBLE KEY: This should be much more than just balancing the accounts. This review should include a close inspection of cancelled checks, deposit slips, etc., and looking closely at payees, endorsements and check signers for abnormalities.
