Now is the time for nonprofits to review and strengthen financial internal controls.
Conventional wisdom is that embezzlement and fraud occurs more in tough economic times. Perpetrators may be facing personal financial distress and may want to borrow money or assets, or think the organization doesnt really need those things.
It is easier to hide fraud during good times, however, especially during times of economic recovery. The number of transactions rises, making it harder to identify a single incident or a pattern. Also, vigilant boards and senior staff may relax as times get easier.
Here are some steps that may help prevent embezzlement and fraud:
- Have multiple layers of approval for expenditures: Require two signatures for expenditures above an amount that is significant. The check preparer is not to sign the check.
- Require original receipts, invoices and other documentation before payment is made.
- Segregate duties: No one person is responsible for an active financial transaction. This means no one person is responsible for receiving, depositing, recording and reconciling the receipt of funds. And no one person is responsible for authorizing payments, disbursing funds and reconciling bank statements.
- Back up financial records daily.
- Require employees who hold financial positions to take an uninterrupted vacation for two weeks. This permits transactions to clear in their absence. An employee refusing to go on vacation could signal a problem.
- Never pre-sign checks.
- Actively encourage whistleblowers and have a whistleblower policy.
- Have an independent audit. Although these audits must only give reasonable assurance that no material misstatements have been made, the process the auditors use helps uncover improper transactions.
- Conduct pre-employment background checks for all employees with fiduciary duties.
- Prosecute perpetrators.
Barry VanderKelens Nonprofit Strategies column is special to The Tribune. He is executive director of the San Luis Obispo County Community Foundation. Reach him at firstname.lastname@example.org.