Reputations at risk: although not-for-profit organizations are a horse of a different color, auditors can help them tame fraud that can publicly impact their mission and drive donors away.
Lately, though, new issues facing the not-for-profit sector are changing many of those special circumstances that have made it so complicated for internal auditors to help their organizations mitigate fraud risk effectively. The new reality: Fighting fraud in the not-for-profit sector is even more complicated. There's no hiding management malfeasance in these days of 24-hour news and the Internet. And the image of incompetence that comes with a high-profile case of fraud can dry up a not-for-profit's pool of available funds--and even its pool of fundraisers. Who wants to call potential donors if the organization in question is suddenly associated with criminal activity? Further, more and more of the people who do donate to not-for-profits demand that their gifts be used for specific purposes, which further increases the risk of fraud.
The good news for internal auditors in all the changes rocking not-for-profits is no matter how complex that sector gets, sound, basic internal audit procedures can still help prevent and detect fraud. It's easier said than done, but treating the organization like a business and approaching the fraud prevention and detection aspects of the internal audit function from that perspective can bring fraud risks into focus and offer the audit team a clear path to protecting the organization's greatest asset--its reputation for doing good. That, of course, is what's most often lost when a not-for-profit must face a public episode of fraud. Indeed, internal audit experts at not-for-profits agree, mitigating reputational risk is an institution's greatest fraud-related challenge and the audit department's most important fraud-related task.
Such risk exists at for-profits, of course, but a blow to a money-making company's good name likely won't have the same dramatic, immediate impact on its revenues that it would have on a not-for-profit's donations. "Corporate boys will be corporate boys," quips Tim Holmes, who used to run the internal audit department for the American Red Cross. "If they stumble ethically and somebody gets caught committing fraud, but the stock price is going in the right direction, a lot of bad behavior will be tolerated. But with a not-for-profit, people vote with their feet." Elizabeth Folsom, senior vice president and director of internal audit at the Washington, D.C.-based Academy for Educational Development, which helps individuals, communities, and institutions solve critical social problems, puts it like this: "If a US $100,000 fraud occurred at a company the size of Coca-Cola, it might make the inside page of the newspaper and wouldn't affect the stock price. A US $I00,000 fraud at most not-for-profits could easily make the front page of the newspaper, result in people being fired and in donors withholding money, and possibly lead to downsizing at the organizational level."
The need to protect their reputations from fraud is further complicated by a changing landscape in which a greater number of not-for-profits must compete for a decreasing pool of donations. Part of the problem is the proliferation of small not-for-profits that perform many of the same functions as old-line mega-charities like the Red Cross. "So many organizations have cropped up recently that when someone's asked to give money to a charity, there are thousands of other options if the donor is unhappy about anything the institution has done," Holmes says.
The reputational risk situation at not-for-profit educational institutions is no less stark; indeed, James Seaman, vice president, internal audit, at Aston, Pa.'s Drexel University, calls it a university's greatest risk. Simply put: Good faculty and students will not go to corrupt schools, and the government and donors will not give to institutions they don't trust. Fundraising, in fact, is one of the most damaging reputational risk reverberations not-for-profits face. "Individuals and organizations are disappointed if their contributions are misapplied," says Steven Mchenga, director of internal audit at the Lilongwe-based Malawi Social Action Fund, which finances self-help community projects involving health, education, sanitation, transportation, and food safety in the Southern African nation. "They would prefer to send their contributions directly to the beneficiaries than to an intermediary that misappropriates a portion of them."
The situation Mchenga describes wasn't always the case. In the good old days, a not-for-profit's stakeholders often overlooked incidents of fraud as the unavoidable side effect of an underfunded, overambitious service organization or institution. Can a multinational charity really be expected to feed refugees of natural disasters and make sure no low-level staffers are skimming cash contributions? Can a county arts organization that puts on plays for elementary school students be held to the same fraud prevention and detection standards as a money-making company? Those days are long gone. No one wants to be associated with the not-for-profit that just made the news because a mid-level executive skimmed US $20,000 in contributions.
VULNERABLE TO BASIC FRAUDS
That, unfortunately, is just the type of fraud risk internal auditors in not-for-profits are most likely to face. Traditionally, in fact, small not-for-profits have tended to be more prone to the fraud basics like check-tampering schemes, such as forging signatures or making checks out to the fraudster who also reconciles the bank account, reports Gerard Zack, president of Zack Accounting & Consulting PC, Gaithersburg, Md., and the Nonprofit Resource Center Inc., Rockville, Md., which provides financial management training and consulting services to charitable organizations and associations. And not-for-profits have generally been more vulnerable to one type of fraud than their for-profit counterparts: skimming frauds, where the fraudster takes incoming funds intended for an organization before the money is ever deposited into the organization's accounts. "There is no outflow of products or services by the charity in exchange for the payment, making skimming of that type the most difficult to detect," Zack explains. Complicating matters for not-for-profits is the fact that fundraising activities are often entrusted to outside vendors or volunteers, who are not subject to the same types of internal controls as an organization's own employees.
Moreover, Holmes says the most frustrating fraud is perpetuated by outsiders. "The ones you see in the newspapers are the executive directors or bookkeepers who took money because they knew the system inside out," he comments. "But in my world, we were usually looking on the outside, where people try to rip off funds that haven't been recorded." That fraud, especially for charitable service organizations, even includes individuals with no formal connection to the not-for-profit. Say there's been a natural disaster. "You'll have people at traffic intersections saying they're collecting for XYZ charity," Holmes explains. "But they may be putting the cash into their pockets for beer and cigarettes for the week. People take advantage of not-for-profits' good names."
More and more, contributors are demanding that those not-for-profits do more to protect their good names--and, by association, those of their contributors. "There are increasing demands from our donors for quality performance and accountability," Mchenga says. "That includes the areas of fraud and corruption." Part of the reason for that is pure self-interest, as donors want to know what their "return on investment" is, Holmes notes. Even the certified public accountants (CPAs) who come in to perform audits have a changing financial stake, notes Vickie Caughron, chief audit officer at Knoxville, Tenn.'s Oak Ridge Associated Universities, a consortium of 99 research institutions that partners with national laboratories, government agencies, and private industry to advance science and education. Many small not-for-profits rely on volunteer external audits as their only audits of any kind. "Even small CPA firms have stopped performing audits altogether because the audits cannot be done at a profit and they cannot volunteer their services because of new peer review requirements" imposed on CPAs by the American Institute of Certified Public Accountants, she says.
Seaman sees change, too. "There is increasing pressure on institutions of higher education from the federal government and donors to promote better governance practices, and for the governing boards of the institutions to exercise their fiduciary responsibilities in a more efficient and effective manner," he says. Fueling that change is the reality that academia is no safer from fraud than service, arts, or other organizations. Several incidents in this decade have heightened awareness of the issue, Seaman reports, but none so much as when Benjamin Ladner, the president of American University in Washington, D.C., was scrutinized for his salary and spending habits in late 2005 by U.S. Sen. Charles Grassley, at the time the chairman of the Senate Finance Committee. In addition to Ladner's allegedly excessive spending, Sen. Grassley expressed concerns about the governance and oversight of not-for-profit organizations in general, particularly higher education institutions. And then there's the press and the Internet. "Your batting average for good decisions has to be high," Holmes says, "because a wrong decision is already out there, as soon as it's made. You don't have a whole lot of opportunity for spin control."
A LACK OF RESOURCES
That's not how an internal auditor would design the not-for-profit sector, of course. But in a profession built on controls--developing them, auditing against them, revising them--the one thing that seems to characterize a not-for-profit internal auditor's day is the chaos that often-unpredictable finances coupled with perhaps less-than-professional leadership and intense global scrutiny creates. At the Red Cross, for example, revenues were often driven by the news of the day. If a natural disaster wasn't in the headlines, the organization would raise less money. And depending on an organization's size, it may have little internal audit capability available to keep an eye on such cash-flow ups and downs. Not-for-profit organizations "tend to be much less likely to have an internal audit function than for-profits, even those for-profits of similar size," Zack says.
Caughron points out that she's lucky because her organization is a consortium, so it can draw on the internal audit expertise available at its member colleges and universities. Plus, in large organizations like hers, the board is less central to day-to-day operations; management fills that role. Small not-for-profits "are at a disadvantage, as they may not recognize the need for trained boards or just don't have the connections to attract experienced boards or the resources to train them," she explains. Unfortunately, she adds, "board members are typically the main players in small not-for-profits."
Holmes calls not-for-profit board members "good-hearted people who generally are not sophisticated about internal controls." Also frustrating to many not-for-profits are board members on the opposite end of the sophistication spectrum: the movers and shakers who are often an organization's best line to significant cash donations. But those high-profile board members often can't be counted on for much in the way of actually helping the organization avoid fraud. "They'll come to the meetings, but you're not going to get them rolling up their sleeves in the intervening weeks," Holmes says. "They tend to go to a board meeting once a month and respond to what's been put in front of them on the agenda as opposed to asking about the monthly financial statements." That's been compounded lately by the increasing demands the U.S. Sarbanes-Oxley Act of 2002 has placed on board members of for-profits, who often serve on not-for-profit boards as well. These volunteer board members can't be expected to devote all their energy to their not-for-profit commitments.
That's why fighting fraud can be so tough for not-for-profit internal auditors. And, Zack notes, not-for-profit boards of directors are often made up of "mission focused individuals," with only the larger organizations recognizing the need for specific financial expertise. While it may provide cold comfort to internal auditors, he does note the double standard at play. "Not-for-profits seem to be expected to have the same types of controls as the largest of the world's for-profits," he says. The last company listed on the Fortune 500, he points out, reported US $4.3 billion in revenues in 2007. How many not-for-profits can claim that kind of revenue? "So, while not-for-profits could generally be doing a better job of recruiting financial expertise to their boards and instituting internal audit functions," Zack adds, "they're under more of a microscope because of the public and sensitive nature of their operations, even though they do not have nearly the resources that for profits have."
Despite challenges, internal auditors at not-for-profits do have the means to respond to the changes taking place around them. Indeed, the experts agree, the tactics that work best for preventing and detecting fraud in the challenging new environment for not-for-profits are those they know best: Set up well-targeted internal controls, educate staff about fraud and how to spot it, and, most importantly, make it as easy as possible for everyone in the organization to report suspicious behavior anonymously. Naresh Ramaswamy, senior director of internal audit at Save the Children, based in Westport, Conn., calls for "a very robust, well-advertised, and internally well-recognized hotline program that allows the staff to communicate with management directly." His organization's hotline procedures center around a headquarters-level global service that is supplemented by localized procedures in each of the high-risk countries it serves. "Fraud is hard to find, because it involves any number of types of collusion," Ramaswamy says. "Unless a witness has an avenue to get to management immediately, that's very hard to combat." His shop gets involved much sooner after an emergency situation arises than in the past. "Management sees the value of internal auditing getting involved within a six-month time frame, identifying internal control gaps as well as the local fraud sensitivities and strengthening those points, where needed, to prevent opportunities from presenting themselves," he explains.
Caughron also emphasizes a classic best practice: close ties with the organization's leadership. "Try to ensure that the relationship of internal auditing with management is one of trust so that management will discuss its concerns with you to ensure they are addressed internally instead of getting exposed externally," she emphasizes. A good way to start is helping management appreciate the necessity of ensuring that the organization has fully segregated appropriate financial duties. What may look like smart, streamlined financial management to someone who is not an internal auditor looks a lot like opportunity knocking to someone trained to spot fraud risks before they become fraud incidents. During a recent post-implementation audit of its financial management system, auditors at Oak Ridge Associated Universities found inappropriate segregation of duties based on responsibilities assigned in the system. "We identified individuals outside of the financial department with improper access to financial responsibilities primarily because read-only access had not been established or reports had not been designed to meet their needs for information," Caughron explains.
Training everyone to spot fraud is key as well, Holmes adds. Executives who hoped to advance through the operational side of the Red Cross were coached in fraud prevention, he explains, and a Web site included fraud detection tools and a checklist for what to do if an employee suspected something was amiss. Also, he adds, he always tried to use "teachable moments," those rare opportunities when the theoretical becomes real. "If there's a breakdown," he says, "and fraud occurs, in addition to pushing for prosecution, take people through the steps of investigating it and understanding what control failed and where else something similar could occur." Folsom agrees with an emphasis on education. "You get the most bang for your buck by hammering home the red flags," she says. For example, auditors can show executives, as part of their leadership training, findings from audits that could lead to fraud and corruption and summaries of the results of prior investigations. "Emphasize fraud early and often--and in memos," she quips.
Richard T. McKinless, a Washington, D.C.-based partner in KPMG LLP's Not-for-profit Client Services division, advises not-for-profit internal auditors to find opportunities to communicate with all levels of staff about fraud awareness. He advocates interviewing junior staff members about how they think someone could conceal fraud, about how they view the tone at the top, and whether they think minor fraud, such as expenses padding, would be tolerated. Also, he says, "if you have overseas operations, educate the executive team and audit committee how varying business climates can make some types of fraud even more difficult to prevent because of the culture in which you may be working and hiring staff." Relief organizations in particular may not develop a permanent presence in the regions they serve, he adds, which poses extreme challenges to creating a culture of accountability locally. Cash handling, expense reimbursement, procurement, and housing arrangements are common risk areas for these organizations.
THINKING LIKE A BUSINESS
All of that should sound familiar to for-profit internal auditors. Indeed, the key to understanding and mitigating fraud risk at a not-for-profit organization is simply treating it, to the extent of its resources, like a for-profit organization. One way not-for-profits are starting to do that, McKinless points out, is by treating fraudsters in the same way that their for-profit counterparts would. "Culturally, most not-for-profits don't like policies that feel heavy-handed, as they are perceived to be obstacles to the staff focusing on advocating for the program or the mission," he explains. Still, more and more are starting to do a better job of prosecuting egregious cases of fraud. When he started in the not-for-profit sector almost 30 years ago, McKinless says, standard fraud operating procedure for many of his clients was to quietly terminate the fraudster so as not to alarm donors or embarrass the whole organization. "Now I find staff and board leaders saying, 'Let's make an example of them.' They no longer settle for just restitution. They prosecute as a way to show donors they're doing everything they can do to protect their interests."
McKinless also advocates a very businesslike approach to not-for-profit fraud prevention and detection: Get used to the frustration. Auditors should focus on the goal, and not on their favorite methods of reaching it. "Internal auditors should develop their fraud-prevention programs within the culture of the organization, because they rarely can transform it," he says. "I've seen a lot of frustrated internal auditors who can't get management to pay attention to fraud risk because they don't view it as serious." He says auditors should tailor their fraud-mitigation tactics to fit the organization's culture and how things get done within the organization. Rather than insisting on everyone using a whistleblower hotline, for example, which some not for profit boards may find too punitive, start by recommending fraud awareness training. "Work within the culture of the organization to make fraud awareness part of its DNA," he advises. "If you don't, the culture will fight you and probably outlast you."
For his part, Zack says he's seen a noticeable increase in midsized not-for-profits looking for information on outsourcing their internal audit functions. "And I have seen many not-for-profits starting up audit committees, many requesting more detailed analyses of internal controls--Sarbanes-Oxley Act-type analyses of controls above and beyond what is done in a basic financial statement audit," he adds. Seaman emphasizes a Sarbanes-Oxley-driven approach to fraud risk mitigation as well. "Universities are beginning to see the benefits of implementing the best practices of Sarbanes-Oxley," he comments. "Universities need to operate as businesses, and their internal auditors need to help their boards carry out their fiduciary responsibilities."
That's the case with all not-for-profits, the experts agree. Their internal auditors need to approach the fraud prevention and detection aspects of their jobs as they would at the largest, best-funded Wall Street titans--but they must do so because their life's blood is the polar opposite of those corporate behemoths'. "Think of your grandmother's US $25 donation to a local food bank," Holmes says. That's what's at stake. So auditors must acknowledge that fraud will occur, that it will be uncovered, and that word of both events will become public surprisingly quickly, he explains. They must be able to demonstrate, simply, that professional, sound internal audit processes are in place. As Holmes puts it, "You want to be able to stand in front of your stakeholders and explain, "This is what we had in place. This is what the fraudster did to get around it. This is how we've improved our controls as a result.' That'll save the day for you."
To comment on this article, e-mail the author at email@example.com.
ILLUSTRATION BY LINDA FRICHTEL
RUSSELL A. JACKSON
|Printer friendly Cite/link Email Feedback|
|Author:||Jackson, Russell A.|
|Date:||Jun 1, 2008|
|Previous Article:||The auditor's role in mergers and acquisitions: companies often underestimate the importance of risk management during the M&A process.|
|Next Article:||The case for risk roundtables: organizations can improve their response to risk by creating a forum for risk managers to share their ideas.|
|Investigating assets: The CPA's role in detecting and preventing fraud.|
|Fraud Detection in Audits of Not-For-Profit Organizations.|