Think again. Every two years the Association of Certified Fraud examiners publishes its Report to the Nations on Occupational Fraud and Abuse. It’s amazing to me to see how consistent the results are from period to period and across industries. The report also reminds me how dangerous and costly blind trust can be to organizations. Many of our nonprofit clients tell us that fraud is just not a significant risk for their organization because their employees are commited the cause.  And who could be more trustworthy than someone willing to serve an important cause?

If that’s really true, then why are are nonprofit organizations involved in almost 10 percent of all fraud cases reported in the study?

We often let our desire to trust other people cloud our judgment. Especially people we hired personally and have spent years building relationships with Monday through Friday. Deep down, we all believe we’re exceptional judges of character.

And that’s when it happens. 

If the most important fraud control in place in your organization is the ability to judge character in the people you hire, you may already be a victim.

If you’re concerned that you may be the victim of a fraud, or want more information on preventing fraud, we can help.

When the Sarbanes-Oxley Act was signed into law on July 30, 2002, it overhauled corporate governance practices for publicly traded companies, with a significant emphasis on the role of the board of directors. In the years following, many of the governance policies and practices mandated for public companies were also adopted by nonprofit organizations as their board members began to question their own responsibility for the governance and oversight of their organizations. In 2005, according to a GuideStar survey of nonprofit organizations, 61 percent of of the participants said their organization had made changes in response to Sarbanes-Oxley.

Nonprofit boards had begun to change their focus, but not enough to stop the continued reports of fraud, misuse of assets, and excessive compensation for top executives.  The result was increased public scrutiny, new legislation, and the most significant changes to Form 990 in over 25 years. Those changes effectively required the board of directors to take responsibility for the oversight and governance of their organizations.

Although the fundamental principles of governance have not changed, governance practices have been completely redefined as boards have become more proactive in protecting the mission of their organizations by ensuring compliance with legal, financial, and ethical standards, and monitoring the progress and overall performance of their organizations. Time will tell if the “new” governance paradigm will protect nonprofit organizations from even more burdensome regulation that will divert already limited resources from the mission.

The State of Texas adopted the Uniform Prudent Management of Institutional Funds Act (UPMIFA) effective September 1, 2007.  UPMIFA replaces the Uniform Management of Institutional Funds Act (UMIFA) which was approved by the National Conference of Commissioners on Uniform State Laws in 1972 and adopted by the State of Texas in 1989.

UPMIFA was developed to improve the protection of donor intent with respect to expenditures from endowments and applies to charities organized as charitable trusts or as nonprofit corporations and trusts managed by charities. The Act does not apply to funds managed by trustees that are not charities or trusts managed by corporate or individual trustees. UPMIFA provides guidance and authority to charitable organizations concerning the management and investment of funds held by those organizations and imposes additional duties on those who manage and invest charitable funds to provide additional protection for charities and also protect the interests of donors who want to see their contributions used wisely. The Act updates the rules governing expenditures from endowment funds, whether donor restricted or board designated, to provide stricter guidelines on spending endowment funds and to give institutions the ability to cope more easily with fluctuations in the value of the endowment.

In addition to identifying factors that a charity must consider in making management and investment decisions, UPMIFA requires a charity and those who manage and invest its funds to 1) give primary consideration to donor intent as expressed in a gift instrument, 2) act in good faith, with the care an ordinarily prudent person would exercise, 3) incur only reasonable costs in investing and managing charitable funds, 4) make a reasonable effort to verify relevant facts, 5) make decisions about each asset in the context of the portfolio of investments, as part of an overall investment strategy, 6) diversify investments unless due to special circumstances, the purposes of the fund are better served without diversification, 7) dispose of unsuitable assets, and 8) in general, develop an investment strategy appropriate for the fund and the charity.

Has your organization adopted an investment policy that complies with your state’s version of UPMIFA? Review your state’s requirements and make sure your policies conform to the prudent management of funds.

For additional information see http://www.upmifa.org.

For the State of Texas version of UPMIFA see http://www.statutes.legis.state.tx.us/SOTWDocs/PR/htm/PR.163.htm

I recently completed a ‘self-test’ in the Journal of Accountancy, March 2010 edition, titled “Internal Control:  Test Your Knowledge” and it reminded me of several questions that I have received from my clients. Many individuals within organizations believe that internal controls are only really necessary for large companies. This is a fallacy. Internal controls are VERY important for all types of organizations. Even if a company is very small, with only a few people working in the accounting department, processes can be developed to ensure that a sound control environment is consistently maintained.

It can be a daunting task to get individuals to engage in making changes to the processes and controls already in place at their organization but when they are educated on how important the controls really are they may be more willing to with stain from their resistance to change. Read the rest of this entry »

When there are only a few staff in an organization, it is very difficult to obtain the appropriate level of segregating duties.

In January 2010, Carl Ho, CPA posted an article on Blue Avocado (http://www.blueavocado.org) titled “Five Internal Controls for the Very Small Nonprofit” that gives some insight as to what the most important controls are for small organizations. The most important controls relate to checks and balances. Establishing a “tone at the top” so that policies are in place and all employees including management follow them. Other importants considerations include clearly defined responsibilities, locking up checks, using protected passwords on computers, having two people count cash together, reconciling bank statements timely, review of reconciliations or bank statements by someone other than the bookkeeper or preparer, requiring two signatures on checks, and not allowing the bookkeeper to be a check signer. Even with these procedures in place, fraud can occur if there is collusion or if management circumvents the policies or controls. For the full article visit, http://www.blueavocado.org/content/five-internal-controls-very-small-nonprofit.

Governance plays a significant part in the control environment. Listed below are a few links from the IRS website regarding governance practices for non-profit organizations.

Governance and Tax-Exempt Organizations – Examination Materials

http://www.irs.gov/charities/article/0,,id=216068,00.html

http://www.irs.gov/pub/irs-tege/governance_check_sheet.pdf

Governance of Charitable Organizations and Related Topics

http://www.irs.gov/charities/article/0,,id=178221,00.html

Our next Executive Exchange is scheduled for Wednesday, March 3rd, located at the Funding Information Center, 329 S. Henderson in Fort Worth, TX. The training is designed for executive directors, presidents, chief financial officers, controllers and board members.

Topic: Exploring the New Governance Realities

Nonprofit governance is more in the spotlight than ever with the rewrite of the Texas Business Organizations Code and the Form 990. While the principles of good governance have not changed, laws, regulations, compliance and scrutiny certainly have. The following Panelists will discuss their experiences in the past couple of years and how Boards and regulators are dealing with the major issues:
• Carol Klocek, Executive Director, YWCA of Fort Worth & Tarrant County
• Sandy Kautz, retired nonprofit CEO and Realignment Consultant with Girl Scouts of the USA; Current Community Volunteer
• Becky DaVee, CPA – Rylander, Clay and Opitz, LLP 

Date: Wednesday, March 3, 2010
Time: 11:30 – 1:30
Location: Funding Information Center, 329 S. Henderson, Fort Worth – 817-334-0228
Cost: $20 (lunch is provided)
Registration: http://www.fic-ftw.org/signup/EE%203.3.10.htm

In my previous post we discussed external financial statement audits. Now we will discuss the audit process.

To begin the audit, the accountant (or equivalent) will present the auditor with a listing of all accounts and the related balances that are used to compile the financial statements. Basically, the accountant is saying this is what I believe to be the balances of these accounts. Then the auditor goes through various steps, such as confirming information with third parties, reviewing invoices, contracts, receipts, bank statements, and analytical procedures to prove that the balances are not “materially misstated” and that the statements conform to generally accepted accounting principles.

An audit does not look at every transaction that occurred during the year. Normally this would be cost prohibitive. So the auditor will look at various accounts and take a sample of transactions from those accounts. Because we “test” the account balances and not review 100%, our report is not saying that the financial statements are necessarily 100% accurate, but our report tells the users of the financial statements that we believe there is not a material misstatement that would cause you to alter a decision.

For example, your organization may report to us that they have a balance of accounts receivable of $2 million. Through various means of testing this balance, we have reviewed $1.9 million of this balance and believe it to be accurate. But we have not audited the remaining $100,000. We believe that the users of the financial statements would make the same decision if the actual balance were $2 million or $1.9 million. When errors are found during the audit, the auditors will discuss the issues with management and propose adjustments to the financial statements.

Understanding what an audit of financial statements entails helps management, Board of Directors and others to know what they are paying for and that the statements fairly represent the financial status of the organization. If the accountant uses the same generally accepted accounting principles to compile the monthly financial statements, this will help management and the Board of Directors make consistent, well-informed decisions.

Listed below are some additional controls that I believe are necessary for a sound control environment in an employee benefit plan (again this list is not intended to be all inclusive as the facts and circumstances of employee benefit plans vary):

1. Determine if employee deferrals comply with current regulations (See limitations at: http://www.irs.gov/retirement/sponsor/article/0,,id=151925,00.html)
2. Determine if employee deferrals comply with the Plan’s maximum percentage requirements, if applicable (controls should be in place to ensure that employees are not allowed to elect to contribute more than the Plan’s elected maximum percentage as indicated in the Plan Document)
3. Controls should be in place to ensure that contributions are submitted to the Plan in a timely basis (Determine the who and the when to make sure it happens as required by law). Key – Timing should not be in excess of the number of days it takes an employer to transmit payroll taxes
4. Knowledgeable personnel should review and approve all loans and distributions made from the Plan . This knowledgeable person has read and fully understands the Plan document and requirements contained therein.
5. For loan approval – Understand the plan requirements for the following: loan amount complies; interest rate in loan agreement complies; condition for loan.
6. For distributions – Understand the following:  distribution complies with plan provisions and ensure all necessary documentation is retained (specifically for hardship distributions); distribution request includes the appropriate amount and the accurate amount of withheld taxes (10% and possibly an additional 20% if early distribution); ensure the appropriate vested percentage is utilized for employer contributions; determine if distributions required by law (required minimum distributions, etc) were completed during the year.

I hope the information is helpful in establishing a sound control environment for your organization’s employee benefit plan.  If there are areas that I have missed feel free to leave a comment to help out the other readers.  The controls that I have listed are coming from an auditor’s point of view and you may have insights related to your field of expertise that could be beneficial to others!

When I tell folks that I am an auditor, I immediately get that defensive look as they assume that I am a dreaded IRS auditor (which I am not). When I further explain that I audit financial statements, I usually receive a weak smile and a slight head nod, as if to signal that they are glad I am not with the IRS, but they really don’t have an idea what I do and are a little too embarrassed to ask or don’t really care. For those of you employed at non-profit organizations or serve on their Board of Directors, I thought I would take a few moments and explain what an audit of financial statements really entails. In a later post I will address who may need to have an audit.

So what is an audit of financial statements? Usually on a monthly basis, the controller, CFO, or accountant at your organization prepares financial statements, usually consisting of a balance sheet and income statement. These statements are used by staff, management and the Board of Directors to make decisions about the organization. But all of the information is gathered by and reported by people INTERNAL to the organization. A financial statement audit involves someone EXTERNAL to the organization, an independent certified public accountant.

Audits of financial statements are done according to a set of standards that all CPA’s must adhere to, which are referred to as Generally Accepted Auditing Standards (GAAS). These standards have been developed by the American Institute of Certified Public Accountants and are monitored and revised based on financial circumstances, including failures related to fraud.

So how do we perform an audit? See my post, next month.

To ensure a Plan Sponsor is fulfilling their fiduciary obligations related to the oversight of an employee benefit plan I have listed some of the internal control matters that should be addressed (please note this is not an all inclusive list as facts and circumstances of each Plan vary):

1. Ensure all user control considerations included in the third party administrator’s (record-keeper, trustee, custodian, etc) Type II SAS 70 are in place at the Plan Sponsor
2. Analyze compliance testing results provided by the third party administrator and if the Plan failed any tests ensure that corrective action is taken in a timely manner (distributions or additional contributions to the Plan as necessary)
3. Determine if established internal controls are designed appropriately to catch errors or fraud that may occur during the processing of transactions related to the Plan. Consider conducting a brainstorming session with individuals involved in the Plan in determining what could go wrong and then determine if controls currently in place are adequate to address such risks.
4. If the census is prepared by the Plan Sponsor ensure that the total wages included in the census reconciles with the organizations payroll records (remember census must include all employees that received a paycheck during the year whether employed by the organization or not during the year); the census should also be reconciled with the record-keeper statements (employee contributions, employer contributions and loan repayments). Key point – A reconciled census that agrees with the Plan Sponsors audited financial statements and the record-keeper statements will save time and money during a benefit plan audit
5. Controls should be in place to ensure all information included on the participant statements (social security #, name, compensation, date of birth, date of hire and date of termination) is complete and accurate.  Inaccurate information could lead to:

• Allowing individuals to enter the plan when they were not eligible to do so or not allowing an employee into the plan that is in fact eligible.
• Inaccurate amounts being withheld for employee contributions and/or employer matching contributions.
• Inaccurate amounts being withheld or forfeited when an employee receives a distribution (early distribution tax penalties or issues related to utilizing the appropriate vesting percentage for employer contributions)

     6. Determine if the annual Form 5500 reconciles to the Plan’s financial statement’s

 Interested in refining your internal controls for benefit plan recordkeeping. More will come in a later blog post…