Virtual Nonprofit - Nuts & Bolts - preventing fraud

This is part II of an open-ended series on running a virtual nonprofit. Nuts and bolts. It's not the fun creative stuff, but if you don't get it right your nonprofit can't grow, or will die. All of the board members should have a working knowledge of nuts and bolts – enough to know when to ask questions, and who to ask.

Not all boards do! In arts organizations I've been involved with, board members are there because they already volunteer for the organization, for the feeling of doing good, for social prestige, because they want to be entertained, because their friends are there, – good, good reasons that have nothing to do with knowing how to run a business, especially something with a lot of extra rules, like a tax-exempt nonprofit. Some of these board members go on to become effective, informed board directors. Some agree to anything the last person they spoke to wanted, or are afraid or unwilling to speak up.

I first got involved in fraud auditing decades ago, as a temp agency bookkeeper trying to raise enough money for another year of music school. I was assigned to reconcile invoices for an automobile dealership whose problems ranged from the manager leaving the trade-ins out of sales invoice accounting so he could drive the cars to Mexico, a parts manager who, in six months, managed to shrink the parts inventory to the tune of an entire Volkswagen Bug, to be reassembled in his girlfriend's garage, to a cashier (you got it, the girlfriend), who was dipping into everything from the parts department cash register to the coffee kitty. I found the missing trade-in cars in the bookkeeping gaps and the cashier was busted when the other coffee drinkers came to me because they were afraid they'd be blamed. An auditor who was paid a heck of a lot more than me came in and one of his staff found the missing Volkswagen. My training began.

The fraud triangle

Whether you have a $5K a year budget or a $5M a year budget, you can be ripped off by people you trust. There are three things that have to happen for an insider fraud to occur, and it's called the fraud triangle, a concept invented in 1973 by Donald R. Cressey. If you can break any of the three legs, you greatly reduce your vulnerability to illegal fraud. Legal fraud is another area, not covered here.

1. The first leg of the fraud triangle is motivation. A potential fraudster usually has a financial problem that he or she doesn't want to admit and believes can't be solved legally. Sometimes it's a couple, or relatives working as a team. They start coming up with ideas for taking cash or valuables and falsifying financial documents. The financial problem is usually personal – debt, a gambling problem, a drug problem, feeling entitled to better stuff. It can be professional, such as pressure from bosses or investors to show more productivity or profits.

How to break this leg:

a. Do your due diligence on people in your organization, know who they are, where they live, what their situations are. 

b. Pay attention to the people in your organization, what they say, how they feel, who they like, who they don't like. These are real people with real problems, not just a way for your company to make money.

Anecdote: A medical organization with an lucrative consulting practice hired me because the billing system was a mess. Medicare and the IRS were calling Dr. Chairman more often than he found comfortable. Translation: he was screaming and banging stuff on his desk. He'd hired his brother to be the "financial planner" and they had created a snarl of interlocking corporations and partnerships, then Brother quarreled and left. Doctor AngryChair brought in his brother's son and put him in charge of the books and the bank accounts. Bright kid, twenty years younger than me. Wants to call me "honey". 

So I hired them a medical billing clerk, and started shutting down the bogus corporations. It was a puzzle. A rough estimate showed maybe twice the wealth as apparent income, but when I combined assets from each corporation, I had plugs the size of Boston. No wonder the IRS was interested. I found QuickBooks files on the computer system, half a dozen of them, no one seemed to know the passwords, I'm on the phone to tech support and not feeling the love. 

Meanwhile, I'm training the clerical staff. We watch the lunchtime soaps, talk about our kids. Some eye rolling when Dr. AngryChair and Nephew's name come up, yeah they're jackasses, but everyone's paid well, brilliant doctor, it's a good cause, shrug. Then one of the youngest ladies, maybe six months pregnant, comes and sits next to me, fuming. It turns out that Nephew is a groper. He also chants passwords out loud while he's typing and groping. She wrote them down and handed them to me. 

The kid made off with a little less than $2M. The family settled it among themselves and with the nonprofit. Mrs. Doctor, a nurse, was persuaded to give up tennis and volunteer for a few months, where she immediately found more hanky-panky and did bimbo-cleanup among the nursing staff while I taught her some bookkeeping basics. One of the bimbos was charging the nonprofit thousands a month for phone calls to a boyfriend residing in an out-of-state penitentiary and owned suspiciously expensive handbags that showed up on her boss's credit cards. Ya can't make this stuff up. The IRS was happy to talk to me instead of Dr. AngryChair. Everyone learned. Don't base your banking and accounting systems on trust. Pay attention to your staff. Not too much attention, the normal, good kind of attention.    

2. The second leg of the fraud triangle is opportunity. Perceived opportunity. How the crime will be committed and how it will be kept a secret. A thief sees a way he or she can abuse a position of trust without getting caught. The methods are too many to list in one article – my examples above describe a few. This is the area where you can do the most to protect your company.

Some of the ways to be vigilant:

a. Make sure that the person with responsibility for safeguarding assets (bank accounts, anything valuable) is not the person who keeps the financial records - the bookkeeping. This is difficult in small organizations; do it as soon as you can.

b. Do regular surveys of all of the company logins to all of your accounts, what they connect to, and who has access to what. If anyone leaves for any reason, change all the passwords. 

c. Make your transactions transparent to the board – bank statements, donations, invoices, payment records – the more eyes on the records the better. Directors can be held liable for company decisions, and have a right to the information. If you don't trust a board member with this information, he or she doesn't belong on the board. Larger organizations have a financial subcommittee, outside auditors, and bigger fraud problems. In all nonprofits I've been involved with who had unexpected financial issues from fraud, the board had been denied access to financial information and trusted a charismatic organization director.

b. Listen to people attentively and objectively. Listen to yourself. If it sounds like a financial person in the organization is being discredited for reasons that aren't clear, it's worth checking into to see that he or she isn't being scapegoated or gotten out of the way. I've seen this nasty in for-profit as well as nonprofit organizations. On the other hand, sometimes the hints and gossip are right and that's your perp.

Anecdote: Once a bookkeeper I had found for a client told me he loved Sammy Davis, Jr., mourned him, wished he could see him just one more time. For some reason that bugged me and I could not figure why. Really bugged me. Two weeks later, after I had finished the job, I'm still patting myself on the back for finding such a bookkeeper, bilingual, great with numbers, everyone loves him. Then I get the phone call. Two sheriffs have arrived at the company offices and arrested him. He has a gambling problem and stole hundreds of thousands from his previous employer. Who had given him a glowing recommendation when I was checking him out and they hadn't found out yet. Yeah, two weeks.

The only reason he hadn't ripped off my client is that when the board wanted to give him the signature stamp for one of the checking accounts with about $500K in it, so they could go on a retreat and he could do payroll, I hit the ceiling and yelled (because of 2.a. above) until they said OK. Not because they agreed with me, just to shut me up. They called me back in to do a review, the only thing missing was a laptop they'd bought him. No, I never figured out the Sammy Davis thing, maybe the Las Vegas connection? Just that I really liked the guy except for that one buggy feeling.

3. The third leg of the fraud triangle is rationalization. Most thieves within an organization are either first time offenders or have never been caught. They see themselves as ordinary people who have had bad luck, not hurting anyone, and that the company deserved it. Good guys, smart, even admirable, just ask'em. Not much you can do about it. Stuff I've heard them say:
a. I was going to pay it back. Translation: I did pay it back and stole it again. Twice. This is called “kiting”.
b. I've got kids, I had to buy groceries. Translation: I am a drug addict. 
c. The Company didn't pay me enough. No, turns out they were paying you too much. 
d. XXX is a scumbag and deserved it. Fair point, but no.
e. What the [expletive deleted] do you care?