Armanino Blog

Internal Controls Fight Fraud for Nonprofits

by Paul O Grady
March 26, 2013

The ability to accept and make online payments and maintain databases with detailed profiles of constituents offers obvious benefits to nonprofits under constant time and money pressures. But it may also be subject to fraud attempts that can dodge your traditional internal controls. Fortunately, measures are available to combat these risks.

Making Online Disbursements
Many nonprofits are now paying their bills online, rather than mailing payments. Of course, the ability to make online payments essentially makes the employee who does so a check signer who can, in turn, make unauthorized payments. Similarly, the employee who oversees direct deposit payroll transactions may choose to pay “ghost” employees, give unauthorized raises or otherwise divert funds.

If your organization makes these types of online disbursements, ensure that all payments are subject to an independent review by a different employee. The reviewer can check payments online or examine the bank statements for discrepancies. The reviewer should also study payroll reports that come straight from the payroll system (vs. coming from the employee who oversees payroll).

Of course, the reviewer should be aware that those two employees might be working together to commit fraud. Your bank also might offer verification services to confirm that payments are authorized before they clear.

Accepting Payments
One of the most significant changes in how nonprofits conduct business in recent years has been the widespread adoption of systems that allow online payments for event registrations, membership fees, product purchases and donations. These payments generally are deposited directly into an organization’s bank account.

The risk is that the employee responsible for the online payment system could redirect the ultimate destination of payments. If the accounting department records income based on bank deposits, this fraud could go undetected. To close this control gap, make sure you take the added step of reconciling the bank deposits against online income from the donor system.

Protecting Privacy
Many nonprofits possess their members’ and donors’ credit card information and other personal data, making them potential targets for both internal and external hackers and fraudsters. Imagine the consequences if criminals were to access your constituents’ data. It could be disastrous in terms of remedial costs, legal liability and reputational damage.

Perhaps the most effective privacy control is adherence to the Payment Card Industry (PCI) Data Security Standard (DSS). DSS applies to all entities that store, process or transmit credit cardholder data and outlines technical and operational system requirements to protect that data. Although DSS isn’t technically a law, several states have enacted legislation mandating compliance with some of its provisions.

The DSS requirements vary depending on the number and type of credit card transactions an organization conducts, both online and offline. It’s a good idea, though, to take steps to comply with the strictest requirements, including:

  • Installing and maintaining a firewall to protect cardholder data,
  • Encrypting the transmission of cardholder data,
  • Restricting access to cardholder data with unique IDs and on the basis of “need to know,” and
  • Using and regularly updating antivirus software.

Although it isn’t a requirement, it is strongly recommended to “segment” (or isolate) the cardholder data environment from the rest of your network.

Key Takeaway
Do not be afraid of moving forward with technology, but do proceed with caution. As nonprofits proceed towards an operating environment that encompasses greater use of technology, they must remain cognizant of the impact that such changes can have on the organization’s internal controls.  Additional risks should be evaluated, with a focus on the effectiveness of legacy controls in the new environment. Nonprofits should also be consulting with their IT professionals and auditors to ensure that appropriate controls accompany technological changes so that fraud and other related risks are effectively considered and addressed. There’s no turning back from the technological advances nonprofits are currently enjoying. The key is to remain vigilant against the evolving risk of fraud. 

March 26, 2013

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Related News & Insights
Sage Transform VIP Experience
Live Event
VIP luncheon for top finance executives attending Sage Intacct 2022.

October 12, 2022 | 09:30 AM - 10:45 AM PT
Women in Life Sciences: Women’s Health & Wellness
Spill the Tea With Delphine O’Rourke on the State of Women’s Health

October 11, 2022 | 02:00 PM - 03:30 PM PT
ASC 842: Lessons Learned From Early Adopters
Get the scoop from early adopters who have implemented ASC 842.

October 6, 2022 | 09:00 AM - 10:00 AM PT