Four Eyes On Everything!

Date August 4, 2022

I continue to be amazed reading about nonprofits as victims of fraud or theft. Girl Scout cookie money stolen, church collections under-deposited, prom and wedding dresses and a fedora purchased from corporate accounts: the incidents just keep coming.

Nonprofits, particularly smaller ones, face a great number of challenges. They often operate with limited resources, have fewer financial controls, tend to be more trusting of staff and volunteers, have ongoing staff turnover, and many are not well versed in financial matters. The Center for Audit Quality noted, “Fraud cannot occur unless an opportunity is present.”

Some red flags often ignored:

  • An employee living beyond their means
  • An employee unwilling to share job duties or take a vacation
  • Vendors who are not “recognizable” outside the accounting department
  • Bank accounts not reconciled in a timely manner and reviewed by a second responsible party
  • Thinking the auditor will catch it
  • Volunteers having access to confidential data, such as banking information
  • Missing documents

A recent report indicated that 34.5 percent of fraud involves cash. How is the fraudster operating? Some usual schemes:

  • Stealing from cash on hand: petty cash funds, cash register banks, church collections, and donation cans are all subject to cash theft.
  • Creating fake vendors or fake employees and writing checks to them
  • Creating fake or duplicate checks, then writing, cashing, and recording them in accounting records as vendor payments
  • Falsifying financial reports and documents: altering or back-dating documents
  • Submitting false expense reimbursement requests
  • Paying personal expenses from organization accounts

The list is not all-inclusive, and, perhaps even more shocking, in a large number of reported frauds, the fraudster has been with the organization for years. Seniority didn’t matter.

Self-defense

So how can a nonprofit defend itself? Fraud prevention does not necessarily require a large budget or a full-time risk manager. Smaller organizations can follow some simple steps to create an anti-fraud environment:

  • Establish an anonymous reporting system.
  • Create a culture of compliance, where nothing gets overlooked and no one gets ignored or criticized for coming forward.
  • Require supporting documents for EVERYTHING!
  • Control the use and access to credit and debit cards.
  • Segregate duties as much as possible; require vacations be taken and those duties be handled by another staff member or volunteer.
  • Rotate duties, particularly for volunteers.
  • Establish and train a board audit committee to review safeguards throughout the organization on a regular basis.
  • Train board members who may be less savvy. Someone on the board should have the skills, knowledge, and expertise to handle financial issues.
  • Reconcile bank accounts immediately each month. Understand that “uncleared” anything may be a problem that should be addressed immediately.
  • And my personal favorite: four eyes on everything. Require two signatures on checks and two people counting all cash being handled.

A recent report indicates that about 40 percent of nonprofit frauds do not get reported to law enforcement. Nonprofits fear damage to their reputations, negative publicity, and the resulting loss of funding. So what should be the protocol when a fraud or theft is discovered? The organization should have a standard response plan that should address:

  • Who gets notified of the situation: the board, the attorney, the insurance agent, the bank?
  • How is an investigation handled?
  • Who addresses the other employees and volunteers?
  • Who addresses the public, donors, and the media?

Planning ahead and documenting the process should be a standard practice for every nonprofit. Good, consistent internal control systems can help to provide reasonable, if not absolute, assurance to the organization. Still, no organization is immune.

If you have any questions regarding nonprofits as victims of fraud or theft, please reach out to your HBK Adviser.




ID.me IRS Facial Recognition Update

Date February 10, 2022
Article Authors
Nicole Vinco
HBK CPAs & Consultants

Under pressure from Congress, the IRS announced it will transition away from using a third-party facial recognition service to authenticate people creating new online accounts, as we mentioned in our article IRS Will Soon Require Selfies to Access Some Features on Their Site. Last year, the IRS began requiring taxpayers to use “ID.me” to access personalized eligibility information for the expanded child tax credits funded by the American Rescue Plan. The agency had planned to expand use of ID.me to all taxpayers later this year.

The use of facial recognition has received criticism on a bipartisan basis from the Senate Finance Committee. Republicans on the Committee sent a letter to IRS Commissioner Chuck Rettig last Thursday, writing: “While we understand the IRS’s use of ID.me is intended to protect data and reduce fraud, we have serious concerns about how ID.me may affect confidential taxpayer information and fundamental civil liberties.” On Monday, the Democratic chair of the Committee also sent a letter asking the IRS to discontinue the program, writing: “I have long argued that Americans should not have to sacrifice their privacy for security. The government can treat Americans with respect and dignity while protecting against fraud and identity theft. The IRS should take immediate steps to address the many valid concerns that have been raised by taxpayers about its use of facial recognition technology.”

IRS Commissioner Chuck Rettig quickly responded that the IRS would oblige: “The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said Rettig. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

To prevent larger disruptions during filing season, the transition will occur over the coming weeks. The IRS plans to “quickly” develop and bring online an additional authentication process that does not involve facial recognition. The transition announced today does not interfere with the taxpayer’s ability to file their return or pay taxes owed. The IRS will continue to accept tax filings and people should continue to file their taxes as they normally would.




IRS Will Soon Require Selfies to Access Some Features on Their Site

Date February 4, 2022
Article Authors
Nicole Vinco
HBK CPAs & Consultants

UPDATE: See here for new update regarding ID.me

Beginning this summer, taxpayers will be required to confirm their identity through a third-party company to access their IRS.gov account. To protect taxpayers’ privacy and reduce fraud, the IRS has partnered with ID.me to confirm users’ identities. We expect the IRS to expand the program in the future, but this should not impact your ability to pay or file taxes. If you have an existing login, it will be deactivated after the summer of 2022. You will need to create an ID.me login to continue using the following IRS services:

  • Child Tax Credit Update Portal
  • Get Transcript Online
  • Get an Identity Protection Pin (IP Pin)
  • View Online Payment Agreements

Before you begin, you will need a valid government-issued photo ID – a driver’s license or passport are both valid forms of ID. You will also need access to a smartphone or a computer with a webcam to take a selfie. The steps can be quite lengthy – especially if you are required to use alternative methods for identity verification. Follow these steps when you are ready to begin:

Step 1: Navigate to IRS.gov and click on “Sign in to Your Account” in the middle of the screen. You will be prompted to either login with ID.me or create a new account with ID.me.
Step 2: Create a new account. You will be prompted to enter your email and create a password. Once this step is complete, you will be prompted to confirm your email address by clicking on the link in the verification email.
Step 3: Choose a Multi-Factor Authentication (MFA) option from the following: text message, phone call, push notification, code generator application, FIDO security key, or NFC-enabled mobile security key.
Step 4: Upload images of your government-issued ID. You have the option of taking a picture with your smartphone or uploading the ID.
Step 5: Once your documents are accepted, you will be prompted to take a live selfie so that ID.me can compare the live image to your government-issued ID.
Step 6: Verify your landline or cell phone number. Voice-over-IP will not be accepted.
Step 7: Verify your social security number.
Step 8: Review the summary of personal information and select the checkbox for the Fair Credit Reporting Act.
Step 9: Grant access to your personal identifiable information to the IRS. If you deny access, you will not be granted a login.

Creation of an ID.me login is not currently required. However, given the time investment required to go through these steps, we advise that you confirm your identity sooner rather than later so that you have access to your account when the need arises.

If you have any questions regarding this new requirement, please reach out to your HBK tax advisor.



Mitigating Fraud

Date January 5, 2021
Article Authors
Tejal Shah

Nonprofits’ Vulnerability to Fraud

According to the 2020 global fraud study by the Association of Certified Fraud Examiners (ACFE), the typical organization loses an estimated five (5) percent of its annual revenue to fraud. The ACFE reported that public and private companies had a median loss of $150,000; however, nonprofit organizations had the smallest median loss of $75,000, with an average loss of $639,000. For some, a $75,000 loss may be insignificant, but for many nonprofits, financial resources are extremely limited and a loss of $75,000 can be particularly devastating.

Beyond the immediate financial loss, however, an even greater potential cost of fraud to nonprofit organizations is the reputational damage that can occur. Because most nonprofits depend on support from donors, grantors, or other public sources, their reputations are among their most valued assets. In addition, fraud in nonprofit settings often garners unrelenting negative media attention.

How Fraud Occurs and Common Fraud Schemes

Occupational fraud is a chilling reality for businesses and organizations of all sizes and occurs across industries—even within the nonprofit sector.

ACFE’s report cites the three most common types of occupational fraud as asset misappropriation, corruption, and financial statement fraud. Financial statement fraud occurs least frequently of the three types, making up only 10% of cases, but results in the greatest median loss. While asset misappropriation leads to the lowest median loss, it happens in 89% of cases, making it the most commonly occurring form of occupational fraud by far.

Some common fraud schemes are as follows:

  • Skimming — Cash is stolen before the funds are recorded in the accounting records
  • Credit card abuse — Perpetrators either use organization-issued credit cards for personal use or use donor credit card numbers
  • Fictitious vendor schemes — Perpetrators set up a company and submit fake invoices for payment
  • Conflicts of interest — Board members or executives have hidden financial interests in vendors
  • Payroll schemes — Continued payment to terminated employees, overstatement of hours, or fictitious expenditure reimbursement
  • Sub-recipient fraud — Abuses by a sub-recipient entity include intentional charges of unallowable costs to the award, fraudulent reporting of levels of effort, and reporting inaccurate performance statistics and data
  • Deceptive fundraising practices
  • Misrepresentation of the extent of a charitable contribution deduction entitlement, misrepresentation of the fair market value of donated assets, and failing to comply with donor-imposed restrictions on a gift
  • Fraudulent financial reporting
  • Misclassifying restricted donations to mislead donors or charity watchdogs, misclassifying fundraising and administrative expenses to mislead donors regarding funds used for programs, and fraudulent statements of compliance requirements with funding sources

How Can Fraud Be Prevented?

1. Internal Controls

“Internal controls are the mechanisms, rules, and procedures implemented by an organization to ensure the integrity of financial accounting information, promote accountability, and prevent fraud.” Examples of internal controls include:

  • Separation of duties ensures that no individual is solely responsible for executing a financial transaction from start to finish. For example, the person who signs a check should not be the same person who writes the check. Having multiple signers is a plus!
  • Regular and timely bank reconciliation provides an opportunity to review transactions and bank balances so any unusual activity can be spotted and investigated.
  • Petty cash controls establish rules on things like the maximum amount of available petty cash as well as who has access to use those funds and who is responsible for approving disbursement. These controls should also document requirements and processes for approval requests (e.g., setting expense limits and requiring a receipt for every transaction).

2. Monitoring Financial Statements

As we previously mentioned, financial statement fraud has the potential to hit your finances the hardest, and it can be incredibly difficult to detect due to efforts by fraudsters to conceal the suspicious activity. Instituting a process for reviewing financial statements and ensuring that the committee or individuals responsible for reviewing financial statements for anomalies have proper knowledge and training on what to look for will drastically improve the likelihood of detection.

3. Anti-Fraud Training

An important part of any fraud prevention program is training. All employees—including managers and executive leadership—should be mandated to participate in the training program to ensure that everyone in the organization is educated on all policies and procedures related to fraud prevention, detection, and reporting. Employees should be able to answer the following questions:

  • What is fraud?
  • How is it damaging to the organization?
  • Who commits fraud? How do they commit fraud?
  • What behavioral and financial indicators could point to potentially fraudulent activity?
  • What are the organization’s fraud policies? What are the consequences of committing fraud?
  • How can I report suspected fraud?

As reported by ACFE, 40% of fraud detection was the result of a tip—the most common method of detection. Empower employees by giving them proper training and a way to report suspected fraud safely and without the risk of retaliation.

4. Technology

To support your fraud prevention efforts, it’s critical to adopt financial technology that can help you monitor risks and enforce your control activities.
  • Access Controls: Ensure segregation of duties in your financial system by controlling user rights. An advanced technology solution will allow administrators to configure user access at a granular level—from limiting who has rights to edit data to defining specific fields and transactions that can be edited (or even viewed) by individual users.
  • Approval Rules: Your financial management software should allow you to configure a seamless approval path where you can require, review, and approve any documentation for expenditures requested by your employees.
  • Bank Account and Credit Card Integration: Being able to view real-time bank and credit card information directly within your organization’s financial system can be hugely beneficial to catching suspicious activity early. Live bank and credit card feeds can allow approved financial staff to securely review the most up-to-date activity from your financial institution and compare that information to what has been recorded in the system.

The True Value of Fraud Prevention

While there are many obvious benefits we could touch on here, ultimately, it’s the ability of social good organizations to foster relationships built on trust—internally as well as with supporters, funders, and the people they serve—and continue the good work they do in the community that is at the heart of fraud prevention.

Proper controls, training, and supporting technology will help your organization create a culture of transparency and trust. Ongoing monitoring and upkeep of your fraud prevention program will keep your organization on track to maintaining its reputation as a good steward so it can continue to create positive change in the world.




Pandemic Spurs Fraudulent Activities

Date April 8, 2020

During a crisis like COVID-19, fraudsters move quickly to develop new schemes to take advantage of consumers through misinformation and scare tactics. Their mode of communication runs the gamut: phone, email, postal mail, text, social media. Within a month of the COVID-19 outbreak, China experienced a surge in phishing scams directing targeted victims to malicious websites; over 4,000 new domain names incorporating some form of COVID-19 were requested.

Identity Fraud
As always, with or without a crisis in play, everyone should protect their money and identity by not sharing personal information, such as:

  • Bank account number
  • Social Security number
  • Date of Birth
  • Usernames
  • Passwords

While the subject of economic stimulus checks has been a topic of much discussion in the news recently, the U.S. Government is not sending—nor will they send—unsolicited emails seeking your private information. Other potential phishing email topics include:

  • Charitable contributions
  • General financial relief
  • Airline carrier refunds
  • Fake cures and vaccines
  • Fake testing kits

Be aware of unsolicited fake emails from the Centers for Disease Control and Prevention (“CDC”) and the World Health Organization (“WHO”). If the email looks questionable, hover over the link in the email to identify the source, that is, the website address from which it was issued. Focus on any slight inconsistencies in the domain address, such as misspellings or a suspicious link—for example, an address ending in “.com” for a supposed government website that, were it legitimate, would end in “.gov.” Do not click on untrustworthy attachments or links. Clicking on an inappropriate link subjects your computer system to malware—and malware’s goal is to steal personal information or to lock your computer and demand a ransom to unlock it.
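
The link check described above, automated for an HTML message body. This is an added example, not part of the original article; the `OFFICIAL` table, the function names and the sample message are assumptions made for illustration, and the `example.*` hosts are placeholders.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains these organizations publish under; extend as needed.
OFFICIAL = {"cdc": "cdc.gov", "who": "who.int"}
# Visible link text that is itself written as a web address.
DOMAIN_TEXT = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL or bare address, '' when there is none."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit read "cdc.gov/x" as host + path
    return (urlsplit(url).hostname or "").lower()


def under(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def check_link(href, text):
    """Return the reasons (possibly none) a link deserves a second look."""
    reasons, host = [], host_of(href)
    if not host:
        return reasons
    # What hovering reveals: the text shows one address, the link uses another.
    if DOMAIN_TEXT.match(text):
        shown = host_of(text)
        if not under(host, shown) and not under(shown, host):
            reasons.append(f"text shows {shown} but link goes to {host}")
    if any(under(host, d) for d in OFFICIAL.values()):
        return reasons
    labels = set(re.split(r"[.-]", host))
    for name, domain in OFFICIAL.items():
        if name in labels:  # e.g. a ".com" host borrowing a ".gov" name
            reasons.append(f"uses the name '{name}' but is not under {domain}")
        elif any(SequenceMatcher(None, lab, name).ratio() > 0.8 for lab in labels):
            reasons.append(f"contains a misspelling of '{name}'")
    return reasons


def review_email(html_body):
    """Map each suspicious href in an HTML body to its list of reasons."""
    parser = LinkCollector()
    parser.feed(html_body)
    checked = ((href, check_link(href, text)) for href, text in parser.links)
    return {href: reasons for href, reasons in checked if reasons}


# Constructed sample message; the example.* hosts are placeholders.
SAMPLE = """
<p>Updated guidance from the CDC:</p>
<a href="https://www.cdc.gov/coronavirus/">www.cdc.gov</a>
<a href="http://cdc-gov.example.com/update">www.cdc.gov</a>
<a href="http://cdcc-gov.example.com/safety">Safety measures</a>
<a href="http://who.int.example.net/map">Live case map</a>
<a href="https://www.example.org/news">Local news</a>
"""

if __name__ == "__main__":
    for href, reasons in review_email(SAMPLE).items():
        print(href, "->", "; ".join(reasons))
```

The label comparison is a heuristic: it only knows the names listed in `OFFICIAL`, so a link that passes still needs the manual hover check.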

Also, be wary of websites and apps claiming to track COVID-19 cases worldwide. Fraudsters are using malicious websites to infect and lock down devices until payments are received. If you are looking for accurate and up-to-date information on COVID-19, the best sources of information are:


Fraudulent Products

The U.S. Food and Drug Administration (“FDA”) has issued letters to seven companies warning them to stop selling fraudulent COVID-19 products. The fraudsters are trying to tempt consumers to buy or use questionable products that claim to diagnose, treat, cure or prevent the virus. The products have not been evaluated by the FDA for safety and effectiveness and could be dangerous. A few of the fraudulent, misleading types of products are:

  • Teas
  • Essential Oils
  • Tinctures
  • Colloidal silver – immune support
  • Sanitizing products
  • Personal protective equipment

As well, test kits sold online for COVID-19 are not authorized by the FDA. The FDA has not authorized a home test for COVID-19. Currently, the only way to get tested is through your healthcare provider. Temporary COVID-19 testing facilities have been set up in many areas; they require a prescription from a healthcare provider.

The FDA offers the following tips to identify false or misleading claims:

  • There are no self-tests for the Coronavirus.
  • Be suspicious of products that claim to treat a wide range of diseases.
  • Personal testimonials are not a substitute for scientific evidence. Celebrities have been victims of identity theft when companies use their image to promote a product that the celebrity did not agree to promote.
  • Few diseases or conditions can be treated quickly.
  • Miracle cures: if it seems too good to be true, it probably is.

The best way to protect your financial assets is to stay on top of your bank accounts, credit card statements, and retirement accounts by monitoring your transactions. Each of the three major credit reporting companies—Experian, TransUnion and Equifax—offers a free annual credit rating report; taking them up on that offer is a financially sound practice.

Stay safe and be wary of the new wave in fraudulent schemes.




2020 Resolution: Date Documents With The Full Year

Date January 21, 2020
Article Authors
HBK CPAs & Consultants

As we begin 2020 and many have committed to (and already broken?) New Year’s resolutions, we recommend one that is easy to keep: when dating documents from now through December 31, use the full “2020” to denote the year, as opposed to just writing/typing “20”.

Doing so will not only generate a sense of accomplishment for keeping at least ONE resolution by year’s end, it may also protect you from potential fraud. Signing documents with an abbreviation (e.g. 1/20/20) may make them more susceptible to manipulation, resulting in a greater risk of the signer falling victim to deceptive practices. Consider the following scenarios:

  • You write a personal check to your new boyfriend or girlfriend in the amount of $5,000 on February 14, 2020 as an intended “shopping spree” Valentine’s Day gift. You date the check 2/14/20. Several months pass – and you realize this is not the person you want to spend the rest of your life with – so you part ways. If the check was not cashed within a reasonable time frame, it would not be honored by your bank so, no big deal. Fast forward to the year 2021 when your ex finds the check and decides to edit the date to 2/14/2021 (by tacking the final two digits onto the end of the date) so the bank will cash the check. Since the bank was unaware that the check was altered, you are now out $5,000 a full year after writing the check.

  • You provide your shady landlord, with whom you’ve had several disputes, a document of notice for intent to vacate his property (i.e. you’re finally moving out!). You sign and date the document using the abbreviation 4/25/20. Now, assume the landlord refuses to return your security deposit, so you take him to small claims court. There, the landlord claims you overstayed your lease and remained on the property long after you informed him that you would vacate, which would allow him to retain the good faith deposit you paid in the beginning of your contract with him. He produces the document that you signed, but has altered the date to read 4/25/2019, thus “proving” that you stayed a full year after you told him of your intent to vacate. Assuming you did not keep a copy of the signed document, you will likely have a hard time proving the actual date on which you officially signed the notice. This may end up costing you your deposit, not to mention court costs.

While these scenarios may seem exaggerated, they both highlight how easily documents can be manipulated, especially this year. Clearly, in both scenarios writing out 2020 in reference to the date would have protected these documents and rendered them much harder to change.

The simple addition of a few pen strokes – by writing the full year of 2020 when dating documents – can save you potential headaches, and maybe even considerable money, down the line. Also, it will give you added peace of mind that your documents are secure. This is one New Year’s resolution that is definitely worth keeping.




IRS Warning on Phishing Emails Demands Attention

Date December 27, 2018

Recently, the IRS issued a warning that internet hackers have stepped up their phishing campaigns. Specifically, the hackers are increasing the use of business email spoofing and business email compromise phishing campaigns. A common variation of this type is known as CEO Fraud or Gift Card Fraud, about which HBK Risk Advisory services warned clients and colleagues earlier this month in “Don’t Fall for the Phish(ing) Bait.”

The warning from the IRS highlights two versions of the phishing scam:
  1. Emails impersonating company employees to Human Resources staff members requesting changes to the “employees'” payroll direct deposit bank accounts.
  2. Emails impersonating company executives to the staff members responsible for wire transfers requesting a wire transfer to a specific bank account on the “CEO’s” behalf.

Tips for Identifying Phishing Emails:

  1. Look for clues such as poor spelling or grammar; these are common in phishing messages.
  2. Don’t fall victim to the “urgent request” prompt. Unexpected messages that require “your immediate attention” or are earmarked as “emergency” emails are often phishing scams.
  3. Be VERY skeptical! Place a phone call to the requesting employee or executive to verify the request of payroll or banking account changes.

Reminders of How to Keep Your Company’s Electronic Messaging Cyber Safe:

  1. Implement a formal Cyber Awareness Campaign. It should include regular educational updates about the red flags of phishing email campaigns.
  2. Establish an inventory of your Information Technology (IT) assets (including data mapping).
  3. Implement or update IT Security Policies (including data classification).
HBK can assist with any of the above action items, as well as advise on additional cyber security topics. Contact Bill Heaven at wheaven@hbkcpa.com for details or to schedule a business consultation.



States Continue to Expand Efforts to Avoid Identity Theft

Date January 30, 2017

Driver’s License Information May be Required to E-file State Tax Returns

States are taking additional steps to protect taxpayers’ identity to combat stolen identity tax fraud. For 2016 tax returns, Ohio, New York, and Alabama will require driver’s license or state identification card information to be provided in order to e-file. This information will include the license number, the date issued, the expiration date, and the state of issuance.

Other states, such as California, Kansas, and Wisconsin, request, but do not require, driver’s license or state-issued identification card information when completing tax returns. Providing this information may allow the state tax returns to be processed more quickly or help confirm a person’s identity if their identity is stolen.

We expect most, if not all, states will eventually require driver’s license information or other personal data to confirm a person’s identity.

In addition, many states also require certain taxpayers to pass an online or telephone identity confirmation quiz in order to have a refund claim processed. For example, Ohio has an Identity Confirmation Quiz, which requires three out of four questions to be answered correctly to pass. The questions are about personal information, such as streets and cities lived in the past. Ohio requires taxpayers to take the identity quiz within 30 days of receipt of the notification letter. If a taxpayer fails the quiz or does not take it within 30 days, then Ohio requires certain supporting information to be provided to process the refund. Other states have similar identity test programs.

Please contact a member of our firm if you have questions or concerns about protecting your identity.
