Fraud: A Growing Crisis - Part 3
Article Series in pdf format
By Rodney Smith, CPA CFE
This article is the last in a series of articles about fraud in the church. In previous articles, we observed that tips, management oversight, and internal audit efforts are the most common methods of fraud detection; however, we also outlined some easily implemented anti-fraud maneuvers. By far, sound internal controls are the best component of an anti-fraud culture. Even though there is always a chance for collusion, there is no substitute for common-sense checks and balances.
In this article, we will share a more advanced technique for fraud prevention, particularly, how to organize and execute a Fraud Risk Assessment (FRA), with The Fraud Triangle as a backdrop.
The stories of the victims are scary enough, but they only provide motivation for reducing fraud risk. The thought of instituting a comprehensive fraud risk prevention program can be overwhelming, even to the most capable church business leader.
Occasionally, a church administrator will ask me if I can share a sample fraud policy, and my customary smarty-pants response is, “Yes. I’m opposed to it.” If they do not hang up the phone, then I explain that fraud prevention is not a policy that is adopted and filed away. Fraud prevention is a way of life. Also, each church has its own unique culture and control environment, and as an auditor, I must remain objective and independent. I cannot be directly involved in development of my clients’ internal controls.
To borrow a slogan from The Church Network, when it comes to fraud prevention, my advice to a church business administrator is Don’t Go It Alone. In fact, the executive primarily responsible for a church’s business affairs should NOT spearhead a fraud risk assessment, and certainly not a member of the accounting staff. Standing committees typically already have plenty to do, so if you want to perform an FRA, then utilizing a special task force is best practice.
Knowing that the word “committee” is a dirty word in many churches these days, you will need to form an ad hoc team. Call it the Fraud-buster Task Force (FTF), or something clever so people will be eager to participate.
The FTF Coordinator will play the key role, so this person must be carefully selected – one with the requisite technical and leadership skills to execute an efficient and effective initiative.
Regarding formation of the FTF, the last thing I recommend is scanning the church member roster to identify all the accounting professionals that can serve. I mean no disrespect to my CPA buddies, but the FTF should be composed of people from a range of adult age groups and varied industries or professions. Here is a partial list of workers that are generally good candidates to serve on an FTF:
Ideally, there would be six, nine or twelve people on the team, PLUS the coordinator. Depending on the complexity of the organization, the coordinator can divide the team into groups of three or four and dole out assignments, if desired or deemed necessary to balance the workload.
Choose FTF members that work in high fraud-risk industries and those that are trained to understand human behavior, must follow strict regulations or tight controls, or regularly tolerate a lot of “red tape.” For example, warehouse managers are trained to prevent inventory shrinkage, but the purchasing agents they work with are tempted to accept bribes or kickbacks from suppliers. Social workers and police detectives work with folks on a regular basis that exhibit ethical standards driven more by survival instincts than societal norms. Bankers and software developers are accustomed to changes in technology and the necessary controls that accompany them. As explained later in the article, brainstorming and role-playing are methods utilized to assess fraud risks. The sales representative may be best to play the role of the pressurized, rationalized, opportunistic fraudster, because in my three-plus decades of experience as an accounting and auditing professional, I have learned that if there is a way around a system, the sales rep will find it!
There are many resources readily available to help identify the actual internal control weaknesses or other environmental factors that would be considered a fraud risk. (Even without much coaching, a properly assembled FTF will have little trouble identifying the potential leaks in the church’s cash flow.)
This article is not intended to detail all of the accounting processes to evaluate for the following reasons: First, that level of detail would turn this article into an absolute snoozer. Second, administrators that intend to conduct a fraud risk assessment (but still have not) procrastinate, not because they do not know what to do. Instead, they often perceive it as a monumental task, and they just do not know how to get started.
So, here it is, step by step:
1) Pray (repeat as necessary).
2) Sell the idea to the church governing body responsible for financial oversight.
3) Identify the candidates for FTF Coordinator.
4) Explain to these candidates that the project should take no more than 20 hours of time for the Coordinator, and no more than 8 hours of time for each member of the FTF. Total timeline, start to finish, is seven weeks. (I like seven. It is a biblical number, right?)
5) If one of the candidates accepts, say a prayer of thanksgiving and proceed. If not, then pray a prayer of supplication and go back to Step 3.
6) Recruit FTF members, explaining to them that they would need to participate in three meetings that are 1 hour each, and then they would have some homework assignments with a similar time commitment in advance of each meeting.
7) Calendar three meetings with about two weeks in between.
8) Execute the Fraud Risk Assessment and report to the governing body.
The coordinator’s first action related to the FRA will be to request the written accounting policies and procedures from the church business office along with the most recent financial statements. If the current procedures are incomplete or nonexistent, then the business office personnel must outline the processes they follow as an alternative. They will only have two or four weeks to produce the information, and they should not be allowed to ask for an extension of time, because that would delay the entire process. This may seem like an unreasonable position, but if this is the reality of the situation, then the church is exceptionally vulnerable, and there needs to be a “come to Jesus meeting…” with the business manager.
It is also important to note that no member of the church staff should be a member of the FTF; however, there should be a liaison that is available to answer questions and provide clarification throughout the process. This liaison should be dismissed from any FTF meetings while any brainstorming or other discussions are conducted.
Before the initiative is launched, the coordinator and everyone else involved, must understand the objective of the FRA:
1) Identify fraud risks.
2) Determine whether or not they are adequately mitigated.
3) Report findings to the Church’s financial oversight body.
There are many ways a Fraud-buster Task Force can conduct its affairs. I offer the following template:
FTF Homework Assignment 1 – sent by coordinator via email
• Explain objectives of the FRA.
• Remind members of the date and time of each meeting, and the commitment they have made to be prepared for each one.
• Send recent financial statements of the church, and ask the FTF to be prepared to brainstorm about areas where the church might be at risk of fraud, particularly embezzlement or misappropriation of assets.
FTF Meeting 1 – meet via video conference, in person, or a combination of the two. Screen sharing / video projector in the meeting space is a must. Adhere to an agenda that has time limits for each matter. Exchange all documentation during the draft in a common format, so it can be easily edited. Avoid, retyping handwritten information. If everyone brings a computer to the meeting, it can save a lot of time. Copy, Cut, Paste and Edit are your friends.
• Document the brainstorming session on possible vulnerabilities to fraud, based simply upon reading the church’s financial statements.
• Divide the team into groups of three or four and assign areas to investigate further.
FTF Homework Assignment 2 – sent via email immediately after Meeting 1
• Current policies and procedures that were requested from staff at the beginning of the FRA should now be sent to FTF members. (Do not send before first meeting because you do not want the initial brainstorming session to be influenced by this information.)
• The FTF sub-groups should determine the current policies and procedures that would mitigate the fraud risks identified in Meeting 1, and then also determine which fraud risks do not appear to be adequately addressed.
• Phone calls with or interviews of church staff could be conducted to clarify the actual procedures performed.
FTF Meeting 2
• Discuss findings from homework assignments of each group.
• Conduct role playing or additional brainstorming exercises, as necessary.
• Outline major elements of the report.
FTF Homework Assignment 3 – Coordinator drafts report and distributes in advance of Meeting 3
• Read draft report and be prepared to offer and discuss edits at the final meeting.
• Remember it is NOT the role of the FTF to write (or re-write) policies and procedures. Instead, the FTF should simply report its findings to the governing body. (For example, if there is no written credit card use policy, or there is one that is not enforced, simply say so in the report.)
FTF Meeting 3
• Live edit of the report in order to produce final draft during the meeting.
• Each FTF member should have a chance to affirm content.
• If there is any disagreement over final report content, it should be documented in the report, so that the oversight body is aware.
• Findings do not have to be absolutely conclusive, or based upon unanimous consent of the FTF; the oversight body can draw its own conclusions.
Once the Fraud Risk Assessment report is sent to the oversight body, the FTF can be thanked, acknowledged for their efforts, and disbanded. It would now be up to the oversight body to coordinate changes in controls with the church staff. Forward the FRA to the church’s audit firm, and then be prepared to share management’s responses to that report.
Rodney Smith is a CPA with PSK. He can be reached at rodney.smith@pskcpa.com.