CPA and non-profit consultant Vonna Laue helps to identify why churches fall victim to fraud, how you can recognize it — and what you can do about it.
Why do churches fall victim to fraud?
Trust: It’s the baseline. If you don’t trust your employees or volunteers, you need to address that. I would expect that you trust everyone who’s on staff or working with you; however, as a friend of mine says, “Trust is not an internal control.” We can’t rely on it alone.
Limited time and staff: When we’ve got limited time and staff, sometimes we take shortcuts. Or, we make mistakes. When this happens, it’s an environment ripe for fraud.
Lack of controls: Likewise, when we have limited staff or volunteers, it’s easy to say, “I don’t have enough people to be able to have good internal controls.” At one point years ago, I used to feel sorry for smaller organizations on this front. Then, I saw internal controls done well in several places — regardless of size — and realized we can’t use that excuse anymore.
A dynamic environment: A dynamic environment is certainly another factor contributing to fraud. By this, I mean when we’ve got new personnel or new software; maybe we’re converting from one church management software program to another, or we’ve got significant growth. Those times are when it’s easier for fraud to occur.
As churches, we might have policies and procedures in place that are effective. Then, we train someone new; they leave, and someone steps in on an interim basis. Then, we get a full-time person to replace them. Pretty soon, we’re three iterations down the road.
Things are especially fraught with risk when there are software changes underway, which obviously disrupt everything. We don’t know how the new software works. There are mistakes, and an uncertain environment. That transition time can lead to problems, whether they’re intentional or accidental.
What is a “fraud triangle,” and how does it come into play when fraud is happening?
There are three different factors that allow fraud to happen: opportunity, motivation and rationalization. There’s only one which you and church staff have any control over — opportunity.
Rationalizations when someone commits fraud include sentiments like, They owe it to me, or I’m underpaid, or I’m undervalued, or I’ve worked here a long time, and they haven’t given me raises.
Motivation is, for example, when someone’s spouse has recently lost a job. Or, that person might face significant medical needs in their immediate family.
Opportunity is what we’re providing when we don’t have good internal controls. It’s when we allow the opportunity to access these funds and let it go undetected.
We can’t do much about motivation or rationalization. So, we need to focus our efforts on opportunity.
What do financial control best practices do?
Having best practices in place protects the church’s assets and reputation. You want to make sure there’s no easy access to assets. If the people in your church find out that funds were misappropriated, you’re facing a significant reputational risk.
You also want to protect the individuals involved. I worked with a church business administrator who was being considered for a position at another church. Her requirement of that church was that they have an annual audit. She said, “I want to make sure somebody else is looking over my shoulder. I’m going to be fully responsible for a lot of what happens here; I want to be protected.”
Good internal controls allow us to detect mistakes as they happen. When we have checks and balances in place, those will be detected — and corrected — quickly.
What do good internal controls look like?
The first element of good internal controls is segregation of duties. We want to make sure that three components of any given process are separated: custody, authorization and recordkeeping. The main areas where funds come in to and go out of your church are through cash receipts, cash disbursements and payroll. So, if we take cash disbursements as an example, and we think about custody of the assets, we’re referring to the check stock. Who has access to the check stock?
The authorization would be the people who sign the checks. Also, who is authorized to pay funds out of the bank account?
Recordkeeping refers to the individual who’s keeping track of those funds in the accounting system, such as QuickBooks. The point is that we don’t want any one person to have access to all three.
What are some good processes to follow pertaining to cash receipts?
Dual custody of uncounted funds: We want to make sure that when the funds are gathered, they’re not in the custody of one person before they’re counted.
And it’s not just the cash that we have to take care of; it’s also the checks.
We want to make sure that we never have a person who has full custody of uncounted funds. We also don’t want someone to have sole access to the safe.
Restrictively endorse checks as soon as possible: Make sure you’ve got a stamp that reads, “For deposit only,” with the bank account information for the church. When those checks come in, be sure that’s done as soon as possible, as it helps protect against those checks being misdirected.
Timely deposits that undergo a proper process: We need to cut a check and have the right person approve that and sign it. We do that so we have a proper accounting of things and we know the gross receipts and gross expenses, not net.
Donor statements: These can be a very good financial control best practice, because individuals can look at them and make sure they’re in agreement. Do these annually, semiannually or quarterly. Include year-to-date amounts so you have a control that you’ve deposited the amounts donors say they’ve given.
What are examples of good processes, or controls, for cash disbursement?
Don’t pre-sign checks. Even if you have two check-signers, there’s always the risk that they could both go out of town at the same time. It becomes an easy habit to say, “If I just keep five or six of these signed checks around, then I don’t have to bother them.” We need to make sure that we’re not leaving ourselves open to risk, here.
Review and approve invoices before payment. Did someone actually order that? Why? Was it approved, and is it the right amount? You’ve probably been challenged or concerned about some purchases that were made. If people know we’re paying close attention, it minimizes questionable charges.
Review canceled checks. This should be done by someone who’s outside the day-to-day processing. If we have a good process in place for signing checks, we can be sure the checks aren’t going back to the preparer and being altered after the fact. That’s why we’d have a review of canceled checks.
No checks made out to “cash.” Even if it’s a petty cash reimbursement, it can be made out to an individual, just like any other expense reimbursement. Likewise, we need to make sure we’re reconciling petty cash. Also, church credit cards need to have the same controls in place as any other expense we’ve discussed.
What are some examples of payroll-related controls?
Make sure there’s a review of payroll before it’s processed. A lot of people do this already (i.e., ensure they’ve “got a second set of eyes”) because it ensures everyone is being properly paid.
After payroll has been processed, not only should a change report be reviewed, but it should be verified that what was approved prior to processing payroll agrees with the final payroll reports. Someone should review changes. These happen when you add or remove an employee, or change a pay rate. Beyond these circumstances, it really shouldn’t be happening frequently.
Also be sure your church is reconciling its W-2s or 941 quarterly reports to payroll expense. This is one way in which misappropriation or financial fraud has been detected in several churches; those amounts didn’t reconcile.
What’s the benefit of performing a risk assessment at our church?
When you’re thinking about the risks your church faces, start with your leadership. Brainstorm for an hour, and I think you’ll be amazed at how in-depth and comprehensive your list of risks actually is. Identify those risks, and then review the list with governance. Consider all areas — financial, legal, HR, facilities and reputational. That last risk — reputational — is one of the most significant; however, if there’s a lapse, it will affect nearly every area.
How do we proceed after identifying our risks?
Next, you’re going to look at those risks and prioritize them. If there’s a risk that might cost $5 to fix if it happens, it goes towards the bottom of the list. Likewise, if there’s a risk that the entire Sunday offering could “walk away,” that goes at the top.
Then, determine your mitigating controls. For some risks, you’ll want to ensure dual control or segregation of duties. Ask yourself, Is this a process issue? Do we just need to have a policy in place related to this?
Review and update these items annually. Things change; we can’t put them on a shelf and say, “The risk assessment is done.” We need to make sure it’s being updated, just like the segregation of duties. We should have documentation of the processes we have in place for cash receipts, cash disbursements and payroll. Someone else might need to come in and do that.
What should we do before we discover fraud in our church?
Have a discussion with the church board about what you would do if financial fraud occurred. A few policies should also be in place, such as a whistleblower policy or a conflict-of-interest policy. Consider having an audit or an external review of your financial statements, or at least your processes. This can give you suggestions or offer an outside perspective on your controls and processes, and whether they’re effective or not. They can also identify if you’ve missed something.
How do we recognize fraud?
The Association of Fraud Examiners puts out a report every other year. The most common fraud detection method is tips, followed by management review, internal audit and by accident. Lack of internal controls contributed in almost 30% of identified cases. Forty-one percent of those cases weren’t reported to police.
Behavioral red flags existed in 79% of the cases of fraud included in the survey — things like a person living beyond his or her means, exhibiting excessive control issues (not letting anyone else do their job), a recent divorce or family problems, or an attitude change.
How do we respond to fraud?
Get an attorney involved early. If it truly looks like fraud, enlist a certified fraud examiner. If there’s a chance it will become a legal action, make sure you’ve preserved the evidence and that interviews have been conducted in the right way. Don’t make any assumptions, good or bad; you don’t want your board of trustees or elders to find out through the rumor mill that something like this is happening. If anyone asks about it, say, “This is a confidential matter; we’re investigating. We don’t know all the details at this time, but we’ll give you more information when we have it.”
If it turns out to be fraud, two things: (1) Learn from it. How did it happen? How can you put policies or procedures in place to prevent it in the future? (2) Consider that what a person confesses to, or what you find in your initial investigation, is likely less than the actual amount taken.
Continue to monitor everything, and make sure that controls that are in place, stay in place.
More questions? Moderator Eric Spacek dives deeper
Spacek: (Attendee question) How do we develop a standard operating procedure for our online giving process when only one person handles the process?
Laue: Probably the biggest risk I see there is a change in the bank account. Online giving is processed by an organization and then deposited into the bank account. We need to know who has access to change where the bank account can be directed. It’s possible it could get changed for three or four days, and then changed back.
It would be great if someone like the board treasurer had that ability — if he or she was the only one who could change where those funds go. That person could be separate from the person who is actually downloading all the transactions, putting them into the donor system, etc.
At the very least, make sure there’s someone else who has read-only access to be able to look at those donation reports from the online giving module and compare them to deposits in the church bank account.
Spacek: (Attendee question) Any tips for handling cash from the Sunday offering?
Laue: Have two people count the cash, and have them both sign off on a count sheet. Then, if the collection is going into a safe where we’ve got dual control, that’s great. If not, let’s make sure it’s at least going into sealed bank bags. Or, self-sealing envelopes (like the ones FedEx uses) are good, too; that way, no one can get into the envelope without it being detected.
As far as petty cash, I’d encourage you to keep as minimal an amount as possible on hand.
Spacek: (Attendee question) How does the church go about finding an independent auditor? How often should independent audits be done, and when are they absolutely required?
Laue: Don’t just find a CPA that does audits; find someone who understands churches. You’re unique in that you take a Sunday offering. No other business besides nonprofits has restricted funds that come in which need to be spent for that purpose. You need to have a partner in your auditor who understands that.
In terms of what would require an independent audit, oftentimes it’s a loan covenant or your bylaws. It might be something that’s denominationally driven.
If there’s a requirement to have an audit, it should be done annually. Even if you’re not required to have an audit, I think it’s important to have a third-party, independent person who looks at your processes. A review is smaller in scope than an audit and, therefore, less costly.
As you work with CPAs who are very knowledgeable in churches, they should be able to help you identify the level of service you need.
— Reporting by Joyce Guzowski