Category Archives: Fraud

Credit Cards and Fraud

Having a policy can thwart fraud

When it comes to fraud in any organization, credit cards are frequently a fraudster’s tool. Because the use of credit cards is so commonplace today, there’s always the risk of improper charges to your account. Credit card misuse could hurt your organization financially and jeopardize its reputation in the community. Always remember that physically locking credit cards only protects you from unauthorized use by those who have never been in possession of the card. Online purchases don’t require physically having the card, just knowledge of the card information. But there are ways to protect your organization against credit card fraud. Developing a credit card use policy is an important first step.

Certain components make sense
While each organization’s policy will vary according to its circumstances and priorities, certain components are both commonsense and essential. It’s important, for example, to address eligibility by setting restrictions on which employees may have or use your organization’s credit cards. You might, for example, want to limit cards to full-time employees who:

  • Travel regularly for their jobs,
  • Purchase large volumes of goods and services for the organization’s use, or
  • Otherwise incur regular business expenses of a kind appropriately paid by credit card.

You also should require written approval from a supervisor prior to having a credit card issued to an employee. In addition, your policy should clearly identify prohibited uses for the cards, such as cash advances, bank checks, traveler’s checks and electronic cash transfers — and explicitly state that the credit cards may never be used for personal expenses. You also might bar using the card for purchases of alcohol or other items inconsistent with your organization’s mission and values. Additionally, you may want to prohibit capital purchases, which often need to go through a more layered approval process. Finally, your policy should specify that reimbursement for returns of goods or services must be credited directly to the card account. The employee should receive no cash or refunds directly.

Spending limits should be specified, preapproval required
In addition to restricting the types of purchases, your policy should set a spending limit. Or you can rely on the specific limit set with the issuer for each card if that limit is in sync with the user’s needs. Do you know you can make more than one payment per month on a credit card? If you must use corporate credit cards, low credit limits are amongst your best tools to limit exposure to fraud. Many nonprofits require all employees to seek preapproval (usually in writing) prior to incurring any credit card charge as a proper internal control. Clearly state in your policy that unauthorized credit card purchases and charges without appropriate documentation are the responsibility of the employee, including any related late fees or interest.

Documentation and statement reconciliation are key
Employees must provide documentation — usually the original itemized receipt — to support all charges. For meal purchases, require employees to provide the names of everyone in attendance and a description of the meal’s business purpose to comply with IRS regulations. Request that all original receipts be submitted to the accounting department in an organized manner, and provide users with a standardized format to expedite processing by requiring department coding and descriptions of each charge. Supervisors should indicate their review and approval of the charges by a signature and date on the receipt or on the required form. Your accounting department should reconcile monthly credit card statements, and the statements should be reviewed by an executive or board member.

Enforcement should be mentioned
A policy without an enforcement mechanism is simply a piece of paper. Your policy should state that violations will result in disciplinary action, up to and including termination of employment and, where appropriate, criminal prosecution. Once you communicate your credit card policy, require the employee to sign an acknowledgment stating that he or she has read and understands the policy and procedures governing credit card use before receiving the card.

The right steps
Credit card use is sometimes a convenient way to handle expenses, particularly for event planning and travel. So if your not-for-profit permits credit card use, make sure that you have controls in place to deter and guard against misuse. Also implement similar controls for debit and purchase card use. Our best advice is: Don’t go it alone. Ciuni & Panichi, Inc. has a team dedicated to working with not-for-profit organizations. The team provides accounting and 990 preparation as well as management advisory services. Additionally the firm provides consulting services on fundraising strategies, board and volunteer engagement, and marketing. Contact Mike Klein, CPA, Partner, at or 216-831-7171 to learn more.


Cybercrime and Not-for-Profit Organizations

By Reggie Novak, CPA, CFE
Ciuni & Panichi, Inc. senior manager and certified fraud examiner

Is Your Not-for-Profit a sitting duck?

Not-for-Profits generally have limited administrative personnel and often lack dedicated IT staffers. They also typically have smaller budgets for technology solutions such as firewalls, antivirus programs, and intrusion protection. It’s no surprise, then, that the nonprofit sector is one of the most frequently compromised by hackers.

Your Not-for-Profit’s computer network probably contains a wealth of data to entice hackers — for example, donor information, including names, addresses, credit card numbers and bank account information. Also coveted by cybercriminals are personnel data, such as employee Social Security numbers and direct deposit information, and accounting records related to payroll, payables, banking, investments and other financial functions.

Hospitals and other Not-for-Profit health care organizations that collect and store patient data, including medical records and insurance information, are particularly vulnerable. Colleges and universities also are popular targets because of their multiple networks and many users — that includes students who participate in risky online behavior such as illegal file downloading.

Is your defense strong enough?
Most Not-for-Profits are already familiar with protections such as firewalls and antivirus programs. And as long as you keep your programs current and download updates as soon as they become available, you can count on some measure of cyber security.

But your defensive strategy should extend to include policies and procedures, such as data-handling rules. Overworked staffers may neglect to weed out old files, so it’s important to implement procedures for disposing of sensitive data that’s no longer needed. Key data and systems should be backed up regularly and stored in a safe offsite location. Because Not-for-Profit employees often share responsibilities, be sure to create accountability for specific jobs.

Training for staffers, volunteers and board members is critical, too. For example, your network’s users should be made aware of such issues as e-mail scams and “social engineering,” where criminals manipulate people into volunteering passwords and other information. Also educate your employees about the proper use of laptops and mobile devices.

Finally, consider taking proactive steps against an attack by hiring a “white hat” hacker. This consultant uses the latest techniques to test your network and devices for holes so that you can plug them.

Are you up for a fight?
Of course, a robust cybercrime-fighting program takes time and at least a small bite out of your Not-for-Profit’s budget. Convincing your board that such expenditures are necessary may be tough.

Increasingly, nonprofits are creating technology committees led by tech executives or other knowledgeable board members. If your board lacks tech expertise, make recruiting someone who understands the need for cyber security — and how to achieve it — a priority. Your tech committee might be tasked with creating policies, determining budgets, evaluating software and products such as cyber liability insurance, and planning how your organization would respond to a cyber attack.

If your tech committee plans to act as first responders to a cyber security incident, be sure to include a public relations expert in the group. The timing and wording of communications can significantly affect how the media and your organization’s stakeholders respond to an event.

Thwarting cyber thieves
Unfortunately, cybercrime will continue to threaten organizations of all types. Join us for a free seminar to learn more about how you can protect your organization on Thursday, April 21 at 7:30 am at the Doubletree Independence, 6200 Quarry Lane, Independence.

Reggie Novak is a Senior Manager in the Audit and Accounting Services Group. As a Certified Fraud Examiner, Mr. Novak can assist you with prevention services, including recommending internal controls and other measures to be implemented to prevent theft or misappropriation. If fraud is suspected, he can investigate and present his findings and recommendations. Contact Reggie Novak at 216.831.7171 or for more information.


How Can Board Actions Impact an Organization’s Fraud Risks?

The Fiduciary Responsibilities of the Board

Fraud happens everywhere, in all industries and in companies of all sizes, and research by the Association of Certified Fraud Examiners (“ACFE”) shows that those organizations that focused more on fraud have less risk of fraud occurring.  Organizations worldwide lose an estimated five percent of annual revenue to fraud, according to the ACFE 2014 Global Fraud Study.  The results of this study demonstrate that the presence, or lack thereof, of Board oversight has a profound effect on the median loss and duration of fraud.  The business case for managing fraud risk should be at the front of every director’s mind when considering the cost/benefit of fraud detection and prevention efforts.

The basic fiduciary duty of care principle, which requires a director to act in good faith with the care an ordinarily prudent person would exercise under similar circumstances, is being tested in today’s business climate.  Personal liability for directors, including removal from the Board, civil penalties, and tax liability, as well as damage to the reputation of themselves and their organizations, appears not so far from reality as once widely believed.  Yet, many directors continue to be in the mindset of “that won’t happen in my organization.”  Because of this, a basic understanding of the director’s fiduciary obligations and how the duty of care may be exercised in overseeing the organization’s internal control and compliance systems has become critical.

While fraud risk management should be a part of an overall risk management program, effectively addressing the risk of fraud requires dedicated, deliberate focus and consideration, including a formal process for oversight by directors.  The Institute of Internal Auditors, American Institute of Certified Public Accountants, and ACFE jointly recommended that the committee charged with fraud risk oversight “should meet frequently enough, for long enough periods, and with sufficient preparation to adequately assess and respond to the risk of fraud, especially management fraud, because such fraud typically involves override of the organization’s internal controls.”

Dedicated and observable fraud risk oversight activities by the Board will not only enhance the ethical reputation of the organization but will also set the stage for an antifraud culture within their organization.  Moreover, the directors’ proactive involvement in fraud risk management initiatives has the added benefit of serving as a strong deterrent to fraud by heightening the perception of detection throughout the organization.  Increasing the perception that potential fraudsters will be caught is among the most effective deterrence mechanisms available.

Accordingly, a director must be educated on fraud’s “red flags” and be willing to ask the tough questions, both of a general nature and specific to potential fraud risks.  The best director is inclined to think like an investigator when details don’t add up or explanations don’t make sense.  Answers should not be accepted at face value as necessarily accurate or even, in some cases, honest or truthful.

By requiring, implementing, and overseeing a proactive fraud risk management plan, directors will meet their fiduciary responsibilities, while helping to secure a financially and ethically sound future for their organization.

For more information or if you have concerns about your organization, contact Reggie Novak at 216-831-7171 or

Reggie is a Senior Manager in the Audit and Accounting Services Group.  As a Certified Fraud Examiner, Mr. Novak can assist you with prevention services including recommending internal controls and other measures to be implemented to prevent theft or misappropriation.  If fraud is suspected, he can investigate and present his findings and recommendations.