Archive for Internal Controls

Payroll Fraud: A Risk & How to Address It

We often hear stories in the news about fraud affecting non-profit organizations. Frequently, such organizations are victimized when an individual in a position of financial authority makes unauthorized withdrawals or disbursements from bank accounts or misdirects cash deposits. In response to these risks, many organizations have added controls that are intended to prevent and detect fraud relating to cash, but what is often overlooked is the potential for payroll fraud. 

According to a 2014 report by the Association of Certified Fraud Examiners (ACFE), payroll fraud is the top source of accounting fraud and employee theft. The ACFE indicates that payroll fraud occurs in 27% of businesses (for-profit and non-profit) and happens twice as often in organizations with fewer than 100 employees than in larger ones. Finally, the report notes that the average payroll fraud lasts approximately 24 months. For not-for-profit organizations, which typically have limited resources, the risk is too great to leave unaddressed. While adding controls and steps to the payroll process may seem cumbersome, the benefit of reducing the risk of payroll fraud is worth it. The following are a few simple steps that can be taken to prevent and detect fraud in this important area:

  • An organization should maintain timecards for all employees, and supervisors should be required to review and approve them each pay period. Particularly, overtime (for hourly employees), sick time, vacation and other leave time should require an approval. The timecards should be filed as support with the payroll registers each period so they can be reviewed along with the registers.
  • An organization should maintain an adequate segregation of duties within the payroll processing function. For example, the individual who posts the payroll to the general ledger should not be the same individual who processes the payroll within the payroll module of the accounting software or with the third-party payroll provider. This will allow for a reasonableness review of each period’s payroll at the time it is paid.
  • Payroll registers should be reconciled to the general ledger payroll accounts quarterly. This exercise will assist in detecting whether payroll has been mis-posted to another area of the general ledger or whether other fraudulent transactions (e.g., cash-related fraud or fraudulent financial reporting) have been posted to payroll accounts in an attempt to “bury” them within typically large numbers.
  • Many organizations prepare a detailed payroll budget each fiscal year. Comparing actual payroll results to budget monthly or quarterly can be helpful in identifying fraudulent activity. Any significant variances from budget should be easily explainable. Reviewers should also keep in mind known variances from budget (e.g., an open position that was budgeted for) and ensure that these variances are being realized.
  • An executive of the organization who is independent of the payroll and accounting function (such as the president, executive director, treasurer, etc.) should review the payroll registers periodically for unusual or unexpected activity. For example, he or she should review the hours worked (for hourly employees) along with employee pay rates to ensure they are consistent with expectations. Further, he or she should review the listing of employees paid to identify potential “ghost employees” (individuals being paid who do no work for the organization) or terminated employees who continue to be paid.
  • Many organizations outsource their payroll processing to a third-party provider. Through the online platforms made available by payroll providers or within payroll modules embedded in the accounting software, organizations typically have access to a variety of useful reports, including an “audit report,” which can be run for a specific payroll period or a longer period of time and provides a detailed listing of all changes made within the payroll system, such as employees added, employees terminated, rate changes, withholding changes, etc. This is an especially important control for smaller organizations in which the individuals processing and posting payroll also have responsibility for maintaining the employee database, pay rates, withholdings and deductions. Reviewing such a report in connection with a review of the payroll registers can be very useful. Changes identified by an “audit report” should be supported by the appropriate paperwork and authorizations within the employee files.

In the end, the key to payroll fraud prevention is identifying how it could occur within your organization and adding reasonable controls, such as the ones recommended above, to address the risks. 

Chris Ernest, CPA, oversees audit and tax engagements and is responsible for engagement planning, staff supervision and coordination with client personnel to ensure successful completion of projects. Chris provides services to a wide range of non-profit organizations, including independent schools, country clubs, museums and trade associations. In addition, he specializes in audits of employee benefit plans.

Internal Control Checklist for Small Non-Profits: 5 Critical Steps

Establish a strong control environment:  Setting the tone at the top of the organization can go a long way in deterring fraud.  Having an effective control environment will naturally foster strong controls and make it easier for employees to follow protocol.  Ideas:  create written procedures and assign responsibilities and authorization power; use budgets and deadlines and hold employees accountable; and, most importantly, involve the Board or other governing body by providing financial reports and expecting its members to stay engaged and ask questions.

Create and maintain segregation of duties:  This is essential.  History shows that most instances of fraud occur because the person had an opportunity, usually meaning there was no one else involved in certain functions and thus no one would notice, especially in small incremental amounts.  In a small office, this can certainly be a challenge; however, there are several things you can do between two or three people that will create those checks and balances.  Ideas:  a) when dealing with cash receipts, have two people count, double-check and record cash; b) for purchases, separate individuals should be approving purchases, generating checks, recording expenses in the general ledger and reviewing and signing checks (and avoid using a signature stamp); c) also be sure to consider authorization rights with your online banking and discuss available controls with your bank, such as email notifications or authorization codes for payments made online.

Physical Controls:  Simple things such as keeping offices locked, check stock locked in a file cabinet (one or two people keep the key) and passwords on computers and for software will help keep your assets safe.

Review and reconcile the bank statement:  Ideally, someone other than the person writing checks should receive the unopened bank statement and prepare a reconciliation of bank activity to general ledger activity, so that discrepancies can be detected in a timely manner.  The bank statement should be reviewed by someone outside the cash function.  In a very small office, it may be necessary to have the treasurer or other board member perform this review.  Pay particular attention to cancelled checks and withdrawals, noting payee, amount and frequency for reasonableness.  A person committing fraud may record a payment to a known vendor in the system or on a check stub, while the actual check is made payable to someone else.

Payroll:  Look at weekly payroll reports from the payroll company to make sure employees and pay rates are within your expectations.  It is also important to review year-to-date figures by employee (summarized on one report), which will include all payments, including bonuses, corrections, direct deposits, etc.  Payroll fraud often occurs in separately processed payroll, which can be excluded from your weekly payroll reports, but would be reflected in year-to-date totals.  Try to discuss available controls with the payroll company. Many will offer emails to be sent directly to a designated individual for notification of all processed payroll, pay rate changes, added and terminated employees.  If this were the case, it would be difficult for any erroneous information to go undetected, especially in a small office environment.


Jeanne Pagnozzi is a manager in BlumShapiro’s Accounting and Auditing Department, based in Quincy, Massachusetts. Jeanne oversees attest and tax engagements and is responsible for engagement planning, staff supervision and coordination with client personnel to ensure successful completion of projects.