We often hear stories in the news about fraud affecting non-profit organizations. Frequently, such organizations are victimized when an individual in a position of financial authority makes unauthorized withdrawals or disbursements from bank accounts or misdirects cash deposits. In response to these risks, many organizations have added controls that are intended to prevent and detect fraud relating to cash, but what is often overlooked is the potential for payroll fraud.
According to a 2014 report by the Association of Certified Fraud Examiners (ACFE), payroll fraud is the top source of accounting fraud and employee theft. The ACFE indicates that payroll fraud occurs in 27% of businesses (for-profit and non-profit) and happens twice as often in organizations with less than 100 employees than in larger ones. Finally, they note that the average payroll fraud lasts approximately 24 months. So, for not-for-profit organizations, who typically have limited resources, the risk is too great not to be addressed. While adding additional controls and steps in the payroll process may seem cumbersome, the benefit of reducing the risk for payroll fraud is worth it. Following are a few simple steps that can be taken to prevent and detect fraud in this important area:
- An organization should maintain timecards for all employees, and supervisors should be required to review and approve them each pay period. Particularly, overtime (for hourly employees), sick time, vacation and other leave time should require an approval. The timecards should be filed as support with the payroll registers each period so they can be reviewed along with the registers.
- An organization should maintain an adequate segregation of duties within the payroll processing function. For example, the individual who posts the payroll to the general ledger should not be the same individual who processes the payroll within the payroll module of the accounting software or with the third party payroll provider. This will allow for a reasonableness review of each period’s payroll at the time it is paid.
- Payroll registers should be reconciled to the general ledger payroll accounts quarterly. This exercise will assist in detecting if payroll has been mis-posted to another area of the general ledger or if other fraudulent transactions (i.e. cash-related fraud or fraudulent financial reporting) have been posted to payroll accounts in attempt to “bury” it within typically large numbers.
- Many organizations prepare a detailed payroll budget each fiscal year. Comparing actual payroll results to budget monthly or quarterly can be helpful in identifying fraudulent activity. Any significant variances from budget should be easily explainable. Reviewers should also keep in mind known variances from budget (i.e. an open position that was budgeted for) and ensure that these variances are being realized.
- An executive of the organization, who is independent of the payroll and accounting function (such as the president, executive director, treasurer, etc.), should review the payroll registers periodically for unusual or unexpected activity. For example, he or she should review the hours worked (for hourly employees) along with employee pay rates to ensure they are consistent with expectations. Further, he/she should review the listing of employees paid to identify potential “ghost employees” (individuals being paid who do no work for the organization), or terminated employees who continue to be paid. Many organizations outsource their payroll processing to a third party provider. Through the online platforms made available by payroll providers or within payroll modules embedded in the accounting software, organizations typically have access to a variety of useful reports, including an “audit report” which can be run for a specific payroll period or longer period of time and provides a detail listing of all changes made within the payroll system, such as employees added, employees terminated, rate changes, withholding changes, etc. This is an especially important control for smaller organizations in which the individuals processing and posting payroll also have responsibility for maintaining the employee database, pay rates, withholdings and deductions. Reviewing such a report in connection with a review of the payroll registers can be very useful. Changes identified by an “audit report” should be supported by the appropriate paperwork and authorizations within the employee files.
In the end, the key to payroll fraud prevention is identifying how it could occur within your organization and adding reasonable controls, such as the ones recommended above, to address the risks.
Chris Ernest, CPA oversees audit and tax engagements and is responsible for engagement planning, staff supervision and coordination with client personnel to ensure successful completion of projects. Chris provides services to a wide range of non-profit organizations, including independent schools, country clubs, museums and trade associations. In addition, he specializes in audits of employee benefit plans.