Fraud Risks Affecting Private Schools

Facts About Fraud

• Estimated that a typical organization loses 5% of its annual

• $7+ billion was the total loss caused by the cases in the study

• The median loss was $130,000

• 22% of these cases caused losses of at least $1 million

• 9% of these results were applicable to NPOs with a median loss of $75,000

• 16% of these results were applicable to government with a median loss of $118,000

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Facts About Fraud

• Asset misappropriation was most common (89% of cases), causing the smallest median loss of $114,000

• Financial statement fraud was least common (10% of cases), causing the largest median loss of $800,000

• Corruption was in the middle (38% of cases), causing a median loss of $250,000

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Facts About Fraud

• The longer a fraud lasted, the greater the financial damage it caused

• While the median duration of a fraud was 16 months, the losses rose as the duration increased

• At the extreme end, schemes that lasted more than five years were 20x more costly

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

ACFE’s 2018 Report on Occupational Fraud

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Facts About Fraud

• In 97% of cases, the perpetrator took steps to conceal the fraud

• The most common concealment methods were creating & altering physical or electronic documents

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Facts About Fraud

• The most common detection method was tips (40% of cases); organizations that had reporting hotlines were much more likely to detect fraud through tips than organizations without hotlines (46% compared to 30%, respectively)

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Facts About Fraud

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Facts About Fraud

• In cases detected by tip at organizations with formal fraud reporting mechanisms, telephone hotlines were the most commonly used method (42%)

• However, tips submitted via email (26%) & web-based or online forms (23%) combined to make reporting more common through the internet than by telephone

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Who Reports Occupational Fraud

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

• Organizations without hotlines were more than twice as likely to detect fraud by accident or by external

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Internal Control Weaknesses that Contributed to Fraud (2018)

Lack of internal controls (30%)

Lack of management review (18%)

Override of existing internal controls (19%)

Poor tone at the top (10%)

Lack of competent personnel in oversight roles (8%)

Lack of independent checks/audits (4%)

Lack of employee fraud education (2%)

Lack of clear lines of authority (2%)

Lack of reporting mechanism (<1%)

Other (6.0%)

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Facts About Fraud

• Fraud perpetrators ALMOST ALWAYS display warning signs that they are engaging in illicit activity (85% of the cases reported had at least one of these red flags)

• 15% of occupational fraudsters had been charged or convicted of a fraud-related offense & 72% had been punished or terminated by an employer for fraud-related conduct

• Employee education is the foundation of preventing & detecting occupational fraud. Staff members are an organization’s top fraud detection method; employees must be trained in what constitutes fraud, how it hurts everyone in the company & how to report any questionable activity

Source: ACFE’s Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse

Behavioral Red Flags Displayed by Perpetrators (chart; categories shown as a percentage of cases)

Instability in life circumstances

Other

Excessive family/peer pressure for success

Complained about lack of authority

Past employment-related problems

Refusal to take vacations

Past legal problems

Social isolation

Excessive pressure from within organization

Complained about inadequate pay

Addiction problems

Irritability, suspiciousness or defensiveness

"Wheeler-dealer" attitude

Divorce/family problems

Control issues, unwillingness to share duties

No behavioral red flags

Unusually close association with vendor/customer

Financial difficulties

Living beyond means

Motives for NPO Fraud

• Bonus, raise or promotion based on reported results

• Positive performance evaluation

• Retaining job based on reported results

• Obtain a new grant/impress grantors/donors

• Impress watchdog group

• Obtain bank financing or meet bond/loan covenants

• Meet grant requirements

• Private inurement—related party—don’t have to pay taxes

Understanding Internal Controls

• Evaluate design of controls

• Verify implementation of controls

Process vs. Control

Process: Captures data, changes data & potentially introduces possible errors

Control: Does not change data; prevents or detects & corrects errors introduced through processes

Three-Step Process to Understand Controls

• What process is used to complete a transaction?

• What could go wrong?

• What controls are in place to prevent errors?

Example Analysis

Cash Receipts Process | What Could Go Wrong | Control

Set Up Contributor | Fictitious contributor | Review of new donors

Set Up Receivable Balance | Wrong amount, wrong aging, wrong restriction, wrong period | Supervisor review & approval

Acknowledgment Letter Sent | Sent to wrong contributor, wrong amount | Donor reports or questions any changes or mistakes

Revenue/Rec. JE Created | Input/processing error, data lost, access issues | Supervisor review & approval of entry

Cash Received | Cash stolen, record wrong amount | Reconciliation & review

Create Cash Receipts Listing | Cash stolen, record wrong amount | Reconciliation & review

Cash JE Created | Wrong account, period, amount | Review & approval

JE Posted to GL | Input error – account, period, amount | Review

Financial Statements Created | Wrong line item | Management review & comparison

Control Analysis

• What controls are in place?

• Are there any gaps that need to be addressed?

• Do the controls in place provide an effective & efficient organization/operation?

#1: The Control Environment

• Tone at the top – YES, YOU MAKE THE BIGGEST DIFFERENCE TO PROTECTING YOUR ORGANIZATION

• Typical management exceptions

• COSO

o Integrity & ethical values

o Commitment to competence

o Board of directors & audit committee

o Management’s philosophy & operating style

o Organizational structure

o Assignment of authority & responsibility

o Human resource policies & procedures

Strong Control Environment

• Strong controls environment (manual & application controls)

• Management oversight & involvement throughout process

• Preventive controls

• Detective controls

#2: Segregation of Duties – Understanding

• One-person staff

o Bookkeeper

• Two-person accounting staff

o Bookkeeper

o Controller

• Three-person accounting staff

o Bookkeeper

o Accounting clerk

o Controller

#2: Segregation of Duties

• No single individual is responsible for receiving, recording & depositing funds or writing & signing checks

• No single individual is permitted to request, authorize, verify & record expenditures

• Flowchart the process

• Journal entries

#2: Segregation of Duties (Continued)

• Receipts process

• Payroll process

process

• Disbursement process

• Use executive director or other people to best segregate duties

• Use of board members

• Use of volunteers

• Use of third-party vendors
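A small checker, added here and not part of the presentation, that encodes the two segregation-of-duties rules above as groups of incompatible duties and tests the one-, two- and three-person staffing patterns from the earlier slide (with the executive director used as an extra signer) against them. The duty names, the staffing assignments and the decision to treat any two duties from one group held by the same person as a conflict are assumptions made for this example.

```python
"""Segregation-of-duties (SoD) conflict check for a small accounting staff (added example)."""
from itertools import combinations

# Incompatible-duty groups derived from the two rules on the slide. Treating any two
# duties from one group held by the same person as a conflict is an assumption
# (a stricter reading than "all of them held by one person").
INCOMPATIBLE_GROUPS = {
    "cash handling": {"receive_funds", "record_receipts", "deposit_funds"},
    "check handling": {"write_checks", "sign_checks"},
    "expenditures": {"request_expenditure", "authorize_expenditure",
                     "verify_expenditure", "record_expenditure"},
}


def find_conflicts(assignments):
    """assignments maps person -> set of duties.

    Returns a sorted list of (person, group, duty_a, duty_b) tuples, one per pair of
    incompatible duties held by the same person."""
    conflicts = []
    for person, duties in assignments.items():
        for group, incompatible in INCOMPATIBLE_GROUPS.items():
            held = sorted(duties & incompatible)
            for a, b in combinations(held, 2):
                conflicts.append((person, group, a, b))
    return sorted(conflicts)


def unassigned_duties(assignments):
    """Duties nobody holds: a gap in the process rather than a conflict, but worth listing."""
    all_duties = set().union(*INCOMPATIBLE_GROUPS.values())
    held = set().union(*assignments.values())
    return sorted(all_duties - held)


# Constructed staffing scenarios modelled on the one/two/three-person examples.
ONE_PERSON = {"bookkeeper": set().union(*INCOMPATIBLE_GROUPS.values())}

TWO_PERSON = {
    "bookkeeper": {"receive_funds", "record_receipts", "write_checks", "record_expenditure"},
    "controller": {"deposit_funds", "sign_checks", "authorize_expenditure", "verify_expenditure"},
}

# Three accounting staff plus the executive director as signer/approver.
THREE_PERSON_PLUS_ED = {
    "accounting_clerk": {"receive_funds", "request_expenditure"},
    "bookkeeper": {"record_receipts", "record_expenditure", "write_checks"},
    "controller": {"deposit_funds", "verify_expenditure"},
    "executive_director": {"sign_checks", "authorize_expenditure"},
}

if __name__ == "__main__":
    scenarios = [("one-person", ONE_PERSON), ("two-person", TWO_PERSON),
                 ("three-person + ED", THREE_PERSON_PLUS_ED)]
    for name, staff in scenarios:
        found = find_conflicts(staff)
        print(f"{name}: {len(found)} conflict(s); unassigned: {unassigned_duties(staff)}")
        for person, group, a, b in found:
            print(f"  {person} holds both {a} and {b} ({group})")
```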

#3: Controls over Payroll & Hiring Process

• Time sheet approval

• Encourage/require direct deposit for payroll

• Separate bank account for payroll

• Use third-party administrator/staffing services

• Background & credit checks

• Exit interviews

• Reference checks—beware of internal referrals

• Past work experience checks

#4: Controls over Disbursements/Contracts

• Set up approved-vendor list

• Invoice approval procedures – delegation of authority

• Petty cash

• Check processing & don’t forget wires

• Limit employee advances & reimbursements

• Periodic review by an objective person of the list of all vendors receiving fees/checks from the not-for-profit (because a common scheme involves creating a fictitious vendor)

Case Examples

• A bookkeeper was sentenced to two years in prison in 2016 for stealing $800,000 from National Veterans Service Fund in Connecticut from 2009 to 2014, writing checks to herself & then altering the to make it appear the money went to veterans

• A not-for-profit dedicated to helping the rural poor in Southeast Asia reported its then-president diverted $950,000 for his personal use in 2012 when the group was based in Boston. The charity said the executive promised to make full restitution as part of a settlement, but a former director said no one was ever prosecuted

Case Examples (Continued)

• From a Washington Post article, a former employee of the Association of American Medical Colleges was able to create fake invoices in the names of legitimate groups that she then approved for payment. When the checks were ready, she had them returned to her, not sent to the vendors

• Under that system, a spelling change of just four letters allegedly netted $3.7 million for her when she purportedly created nearly 200 false invoices in the name of the well-known Brookings Institution policy center, but deposited the checks into accounts she opened for her own “Brookings Institute”

#5: Controls over Bank Reconciliations

• Bank reconciliation procedures

o Time frame to be completed

o System access

o Reconciliation to the general ledger

o Who does the reconciliation

o Approval procedures

o Bank statements

• Wire transfer procedures

• Mail handling; random checks

#6: Controls over Credit Card Purchases

• Don’t have them (the time required to keep up with credit cards can easily be a day’s worth of work)

• Policies & procedures

• Number of users

• Limits

• Authorization

• Review

• Preapproval

Corporate Credit Cards

Problems in Many Organizations Include

Wasteful & improper spending

Lack of documentation, e.g., receipts, invoices

No explanation of business purpose

Personal charges to be “reimbursed later”

Lack of adequate policies

Expectations not communicated to employees

Lack of second review of all charges

Lack of adequate review of charges by key employees (& any of their relatives who also are employees)

Reimbursement/Credit Cards/P-Card Schemes

• Any scheme in which an employee makes a claim for reimbursement of fictitious or inflated business expenses

o Employee files a fraudulent expense report, claiming personal travel, nonexistent meals, etc., as incurred business expenses

o Employee purchases personal items & requests reimbursement from the employer

Expense Reimbursement/Credit Card Fraud Schemes

Measure | 2016 | 2014 | 2012 | 2010

Estimated median loss | $40,000 | $30,000 | $26,000 | $33,000

Median duration | 24 months | 24 months | 24 months | 24 months

< 100 employees (share of cases) | 16.7% | 13.1% | 13.7% | 14.2%

100+ employees (share of cases) | 13.9% | 16.5% | 17.3% | 16.8%

Red Flags for Expense Reimbursement/Credit Card Schemes

• Purchases that do not appear to be business related

• Missing original documents supporting expenses

• Altered receipts

• Many receipts from the same vendor

• Submitted receipts are consecutively numbered

• Expenses in round dollar amounts

• Expenses just below receipt submission threshold

• Segmenting expenses across periods to remain below receipt submission threshold

• Cash payment for expenses typically paid with credit card

Ideas for Improving Processes

• Create clear policies & procedures

o Update current policies as necessary

• Employee signature to agree to comply with policies

• Get supporting documentation for purchases

o Original receipts – not just credit card statement

o Documented business purpose

• Second review of charges at all levels

o Be sure to address possible/known weaknesses in the review process (no review/weak review; wrong person doing the review)

• Periodic outside review of charges

• Question any potentially inappropriate purchases

Ideas for Improving Expense Reimbursement Processes

Review & update reimbursement policies

Formalize expense reimbursement process

Review work/vacation schedules

Institute use of mileage tracking apps

Ideas for Improving Credit Card Process

Monitor credit card holders & implement two-step approval process

Limit use of personal credit cards

Do not allow personal purchases on corporate credit cards/P-cards as a standard practice

Set reasonable/lower credit limits

Merchant code blocking (P-cards)

Electronic analysis of charges

Using Electronic Data to Monitor Credit Cards

• Data benefits

o High-quality data

o External data source

o Standard formats

o Industry standards (merchant category codes)

o Level III data

o Ability to quantify usage (by vendor, by card, by department)

Using Electronic Data to Monitor Credit Cards (Continued)

• Ability to quickly/fully analyze

o Transactions in round amounts

o High-risk merchants (online merchants, foreign merchants)

o Split transactions

o Transactions on leave days (weekend, holiday, vacation)

o Outlier transactions
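As an added example (not from the presentation), the following script runs the checks listed on the expense reimbursement red-flag slide and in the two “Using Electronic Data” slides over a constructed batch of card transactions: round amounts, amounts just below the receipt threshold, possible split transactions, weekend/holiday/vacation-day charges, high-risk merchants (by merchant category code or foreign country) and per-card outliers. The threshold, the merchant category codes, the holiday and vacation dates and the transactions themselves are constructed assumptions.

```python
"""Red-flag screening of card transactions (added example; all data constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Txn:
    card: str
    day: date
    merchant: str
    mcc: str        # merchant category code, as carried in Level III card data
    country: str
    amount: float


# Policy settings: constructed assumptions, not figures from the presentation.
RECEIPT_THRESHOLD = 75.00          # receipts required at or above this amount
NEAR_THRESHOLD_BAND = 5.00         # "just below" = within this band under the threshold
SPLIT_WINDOW_DAYS = 1              # same card + merchant within this many days
HIGH_RISK_MCC = {"5967", "7995"}   # direct-marketing and gambling MCCs (assumed list)
HOME_COUNTRY = "US"
HOLIDAYS = {date(2018, 7, 4)}
VACATION = {"C-101": {date(2018, 7, 9)}}   # card -> approved leave days


def screen(txns):
    """Return {txn: [flag, ...]} for every transaction that trips at least one rule."""
    flags = defaultdict(list)
    amounts_by_card = defaultdict(list)
    for t in txns:
        amounts_by_card[t.card].append(t.amount)

    for t in txns:
        if t.amount >= 20 and t.amount == int(t.amount):   # ignore small round amounts
            flags[t].append("round amount")
        if RECEIPT_THRESHOLD - NEAR_THRESHOLD_BAND <= t.amount < RECEIPT_THRESHOLD:
            flags[t].append("just below receipt threshold")
        if t.day.weekday() >= 5 or t.day in HOLIDAYS or t.day in VACATION.get(t.card, set()):
            flags[t].append("leave day")
        if t.mcc in HIGH_RISK_MCC or t.country != HOME_COUNTRY:
            flags[t].append("high-risk merchant")
        history = amounts_by_card[t.card]
        if len(history) >= 3 and t.amount > 5 * median(history):
            flags[t].append("outlier vs card median")

    # Split transactions: two charges on the same card at the same merchant within the
    # window, each below the threshold but together at or above it.
    by_card_merchant = defaultdict(list)
    for t in txns:
        by_card_merchant[(t.card, t.merchant)].append(t)
    for group in by_card_merchant.values():
        group.sort(key=lambda x: x.day)
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if (b.day - a.day).days > SPLIT_WINDOW_DAYS:
                    break
                if max(a.amount, b.amount) < RECEIPT_THRESHOLD <= a.amount + b.amount:
                    for t in (a, b):
                        if "possible split transaction" not in flags[t]:
                            flags[t].append("possible split transaction")
    return dict(flags)


# Constructed sample batch: July 2018, two cards; merchant names are invented.
SAMPLE = [
    Txn("C-101", date(2018, 7, 2), "Office Supply Store", "5943", "US", 43.17),
    Txn("C-101", date(2018, 7, 5), "Office Supply Store", "5943", "US", 38.50),
    Txn("C-101", date(2018, 7, 6), "Hotel Supply Co", "5999", "US", 70.00),
    Txn("C-101", date(2018, 7, 6), "Hotel Supply Co", "5999", "US", 72.00),
    Txn("C-101", date(2018, 7, 7), "Online Retailer A", "5967", "US", 19.99),   # Saturday
    Txn("C-101", date(2018, 7, 9), "Gas Station", "5541", "US", 31.40),         # vacation day
    Txn("C-202", date(2018, 7, 2), "Cafe", "5812", "US", 12.35),
    Txn("C-202", date(2018, 7, 3), "Cafe", "5812", "US", 14.10),
    Txn("C-202", date(2018, 7, 10), "Electronics Warehouse", "5732", "US", 1200.00),
    Txn("C-202", date(2018, 7, 11), "Online Vendor Ltd", "5999", "GB", 58.25),
]

if __name__ == "__main__":
    for t, reasons in screen(SAMPLE).items():
        print(f"{t.card} {t.day} {t.merchant:<22} {t.amount:>8.2f}  {', '.join(reasons)}")
```

The thresholds and the "5x the card's median" outlier rule are starting points to tune against an organization's own history; the value of the exercise is that every flag ties back to one of the listed red flags so a reviewer knows what to ask for.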

Example

• A former elementary school bookkeeper is accused of cashing $55,239 worth of checks from the PTA between 2011 & 2015

• The bookkeeper was in charge of purchasing items for the PTA on a district-issued credit card; the PTA would then cut checks to reimburse the school account

• The bookkeeper would cash the checks personally & pocket the money

#7: Controls over Receipts

• Use a lockbox

• Involve a second person in cash receipts processing

• Verify cash logs

• Make bank deposits daily

• Don’t forget volunteers (safety/security)

• Receiving credit card donations/receipts (PayPal)

• Physical movement of cash (wires)

#8: Controls over Physical Safeguards

• Limiting access (locking cabinets, doors, etc.)

• Don’t forget controls over collections &

• Fireproof safes

• Reconcile physical inventory of furniture & equipment

• Fundraising events

• Physical inventory of gifts donated (silent auctions)

#9: Controls to Help Prevent & Detect Potential Financial Statement Fraud

• Watchdog organizations – expense classification

• Donor restrictions – help ensure a system to identify restrictions before they are recorded

• Grant compliance

• Budget to actual

• Comparison to prior year

• Does the board truly understand how to read the FS?

• Distribute financial reports to staff

• Flash reporting – financial & nonfinancial data—critical areas to review—dashboard sheet

#10: Electronic Controls

• Protecting confidential information of donors, clients, etc. (this often is a legal requirement)

• Encryption technology

• Anti-virus protection

• Back-up system

• Websites

• Cellphones/thumb drives

• Passwords

• Database management

• Appropriate access for systems

• Cybersecurity

Cyberthreats

Average annualized cost of cybersecurity (USD): $11.7M

Percent increase in cost of cybersecurity in a year: 22.7%

Average number of security breaches each year (per company): 130

Percent increase in average annual number of security breaches: 27.4%

Cost of damage by 2021: $6.0 Trillion

Source: Ponemon Institute LLC, “The Evolving Role of CISOs and their Importance to the Business”; Ponemon Institute LLC, “2017 Cost of Cyber Crime Study”

Cyberthreats

Chart: % increase from previous year for Malware Injections, Web Application Vulnerabilities and Mobile Malware (bar labels as shown: 212%, 200%, 54%)

Source: Osterman Research, “Best Practices for Protecting Against , Ransomware and ,” April 2018.

Cyberthreats

• In February 2018, there was

o One phishing attempt in every 3,331 emails &

o One piece of malware for every 645 emails

o On average, for an organization of 500 email users who receive a median of 100 emails per day, the security infrastructure will receive 15 phishing attempts & 77 pieces of malware each day

• There continue to be targeted ransomware campaigns focused on specific industries like health care & government, among others

Cyberthreats

• Cybercriminal organizations are successful because

o They are generally well funded

o They have the technical resources to create new & increasingly capable attack methods

o They are highly collaborative in nature

Motivations Behind Attacks, 2016 vs. 2017 (pie charts; categories: Cyber Crime, Cyber Espionage, Hacktivism, Cyber Warfare; slice labels as extracted: 77.4%, 72.1%, 14.2%, 14.5%, 9.2%, 4.7%, 4.3%, 3.4%)

Source: Hackmageddon, http://www.hackmageddon.com/2018/01/17/2017-cyber-attacks-statistics/

Cyberthreats

• According to IBM’s “Cyber Security Intelligence Index,” 95% of all security incidents prey on human weakness in order to lure insiders within organizations to unwittingly provide them with access to sensitive information

• 59% of respondents agree that most information technology security threats that directly result from insiders are the result of innocent mistakes rather than malicious abuse of privileges

Cyberthreats

INSIDER RISKS (charts)

Source: Bomgar Privileged Access Threat Report 2018

Cyberattacks to Watch Out For

1. Phishing

2. Pretexting

3. Baiting

4. Quid pro quo

5. Tailgating

6. Ransomware

Phishing

• Phishing is crafting a message (typically an email) designed to influence the recipient to “take the bait” via a simple mouse click

• Seeks to obtain personal information, such as names, addresses & Social Security numbers

• That bait is most often a malicious attachment but also can be a link to a page that will request credentials or drop malware

Phishing

• May use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate (Bitly, TinyURL, Ow.ly, etc.)

o From: https://securityintelligence.com/the-role-of-human-error-in-successful-security-attacks/

o To: https://ibm.co/1PO3b9x

• Fake/disposable email address generators

o Yahoo Mail, Dispostable, Guerrilla Mail, GMX Mail, etc.

• Messages tend to incorporate threats, fear & a sense of urgency in an attempt to manipulate the user into acting promptly

Phishing (Continued)

• Some phishing emails are more poorly crafted than others, to the extent that their messages often exhibit spelling & grammar errors

• In a normal (median) organization, 78% of people don’t click a single phish all year. That’s pretty good news

• On average, in any given phishing campaign, 4% of people will click it – The vampire only needs one person to let them in

• Only 17% of phishing campaigns were reported. Additional training also should be bestowed on users who don’t report the phishing!

Phishing Examples

Annotated screenshot: fake sender domain (hover mouse over); bad grammar &/or misspellings; suspicious content; hovering over the link reveals a suspicious URL:

http://www.southmountainlaw.com/options/htaccesss.html

Phishing Examples (Continued)

Pretexting

• Pretexting is a more focused method compared to phishing

• Involves the creation of a false narrative to obtain information or influence behavior

• Could be a phone call, text message, email, etc., designed to steal victims’ personal information

• Scammer pretends they need certain bits of information from their target in order to confirm their identity

• Pretexting also may involve impersonating co-workers, police, bank, tax authorities, clergy, insurance investigators, auditors, etc.

Pretexting (Continued)

• The pretexter must simply prepare answers to questions that might be asked by the victim

• In some cases, all that is needed is a voice that sounds authoritative, an earnest tone & an ability to think on one’s feet to create a pretextual scenario

• Unlike phishing emails, which use fear & urgency to their advantage, pretexting attacks rely on building a false sense of trust with the victim

• The attacker may develop a relationship & even help the victim execute the exploit

Email-Based Pretexting Example

Warns of a “Fraud Alert” on your bank account

Link to official-looking site that asks for PII

Phone-Based Pretexting Examples

• New credit card

• Past-due bill/collection call

• Delinquent taxes

Baiting

• Baiting is the promise of an item or good that attackers use to entice victims into giving up login credentials to a certain site

• Baiting attacks are not restricted to online schemes. Attackers can deliver malware via the use of physical media

• Many people will pick up USBs & plug them into their computers without thinking

• The USBs may automatically activate a keylogger that allows access to observe an employee’s online activity & login credentials, or install malware

Quid Pro Quo

• The quid pro quo usually assumes the form of a service

• Attackers may impersonate IT service people & spam call as many direct numbers belonging to a company as they can find, or use a pop-up box warning

o These attackers offer IT assistance

o Eventually they will reach someone with a legitimate problem

o The user will be grateful & will eagerly follow their instructions

o The fraudsters will promise a quick fix in exchange for the employee disabling their anti-virus program, under the guise of software updates

o The attacker then gets the user to install malware on their computer

Tailgating

• Another social engineering attack type is known as tailgating or “piggybacking”

• These types of attacks involve someone who lacks the proper authentication following an employee into a restricted area

Ransomware

• Attacks are inevitable

• Around half of business victims pay the ransom

• Most are able to retrieve data after payment

• Many would pay again

• Ransomware will continue to be one of the most prevalent attacks

• Perpetrators are being greatly assisted by the emerging Ransomware as a Service (RaaS)

Source: Telstra Security Report 2018

Ransomware

• City of Atlanta, Georgia (March 2018): Five of Atlanta’s 13 government offices were “hijacked.” What made Atlanta such an easy target—even for a relatively common form of ransomware—was its incredibly outdated use of technology; old computers running on nonsupported platforms. Cost to date: $2.7 million

• Colorado Department of Transportation (February–March 2018): SamSam ransomware morphed into something new & reinfected CDOT computers that had already been cleaned. In April, 80% of functionality had been restored at an estimated cost of up to $1.5 million after a computer virus forced the department's back-end operations offline

• City of Leeds, Alabama (March 2018): Paid $12K in bitcoin to remove lock

Callout: According to the Telstra Security Report 2018, four out of five ransomware victims who paid a ransom to recover their files said they would pay the ransom again to recover data if no backup files are available

Recommendations – Basics

• Educate

o Technology is no substitute for employee education

o Educate & re-educate the entire organization, not just IT

o Include the board, executives & vendors

o Knowledge is power

o Do not discourage false-positive reporting

o Document your security policies in a knowledge database so everyone understands exactly what is going on & why

o Develop & rehearse a robust incident response program

Recommendations – Basics (Continued)

• Patch

o Applications

o Databases

o Operating systems – servers, workstations, etc.

o Anti-virus/anti-malware – engines & signatures

o Third-party applications

Recommendations – Basics (Continued)

• Limit

o Control use of administrative privileges

o Limit access based on need-to-know (least privilege)

o Limit & control remote access

o Do not share credentials. Consider a password safe

o Consider multifactor authentication

o Limit the use of portable media

o Be situationally aware for potential physical security issues

o Make your trash unattractive to dumpster divers

o Consider disabling macros

Recommendations – Basics (Continued)

• Check

• Lock down everything that is not needed

• Generate logs & review them. Don’t forget to document your review

• Escalate potential security issues

• Limit & monitor vendor access

• Filter out suspicious emails addressed to employees

• Implement a policy for dealing with suspected phishing & pretexting

Recommendations – Basics (Continued)

• Prevent

o Lock your laptop whenever you are away from your workstation

o Do not give out personal or company confidential information on the phone, through the mail or over the internet unless you have initiated the contact or know whom you are dealing with

o Monitor inbound & outbound traffic for unusual patterns

o Encrypt data at rest & in motion. Don’t just protect the perimeter (firewall), also protect the data

o Segment critical data. Encrypt data within crown-jewel segments

Recommendations – Basics (Continued)

• Backup

o Implement a regularly scheduled backup program that meets your business & records retention requirements

o Put some distance between your primary & secondary sites

o For critical applications, perform a full restoration or fail-over test at least annually

o Back up & restore not only data, but also the applications

o Understand the differences between cloud storage & cloud backup

Cyber Trends for 2018

• Experian projects the top data breach trends of 2018 include the following

• The United States may experience its first large-scale attack on critical infrastructure, causing chaos for governments, companies & private citizens

• Failure to comply with new European Union regulations will result in large penalties for U.S. companies

• Perpetrators of cyberattacks will continue to zero in on governments, which could lead to a shift in world power

• Attackers will use artificial intelligence (AI) to render traditional multifactor authentication methods useless

• Vulnerabilities in internet of things (IoT) devices will create mass confusion, leading to new security regulations

Example of Phishing

• The American Museum of Natural History in New York City reported it lost $2.8 million in 2015 after an employee fell for an email scam & erroneously wired the money

• The museum reported the incident to police, but the perpetrators have yet to be identified or return the money

Best Practices

Review & update policies & procedures annually

Perform walk-through of controls either annually or on a rotating basis to determine reliability

Annual review of user access rights

Questions?

Joseph Blatt, CPA, Partner

Joseph Blatt is a partner at BKD. He has been actively engaged in work with both health care and not-for-profit organizations for over 30 years. Mr. Blatt provides both audit and consulting services to a variety of organizations, including private schools and other educational institutions as well as health care facilities, housing, social services organizations, drug rehabilitation, museums and cultural arts centers, fundraising organizations, foundations, religious and other organizations.

Mr. Blatt has also provided audits in accordance with Government Auditing Standards. Mr. Blatt participates closely with his clients on an on-going basis, not only on accounting and auditing problems, but also in various managerial and consulting roles, including budgeting, forecasting, development of accounting controls, development of accounting policy and procedure manuals, management problem solving, and as a board advisor.

Joseph Blatt received his degree from Queens College with a B.A. degree in accounting. He is a member of both the American Institute of Certified Public Accountants (AICPA) and the New York State Society of Certified Public Accountants (NYSSCPA). Mr. Blatt is a member of the NYSSCPA Not-for-Profit Committee and the NJAIS Not-for-Profit interest group.

Mr. Blatt frequently presents at training and educational seminars on auditing, accounting and reporting of not-for-profit and health care organizations.

[email protected] Telephone # 212-867-4000 x13112

Thank You! bkd.com/nonprofit | @BKDNFP