In today’s world, fraud is a serious problem that almost everyone will have to deal with at some point. While there are many different variations of fraud, it all boils down to someone else trying to take advantage of you in some way. While there will always be bad people out there who want to take your money, that doesn’t mean that you have to allow it to happen. Here are a few simple steps that anyone can take to help with fraud prevention.
Our Fraud Awareness in the Church series continues as we look at Information Technology Security. We asked churches to respond to these statements:
“Our church has a formal information technology security plan.”
“Our church financial secretary or accountant/bookkeeper has access to all modules of the church’s software system.”
Churches struggle to keep up with the challenges of the rapid change in information technology. Even when they want to address the issues in the two questions above, the workload crush of most churches makes it very difficult to stop the train long enough to develop a good IT plan. This is clearly (to me) reflected in the:
Survey Results: Only 50% of the participants have implemented a formal information technology security plan.
In another indicator of the impact workload pressure has on fraud protection, a whopping 80% of the churches surveyed confessed that their accountant/bookkeeper had access to ALL of their church’s software applications.
In the vast majority of churches this large degree of “trust” is placed in the hands of very good people and a problem never arises. But if, just once, a church employs an individual given to theft and gives him or her this much access…trouble is probably just around the corner.
In PSK’s Faith Based Accounting Blog I posted an article titled “Taking IT for Granted”, where I addressed this issue. The following are a few questions each church should ask itself when developing strong IT controls:
- Does our church have a formal Information Technology security plan?
- Do any individuals at our church have access to all modules of the church’s software system?
- Does our church partition its computer applications so that employees and volunteers have access only to files necessary to perform their duties?
- Does computer access require passwords that are confidential and unique?
- Are our passwords changed periodically?
- Are passwords complex, including alphabetic, numeric and case-sensitive characters?
- Do we have backup procedures that are performed regularly that include off-campus storage?
- Do we have measures in place to protect the church from malware?
- Do we train our employees to avoid accepting email from unknown locations?
- Do we have a download policy?
- Do we maintain separate public and private wireless networks?
Part 4 of our series on Cash Disbursements. In our recent Fraud Survey, we asked churches to respond to this statement:
“Our church has established a “Positive Pay” program with our bank.”
Survey Results – Fewer than 5% of the respondents use such a program.
While the phrase “Positive Pay” is the trade name of one commercial bank, it has become a generic term for an agreement between a bank and its customer that works like this:
- The church establishes a standard routine for paying bills, for most churches once each week.
- A list of approved bills is compiled and transmitted to the bank.
- The bank only clears checks or other charges presented for payment that are on the church’s list.
- The church is also informed of any checks or charges presented for payment that were not included on the list.
Increasingly, businesses are using arrangements like this to address a newer face of economic fraud. Fraud experts have historically used the “fraud triangle” of pressure, rationalization, and opportunity to describe the key ingredients of a fraudulent act. Generally, this discussion has focused on “inside jobs”.
However, with the advance of technology, a new face has arrived on the scene – the “hacker” completely outside the organization (in many cases completely outside the country!). Using Positive Pay is one protection against this type of fraud activity.
Perhaps a new leg needs to be added to the fraud triangle. (I guess that would make it a square…)
Part 10 of our ongoing Fraud in the Church series. PSK in cooperation with the National Association of Church Business Administration (NACBA) conducted a survey to determine the extent to which churches are attempting to address the problem of church fraud. We asked them to respond to this statement:
Our church has established a “Positive Pay” arrangement with our bank.
Increasingly, due to technological change and advancement, the threat of fraud is no longer limited to dishonest employees. Hackers and other “online bandits” have become quite proficient in draining the bank accounts of the unsuspecting. One defense against this is to establish a Positive Pay arrangement with your bank.
Only 5% of our respondents have this type of bank account protection in place, which is surprising because Positive Pay is a simple three-step process.
- During the check writing process, a list is compiled of bills to be paid.
- The list is sent to the bank.
- The only checks or drafts to be cleared by the bank are those on the list.
I am very curious why so few take advantage of this. Any ideas?
Until the 1960s, perhaps into the 1970s, churches were rather slow to pick up on new ideas, particularly in regard to technology. (If you have a hard time believing this, think back to the first time someone wanted to bring an electric guitar into your sanctuary!) But that is no longer the case, especially when it comes to information technology.
Churches have embraced the digital world and are becoming very proficient in the use of computers. A vast array of applications has been made available to the church including sophisticated financial accounting and reporting, childcare security, online purchasing, online tithing, phone trees and coffee bars with free wireless internet. Without a doubt, churches have become technologically savvy.
Unfortunately, there is a vast array of other things that most churches aren’t so savvy about: the numerous new portals computers provide through which fraudsters can gain entry into the church. Key: Computer and online crime is drastically changing the face of fraud prevention.
To stay abreast of the rapid change in technology and the risks this change brings, churches should ask themselves the following questions on a regular basis:
- Does our church have a formal Information Technology security plan?
- Do any individuals at our church have access to all modules of the church’s software system?
- Does our church partition its computer applications so that employees and volunteers have access only to files necessary to perform their duties?
- Does computer access require passwords that are confidential and unique?
- Are our passwords changed periodically?
- Are passwords complex, including alphabetic, numeric and case-sensitive characters?
- Do we have backup procedures that are performed regularly that include off-campus storage?
- Do we have measures in place to protect the church from malware?
- Do we train our employees to avoid accepting email from unknown locations?
- Do we have a download policy?
- Do we maintain separate public and private wireless networks?
“We have rotating count teams with clear rules that account for every penny we collect in offerings…”
While this statement is not inaccurate, it is short-sighted. When churches think of fraud, Sunday offering protection is usually the first thing that comes to mind. And as a result, most churches do a very good job in protecting Sunday receipts. In fact, Fort Knox may be an easier target than some churches I have visited who have ratcheted down tightly their Sunday collection procedures!
But if this is all a church does to protect itself from fraud, it is at risk. There are at least two significant reasons:
First, Sunday offerings are not the only time cash comes into the church. Many churches with air-tight security over Sunday collections completely ignore what happens from Monday through Saturday. And in many churches, the amounts can be substantial, including day care fees, special event fees such as banquets and conferences, food sales, book sales, fund raising revenues, etc., etc., etc. Also, tithes and offerings that are dropped off during the week often circumvent the entire teller process and instead land directly on the bookkeeper’s desk.
Second, cash inflow is not the only place where embezzlement takes place. In fact, a case can be made that the larger cases do not involve the cash inflow processes, but the outflow. The Association of Certified Fraud Examiners backs this assertion with statistics showing that while skimming (taking money before it is recorded) makes up 20% of reported fraud cases, check tampering is even more prevalent, making up 25% of the cases. In addition, fraudulent expense reports and payroll scams chip in another 29% for good measure.
So, churches with tight controls over Sunday cash receipts should be commended for their efforts, but also reminded that effective fraud prevention includes extending this vigilance to the other means of inflow, and the outflow side as well.