Risk Management |
Interview by Leah Thayer
From the July/August 2018 Net Assets magazine
Sarah Reichling, CPA, and Jennifer Tingley, CPA, are principals in the Public Sector Group of CliftonLarsonAllen LLP, a professional services network that provides tax, audit and other consulting services to organizations in a range of industries. Both have worked extensively with independent schools and other nonprofit organizations on issues including internal controls, auditing, accounting standards, planned giving, endowment management and risk management.
This interview is based on a presentation Reichling and Tingley gave at the 2018 NBOA Annual Meeting. All NBOA members can now view and download 2018 NBOA Annual Meeting materials.
Net Assets: You spoke about internal controls and fraud risks at the 2018 NBOA Annual Meeting. What kinds of questions did you get?
Tingley: A lot of what we heard was along the lines of, “I'm fairly new to the organization, and this was the way it's always been done. How do I present a big change to the head of school or the board or even to the accounting or development team?” Change is scary and often a roadblock in independent schools. I was also surprised to hear that some people felt they didn't have the support of their supervisor or the board to discuss where they thought there were risks or processes that might need changing. Not having that support internally, especially if you’re new to the school, puts you in a very uncomfortable position.
Net Assets: That seems to get to the issue of culture within schools — the discomfort that can come with calling for more businesslike ways of doing things.
Tingley: Good internal controls must start with the tone at the top. This commitment needs to be communicated throughout the organization to protect the school as well as employees. By speaking openly about the dual purpose for these processes, you can mitigate risk to your organization.
Reichling: Many independent school employees have worked there for decades. To Jen's point, staff may think you're accusing them of doing something wrong for all those years. No one really likes change, but the environment in which we live doesn't support what was done 15 or 20 years ago. Rather than putting people on the defensive, emphasize that this is to protect them. There are now electronic risks that require different controls to keep money from walking off, for example.
Net Assets: What do you see as the biggest risk areas for independent schools?
Reichling: I think the biggest risk involves going with the status quo and just adding layers to your current procedures. Schools need to be always rethinking and educating themselves and the entire team as to where the risks are. More specifically, many of the risks relate to information. Schools have a lot of donor information and family information, including financial information. That combined with students and visitors carrying around devices and having Wi-Fi access on a daily basis just makes for a heightened IT risk.
We've also seen a trend of schools trying to rein in functions like parent associations and booster clubs as part of the school rather than separate entities, as there has been fraud in fundraising activities and these separately run organizations. A third area involves one-off fees like athletic events and field trips. Are those dollars going missing? The risks aren’t always the bigger dollars, as even the smallest problems could put you in the newspaper in an unflattering light.
Tingley: I would say that’s right on. A school can’t afford to lose its reputation and the confidence it has among parents and donors. If a parent is skimming funds off a booster club, it can make a big impact on the community.
Net Assets: How would you rate the level of awareness within most schools? Are they aware of their vulnerability and proactive, or is there still work to do in this area?
Tingley: It's getting better, but there's a lot of room for improvement. People have a tendency to put a little too much trust in one person, which can not only be a financial risk, but also an operational risk. As with everything else, they don't know what they don't know unless someone brings it to their attention. Often the big awakening comes with turnover, in the finance or development department, or with the head of school. Many schools’ finance departments are as small as they were years ago even though operations are much more complex. Giving is more complex. Tuition is more complex. A school’s needs may have outgrown the departments that have been staffed by the same individuals for years.
Net Assets: What’s on the must-have list of key internal controls every school should have?
Reichling: The key control is that no one person can do everything in a transactional process. One person shouldn't own any transaction from beginning to end — for instance, no one person should get the bill, enter the bill, get the check, sign the check and pay the bill. You want someone else involved to make sure the bill is valid and you're paying the correct amount. The same goes for money-in, account reconciliation and access to the general ledger.
Tingley: We also feel there’s room for improvement in contributions. You want to be sure the development and finance departments are on the same page and have a centralized process for tracking contributions and updating the donor database. Otherwise contributions and checks can go missing and easily be deposited in separate accounts.
A lot of risk also involves the fact that everything's done online. The ability to do ACH transfers, for instance, brings the risk of others being able to transfer funds out of your accounts, hack into your system or perhaps take donor information. The threats are hard to keep up with, to be honest.
Reichling: We’re focusing more on how schools set up vendors. It's very common for a school’s vendor list to keep building over time. If someone is savvy enough, it can be easy to change a vendor’s address or create a fictitious vendor or create a new direct deposit account for payments. Keep an eye on changes to your vendor list, like small name changes or an address change. Do you have a bunch of PO boxes? Most organizations have a physical address. How often are you cleaning the list to make sure nothing slips through the cracks?
Tingley: I would wrap payroll in there too, even if you outsource it. Someone can create a fictitious employee or keep on a former employee for a few more pay periods, but with a new direct deposit number. Don’t rely on a third party as being the internal control. You still need an internal control to mitigate any risks involving payroll. Payroll is tricky for schools because besides teachers on contracts and full-time administrative staff you have seasonal coaches and other part-time staff. There are a lot of moving parts.
Net Assets: In your presentation, you said education is one of the top five industries impacted by fraud. Why do you think education itself is so vulnerable?
Tingley: Education is a trusting environment. The primary focus involves educating students, not running a nonprofit business. Trustees and others are driving the new focus to preserve their reputations and meet their governance responsibilities.
Reichling: And as Jen said, you just have a lot more people coming into the school, including volunteers and parents who may visit on an almost daily basis. There's just more exposure in a school environment compared to many other nonprofits.
Net Assets: Let's talk a little bit more about reputational risk. How does fraud or embezzlement become public information?
Tingley: Independent schools are a close-knit and tight community in which information can spread quickly. It is important to not only have a protocol or procedure in place when events do occur, such as a public relations plan to combat potential reputational risk. Parents and the broader community can lose trust in an organization when events, large or very small in nature, are brought into the public eye.
Reichling: I think reputational risk can have an even bigger impact on schools with long legacies of alumni who are still attached to the school. Tuition dollars don't alone pay for 100 percent of a school's operations, and often the first hit from reputation risk is to these other kinds of support dollars.
Net Assets: Should background checks apply to volunteers and parents?
Reichling: Absolutely. The best way to make volunteers feel connected to and responsible for the school is to make them feel as much like an employee as possible. That may mean having them go through a background check, helping them understand conflicts of interest and internal controls. If they're collecting money or handling cash, help them understand their role as it relates to the school and the impact they can have.
Tingley: Background checks need to be robust, whether they’re for staff or volunteers. There was a case where a CFO had been convicted of fraud years before, but the background check didn’t pick it up because it only covered the state the CFO currently worked in.
Net Assets: Dig a bit deeper on the risks that may exist with trusted long-time employees.
Tingley: That's always a tough one, especially if they've been there forever. Everyone trusts them; you feel their information has been timely and accurate. One very simple recommendation we make is to ensure they're taking vacations and then have another person help with their responsibilities while they’re gone. May times, fraud is detected when an employee is on leave or has left the organization, and the interim or replacement notices that something doesn’t seem right. Sometimes schools discover that fraud has gone on for years.
Net Assets: Great tip. What else do you recommend for checking in on trusted long-term employees?
Tingley: Maybe somebody else does payroll once or twice a year. They can also review general ledger journal entries or accounts payable, or even just have read-only access to your bank account. You just want someone to see what kinds of transactions are going through and make sure there's nothing suspicious or unusual. This system for checks and balances will help key employees keep in mind that somebody has the ability to review their work even if it’s not occurring every day.
Reichling: On an annual basis, we recommend that schools take a close look at some component of their operations and internal control. Ask, Is how we're doing things still beneficial? Is it efficient from a time-saving standpoint? Are we overlooking a key control that could potentially open the way to a bigger problem down the road?
Tingley: And have a strong whistleblower policy for reporting. As an external auditor, we are not a school’s internal controls. You can't rely on us to detect fraud. More often than not, a tip from within the organization leads to discovering fraud, and you want people to know there won’t be a backlash if they report on something that feels inappropriate. Consider an anonymous tip line as well as a direct chain of command to the board — the audit committee chair for financial concerns, or the full board plus the HR director for personnel matters. Sometimes the cues are as simple as having concerns about someone’s way of life, like, How do they afford a car like that when we must be making about the same amount of money?
Net Assets: Finally, let’s talk about external review. Do you recommend working only with an auditing firm that is familiar with independent schools?
Tingley: I would say it’s best practice to do due diligence in ensuring that your auditor or any other professional service provider has industry-specific expertise regardless of what industry you're in. Being a generalist doesn’t work in this day and age because the environment in which we live is much more complex. The standards and compliance requirements are much more complex, as many of the reporting standards are changing significantly within the next year. I understand that many schools are under budget constraints, but they’ll lose more money in the long run if something goes wrong.
Internal Controls and Fraud Risks (2018 Annual Meeting presentation, including an mp3 and executive summary)
The Inside Job: Mitigating the Risk of Fraud (March/April 2016 Net Assets)
COSO: Don’t Get Left in the Dark (September/October 2016 Net Assets)
Sign in to leave a comment
Get Net Assets NOW
NBOA's free twice-monthly newsletter
1400 I Street, NW, Suite 675Washington, DC 20005www.nboa.org