The ability to make and accept online payments and maintain databases (with detailed constituent profiles) offers obvious benefits to nonprofits under time and financial pressures. But it may also be subject to fraud attempts that can dodge your traditional internal controls. Fortunately, measures are available to combat these risks.

Making online disbursements

Many nonprofits are now paying their bills online, rather than mailing payments. Of course, the ability to make online payments essentially makes the employee who does so a check signer who can, in turn, make unauthorized payments. Similarly, the employee who oversees direct deposit payroll transactions may choose to pay “ghost” employees, give unauthorized raises or otherwise divert funds.

If your nonprofit makes these types of online disbursements, ensure that all payments are subject to an independent review by a different employee. The reviewer can check payments online or examine the bank statements for discrepancies. The reviewer should also study payroll reports that come straight from the payroll system (rather than from the employee who oversees payroll). Of course, the reviewer should be aware that those two employees might be working together to commit fraud. Your bank also might offer verification services to confirm that payments are authorized before they clear.

Accepting payments

One of the most significant changes in how nonprofits conduct business in recent years has been the widespread adoption of systems that allow online payments for event registrations, membership fees, product purchases, and donations. These payments generally are deposited directly into an organization’s bank account.

The risk is that the employee responsible for the online payment system could redirect the ultimate destination of payments. If the accounting department records income based solely on bank deposits, this fraud could go undetected. To close this control gap, take the added step of reconciling the bank deposits against the online income reported by the donor system.
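One way to implement that reconciliation step, as an added example that is not part of the article: a script that compares the donor system's net receipts with the bank's deposits day by day and flags any day that comes up short. It assumes the payment processor deposits one net batch per settlement date and that the donor system exports both the gross amount and the processor fee; the sample records are constructed.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample export from the donor/payment system (not real data).
DONOR_SYSTEM = [
    {"id": "D-1001", "settled": date(2024, 3, 4), "gross": Decimal("100.00"), "fee": Decimal("3.20")},
    {"id": "D-1002", "settled": date(2024, 3, 4), "gross": Decimal("250.00"), "fee": Decimal("7.55")},
    {"id": "D-1003", "settled": date(2024, 3, 5), "gross": Decimal("40.00"), "fee": Decimal("1.46")},
    {"id": "D-1004", "settled": date(2024, 3, 5), "gross": Decimal("500.00"), "fee": Decimal("14.80")},
    {"id": "D-1005", "settled": date(2024, 3, 6), "gross": Decimal("75.00"), "fee": Decimal("2.48")},
]

# Constructed bank-statement deposits: one net batch per settlement date.
# 2024-03-05 is short (D-1004 never reached the account); 2024-03-06 has no deposit yet.
BANK_DEPOSITS = [
    {"date": date(2024, 3, 4), "amount": Decimal("339.25")},
    {"date": date(2024, 3, 5), "amount": Decimal("38.54")},
]

def expected_net_by_day(transactions):
    """Net amount (gross minus processor fee) the bank should receive per settlement date."""
    totals = defaultdict(Decimal)
    for t in transactions:
        totals[t["settled"]] += t["gross"] - t["fee"]
    return dict(totals)

def reconcile(transactions, deposits, tolerance=Decimal("0.01")):
    """Compare donor-system totals with bank deposits per day.
    Returns (date, expected, deposited, finding) for each day that disagrees.
    A MISSING DEPOSIT may be a settlement lag; the reviewer follows up either way."""
    expected = expected_net_by_day(transactions)
    deposited = defaultdict(Decimal)
    for d in deposits:
        deposited[d["date"]] += d["amount"]
    findings = []
    for day in sorted(set(expected) | set(deposited)):
        exp, dep = expected.get(day, Decimal(0)), deposited.get(day, Decimal(0))
        diff = exp - dep
        if diff > tolerance:
            findings.append((day, exp, dep, "MISSING DEPOSIT" if dep == 0 else "SHORTFALL"))
        elif diff < -tolerance:
            findings.append((day, exp, dep, "UNEXPLAINED DEPOSIT"))
    return findings

if __name__ == "__main__":
    for day, exp, dep, finding in reconcile(DONOR_SYSTEM, BANK_DEPOSITS):
        print(f"{day}: expected {exp}, deposited {dep} -> {finding}")
```

The reviewer running this should work from a report pulled directly from the donor system, not one supplied by the employee who administers it.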

Protecting privacy

Many nonprofits possess their members’ and donors’ credit card information and other personal data, making them potential targets for both internal and external hackers and fraudsters. Imagine the consequences if criminals were to access your constituents’ data. It would be disastrous in terms of remedial costs, legal liability, and reputational damage.

Perhaps the most effective privacy control is adherence to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to all entities that store, process or transmit cardholder data and sets out technical and operational requirements for protecting that data. Although PCI DSS isn’t itself a law, several states have enacted legislation mandating compliance with some of its provisions.

The PCI DSS requirements vary depending on the number and type of card transactions an organization conducts, both online and offline. It’s a good idea, though, to take steps to comply with the strictest requirements, including:

  • Installing and maintaining a firewall to protect cardholder data,
  • Encrypting the transmission of cardholder data,
  • Restricting access to cardholder data with unique IDs and on the basis of “need to know,” and
  • Using and regularly updating antivirus software.

Although it isn’t a requirement, PCI also strongly recommends “segmenting” (or isolating) the cardholder data environment from the rest of your network. (To learn more, visit https://www.pcisecuritystandards.org.)

Proceed with caution

There’s no turning back from the technological advances nonprofits are currently enjoying. We can help you determine the best measures to combat these risks. The key is to remain vigilant against the evolving risk of fraud.

About the Authors

Katie A. Allender, CPA, Manager, Assurance and Advisory

Keith J. Libman, CPA, Partner, Assurance and Advisory
