Woman Reviewing the Numbers

Employee theft is almost certainly occurring at your higher education institution. Confront it from both directions: before and after it occurs.

Reducing Risk

Tips for Preventing and Detecting Internal Fraud at Colleges and Universities

  • Christopher Knopik
  • Don Loberg
  • 2/13/2018

It’s always hard for honest people to believe that their own employees can steal from their organizations, but it happens at colleges and universities every single day — and almost always by the employees they trust the most. In fact, fraud has grown so prevalent that auditors have come to rightly assume it is occurring within every client organization.

We’ve seen this for ourselves, and we advise the higher education institutions we serve to confront internal fraud from both directions: before and after it occurs. Your best defense against fraud is to implement a combination of preventive and detective internal controls. Preventative controls work to thwart improper transactions prior to being processed. Detective controls root out both and fraudulent and unintentionally improper transactions after the fact, but can also be preventive because when employees know there are measures in place to find offenders, they are often cowed by that fact.

Here’s a list of several common types of internal fraud and the preventive and detective controls you can employ for each.

Fake vendor payments

One of the most common ways that an employee steals from a college or university is by issuing payments to a fake vendor (i.e., himself or herself). Too many institutions don’t effectively manage their vendor databases. We see many fail to put controls over basic things like address changes and vendor verification procedures. Or they neglect to remove inactive or duplicate vendors from their databases and systems. In our experience, the offending employee starts by issuing a small payment to a fake vendor, then as he or she gets away with it and confidence grows with success, the payments because larger and more regular.

Preventive controls include:

  • Establishing segregation of duties for vendor set-up procedures
  • Purging vendors that have not been utilized in the past two years from lists and systems
  • Controlling changes within the vendor accounts and limiting access to vendor databases
  • Testing the system for the ability to set up fake vendors

Detective controls include:

  • Reviewing vendor billings on a rolling six-month basis with an eye out for odd vendor activity
  • Isolating vendor activity in which only one person utilizes the vendor

Fraudulent employee expense reports

Fraudulent expense reporting almost always starts out gradually. Employees will add a few extra miles to their travel expenses, then toss in an unauthorized lunch or dinner, and before long they are purchasing things like companion flights and hotel rooms for conferences. You would be amazed at some of the fraudulent big-ticket purchases that can appear to be related to project or grant expenditures — liquor, clothing, jewelry, lawnmowers, and even cars and vacations. That may seem implausible, but it happens with alarming frequency.

Preventive controls include:

  • Ensuring every single expense report is reviewed by the reporting employee’s superior. In the case of presidents and board members (even high-ranking administrators commit such crimes), create a check-and-balance protocol that includes review by several individuals. Ideally, your finance committee, board, and audit committee should scour your executives’ expense reports and receipts
  • Implementing policies and training to assure proper use of employee reimbursements

Detective controls include:

  • Performing a year-over-year comparison of each employee’s expense reporting activity to look for anomalies
  • Conducting sample tests of expense reports every six to 12 months to seek out unreasonable or suspicious expenses
  • Requiring itemized receipts (not credit card statements) for proper review

P-card abuse

P-cards (short for purchasing cards) are simply corporate credit cards. They are indeed very efficient for making small purchases for things like supplies, meals, and other items necessary in the line of work, and often include perks like discounts and spending percentage paybacks.

The weakness with P-cards is that they operate similarly to expense reports and don’t necessarily require purchasing pre-approval. They extend a certain amount of authority and discretion to individuals — and that can be abused.

Placing controls on P-card usage and limiting the types of purchases they can be used for can help thwart the opportunity for theft.

Preventive controls include:

  • Determining the types and levels of employees authorized to use a card
  • Placing both daily and monthly limits on the amounts that can be charged to a card
  • Implementing clear policies on their proper use

Detective controls include:

  • Conducting rigid, detailed reviews of card purchases
  • Querying P-card users on the business validity of certain expenses. This also serves as a preventive control when employees know they will be held accountable for all purchases.
  • Performing a review of P-Card activity with comparison of each employees usage from year to year
  • Requiring detailed receipts for reimbursement and proper review
  • Sample testing expense reports every six to 12 months to look for unreasonable or suspicious purchases

Theft of donations

Donor payments are actually fairly easy for development employees to steal, and it can be fairly difficult for an institution to catch them. When you collect revenues for services or products, you have invoices to match them with. But that’s not always the case for donations, which often come in to the development office unsolicited, and the traditional thank-you acknowledgement from your institution can be forged very easily. This type of fraud can be substantial during capital campaigns and annual fundraisers.

Preventive controls include:

  • Requiring two staff members to open the mail together, log all donations, and sign the log
  • Putting strict protocols on pledge write-offs so that when outstanding pledges are paid, a staff member cannot take a payment and write off the pledge

Detective controls include:

  • Publishing all donors’ names in print or on your website. Donors like to see their names on the lists of contributors and will look for them. If their names fail to appear, they will likely inquire, and if you have no record of their payments, you can reasonably suspect that theft is afoot.
  • Sending courteous notes to donors who contributed in previous years but not in the current year, politely acknowledging their lapse in donating and asking them to consider giving in the coming year. This can weed out stolen contributions when donors who did indeed give protest the lapse’s occurrence. For this to work, however, the notes must be sent from outside the development office so that an offender can’t pull notes to the donors whom he or she stole from.
  • Providing gifts to donors of certain levels and aligning gift inventory with payments. If gifts are missing, it may be because one was sent to a donor whose money was pocketed. Gift inventory should be kept inaccessible to those who collect donation payments.

Off-site check, cash, or credit card fraud

Decentralized activity at your college or university is vulnerable to fraud. For instance, concession stands can have major cash shortfalls, class revenues at satellite campuses can vanish, checks can go missing at fundraising events. A student can pay for a class using a credit card, and an employee can issue a phony refund for that purchase to his or her own credit card. Or an employee can sell credit card information to more sophisticated fraudsters. It may sound unlikely to you, but it happens all the time. The good news is that this type of theft is easy to prevent and detect.

Preventive controls include:

  • Limiting off-site payments wherever possible. Funnel payment activity to a centralized location.
  • Employing strict cash and card controls
  • Implementing strong oversight and rigorous checks and balances

Detective controls include:

  • Doing a credit card audit for refund activities
  • For most transaction activities, there are a number of candy bars vended, tickets sold, students within a class, or other metric that could easily be inventoried and compared to the payments received. Many of the for-profit CPE companies have outstanding processes to control theft when they take payments onsite.
  • Using a point of sales system that can be audited and reconciling the activities with amounts

Fraud can cost you students, donors, and key stakeholders

The costs of fraud are bad enough on their face, but the cost in loss of trust and confidence in your institution can be even greater. To fight internal fraud, you really have to cultivate skepticism. Never assume your people are incapable of theft or that your college or university is invulnerable to it.

Keep these things in mind as you fashion your fraud control measures:

  • The longest-term employees are much likelier than newer ones to commit fraud. They are most familiar with the way things work and have built up trust over time.
  • The most trustworthy people within an institution have the most ability to perpetuate major fraud. When we investigate fraud, we ask a client to name the three most trusted employees, and that’s where we start (and usually end) our inquiries.
  • Doing periodic background and credit checks on employees — not just at the time of hire — can help you pinpoint those that may have a need to steal.
  • Making it easy for whistleblowers to come forward anonymously is very effective at catching fraudsters. Create an anonymous hotline and publish it everywhere. In nearly every case of major fraud, we have found that other employees suspected or knew of the theft but never said anything because they feared retaliation. Anonymity solves that problem.

How we can help

CLA’s higher education professionals can help your college or university implement preventive and detective controls, policies, and practices that work together to inhibit and root out fraud. Our people can assess your risk of fraud, conduct forensic investigations, and help you respond to incidences of theft and compromised security.