The potential for theft or unauthorized use of association funds should be one of the highest priorities of every director. Unfortunately, issues dealing with governance, budgetary and financial concerns, repairs and maintenance, enforcement of house rules, policies, and other association issues usually take precedence.
Most boards assume that the funds handled by the association’s managing agent are safe and secure. Confirmation of this attitude comes from the annual audit that invariably gives a clean opinion on the prior year’s financial transactions.
The reality is that too many managing agents have a poor system of internal controls. A strong internal control system is the single most important factor in preventing or minimizing the unauthorized and illegal taking of association funds. Most managing agents that handle multiple associations easily deal with tens of millions of dollars of association funds.
Clearly, this lack of attention to what is one of the most important functions of a director is very disturbing. Is your association prepared for a loss of hundreds of thousands of dollars? What good is it to blame the managing agent after the funds are gone? What are the financial risks to the association? How does the Board prevent or minimize these risks?
This White Paper deals with these risks and how to minimize and/or prevent loss of association funds. In this paper, the terms embezzlement, fraud and theft are used interchangeably.
The Problem is that Banks May No Longer Be Held Liable for Customer Losses
In the “old days,” losses from a customer’s bank account were usually covered by the bank. However, in this age of electronic payments and receipts, fraud can occur from multiple sources, many of which the bank has no control over. Many banks have changed their policy when it comes to losses from customer accounts. For example, if the fraud is significant and originated from the customer’s computer or negligence on the customer’s part, then the bank will likely take the position that the loss is the customer’s responsibility.
Consequences of Fraud Committed on Association Funds – A True Story
We attended a workshop on cybercrime sponsored by a bank. We were told that several managing agents’ computers were hacked and several million dollars were stolen from a number of associations on the mainland. The banks disavowed any liability for the losses due to negligence on the part of the managing agents. We understand that the negligence was due, in some cases, to a lack of internal controls and/or to internal control policies being bypassed by the managing agents’ employees for expediency.
We were not made privy to the details. However, we can only assume that in such an event, the associations will seek to recover the funds from the managing agent. If the total amount of claims exceeded the liability insurance and fidelity bonds carried by the managing agents, then one scenario is that one, or more, of the managing agents will file for bankruptcy protection. As a result, it is very likely that the associations will bear the monetary losses.
What Conditions are Present When Fraud Occurs?
- Incentive. Individuals may have an incentive to misappropriate assets because they may, for example, be living beyond their means or have an addiction problem.
- Opportunity. Individuals may believe that the internal controls can be overridden; for example, the individual may be in a position of trust or have knowledge of specific deficiencies in the system of internal controls.
- Rationalization. Some individuals possess an attitude, character, or set of ethical values that allow them knowingly and intentionally to commit a dishonest act. However, even otherwise honest individuals can commit fraud in a situation that imposes sufficient pressure on them.
What Are the Common Characteristics of Individuals Who Commit Fraud?
Several studies of individuals who commit white-collar crimes, resulting in losses of $100,000 or more, indicate that they had no prior criminal history. In addition, these individuals share the following characteristics:
- They are the most trusted.
- They have been employed for a relatively long time.
Sources of Fraud
- Thefts by association employees.
- Thefts by employees of the managing agent.
- Computer/Internet hacking of managing agents’ computers.
Preventive Measures to Guard Against Thefts by Association Employees
- Background Checks. Every new employee should undergo a criminal background check (national, not just Hawaii) and a drug test at the time of hire. In the case of the resident/site manager, a credit check should also be performed. Thereafter, perform random drug tests of all employees.
- Credit Card. Use an association owned credit card instead of a revolving petty cash fund. The credit card should have no annual fee, be subject to a maximum amount of credit approved by the Board and require no personal guarantees.
- Approval and Authorization. Association employees should only be able to make and approve purchases. They should not be allowed to authorize purchases. The approval and authorization of purchases are two separate and distinct functions performed by two individuals. The authorization of purchases should typically be made by member(s) of the Board, not association employees.
- Signature Authority. Association employees should not have signature authority over the association’s checking, savings or any other account owned by the association.
- Bank Statements. Bank statements should not be mailed directly to the association. All bank statements should be mailed to the managing agent.
- Kickbacks. A kickback is collusion between a contractor/vendor and the resident/site manager, whereby the manager agrees to purchase exclusively from the entity in exchange for a share of the invoice amount. Prevention involves using RFPs and outside consultants for all significant projects (e.g., painting, re-roofing, etc.); using licensed contractors whenever required; and using vendors that have been in business for a period of time. Most managing agents maintain a “blacklist” of contractors/vendors.
- Actual vs. Budget Comparison. Directors should question significant over-budget expenditures. They should not rely on the auditor’s findings or lack thereof. As a matter of fact, most acts of systematic fraud are not discovered by an outside auditor performing a routine audit.
Preventive Measures to Guard Against Thefts by Employees of the Managing Agent
- Internal Controls. The most important safeguard against loss of monies maintained by the managing agent is a strong system of internal controls. This means that the process of handling financial transactions is performed by more than one individual so that risks to the financial system are minimized. The new Generally Accepted Auditing Standards now require that the outside auditor review and verify that the system of internal controls is sufficient and is, in fact, being followed.
- Background Check. The managing agent’s employees should undergo a criminal background check, a credit check and drug testing at the time of hire and randomly thereafter.
- No Authority for Acquisitions. Managing agent employees should not have authority to acquire goods or services on behalf of the association unless directed to do so by the Board and only for specific items. This should be recorded in the Minutes of the Board meeting.
- No Authority to Sign Contracts. Managing agent employees should not have authority to sign contracts binding the association unless directed to do so by the Board and only for specific contracts. This should be recorded in the Minutes of the Board meeting.
- Cash Receipts. All managing agents should use a lockbox or ACH/SurePay system for collection of maintenance fee payments. The collection of maintenance fees using a manual system is ripe for fraud, particularly when there are several hundred units involved.
- Payment Authorization. A limited number of managing agent employees should be given authority to release payments to vendors. These individuals should not be in the “loop” of acquiring, approving, authorizing, processing, reconciling or accounting for financial transactions.
- Bank Statement Reconciliations. Accountants employed by the managing agent should not reconcile the bank statements for their own accounts. This should be done by another accountant in the organization.
- Accrual Basis Accounting. The association’s financial statements should be prepared on the full accrual basis of accounting as recommended by the American Institute of Certified Public Accountants. The cash basis of accounting lends itself to manipulation. For example, to show a “profit” don’t pay expenses; to show a “loss” prepay the expenses. Delinquencies and payables are not typically shown on a cash basis statement; usually, they are shown in separate schedules and there is no way to verify the details against the balance sheet. It is difficult to compare expenditures on a cash basis statement against the budgeted amounts. For example, many associations’ premiums for their insurance policies are quite significant. Prepaying the policies distorts the cash basis statement. On the other hand, an accrual basis statement would amortize the cost of the insurance over a 12-month period, making comparisons with the budget relevant.
- Manual Checks. Preparation of manual checks should be kept to a minimum. This is the least secure way to make disbursements as opposed to an “electronic” payment system. Checks can be stolen, signatures forged, and the checks fraudulently used in a number of unauthorized ways.
- Pre-Printed Checks. Managing agents should not use pre-printed manual checks as these can be stolen. They should use check-writing software that encodes the name of the association, address, RTN (routing transit number) and account number on the blank check stock.
- ACH Payments and Wire Transfers. Disbursements by ACH (automated clearing house) and wire transfers should be verified by email or telephone confirmation between the bank and the managing agent’s employee who authorized the ACH payment.
- Paperless. Managing agents should adopt a 100% paperless system for all documents and financial transactions. Such a system is more secure, efficient and provides an easily accessible audit trail for financial transactions. The added benefit is that document retrieval can be done in less than a minute as opposed to many minutes or even hours if a hard copy has to be located, retrieved and copied. The records retention issue becomes moot as all documents can be kept “forever.”
- No Authority to Write Off Balances. The managing agent should have no authority to write off account balances, including late fees, interest, attorney fees, house rule violation fines, etc. This is to prevent the receipt of these items from a unit owner, writing off the charges without authorization, and keeping the monies.
Preventive Measures to Guard Against Computer/Internet Hacking of Managing Agents’ Computers
- Software. Obviously, user IDs, passwords, and anti-virus and anti-malware software should be used without question and updated regularly.
- Wi-Fi. The Wi-Fi network should ideally be on a line separate from the managing agent’s server(s).
- The Cloud. Whenever practicable, software and backup data should be moved to the cloud as opposed to the managing agent’s server(s). Software upgrades and data backup are easier to deal with when in the cloud.
- Expenditure Limit. Whenever possible, the managing agent should have an agreement in writing that any expenditures from the association’s checking/savings accounts over a certain amount would require an email or phone call confirmation between the bank employee and the managing agent. If the bank is unable/unwilling to do this, then there should be an internal control policy in the managing agent’s office whereby an officer of the company and/or an association director must approve the payment in writing.
- Withdrawals. Whenever possible, the managing agent should have an agreement in writing that any disbursements from investment companies (e.g., Merrill Lynch, Morgan Stanley, etc.) can only be made payable to the association’s checking account.
- Internet. The managing agent should adopt policies and provide instructions to employees about downloading content from the internet, clicking on unfamiliar links, awareness of scams and other nefarious schemes.
The foregoing discussion on internal controls is by no means complete. Hopefully, this paper will at least start the process of reviewing where your association stands. We would be pleased to discuss this matter further.