This is the second installment in a series where we look at the various fraud schemes available to those who might do you or your business harm.
Technology is constantly evolving as industry experts find new and improved ways to do things. They have brought us banking by phone, transfers via texting, and mobile payments by Square. Even before these technologies became globally available, we were making on-line payments using service providers such as PayPal, SecurePay and Authorize.Net. As technology has evolved, the question you need to ask is–have my internal controls evolved, as well?
Take PayPal, for instance. PayPal provides individuals and businesses a quick and easy way to make and receive payments, and to transfer funds. It takes only minutes to set-up a PayPal account and link this account to your bank, credit card, and debit card accounts. Once you have done that, you can start transferring funds or making payments to any vendors that accept payments by PayPal. You can make payments through the Internet, via your phone, or using a PayPal debit card. You can even withdraw cash from ATMs using your PayPal debit card. Just add a PayPal button to your website, and you’re also ready to start receiving payments from others.
While these marvels in technology make our lives easier, they also present challenges that we must consider and address before implementing this technology. For instance, have you put into place the proper internal controls to help mitigate any risks associated with funds maintained in your PayPal account? Ask yourself these questions:
- Are we using PayPal accounts to receive or make payments?
- Who has access to these PayPal accounts?
- What bank, credit card, or debit card accounts are tied to the PayPal accounts?
- How are the PayPal transactions recorded in our accounting system?
- Is each PayPal account reconciled on a regular basis?
If you do not know the answer to each of these questions, your internal controls may be inadequate. To protect your organization from misuse or misappropriation of funds held in a PayPal account, you may want to consider implementing the following internal controls:
- Capture information about your PayPal account in your Chart of Accounts to ensure that the PayPal account is visible and receives proper attention.
- Establish and implement policies and procedures for the management, use and transfer of funds held in your PayPal account.
- Segregate duties with respect to your PayPal account.
- Reconcile PayPal accounts when you reconcile bank accounts.
If you do not put the proper internal controls in place, your organization may face problems similar to those described below.
North Georgia Animal Shelter
The director of a North Georgia no-kill animal shelter diverted funds from their intended purpose, to be used, instead, for personal benefit. The director set up PayPal accounts to accept donations for a Lucky Dog and Lucky Cat program. These donations were to be used to sponsor pets that might otherwise have been euthanized. The director, however, did not use the PayPal funds in the manner advertised. Donations totaling $10,550 were, instead, transferred from the shelter’s PayPal accounts to the director’s personal bank accounts. Several animals, for which donations had been received, were euthanized. The following timeline shows the flow of cash from two of the shelter’s PayPal accounts to one of the director’s personal bank accounts, over a four-month period.
|Deposits from PayPal||$ 824||$ 2,053||$ 2,676||$ 2,317||$ 7,870|
|Cash Withdrawals||$ 700||$ 2,200||$ 2,700||$ 2,010||$ 7,610|
As demonstrated in the timeline, transfers from the shelter’s PayPal accounts to the director’s personal bank accounts, were frequently followed by cash withdrawals and subsequent trips to Harrah’s Cherokee Casino.
The shelter’s inadequate internal controls resulted not only in the misappropriation of shelter funds, but, more tragically, in the death of innocent dogs and cats.
The former director of the animal shelter was charged and convicted of numerous offenses and sentenced to 10 years in prison. As of April 2017, the former director remained incarcerated.
Over a 5 ½ year period, the operations manager of a not-for-profit organization diverted nearly $500,000 of funds from their intended purpose, to be used, instead, for personal benefit. The operations manager set-up a PayPal account through which individuals and other entities could make donations. These donations, collected through PayPal, were intended to further the mission of the organization. Rather than transferring these donations to the organization’s bank account, the operations manager, instead, used these funds for personal benefit, paying for, among other things, clothing, entertainment, meals, personal grooming, and travel. Purchases were made over the Internet at websites that accepted PayPal as a form of payment. Purchases were also made at brick and mortar establishments using a PayPal debit card or a mobile phone tied to the PayPal account. The operations manager also withdrew cash from ATMs at numerous locations within and outside of the United States.
Similar circumstances were present in each of the above cases:
- The director/manager had full control over the organization’s PayPal accounts.
- No other individual had access to these accounts.
- There was no segregation of duties.
- There were no policies in place defining the guidelines and procedures for managing PayPal accounts and the funds held in those accounts.
- The PayPal accounts were not routinely reconciled.
Is your organization adequately protected against misappropriation of funds from your PayPal accounts? If you have any questions or need assistance in a fraud matter, please call Pat Salem at 770-635-1698 or Karen Fortune at 770-635-1699. Initial consultations are offered free of charge.
Share this content with your friends and colleagues