In The People of the State of New York v. McEnerney, Brady and Company, LLC and Edmond Brady, Index No. 450796/2018, filed May 7, 2018, the AG alleged the defendants were instrumental “in perpetuating the existence of a sham charity,” the Breast Cancer Survivor Foundation, a not-for-profit corporation established in 2010, by:

• falsifying the charity’s financial statements in an effort to inflate the value of its charitable services;
• failing to report significant internal control failures; and
• issuing audit reports that falsely gave the charity an “unqualified audit opinion,” the clean bill of health necessary to solicit charitable contributions in New York.

Central to the complaint, which alleged fraud and false filings under New York law, is the allegation that the defendants had full knowledge that the charity was run by, and for the benefit of an external fundraiser, who was known to the defendants as not only a client of the accounting firm, but a source of referrals. According to the complaint, the accounting firm had provided accounting services to at least nine companies controlled by the external fundraiser, most either in, or associated with, the fundraising business. Indeed, it was the external fundraiser who selected the accounting firm to prepare the IRS forms and perform audits for the charity.  The AG alleged that the accountants were presented with “blatant red flags” such as:

• the Board of Directors of the charity never met (it was also noted in the complaint – and in the preliminary investigation report – that the only permanent Board members were the founder and his wife);
• the charity had no physical office or medical facility, yet reported donating substantial medical services; and
• all communication with the audit team was by and through the external fundraiser, not a director or officer, and there was no documentation authorizing his management.

Yet, as the AG asserted, even when faced with such indicators of potential fraud and failures of internal control, the auditors failed to either make a report to the charity’s Board of Directors or to “conduct the appropriate procedures and obtain audit documentation . . . relating to these indicators.”  Instead, the complaint avers that the principal accountant signed off on IRS forms that he knew contained false statements and authorized inaccurate audit reports, knowing the reports would be incorporated into state filings.  Concluding that such inaccurate reporting “deprives New Yorkers of access to reliable information,” the AG reasons that the defendant accounting firm “played an integral role in helping [the charity] to defraud New York donors.”  The complaint seeks restitution and damages, as well as civil penalties for the defendants in connection with the amount sourced from New York donors. A total of $18 million was solicited from 2010 to 2016; only $1 million was contributed from New York donors. We will be on the watch to see whether other states will also seek restitution in this manner.

See Something Say Something

This complaint delivers high praise and healthy affirmation for the members of accounting and auditing teams who speak up. According to the complaint, junior members of the audit team alerted senior auditors, in writing, about a number of concerns, warning that the external fundraiser “appears to be running the Organization . . .” According to the complaint, those junior members were removed from the audit team by the defendants who “willfully ignored  . . . professional standards” despite warnings from those who exercised professional judgment and skepticism.

Fiduciary Duty is not Delegable

This complaint is yet another reminder that officers, directors and trustees must exercise due diligence at all times and refrain from relinquishing oversight responsibility related to essential fiduciary functions.  That would include taking responsibility for not only selecting an accounting firm, but overseeing and understanding the compliance implications of its work product.

What emails should nonprofits watch out for?

The “Executive Director” sends an email to an employee in the finance, human resources, or payroll department and requests that the employee send W-2s or personal information, including SSNs, for all of the nonprofit’s employees. Except the email is not really from the Executive Director. It is from a criminal with a “spoofed” email account made to mimic the Executive Director’s. The email address will be very similar, but it may be off by a letter or it may add a number, or transpose letters, for example. Most people might miss it and may easily believe the email is from a trusted source. In the most egregious cases, the “Executive Director” sends a second email requesting that a wire transfer be made to a specified account.

The IRS reports that the spoofed email may contain these or similar messages:

• Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
• Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
• I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

What can nonprofits do to protect themselves?

The IRS urges all employers to alert their payroll, finance, and human resources staff and outside vendors to this new scam and suggests sending W-2 scam emails to phishing@irs.gov, with “W2 Scam” in the subject line. Do not open any links contained in these emails as the links lead to imitation (spoofed) sites, which may carry malware that can infect computers in order to gain additional information.

Proactive steps for nonprofits include:

1. Reviewing existing policies and procedures, as well as staff and vendor training, to ensure neither staff nor vendors send sensitive tax or personal information in response to unsolicited emails. Such a review and periodic training is within reach even for nonprofits with limited budgets.
2. Having policies in place requiring that employees and vendors limit the secured email transmission of sensitive tax or personal information only to known recipients.
3. Discussing with the IT department or IT vendor what steps can be taken to ensure that spoofed emails, especially those from publicly-identified threats, are caught by the nonprofit’s spam filter.
4. Discussing with your insurance broker the availability of insurance to cover the costs associated with an employee inadvertently responding to a spoofed email.

When was the last time your nonprofit reviewed its policies and procedures and insurance coverage? Does your nonprofit have policies and procedures relating to spoofed emails and other cyber threats?

We are here to help. Please call Cheshire Law Group at (267) 331-4157 to discuss a cost-effective review of your nonprofit’s policies and procedures.

Schools and other organizations that provide services for children, and that rely on volunteers, should review and update their policies and clearance procedures to reflect the requirements of this new legislation.  Thinking systemically about compliance, and involving legal counsel in the design and drafting process, can help streamline implementation efforts, minimize risks, and conserve resources.