Say hello to


CPA | Shareholder

Tom may well be our biggest fan. He has been at Clark Nuber since graduating and has built an incredible career for himself.

I recently heard a fable involving an elderly Native American warrior teaching a life lesson to his grandson. He said, “A fight is going on inside me.  It is a terrible fight and it is between two wolves. One is evil – he is anger, envy, sorrow, regret, greed, arrogance, self-pity, guilt, resentment, inferiority, lies, false pride, superiority, and ego.” He continued, “The other is good – he is joy, peace, love, hope, serenity, humility, kindness, benevolence, empathy, generosity, truth, compassion, and faith. The same fight is going on inside you – and inside every other person, too.” The grandson thought about it for a minute and then asked his grandfather, “Which wolf will win?”  The warrior replied, “The one you feed.”

Being a student of fraud risk management and internal controls, the concept of tone at the top came to mind.  If an executive team feeds positive cultural elements to its team and leads by example, that team will emulate their leaders’ behavior and replicate those elements.

However, if an executive team feeds negative cultural elements to its team, chances are greater that their team will project those attitudes into their daily work, which at a minimum can result in Fraud Trianglestrained relationships with co-workers, key suppliers, and customers, and at worst can lead to fraud. I also started to think of one of the cornerstones of occupational fraud – rationalization – and if you feed the “bad wolf” how rationalization can begin to creep in and then completely infect an organization. Executives are in a critical position to curb the tendency to rationalize behavior by creating and committing to influential messaging. They have the ear of the entire organization and their messages will be heard and followed –  positive or negative.

The recent scandal involving Volkswagen is a perfect illustration of tone at the top and rationalization. The Association of Certified Fraud Examiners recently published an article about the Volkswagen case  that overlays the fraud triangle into the case fact pattern. The troubling thing about this scandal, apart from the fact that it happened at all, is that the attitude of certain key management members condoned the behavior that ultimately led to the “defeat device” being installed.

It wasn’t a rogue operational employee who developed this work-around on their own. The decision came directly or indirectly, from the top and made its way down several levels of the organization. If teams or individual employees in the finance and accounting departments observed this behavior, you can see how they could rationalize their way into believing that committing fraud against the company, or against one of its customers or vendors, is perfectly acceptable.

The ACFE article makes an excellent point about tone at the top:  “Is it difficult to create ethical cultures? Yes, it’s a huge challenge for any organization. However, it should be a goal worth achieving. If you’re serious about ethical behavior, then make it your No. 1 priority. Not in the top 10. Not even No. 2 or 3.”  They go on to say “make your success, and that of your organization, dependent on reaching a level of ethical decision-making that makes you proud to be associated with your organization and reflects the basic moral values that we as human beings strive to achieve. Once you do that, the program comes as second nature and will become an inseparable part of the organization’s DNA.”

Tone at the top really comes from not only the top people in the organization, but the top objectives of the organization as well.  Make ethics and integrity a cornerstone of your mission and vision. Incorporate it into the objectives of key departments and the charters of governing committees. If the wolf represents your company, let ethical behavior and strong integrity be the meal that feeds it. That wolf will win…and so will your company.

© Clark Nuber PS and Focus on Fraud, 2017. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Focus on Fraud with appropriate and specific direction to the original content.

Keep Reading

Articles and Publications

IRS Data on 1023-EZ Approvals Raises Questions

To conduct their research, the IRS employed a streamlined, online process, which allowed them to collect data from over 105,000 organizations. The 1023-EZ data the IRS collected, however, has raised some questions. The simplified application process does not require organizations to file supporting documentation with the IRS, such as articles of incorporation or bylaws. Further, the Form 1023-EZ does not require a narrative of the organization’s activities, financial data, or any other substantiating documents or explanatory material. The IRS gathers all information for its determinations through the attestations individuals supply when completing the application. The IRS stated it will conduct compliance follow-ups on attestations made during the application process. During their follow-ups, the IRS will conduct examinations to ensure that eligible organizations used the Form 1023-EZ properly. Eligible organizations include those that reasonably expect to be under the $50,000 gross revenue threshold and are categorically eligible. Organizations that are not eligible to use the Form 1023-EZ include organizations such as churches. In 2015, the Taxpayer Advocate Service (TAS) conducted a study of a representative sample of corporations in 20 states. TAS’ Fiscal Year 2017 Objectives Report to Congress notes that, of those whose Form 1023-EZ was approved, 37% did not satisfy the organizational test for qualifying for exemption. While TAS brought this finding to the IRS’ attention, discussions with the then-Acting Director of Exempt Organizations, and a follow-up approximately six months later, showed that all but seven of the 149 noncompliant organizations remained exempt. One online blogger ran a query on the data released in February and noted that, of the 105,000 approved organizations, 623 had the word “church” in the name. This indicates a high likelihood of these organizations using the 1023-EZ impermissibly. We conducted an informal analysis of the TAS’ 2016 data and agree with the blogger. It is likely that most of these organizations are churches. The real question is, why did the IRS not screen out these applications based on name and stated purpose, which are part of the online application process? In our 30+ years of assisting organizations with the application process, it is clear that most organizations would benefit from professional advice when setting up their organizational structure and operations to meet the organizational and operational tests required for exemption under Code Section 501(c)(3). Many organizations do not understand the questions in the Form 1023 (or 1023-EZ). Before the Form 1023-EZ, the complexity of the Form 1023 prompted many organizations to seek professional advice in the application process. The overall benefit to the industry was that organizations were able to receive advice on organizational structure, private foundation status, proper exemption code section, and even advice as to whether they would be better off operating as a taxable non-profit. The tax and legal professionals in the industry thus provided a first-level review of organizations before the IRS received their applications. Now, however, many organizations are filing the Form 1023-EZ without seeking legal or tax advice from a professional. The Taxpayer Advocate Service Report to Congress at least appears to agree there is a problem that needs to be addressed. For fiscal year 2017, TAS will continue to evaluate and report based on:
  • the results of IRS’ post-determination audits of Form 1023-EZ filers,
  • the extent of noncompliance, and
  • whether simple revisions to Form 1023-EZ could alleviate identified problems.
Though the IRS consistently states that the 1023-EZ effectively improves processing times for applications for exemption, its 2017 Work Plan includes consideration of future adjustments to the application, instructions, and pre-determination program. This appears to acknowledge the age-old rule that you can achieve only two of the following qualities: good, fast, and cheap. You cannot have all three at once. If you have questions on this matter, or another matter related to application for exemption, please contact the authors or your Clark Nuber tax team members. © Clark Nuber PS, 2017.  All Rights Reserved

Fraud: It’s Not Just For Insiders

  • Being unable to login to your bank’s online banking system;
  • Pop-ups or unexpected requests to change your password;
  • Computer slows, locks up, reboots or won’t shut down;
  • New toolbars or icons;
  • Requests for payment with no, different, or duplicate invoices;
  • Transaction requests with out-of-country banks;
  • Immediate or email payment requests;
  • Wire requests that say,
    • “Strictly confidential financial operation”
    • “Only communicate with me through this email”
    • “Do not speak to anyone by email or phone regarding this”
  • Emails or email links with domain names that are similar to, but not the same as, current employees or vendors; and
  • Requests that bypass normal procedures.
If you have, these are all warning signs of potential fraud from outsiders. We’re currently seeing a growing number of fraud schemes that target smaller organizations, such as nonprofits, governmental entities, and small businesses. Here is information about some of the schemes we’re seeing and insight on how to protect yourself.

Small donations on stolen credit cards

By now, we’re all aware that we need to check our personal credit card statements for small charges we didn’t make. These charges are the work of fraudsters, who are testing the credit card number. If their charges go through, they sell the number to someone who then goes shopping with the credit card number. The new twist on this scheme occurs when a fraudster tests a batch of stolen credit card numbers by using each card to donate a small amount to a charity. Through using the method, the fraudster hopes that the cardholder will be less likely to challenge a donation, as it’s to a good cause, or perhaps because the cardholder believes their spouse made the donation. This increases the quantity of stolen card numbers the fraudster is able to sell. Unfortunately, this scheme negatively affects both the cardholder and the charity. At first, the charity gets excited for the increase in donations. Once the scheme is exposed, however, the charity has to give the donations back and, for some credit card companies, pay a transaction fee on each refunded fraudulent donation. To protect your organization, be alert for any spikes in small donations, especially if they are not from an area where you are targeting your fundraising efforts. If you see such a spike, contact your bank immediately.

“Spear Phishing”

Spear Phishing is another new take on an old scheme. Everyone who has ever gotten an unprompted email from Nigeria has experienced a phishing scheme. These emails are the result of fraudsters casting a broad net via email (SMiShing if they use texts), trying to get people to take the bait and respond. Spear Phishing occurs when fraudsters send targeted emails trying to trick specific individuals into providing sensitive information, clicking on a link, or sending them money. The fraudsters use personal websites; social media sites, like Facebook or LinkedIn; and Google searches to identify whom to target in an organization. The following are common examples of professionals who may be targeted in a Spear Phishing scam:

IT Director—Fraudsters spoof emails from the Executive Director requesting username and password information. This allows them to escalate their network access rights and gain access to sensitive data and systems.

Finance Director or CFO—Fraudsters spoof an email from the Executive Director requesting that money be wired to a certain account controlled by the fraudsters.

In a recent meeting poll, over half the CFOs in the room had received these requests. One organization was currently working with their CPA firm to improve their internal controls after falling victim to this scam and losing $80,000.

In that instance, the finance person wired the money out after receiving a spoofed email from the head of the organization, but then became suspicious when they received another spoofed email the following day instructing them to wire more money.

Another Spear Phishing method is to target the finance person to get them to click on a link, which downloads a key logger so they can monitor the key strokes on the finance person’s computer. This allows the fraudster to gain access to sensitive systems, including the online banking function, where they can directly send funds to themselves.

HR Director—Fraudsters spoof an email from the Executive Director instructing the HR Director to send a list of all employees and their W-2 forms or social security numbers to a specific email address or recipient.

How can your organization protect itself from these scams? The answer is, good IT practices. Staff need to know not to click on strange links, or pick up strange USB storage devices and plug them in. Your organization also needs good firewalls, anti-virus protection, and internal controls over your cash accounts and wire transfers.

False invoices

Another scam takes the form of fraudsters sending false invoices to you from vendors with whom you currently do business. The fraudsters determine who you do business with from your website, google searches, and LinkedIn and other social media sites. They then create a phony invoice from that vendor, but with their address and payment information. Often, these invoices look nothing like the legitimate invoices you receive from the vendor, but still may sail through the accounts payable process if not closely scrutinized. To avoid falling victim to this scam, your organization needs to review all received invoices rigorously prior to payment. A purchase order system for larger organizations can also be a deterrent.

“Oops I Gave You Too Much” Scam

This fraud is becoming a real problem in Washington and Oregon, as we’re seeing it more and more each year. In this scam, the fraudster sends a bogus check or money order to the organization under false pretenses, such as a donation or unsolicited grant. They then contact the organization a few days later, say they sent too much, and convince the organization to send a portion of the funds back. Only after the funds have been returned does the organization realize that the original check or money order was fraudulent and rejected by the bank. A recent example was a local nonprofit that, according to a Seattle Times article, received a check for $39,850 and returned $9,850. You’ll notice the amount returned was under $10,000. This was likely intentional by the fraudster, as it allowed them to avoid the government and banking scrutiny of all transactions over $10,000. To prevent your organization from being the focus of the next Seattle Times article, be on the lookout for this “money from heaven” and be skeptical. One organization went so far as to ask their attorney if it was okay and the attorney gave them some bad advice saying “go for it.”  Be aware that this scam is out there.


In this scam, fraudsters gain access to your network through an employee clicking on an infected link, or plugging in an infected USB drive. Once inside the system, the fraudsters poke around to see how much access they can gain to the organization’s data, then lock portions or all of the organization’s data and hold it for ransom. One organization hit by this scam paid the ransom. Another just had one laptop locked and decided to scrap the laptop rather than pay the ransom. The way to prevent this scam is, again, through good IT practices. These good practices include training employees not to click on suspicious links or insert strange USB drives, having good intrusion protection procedures, and regularly backing up data so losses will be minimized if this occurs. The FBI also suggests contacting them if this happens to you, as they may be familiar with the ransomware used and have the password to unlock your computer or network. The goal of this article isn’t to make you lose sleep, though that may be an unintended consequence.  Instead, the goal is to create awareness about the scams that seem to currently be in vogue. It is worth noting, however, that this article does not provide a comprehensive list of all current schemes. Rather, we have excluded schemes that organizations have become familiar with and are typically already detecting and preventing through software or internal control procedures adjustments. If your company has not yet taken actions to address avoiding fraud, we recommend using this article as a means through which to think about your internal control system. What modifications could you make to strengthen your security and avoid falling prey to fraud? © Clark Nuber PS, 2017.  All Rights Reserved

Drop Shippers Beware: Should you be Collecting Sales Tax?

Generally, sales for resale are not subject to state and local sales taxes - provided that a purchaser supplies proper exemption documentation. As a result, wholesalers who deliver taxable products directly to their customer’s customer do not typically worry about collecting sales or use taxes. This is because they assume their customer can give a valid resale certificate. But, as explained below, that is not always the case. Figuring out when a purchaser can give a resale certificate can be challenging. No more so than in the case of a drop shipment. States’ sales tax rules on drop shipments can be complex, depending on the locations and circumstances of the parties involved. Failure to comply with these rules can lead to an expensive surprise on audit. A typical drop shipment transaction involves at least two sales. First, a consumer purchases a product from a retailer who does not have the product on hand. In order to fulfil the sale to the consumer, the retailer places an order for the product with a supplier, along with instructions to ship the product directly to the consumer. Drop shipment transactions may involve multiple intermediate sales, where someone in the supply chain ships the product directly to someone other than their customer. If the supplier has a taxable presence, or “nexus,” in the destination state and the product is taxable there, the supplier will want to collect a resale certificate (or similar exemption documentation) from its customer. The question then arises as to whether the customer can give a valid resale certificate to the supplier. If the supplier’s customer is registered in the destination state, the supplier should have no difficulty obtaining a valid certificate. However, what happens if the customer is not registered in the destination state? Can the customer give valid resale documentation? This is where the rules can get tricky. States have lost significant revenue from being unable to require that out-of-state retailers collect and remit sales tax. Consequently, some states have reacted by shifting collection obligations to suppliers that make drop shipments when they are registered, or do business, in those states. The complexities involved in determining the taxability of drop shipments are due to state nexus considerations. Generally, nexus with a state exists when a business has a physical presence in the state.  The state may then legally impose sales tax reporting and/or collection obligations on the business. Typically, an out-of-state supplier will have sales tax nexus in a state if they have a business location or an employee in the state. However, merely sending independent salespersons into the state, or engaging in other types of promotional activities, is enough. The following is a common example of how the rules apply to multi-state suppliers. Suppose a consumer in Connecticut purchases a product from a retailer located in Georgia. Suppose that retailer purchases the product at wholesale from a supplier located in Washington, who drop ships the product directly to Connecticut. The Washington supplier is registered for sales tax purposes in both Connecticut and Georgia.

Drop shipment graphic

  Under all states’ sales tax laws, an interstate sale of goods is deemed to occur at the shipment destination. Therefore, both the retail and wholesale sales in our example are considered Connecticut sales. Here are the questions to consider:
  • Since the product never ships to the Georgia retailer, should the supplier obtain resale documentation from the retailer pursuant to Connecticut’s rules, or Georgia’s rules?

Resale documentation usually includes a resale certificate, or permit number, issued by a state. During an audit, the supplier takes on the burden of showing that they collected “proper” resale documentation. What is considered “proper” varies by state.

Often, a retailer will do business in a number of states. This mean that the supplier should obtain the appropriate documentation for the state in which the sale occurs. In our example, that state would be Connecticut. While some states allow suppliers to accept retailers’ home-state resale certificates (Georgia in our example), some do not.

Further, more than twenty states that are members of the Streamlined Sales and Use Tax Agreement accept a “SST Exemption Certificate” to document resales. Washington allows suppliers to accept a valid reseller permit issued by the state, an SST Exemption Certificate, and certain other documents under appropriate circumstances.

  • Suppose the retailer does not have nexus in Connecticut and does not collect sales tax from the consumer. Since the supplier is registered in Connecticut, do they have an obligation to collect sales tax and remit it to Connecticut?

The answer is yes; the supplier must collect sales tax from the retailer. This is because, under Connecticut law, the supplier may only take a valid resale certificate from a retailer registered in Connecticut. In this way, Connecticut insures the sales tax will be collected and remitted to the state. This is the case in a number of other states as well.

  • If the supplier has an obligation to collect sales tax, is it collected from the retailer or the purchaser? Further, should sales tax be calculated based on the price of the wholesale sale, or the retail sale?

The majority of states, including Connecticut, require suppliers to collect sales tax from retailers based on retail prices, if known, or based on wholesale prices if retail prices are unavailable.

In the case of California drop shipments, the drop shipper is liable for sales tax based on the retail selling price. If the drop shipper does not know the retail price, California tax regulations provide a safe harbor that allows suppliers to calculate the amount of the tax due, based on a 10% markup of the wholesale price.

In summary, while the structure of a multi-state drop shipment may be simple, the sales tax consequences are complex.

In addition to dealing with resale documentation issues, suppliers making drop shipments must also be aware of, and comply with, the various tax collection requirements in each state.

Given the complexities involved, we encourage suppliers to contact their tax advisor or Clark Nuber for assistance in complying with each state’s drop shipment rules.

© 2017 Clark Nuber PS All Rights Reserved

Featured Resources