Go To Search
Click to Home
Fraud Risk in a Community Agency
By Erin Mullin

The City of Berkeley contracts with many community agencies every year to deliver essential services to residents. Easy Does It is a small nonprofit organization that provides 24/7 emergency services to Berkeley residents with severe physical disabilities. They received $1.2 million in city grant funds in fiscal year 2017, making up more than 95 percent of their annual operating budget. Of the $1.2 million they received, $1.19 million was from Berkeley’s Measure E fund. Berkeley voters approved the Measure E parcel tax in 1998 specifically to raise revenue to provide emergency services and incidental case management for severely physically disabled persons. The objective of the audit was to determine if Easy Does It is using city funds as intended by the tax measure and City contract. 


Significant deficiencies in Easy Does It’s operations left the agency unable to show that it had used taxpayer money appropriately, and exposed the funding to the risk of fraud. During the planning phase of the audit, we determined that Easy Does It’s program, by nature, is vulnerable to fraud and misuse because staff work alone, off-site, and without direct supervision. We designed audit steps to obtain reasonable assurance of detecting any such fraud in service delivery and expenditures.

In fieldwork, we obtained service data and examined a statistical sample to determine compliance with the tax measure and city contract. Fifty percent of the records lacked clear and sufficient information to substantiate the purpose of the service and funding compliance and an additional 11 percent were for services outside the scope of the contract and tax measure.

Because personnel costs were by far the largest expenditure, we spent some time looking at those particular transactions. We reviewed the registers for overtime, double time, and bonus pay codes, and looked for erroneous hours and possible fraud. In our review, we found significant irregular transactions that raised red flags, including:

  • 240 hours of overtime in a two-week period for one employee whose position does not warrant overtime
  • 336 hours of regular time and 149 hours of overtime in a two-week period for one employee 
  • Manual checks for employees for one pay period although the normal process is to use direct deposit

We found that Easy Does It did not have any segregation of payroll duties. The person that approved time sheets processed payroll and issued paychecks. There is no evidence that anyone else reviews timesheet calculations or payroll entries.

We expanded our testing of payroll transactions, including attempting to trace payroll transactions back to employee timesheets and service records. Staff provided explanations for the discrepancies. For example, one of the irregular transactions was six months of back pay, and the manual checks were to pay employees their wages without processing payroll taxes. Easy Does It lacked sufficient funds to pay them. We were able to confirm some statements, such as circumventing payroll taxes through the use of manual checks. However, Easy Does It could not provide documentation or other corroborating evidence to support all of their statements. Due to these limitations, we were unable to verify that fraud did not occur, but we were able to make recommendations to improve internal controls in order to deter fraud from happening in the future.


The major challenge we faced in this audit was the lack of documentation. When we started the audit, we assumed they would have a database that tracked service delivery and client information. While the organization had a database, the entries were incomplete and we had to trace the electronic records back to the original paper files. Twenty-three percent of the records in the database were missing a service assessment code that indicates what service was performed for a client. Without this information, we could not determine the appropriateness of the service.

Additionally, it became clear early on in the audit that the board and management lacked the knowledge and skills they needed to implement a sufficient control environment in order to detect and deter fraud. They were not managing risks because they were not aware that there were any risks to manage. We had to educate the organization’s leaders about the risks that we were aware of, and their responsibility to mitigate those risks.


Our first recommendation was to recruit and cultivate board members with the business and financial skills necessary to serve and effectively lead the organization. We recommended that the board should conduct a risk assessment of the organization and establish a strategic plan. The plan should be used to guide the changes needed for implementing an adequate system of internal controls, including the audit recommendations. These recommendations are to address the visible deficiencies they have in their control environment.

We also recommended that they create policies and procedures for their payroll processes that allow for some segregation of duties and monitoring. Due to their small size, they are not able to have full segregation of duties; however, they can create processes ensuring that no single person performs all the tasks related to a single transaction cycle.
We recommended that they update all service forms with guidance for determining eligibility for services based on their contract with the city. We also recommended that they record all service transactions to their financial system to clearly account for expenditures that are funded by the city and those that are not. These recommendations would allow them to demonstrate that they use city funds in accordance with their contract.


Erin Mullin is a performance auditor at the City of Berkeley. She holds a Bachelor of Science in Community and Environmental Sociology from the University of Wisconsin-Madison and a Master of Public Policy from Mills College.