It seems there’s a new story about it every day: hackers breaching the security systems of multi-million (or billion) dollar corporations and making off with credit card numbers, social security information, and other private data about customers. The Heart Bleed virus has everyone on edge, frantically changing passwords to prevent identity theft and worse. While not as big a target as banks or retail chain giants with billion-dollar bottom lines, many associations could be major targets for this type of breach. After all, in many cases the information you’re storing about your members, donors and volunteers is just as valuable as anything hackers may be swiping from the likes of Target or Wal-Mart.
But what do you do when the threat comes from within? Some associations and nonprofits are learning the hard lesson—we may think we’re secure from outside threats by installing top notch security systems and updating firewalls regularly, but we must also be vigilant against a more insidious type of theft – employee embezzlement.
There is an in-depth examination of this phenomenon in the association and nonprofit world currently on Associations Now. The piece focuses on several recent cases, including a large-scale embezzlement (to the tune of $5 million) that took place at the Association of American Medical Colleges over the course of several years. A trusted employee had been diverting funds for years before being caught and brought to justice (pleading guilty in federal court).
The case and others like it prove that even organizations with processes in place to defend against this type of theft are not immune, and that all associations and nonprofits need to re-examine their fraud protection practices. Experts recommend taking steps such as segregating financial duties, requiring double approval on expenses, and conducting diligent background checks on all current and potential employees. It may seem like overkill, but as AAMC executives learned, it’s better to be overly cautious and risk offending than end up in a situation where a “trusted” employee quietly defrauds your organization for millions.
What other steps can you take to prevent fraud? From the Associations Now coverage:
Since the embezzlement case, AAMC has focused on standardizing processes, says Jarvis. It has also added monthly mandatory departmental budget reviews, a stronger vendor-authentication process, fraud-prevention training for staff, new electronic financial-management workflows, and an upgraded third-party compliance reporting hotline. Regardless of the organization’s size, an association executive must strike a balance between trust and control. “Establishing a culture of stewardship and accountability is very important for the top executive,” Kirch says. “And one of the things this has actually helped us to do is reinforce the notion that we do have accountability to one another to use our resources very wisely.” That culture must envelop the board, as well. Board members should be trained on fiduciary duty, and directors with financial expertise should be recruited. Says Wyland: “It’s entirely appropriate for a board member to act a bit like a third-grade math teacher and say, ‘Show your work.’”
While a lot of these practices may feel like overkill, particularly for smaller associations, remember that even the “little guy” is not immune. And far too many nonprofits have seen embezzlement rise as an issue due to wanting to be “nice”. It is important to not take cautiousness to the point of making employees feel they are acting out scenes from “1984,” but diligence is mandatory to prevent ending up in the position AAMC found itself in last year.
Is your association practicing fraud prevention? Are there any methods we have not discussed that you would like to share? Let us know in the comments!