Risk Management
Managing the Risk of Insider Theft
This article first appeared in the June 1, 2004, Nonprofit Risk
Management e-news and is reprinted with permission. The Nonprofit Risk Management Center, www.nonprofitrisk.org, is a nonprofit serving
other nonprofits through articles, books, online training, workshops, conferences and consulting with a nonprofit's slant on managing
risk.
By Melanie L. Herman
One of the most difficult risks to assess and address in a nonprofit is
the possibility of theft of financial and other assets by insiders: the people the nonprofit depends on to achieve its mission. None of
us want to view our trusted employees and volunteers as potential thieves, nor do we want staff to view the nonprofit as distrustful,
suspicious or paranoid. Yet, we know that insider theft represents a serious exposure for even the best-run nonprofits.
One starting point for preventing workplace theft is understanding why and
how people steal from their employers.
Why
Most thieves' motivations fit into one of four categories:
- Greed: some people steal simply because they need money to purchase basics or luxury items they want and can't afford.
- Personal financial loss or pressure: others steal after suffering a personal financial loss or while under an unusual financial strain.
- Denial: some employees steal without believing they are doing so. An example is the employee who regularly takes office supplies from
the supply room for use at home. The employee may believe that she's entitled to the supplies, that the items won't be missed, or that
they are of minimal value.
- Revenge or thrill seeking: some thieves steal from their employers as a way of getting revenge for actions the employer has taken
that the employee believes to be unjust, discriminatory or corrupt. And others steal to see if they can get away with it. Once they do,
the desire to steal more frequently or larger quantities may become an uncontrollable impulse.
How
Some of the most common ways in which funds are misappropriated include the use of fictitious vendors, check forgery or theft, credit
card fraud, theft of incoming receipts, and identity theft.
Fictitious vendors or consultants: A common embezzlement scheme is the use of fictitious vendors or consultants. This plot can be
perpetrated by any employee with authority to approve the payment of invoices. In most nonprofits the CEO is always in a position to
perpetrate this type of scheme, while in larger organizations a mid-level employee may be able to do it. The thief creates fraudulent
vendors and deposits checks written to pay the false invoices in his personal bank account. In a recent case involving a large DC-based
trade association, the CEO is alleged to have embezzled $2.5 million from the association over a 13-year period through recurring
payments to phony consultants. In this case, the consultants were real people (including one public figure), but no services were
provided and the payments were received by the CEO. While any theft of resources is disturbing, this case extracted a particularly heavy
price as the association had undergone a painful downsizing process (before the theft was discovered) due to its weak financial
condition.
Check theft: In a recent case involving a chapter of a prominent national youth-serving group, an employee obtained one of the nonprofit's
blank checks, created counterfeited copies, forged the signature of an authorized signatory, and attempted to pass the checks. An
observant bank employee recognized the phony checks and stopped the embezzlement scheme. Although no dollars were stolen, the nonprofit
has spent thousands of dollars on legal expenses and countless hours to investigate the theft and take steps to prevent its recurrence.
According to one source, 500 million checks are forged annually in the United States generating losses in excess of $10 billion. The odds
are against you.
Credit Card Fraud: In another recent case, a nonprofit's accountant was caught applying customer refunds to her own credit card
account. Credit card fraud can also occur with respect to use of the nonprofit's corporate credit card. A dishonest employee may believe
that the nonprofit won't notice the use of the card for a personal, unauthorized purchase. In some cases the employee may view the use as
a loan, and intend to pay the nonprofit back in the future.
Theft of Cash Receipts: Perhaps the simplest form of fraud committed by insiders is the pocketing of incoming cash receipts.
Countless nonprofits have been victims of theft by staff who pocket cash receipts at the bake sale checkout or special event ticket
booth.
Identity Theft: Although the principal victim of identity theft is an individual, nonprofits can also suffer when the workplace provides
the setting for these schemes. The organization could be held liable for failing to adequately protect the personal information of its
employees. Despite the widespread belief that identity thieves are principally computer hackers working out of dark basement offices in
far-off locations, each year thousands of Americans are victimized by co-workers. According to the director of security at an
international pharmaceutical company, a common scheme is for a support staff member to respond to a credit card offer addressed to his or
her boss, simply changing the address to which the card is mailed. Other workplace-based identity theft schemes involve theft of human
resource department reports that contain employee names, social security numbers, annual salaries, addresses and more, documents that were
left lying around, such as on the desk of a management employee.
All of the schemes described above can be perpetrated on a larger scale, and by volunteers in addition to paid staff members. A
larger-scale embezzlement might involve a wire transfer of funds from the nonprofit's to the thief's bank account. Some thieves believe
it's safer to drain their employer's bank account in small but regular amounts. Others make bolder attempts, stealing large sums in one
or more transactions.
Protect Your Assets From Theft
To protect their assets from theft, nonprofits should take steps to deter thieves from attempting to steal from the organization, to make
it extremely difficult or impossible to steal, and to promptly detect recent thefts and enable the prosecution of the thief. The
following strategies address two of the schemes discussed: phony vendors and identity theft. For more information on preventing check
theft, credit card fraud and the theft of cash receipts, plan to attend one of the Center's upcoming financial risk management seminars
(see the end of this article for details).
Guarding Against Phony Vendors
One of the most popular embezzlement schemes receives scant attention in many guides to internal controls. Much of the advice on the
topic of internal controls focuses on the risk of theft by employees involved in the accounting function. Too little attention is paid
to the risk of theft by senior staff members.
* Consider requiring that all invoices (particularly those for consulting services) be approved by two staff members before they are
paid. Both staff members should be able to affirm that the goods or services were received by the nonprofit before they affix their
signatures to the invoice or purchase requisition.
* Require vendors to submit detailed invoices. Don't pay invoices that indicate "For services rendered" without a further explanation
of what services were provided during what period.
* On no less than an annual basis, have a staff member review the list of vendor names and addresses against the current staff list.
The purpose of this simple exercise is to determine whether any vendor addresses coincide with staff addresses. A clever thief may not
be clever 100 percent of the time.
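When the vendor list and the staff list can be exported from the accounting and HR systems, the address review described in the last item above can be run as a script. The following Python example is an addition to this article, not part of the original text; the field names, the sample records and the abbreviation table are constructed for illustration.

```python
import re

# One spelling per street suffix, direction and unit marker (constructed, not exhaustive).
ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
    "boulevard": "blvd", "lane": "ln", "court": "ct",
    "north": "n", "south": "s", "east": "e", "west": "w",
    "apartment": "unit", "apt": "unit", "suite": "unit", "ste": "unit",
}

def normalize_address(address):
    """Reduce an address to a comparison key: lowercase, punctuation removed,
    one spelling per suffix, '#' treated as a unit marker."""
    text = address.lower().replace("#", " unit ")
    tokens = re.sub(r"[^a-z0-9\s]", " ", text).split()
    return " ".join(ABBREVIATIONS.get(tok, tok) for tok in tokens)

def vendors_at_staff_addresses(vendors, staff):
    """Return (vendor name, staff name, normalized address) for every vendor
    whose address coincides with a staff member's after normalization."""
    staff_by_address = {}
    for person in staff:
        key = normalize_address(person["address"])
        staff_by_address.setdefault(key, []).append(person["name"])
    hits = []
    for vendor in vendors:
        key = normalize_address(vendor["address"])
        for staff_name in staff_by_address.get(key, []):
            hits.append((vendor["name"], staff_name, key))
    return hits

# Constructed sample records; real lists would come from accounting and HR exports.
STAFF = [
    {"name": "A. Example", "address": "123 Main Street, Apt. 4B, Springfield, IL 62704"},
    {"name": "B. Sample", "address": "77 Oak Avenue, Springfield, IL 62704"},
]
VENDORS = [
    {"name": "Acme Office Supply", "address": "900 Industrial Blvd, Springfield, IL 62703"},
    {"name": "Strategic Consulting Partners", "address": "123 MAIN ST #4B Springfield IL 62704"},
]

if __name__ == "__main__":
    for vendor, person, address in vendors_at_staff_addresses(VENDORS, STAFF):
        print(f"REVIEW: vendor '{vendor}' shares an address with {person}: {address}")
```

A match is a lead for a human reviewer to follow up, and an empty result only means that no normalized address coincided.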
Preventing Identity Theft
* Shred incoming offers for pre-approved credit cards upon receipt.
* Keep locked up any and all documents containing personal information about employees.
* Discipline any employee who fails to adhere to your nonprofit's policies concerning the protection of client or employee personal
information.
Do the Right Thing
When greed and arrogance motivate a thief, even the most compassionate nonprofit manager is likely to want to see the thief prosecuted.
Yet when the reason for the theft hits closer to home, such as the need for funds to pay medical bills or support an aging parent, a
nonprofit's leadership may be less inclined to report the thief and participate in a criminal investigation. It's critical that you
treat theft of financial and property assets consistently. Your nonprofit should have a no-tolerance policy for workplace theft. Make
it clear to employees and volunteers that taking office supplies isn't allowed. Make it clear that anyone caught stealing the nonprofit's
resources for personal gain or use will be subject to dismissal and criminal prosecution.
Melanie Herman is executive director of the Nonprofit Risk Management Center. For more information on the Center,
visit www.nonprofitrisk.org or call (202) 785-3891.