
Impact of Fraud and Cybercrime on Nonprofit Organizations

Fall 2017

Authors: Bridget Hartnett, CPA, PSA; James G. Mottola, MS, CISM, CPP

Synopsis

In this white paper, we will share first-hand experience and research regarding the negative impact on nonprofit organizations as a result of financial fraud and cybercrime. Specifically, we will discuss the direct economic effect on the financial bottom line as a result of lost time, litigation, fines and penalties, as well as the erosion of public confidence, which has a causal effect on donor contributions. Nonprofit organizations provide critical social services to our communities in need, including healthcare and education. However, in spite of these organizations' mission-driven approach, they often find themselves the victims of a wide range of financial crimes ranging from financial fraud and embezzlement to cybercrime. We will provide background information and document case studies that demonstrate how organizations can assess, mitigate and transfer risk in order to respond and recover quickly, through proactive processes that protect critical business resources as part of a business continuity plan to serve their communities.


Page 2 The Impact of Fraud and Cybercrime on Nonprofit Organizations

Table of Contents

1. Understand the Inherent Risks and Vulnerabilities to Fraud for Nonprofits and Explain Why They Should be Concerned
2. Identify and Define Fraud Schemes Committed Against Nonprofit Organizations
   A. Traditional Financial Fraud
   B. Cybercrime/Technology Driven Fraud
3. Discuss the Implementation of Controls to Limit the Likelihood and Impact of Fraud Committed Against an Organization
4. Cyber Insurance: 101
5. Case Study
6. Conclusion
7. Citations and Reference Resources
8. About the Authors
9. About Sobel & Co., LLC


1. Understand the Inherent Risks and Vulnerabilities to Fraud for Nonprofits and Why They Should be Concerned

Today, nonprofit organizations operate in an inherently challenging environment where they are vulnerable to threats from financial fraud and cybercrime. According to the 2014 Report to the Nations by the Association of Certified Fraud Examiners (ACFE), nonprofits are increasingly falling victim to fraud, accounting for 10.8% of total frauds in 2013, up from 9.6% reported in 2010. Nonprofit organizations lost a median $108,000 per fraud in 2013, up from $90,000 reported in 2010, in large part because of some unique internal operational weaknesses which may be easily exploited by fraudsters.

What are some of the common challenges leading to the risk of fraud? One operational challenge that nonprofits frequently deal with is the segregation of duties, usually due to limited staffing. Our experience in conducting fraud assessments and audits often reveals this as a vulnerability, especially in instances of an embezzlement of a nonprofit. We have found these organizations to be at risk due to lack of effective internal controls. Often, because of budgetary constraints, nonprofits are short-staffed in managerial and operational positions, leaving inadequately supervised employees and reduced oversight to monitor internal financial controls. Limited budgets can also deter nonprofits from having the basic information security policies, procedures and incident response planning that could lessen the eventual impact of financial fraud and cybercrime.

A second challenge for nonprofit organizations is the lack of emphasis on creating a culture of fraud prevention and detection, as well as a clear understanding of the consequences for offenders. According to Bob Carlson in his 2011 article in The Chronicle of Philanthropy, ‘although an employee committing fraud may significantly impact the organization, employers have been reluctant to fire or prosecute employees. Again, we continue to see this position taken by management in similar circumstances, but one that deserves consideration when looking at the downstream effect on future employee action versus immediate harm to reputation once stakeholders receive notification.’

Another common issue is that leaders of nonprofits, board members, and volunteers may have a sense of complacency supported by a feeling of well-being that they are not likely to be a target for fraud. This confidence is not borne out by the facts. Research by the ACFE and the cybersecurity threat analyses of Verizon, Ponemon, and IBM found that small businesses and nonprofits are equally deemed to be


likely targets for a cybercrime as are larger corporate organizations. Therefore, eschewing these findings is akin to hiding in plain sight with one's eyes closed, an act that may blind an organization and prevent it from recognizing the importance of enforcing responsible financial processes and safeguarding critical business information.

A sound nonprofit organizational infrastructure built to prevent and respond to fraud should be based on policy design and process implementation, which include both internal and compensating controls supported with frequent oversight. Therefore, it is critically important for all nonprofits to segregate duties and limit access to key processes and information depending on organizational roles. Likewise, internal controls that are established on the “right of least privilege” for information security systems can significantly limit the unauthorized theft of data by fraudsters or the accidental release of data by employees. It is the fiduciary responsibility of the Board to ensure that the tone from the top clearly defines the importance of fraud prevention and data security, according to reasonable industry standards, in order to prevent liability and reputational exposure.

In our experience, organizations that have a strong Board or an internal champion within senior management seem better prepared to recognize a potential fraud-related event. This is especially true for organizations that educate their employees to recognize fraud through ongoing training. Accordingly, the Information Systems Audit and Control Association (ISACA) strongly recommends security awareness training as the most cost-effective preventative measure to secure critical data.

Lastly, a typical challenge for nonprofits occurs when working with staff members who may not possess essential competencies in financial management or who are underemployed and perhaps poorly paid. Unlike many small for-profit companies, a small or medium size nonprofit may not have a dedicated or full-time CFO whose business savvy and financial experience can lead to greater awareness of the potential for fraud, thus spotting it more quickly. The “call to the mission” of a nonprofit volunteer may be based on their passion for the group’s goals, not wholly on their ability to serve a technical function. As such, they may not be well-equipped in some of the areas of administering key functions with satisfactory business acumen. This lack of expertise may not bode well for today’s nonprofits, where it is so critical for everyone to be alert to the barrage of fraudulent behavior that is trending upwards every year. For those employees who are underemployed, or not well compensated, opportunities for theft may present themselves in a weakly controlled financial environment, providing an opportunity


compounded by financial pressures at home and therefore a perceived rationalization to steal. For those familiar with sociologist Dr. Cressey’s “fraud triangle,” it comes as no surprise that individuals are fallible and, when given the opportunity, may commit a crime in a moment of weakness that they may later regret. Research conducted by the ACFE in 2007 indicated that individuals who committed fraud did not fit one specific profile. The demographics of fraudsters included men, women, managers, volunteers, full-time employees, and even groups of employees. Moreover, as recently as 2014, the ACFE reported that 46% of fraud cases involved multiple persons within an organization.

All of this is particularly troublesome because most nonprofits do not have the deep pockets that are required to recover from a major financial/fraud loss, which is estimated at 13% of donated funds by the ACFE. Therefore, every dollar that is stolen by a fraudulent scheme limits the organization’s ability to fund much-needed public services. Also, because the sector has been scrutinized for not keeping relevant books and records in the past, many donors are now demanding increased public scrutiny. Knowledgeable contributors are insisting on an accurate picture of the financial and social impact that the organization is having on its constituents. Marketing the nonprofit’s reputation as a group that accomplishes “good” without any proof to substantiate the claim is simply not going to work in the current climate. Nonprofits that have experienced fraud have an increasingly hard time assuring donors that their investment is safe and well spent.

Why does it matter?

According to the ACFE study of fraud cited here, which took into account 58 nonprofit cases, the losses ranged from a low of $200 to $17 million, with a median loss of $100,000. Four nonprofits realized losses of more than $1,000,000! An equal number of organizations saw losses of $2,000 or less. The total loss from all nonprofit frauds was near $30 million. (If the estimated annual loss of $40 billion is correct, the cases reported in the survey represent less than one percent of all losses.) But all is not hopeless. As nonprofits begin to assess where fraud opportunities may lurk within their organizations, they will address the areas where their weaknesses are most prominent.


A self-assessment will enable nonprofit organizations to examine their own culture of accountability and transparency, the resilience of their financial and organizational processes, systems of checks and balances and their information technology infrastructure. For example, the Board members may ask whether there is a credible whistle-blower policy. They may also ask if the leaders reward honesty and respond well to challenges from staff and volunteers. These tough conversations must take place to avoid or limit the possibilities of fraud. The facts bear out the assertion that no matter what barriers are in place, people steal from nonprofits. Education, engagement, and training help to combat the instances of fraud by talking about why people commit fraud against a nonprofit, understanding the profile of who is likely to do so, and identifying the red flags that may indicate a serious problem. Periodic review of internal controls and thorough background checks can also help mitigate the potential for fraud.

2. Identify and Define Fraud Schemes Committed Against Nonprofit Organizations

A. Financial Fraud

Compared to the corporate world, where fraud detection efforts have focused upon the misrepresentation of financial information to investors, regulators and the public, nonprofit fraud tends to involve the unauthorized theft of funds for personal use. It might be less sophisticated in some cases, but it is just as harmful, not only in bottom-line costs but also in reputational damage. Studies indicate that 25% of nonprofit fraud cases are attributable to managers while 9-10% are carried out by executives. The same study, conducted by the ACFE, finds that the typical nonprofit fraud is conducted by a female with no prior criminal record, earning about $50,000 annually, ranging in age from 20 to 62 years old with a median age of 40, and with an average tenure of seven years with the organization. As one would suspect, the greatest losses are generated by those who have been with the nonprofit the longest, who have built up the most confidence, and who have the most authority and financial responsibilities. Payroll and check tampering, false invoices, expense reimbursement fraud and cash misappropriations, such as fraudulent disbursements and skimming, were found to be common methods for compromise in the nonprofit community. Here is a brief description of each. Understanding what each may look like helps increase fraud prevention and awareness for a nonprofit:


Financial statement fraud: most often perpetrated by overstating revenues, understating liabilities or expenses, recognizing revenue in the wrong period, reporting assets at less or more than their actual value, and failing to disclose significant information.

Cash misappropriations:
   Skimming - occurs when cash, checks or credit card payments are stolen before being recorded by the organization for which they are intended.
   Larceny - occurs when cash is stolen after it is recorded.

Fraudulent disbursements: occur when the organization pays an expense that it does not owe, such as:
   Payroll or vendor fraud - occurs when a check is issued based on overstated hours worked by employees, services not rendered by a vendor, or to fictitious “ghost” employees or businesses.
   Expense reimbursement fraud - occurs when employees submit falsified claims for expenses such as travel reimbursement.
   Check tampering - occurs when an organization’s check is stolen or altered.
   Fraudulent register disbursements - occur when false entries are made in a cash register, or cash refunds are made from the register without documentation.

B. Cyber Crimes

According to the 2017 Verizon Data Breach Report, these types of cyber-attacks accounted for the majority of the incidents that occurred in the past year to steal data, leverage computing power or demand payments:

Crimeware and ransomware - defined as malware or a malicious program that compromises systems such as servers and desktops. 99% of malware is sent via email or web server.

Insider and privilege misuse - defined as the misuse of computer access privileges by inside employees.

Physical theft and loss - defined as employee loss or theft of laptops, USB drives, or printed documents.

Web app attacks - defined as defacement and use of a nonprofit’s website to launch attacks on other users.

Denial-of-service attacks - defined as having the ability to grind business operations of systems and applications to a halt by overwhelming the system, resulting in performance degradation or interruption of service.

Cyber-espionage - the theft of intellectual property, processes, and procedures through compromise and continued surveillance of systems.

Point of Sale (POS) intrusions - remote attacks against the environments where card-present retail transactions are conducted. POS terminals and POS controllers are the targeted assets.

Payment card skimmers - incidents in which a skimming device was physically implanted (tampering) on an asset that reads magnetic stripe data from a payment card.

Miscellaneous errors - occur when information is disseminated by security mistakes, such as accidentally sending private data to a public site, sending information to the wrong recipients, or failing to dispose of documents or assets securely.


3. Discuss the Implementation of Controls to Limit the Likelihood and Impact of Fraud Committed Against an Organization

Financial Fraud

The goal of any organization should be to reduce inherent risk to an acceptable level in order to continue business operations. An organization must conduct a risk-based assessment to understand the potential overall impact of a fraud. Once a fraud assessment has been conducted, an organization can determine the resources needed to mitigate risk through various control implementations and transfer part of it through applicable insurance. When mitigating risk, a defense-in-depth approach using preventative, detective and corrective controls is the most effective at limiting the likelihood and impact of a fraud event.

One way to prevent fraud is to start with a strong tone from the top which demands a culture of zero tolerance. For the team to get the message that fraud will not be tolerated, a ‘Progressive System of Discipline’ must be executed through Human Resources or senior management to ensure fairness. Human nature and common sense dictate that we all ‘push the envelope’ in the absence of consistent oversight, especially if we believe that we will not be held accountable for our actions, intended or otherwise.

We have discussed the fact that implementing segregation of duties as a preventative control for key financial processes in a small nonprofit organization is a challenge. However, this measure is essential in defining designated roles and responsibilities for oversight of co-workers, subordinates, and supervisors. Again, if the number of employees is small, Board members, consultants or other trusted volunteers with a particular skillset can assist with essential tasks. Performing a self-assessment to identify the weakest links in the internal chain of the process can help a smaller organization focus its sparse resources on the most critical elements. In our experience, where fraud has occurred in smaller businesses and nonprofits, it is because segregation of duties and managerial oversight were non-existent or lacking. In one matter, fraud continued for years and exceeded $1,000,000. In another forensic accounting matter, in which the organization was better prepared and therefore aware, it was able to limit the overall cost to the business and lessen operational disruptions by resolving the situation in short order and limiting the damage to under $150,000.
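The segregation-of-duties, least-privilege and dual-signature controls this section recommends can be written down as a policy check that a bookkeeping system or a self-assessment spreadsheet could enforce. The following Python script is an added example and is not the authors' code; its role names, staff table, incompatible-duty pairs and the $5,000 two-signature threshold are all constructed for illustration.

```python
"""Segregation-of-duties and least-privilege checks for check disbursements.

Added example (not from the white paper). Everything below is constructed:
roles, the staff table, the incompatible-duty pairs and the dollar threshold
above which two signatures are required.
"""
from dataclasses import dataclass, field

# Least privilege: each role carries only the steps it needs. Nobody should
# hold prepare, approve and reconcile at once.
ROLE_PERMISSIONS = {
    "bookkeeper":  {"prepare"},
    "controller":  {"approve"},
    "board_chair": {"approve"},
    "treasurer":   {"reconcile"},
}

# Duty pairs that one person must not combine (constructed policy).
INCOMPATIBLE = [
    {"prepare", "approve"},
    {"prepare", "reconcile"},
    {"approve", "reconcile"},
]

TWO_SIGNATURE_THRESHOLD = 5000.00   # constructed amount; two signers at/above this


def permissions(person, staff):
    """Union of the permissions granted by every role the person holds."""
    perms = set()
    for role in staff.get(person, []):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def toxic_combinations(staff):
    """People whose role assignments combine duties that should be segregated."""
    findings = []
    for person in staff:
        perms = permissions(person, staff)
        for pair in INCOMPATIBLE:
            if pair <= perms:
                findings.append((person, tuple(sorted(pair))))
    return sorted(findings)


@dataclass
class Disbursement:
    vendor: str
    amount: float
    prepared_by: str
    approved_by: list = field(default_factory=list)


def release_check(d, staff):
    """Decide whether a check may be released; returns (ok, reason)."""
    if "prepare" not in permissions(d.prepared_by, staff):
        return False, f"{d.prepared_by} may not prepare checks"
    signers = []
    for person in d.approved_by:
        if person == d.prepared_by:
            return False, "preparer may not approve own disbursement"
        if "approve" not in permissions(person, staff):
            return False, f"{person} may not approve checks"
        if person in signers:
            return False, f"duplicate signature from {person}"
        signers.append(person)
    required = 2 if d.amount >= TWO_SIGNATURE_THRESHOLD else 1
    if len(signers) < required:
        return False, f"{required} signature(s) required, {len(signers)} present"
    return True, "released"


def may_reconcile(person, staff, preparers_this_period):
    """Bank reconciliation must be done by someone who wrote no checks this period."""
    if "reconcile" not in permissions(person, staff):
        return False
    return person not in preparers_this_period


# Constructed staffing table: 'dana' wears two hats and will be flagged.
STAFF = {
    "alice": ["bookkeeper"],
    "bob":   ["controller"],
    "carol": ["board_chair"],
    "dana":  ["bookkeeper", "treasurer"],
}

if __name__ == "__main__":
    print("toxic role combinations:", toxic_combinations(STAFF))
    big = Disbursement("Acme Supplies", 12000.0, "alice", ["bob", "carol"])
    print("two signatures on a large check:", release_check(big, STAFF))
    solo = Disbursement("Acme Supplies", 12000.0, "alice", ["bob"])
    print("one signature on a large check:", release_check(solo, STAFF))
    print("dana may reconcile a month she wrote checks:",
          may_reconcile("dana", STAFF, {"alice", "dana"}))
```

The value of the script is in `toxic_combinations`: run it against the real role table whenever staffing changes, since a small organization drifts into conflicts when one person covers a vacancy. The release and reconciliation checks are the same rule applied per transaction.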


A nonprofit can take steps to be better prepared. It can, for example, require two signatures on checks; have the bank reconciliation performed by someone who is not involved in check writing; and have the Chairman of the Board review payables to make sure the vendors are legitimate and the expenses are reasonable. According to the ACFE, stakeholder awareness and the ability to report suspected fraud are more effective in detecting fraud than audits. Identifying and correcting issues quickly is part of a best-in-class fraud prevention strategy.

Once a fraud event is discovered, the first thing to do is for senior management to meet with internal staff to jointly assess stakeholder concerns and communicate the necessity of a “one voice policy.” During this first stage, a designated spokesperson has the responsibility to deliver the organizational message internally and externally. During this stage the organization begins to take the appropriate steps to rectify the situation, minimizing financial loss and, as a result, instilling public confidence. During my time in government service, despite challenging inquiries from the media on matters of interest, the “one voice policy” was an effective strategy for controlling the message and dispelling misinformation. Covering up, evading or having varying pieces of information denied to the public by a myriad of employees and surrogates is never an effective or acceptable course of action. The recent history of organizations such as the Red Cross has proven the financial and reputational fallout of ill-crafted, untimely or factually distorted messaging.

Cybercrime

Cybercrime is growing exponentially and now represents one of the most significant threats to nonprofits. This threat cannot be taken lightly. The loss or theft of critical information affects the confidentiality, availability, and integrity of data, and it also adversely affects operations, reputation, and the financial bottom line. The senior management of nonprofits must be prepared to deal with the risk of exposure to cyber threats. However, these organizations are often unaware or underfunded, and most are without a dedicated technology professional who can institute the adoption of best practices to lower their risks.


Cybersecurity, like fraud prevention, must be a top priority for nonprofits. Just as financial fraud can wreak havoc on a nonprofit, perhaps causing as much as a 13% loss of revenue, cybercrime also has a major financial impact. The 2017 Ponemon and IBM Report, which is the gold standard in cybercrime financial analysis, offered some encouraging news this year, determining that the global average cost of a data breach is actually down 10% over previous years to $3.62 million. In addition, the average cost for each lost or stolen record containing sensitive and confidential information also significantly decreased, from $158 in 2016 to $141 in this year’s study. However, despite the decline in the overall cost, this year’s study indicates larger breaches. The average size of the data breaches in this research increased 1.8%, to more than 24,000 records. (If you can consider $3.62 million as a ray of sunshine, you can calculate the potential cost to your own organization by multiplying every individual record (name, date of birth, Social Security number, etc.) your organization retains by $141 to estimate the total cost of a data breach, remediation, legal fees and reputational fallout.)

Protecting the various classes of data sets is a legal and fiduciary requirement. Hackers target valuable information from organizations that have weak controls, misconfigured systems, and unpatched software. Many nonprofits fit this profile due to lack of awareness, lack of funds, and sometimes lack of expertise. Some of these vulnerabilities may be attributed to the use of free, open-source software and inexpensive hosting sites. These practices provide criminal organizations with an opportunity to exploit an organization’s information technology environment and to steal valuable information such as donor names, addresses, and credit card information, as well as personal data on program participants or names and information on recipients of assistance, educational and medical data and more. The consequences of a cyber-attack for a nonprofit are difficult to quantify exactly, but operationally debilitating just the same.

Best practices for good cyber hygiene include many of the same steps used for financial fraud prevention, detection, and response which were discussed in the previous section #2. The process begins with understanding which data is critical to business operations, which is accomplished by conducting a data classification exercise. Not all information can be treated equally by an organization. Personal Health Information (PHI), Personally Identifiable Information (PII) and Payment Card Information (PCI) each comes with its own set of rules and responsibilities. Reviewing data privacy regulations, developing and ensuring implementation of proper policies integrated into a resilient information technology and security architecture, applying software patches and keeping employees alert to attempts to exploit their good nature are integral to every nonprofit’s defense-in-depth approach.

Preventive Controls

Widely accepted information security practices include some of the following preventive controls:

Timely file backups
Data retention and storage
Firewall rule implementation
Web filtering
Updating access control lists
Application whitelisting
Security awareness training

It is critically important to use a secure source for processing online payment of donations and dues. Likewise, implementing a password management plan and enforcing clean desk and clean screen policies by securing laptops and paper is effective when enforceable.

Detective Controls

Detective controls include the use of Intrusion Detection Systems (IDS) and review of user logs and browser history.

Corrective Controls

These include Intrusion Prevention Systems (IPS), properly configured next generation firewall solutions, anti-virus software, business continuity planning and incident response planning.
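The detective control listed above, review of user logs, is the one a nonprofit without a dedicated technology professional is most likely to skip, and it is also the one that can be partly scripted. The Python below is an added example, not from the white paper: the log format, user names, address ranges and thresholds are all constructed. It flags three things a periodic review of an application's access log should surface: a bulk export of donor records (or any export outside business hours), a burst of failed logins from one source, and a successful login from outside the office network.

```python
"""Scripted review of a constructed application access log (detective control).

Added example, not from the white paper. Log format, users, addresses and
thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line:
#   <timestamp> <user> login <ok|fail> <source ip>
#   <timestamp> <user> export <dataset> <record count> <source ip>
SAMPLE_LOG = """\
2017-09-12T09:03:11 alice login ok 10.0.1.15
2017-09-12T09:10:42 alice export donors 40 10.0.1.15
2017-09-12T22:47:05 dana login ok 10.0.1.22
2017-09-12T22:49:30 dana export donors 5200 10.0.1.22
2017-09-13T03:15:01 bob login fail 203.0.113.9
2017-09-13T03:15:03 bob login fail 203.0.113.9
2017-09-13T03:15:05 bob login fail 203.0.113.9
2017-09-13T03:15:08 bob login fail 203.0.113.9
2017-09-13T03:15:10 bob login fail 203.0.113.9
2017-09-13T03:15:14 bob login fail 203.0.113.9
2017-09-13T08:58:20 bob login ok 10.0.1.30
2017-09-13T12:00:00 carol login ok 198.51.100.7
"""

# Review thresholds (constructed; tune to the organization).
BUSINESS_HOURS = range(8, 19)       # 08:00-18:59 local time
BULK_EXPORT_RECORDS = 1000          # exports at or above this count are "bulk"
FAIL_BURST = 5                      # failures from one source within the window
FAIL_WINDOW_SECONDS = 300
INTERNAL_NETS = ("10.0.",)          # office address space (constructed)


def parse_event(line):
    """Split one log line into a dict; returns None for blank lines."""
    if not line.strip():
        return None
    ts, user, event, *rest = line.split()
    entry = {"ts": datetime.fromisoformat(ts), "user": user, "event": event}
    if event == "login":
        entry["result"], entry["ip"] = rest
    elif event == "export":
        entry["dataset"], count, entry["ip"] = rest
        entry["count"] = int(count)
    return entry


def review(log_text):
    """Return (finding, subject, timestamp) tuples for a human reviewer."""
    findings = []
    recent_failures = defaultdict(list)   # source ip -> timestamps of failures
    for line in log_text.splitlines():
        e = parse_event(line)
        if e is None:
            continue
        when = e["ts"].isoformat()
        if e["event"] == "export":
            after_hours = e["ts"].hour not in BUSINESS_HOURS
            if e["count"] >= BULK_EXPORT_RECORDS or after_hours:
                findings.append(("bulk_or_after_hours_export", e["user"], when))
        elif e["event"] == "login":
            if e["result"] == "fail":
                # keep only failures from this source inside the sliding window
                window = [t for t in recent_failures[e["ip"]]
                          if (e["ts"] - t).total_seconds() <= FAIL_WINDOW_SECONDS]
                window.append(e["ts"])
                recent_failures[e["ip"]] = window
                if len(window) == FAIL_BURST:     # flag once per burst, not per failure
                    findings.append(("failed_login_burst", e["ip"], when))
            elif not e["ip"].startswith(INTERNAL_NETS):
                findings.append(("external_login", e["user"], when))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

The point of a review like this is not the rules themselves but that someone other than the users being reviewed reads the output on a schedule; the same segregation that applies to check writing applies to log review.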


4. Cyber Insurance: 101

Cyber insurance can't protect a nonprofit organization from cybercrime, but it can maintain stable financial footing should a significant security event occur. In an article by Kim Lindros and Ed Tittel published in CIO in 2016, the authors shared insights regarding the key roles played by technology, social media and other transactions over the Internet in the way most organizations connect with donors, volunteers and supporters. But those vehicles also serve as gateways to cyberattacks. As part of a risk management plan, organizations routinely must decide which risks to avoid, accept, control or transfer.

Getting started

According to Lindros and Tittel, the first step is to create a cyber risk profile for the organization and to create a list of expenses to be covered in the event of an incident. Then the organization can determine an estimate for third-party costs. (Many insurers provide an insurance calculator on their websites to help organizations create a list of coverage and estimate costs to help them begin researching cyber insurance providers.) Additionally, many insurers also offer a checklist of coverage items to compare against their competitors. Transferring risk is where cyber insurance comes into play. Here are some ideas they present to help nonprofits seeking information:

What is cyber insurance?

A cyber insurance policy, also referred to as cyber risk insurance or Cyber Liability Insurance Coverage (CLIC), is designed to help an organization transfer risk by offsetting costs involved with recovery after a cyber-related security breach or similar event. With its roots in Errors and Omissions (E&O) insurance, cyber insurance began catching on in 2005, with the total value of premiums forecasted to reach $7.5 billion by 2020. Many nonprofit organizations are seeing a need for cyber insurance, but what does it cover? Cyber insurance typically covers expenses related to first parties as well as claims by third parties. Although there is no standard for underwriting these policies, the following is a brief summary of some common reimbursable expenses:

Investigation: A forensics investigation is necessary to determine what occurred, how to repair damage and how to prevent the same type of breach from occurring in the future.

Business losses: A cyber insurance policy may include similar items that are covered by an errors and omissions policy (errors due to negligence and other reasons), as well as monetary losses experienced by network downtime, business interruption, data loss recovery and costs involved in managing a crisis, which may involve repairing reputation damage.

Privacy and notification: This includes required data breach notifications to clients, donors, volunteers and other affected parties, which are mandated by law in many jurisdictions, and credit monitoring for customers whose information was, or may have been, breached.

Lawsuits and extortion: This includes legal expenses associated with the release of confidential information and intellectual property, legal settlements and regulatory fines. This may also include the costs of cyber extortion, such as from ransomware.

Keep in mind that cyber insurance is still evolving, partly because the true risk of cyber attacks is not completely understood.

What to look for as a cyber insurance buyer

Many well-known insurance companies already offer cyber insurance policies, and the expectation is that clients will soon assume that cyber insurance is part of every insurer's product line. But today cyber insurance coverage varies by insurer and policy. When comparing policies among insurers, here are some frequently asked questions:

Does the insurance company offer one or more types of cyber insurance policies, or is the coverage simply an extension of an existing policy?
What are the deductibles?
What are the exclusions?
How do coverage and limits apply to both first and third parties? For example, does the policy cover third-party service providers?
Does the policy cover any attack to which an organization falls victim, or only targeted attacks against that organization in particular?
Does the policy cover non-malicious actions taken by an employee? (This is part of the E&O coverage that applies to cyber insurance as well.)
Does the policy cover social engineering as well as network attacks?
Does the policy include time frames within which coverage applies?

Page 15: Impact of Fraud and ybercrime on Nonprofit Organizations ... · The Impact of Fraud and Cybercrime on Nonprofit Organizations Page 4 likely targets for a cybercrime as are larger

Page 15 The Impact of Fraud and Cybercrime on Nonprofit Organizations

What do insurance companies look for when deciding on proper coverage?

An insurance company wants to see that an organization has assessed its vulnerability to cyber attacks (created a cyber risk profile) and follows best practices by enabling defenses and controls to protect against attacks as much as possible. Employee education in the form of security awareness, especially for phishing and social engineering, should be part of a protection plan. Organizations that have had threat assessments performed further strengthen their case. Threat intelligence and ethical hacking services may be beyond the reach of small or even larger nonprofits. As cyber insurance coverage becomes more standardized, an insurer might request an audit of an organization's processes and governance as a condition of coverage.

Making a case for cyber insurance

Attacks against all nonprofits are increasing. Any organization that stores and maintains information, collects online payment information or uses the cloud should consider adding cyber insurance to its budget. Also, consider the proliferation of devices that now connect to business networks: there are simply more opportunities to access an organization's assets. For further information, visit the websites listed in the citations section.

5. Nonprofit Case Study: The Virginia Scholastic Rowing Association

Nonprofit organizations are known for not wanting to report bad news such as being the victim of a financial fraud. This is because they know that ‘theft’ and other such activities do not sit well with donors who may already be skittish about the organization’s weak infrastructure and shaky security processes. So the best a nonprofit can often do is to try to keep its troubles out of the headlines and under the radar. But not documenting fraud does not mean it is not occurring! Now and then a nonprofit comes forward to share its situation in order to help others avoid the same trap. There is a well-documented story that is available to the public, especially for learning purposes. Author Amy Wilson openly discusses her path to embezzling over $300,000 so that other nonprofits and small businesses can learn from her errors. The first thing Amy Wilson says in her article is that no matter what the situation, her warning is the same: “Trust is not an internal control - it is just a feeling”. As she shares her story, “One Accountant’s Journey Through Fraud, Jail, and Rebuilding,” which can be found at https://attestationupdate.com/2013/03/11/one-accountants-journey-through-fraud-jail-and-rebuilding, there is a solution. She suggests the implementation of internal controls and additional procedures that can enable a nonprofit to reconcile these two opposing challenges by putting structures in place that both protect its data and at the same time allow it to trust its employees.

Nonprofit Case Study: “The Virginia Scholastic Rowing Association,” as reported by Joe Stephens and Mary Pat Flaherty in the Washington Post on October 30, 2013.

Setting the Stage

Lela W. West had been known as the “queen” of regattas for many years. In fact, she was one of the most respected leaders in the sport of rowing. For more than a decade she served as the treasurer of the Virginia Scholastic Rowing Association, an Alexandria-based nonprofit that was underwritten by fees and donations from thousands of high school athletes in Northern Virginia. In her role, she collected, counted and deposited cash receipts, balanced the books and wrote checks as well. All the while, though, this highly regarded and trusted volunteer was quietly spending tens of thousands of dollars on NFL tickets, vacations, airfares, clothing, passes to Disney World, flowers, cash withdrawals and even her cable television bills.

John D. White, the Association’s secretary at the time, discovered the fraud when he went to the bank to clear up an outstanding bill for a vendor and was informed that the account showed a balance of less than $16,000 – instead of the $200,000 that should have been there.

What the Case Means for Nonprofits

The Association will never know how much it actually lost, but it estimated nearly a quarter million dollars in losses, and anticipated that the final amount could actually exceed $500,000. “You don’t want to believe it and therefore you don’t, until there is unmistakable evidence, and then it comes down on you like a ton of bricks,” White conceded. West pleaded guilty to two of the 24 counts of embezzlement and in March 2012 she was sentenced to 10 years in prison. All but eight days were suspended. The court ordered her to pay the Association $250 a month, meaning full restitution could take longer than 50 years. But the Association did not announce the embezzlement outside of its board meetings, and the scandal never made the local news nor the rowing publications and magazines. There was an accounting of the crime in the Association’s 2011 fiscal federal disclosure report, but no one ever asked about it. Even so, some Association members heard of the loss and began questioning whether Michael Mutter, President at the time, White or other officers could be trusted to handle the nonprofit’s finances. Donations dropped from $9,000 in some past years to $360 in 2011. The Association would struggle to recover from its significant financial loss, but even more so from its diminished reputation and status, along with the time lost while dealing with the situation and the energies diverted from developing the rowing team.

To those nonprofit leaders who believe that valued, long-standing volunteers and staff will never commit fraud against their beloved organization, or who think the organization is too small for anyone to bother embezzling from it, or who otherwise ignore the potential for a criminal situation such as occurred in Virginia, White shares a powerful warning: “Don’t trust anyone. I’ll guarantee you, we are not trusting now.” Just as Amy Wilson emphasized when she recounted the story of her own $300,000 embezzlement, “Trust is not an internal control.”

6. Conclusion

Today's nonprofit organizations operate in a challenging economic environment, serving their communities where federal and local governments are unable or unwilling to care for some of their most unfortunate citizens. Performing many necessary business functions to render critical assistance on limited budgets makes them vulnerable to insider threats and external actors. Specifically, money, in the physical form of checks and cash and in the digital form of credit and banking transactions, can be exploited by someone with access, motivation, opportunity and circumstances. The stakeholder information that nonprofits use to fund operations and provide services to clients as part of the critical business process is monetarily valuable to criminals. Although nonprofits serve the “greater good,” that promise does not relieve them of their fiduciary and regulatory responsibilities to safeguard and protect financial information and personal data. Astute Boards have become increasingly aware of the inherent risks of holding this type of information, and so they are putting greater emphasis on fraud prevention and the protection of data. However, the majority of nonprofits remain unprepared for the eventuality of an internal theft or cybersecurity incident. Although incident reporting has typically been difficult to aggregate, recent studies by the ACFE, Verizon and IBM indicate that for any organization that processes payments and handles personal data, the challenge of addressing the ever-evolving threat will be with us for a very long time. The National Institute of Standards and Technology (NIST) and the U.S. Department of Commerce pointedly encapsulate an approach, or a mantra, for the near future: “Know, Prevent, Detect, Respond, and Recover.”

7. Citations and Reference Resources

“How to Steal from a Nonprofit: Who Does It and How to Prevent It.” Nonprofit Quarterly. Janet Greenlee, Mary Fischer, Teresa P. Gordon, Elizabeth Keating. December 21, 2007.

“Embezzlement Happens. It’s What Charities Do Next That Matters.” Philanthropy.com. Bob Carlson. January 12, 2011.

“Fraud Risk Is On the Rise for Nonprofits – and the Impact Can Be Fatal.” Finance.yahoo.com. Marketwired. April 14, 2015.

“Nonprofit Fraud: It’s a People Problem, So Combat It with Governance.” Nonprofit Quarterly. Gerry Zack and Laurie de Armond. June 24, 2015.

“Preventing and Recovering from Cybercrime.” The State of Security. www.wiretrip. Pierluigi Paganini, Chief Information Security Officer at Bit4Id.

“What Are the Top Cyber Security Threats to Nonprofits?” Optimal Networks.com.

“Nonprofits and Cyber Security: Understanding and Managing the Risks of Cyber Threats.” Exemptorgresource.com. Tomer J. Inbar and Megan E. Bell. July 23, 2015.

“Financial Impact for Organizations from Cyber Crime Increased.” October 9, 2013.

“Is Your Nonprofit a Prime Target for Cybercrime?” Switchfast. April 26, 2017.

“Nonprofits Guide to Cyber Security.” Switchfast.

Verizon’s 2017 Data Breach Investigations Report.

Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview.

“American Democracy Demands Increased Nonprofit and Philanthropic Transparency.” Nonprofit Quarterly. May 10, 2012.

“Target's Biggest PR Mistake With Credit Card Security Breach.” Forbes. Anthony Wing Kosner. December 2013.

8. About The Authors

Bridget Hartnett, CPA, PSA. Member in Charge, Nonprofit and Social Services Practice

Bridget Hartnett, Member in Charge of the Nonprofit and Social Services Practice, has many years of experience in public accounting that she draws on to provide high-level services for clients. Bridget spends most of her time working closely with clients in the social services and nonprofit areas, including educational institutions. As a Member in the firm’s Nonprofit and Social Services Practice, Bridget supervises the audit engagements conducted by Sobel & Co. for the Cerebral Palsy Association of Middlesex County, the Youth Development Clinic of Newark and Catholic Charities of the Trenton, Metuchen and Newark dioceses, Freedom House, and C.J. Foundation. In addition, she handles all of the firm’s education audits and holds a Public School Auditor’s license. Bridget is also responsible for reviewing and overseeing the preparation of nonprofit tax returns.

Credentials and Professional Associations

Member of the American Institute of Certified Public Accountants (AICPA)

Has a New Jersey Public School Accountant's (PSA) license

Member of the New Jersey Society of Certified Public Accountants (NJSCPA)

Member of Allinial Global’s North America Nonprofit Community of Practice

Active member of the New Jersey CPA Society’s Nonprofit Interest Group

Instructor at Seton Hall University’s Nonprofit Certification Program

Instructor at the FDU Center for Excellence Nonprofit Certificate Program

Community Involvement and Philanthropy

Bridget carries her commitment to social services beyond the workplace to include:

NJBIZ Best 50 Women in Business - 2016

NJBIZ 40 under 40

Board Member of the State Advisory Board of the Salvation Army

St. Benedict's School in Holmdel, where she is always available for volunteering

New Jersey Chapter of Make-A-Wish

A volunteer with professional business groups in the New Jersey community, including the Monmouth Ocean County Nonprofit Committee

Education

Graduated with her Bachelor of Science degree from Montclair State University

James Mottola, MS, CISM, CPP. Director, Forensic Investigations & Risk Mitigation Services

James is the Director of the Sobel & Co. Forensic Investigations and Risk Mitigation Services practice, bringing an extensive background spanning nearly three decades in leading and managing personnel in both criminal and civil investigations in national and international environments. Jim’s unique forensic investigation skills were honed during his years serving in the United States Secret Service, evolving from his earliest experiences as a Special Agent in the New York, Phoenix and Frankfurt, Germany offices and culminating in his role as the Special Agent in Charge of the Newark Field Office in New Jersey. Jim adds significant value for the firm and its clients, combining a hands-on approach with a strategic perspective across a wide range of investigative situations, including white-collar investigations, financial fraud prevention and cyber-crime threat mitigation. His expertise in investigative, protective and administrative operations complements the training and expertise of the professional team in place in the Fraud and Forensic Practice and broadens the scope of services we can provide.

Credentials and Professional Associations

Certified Information Security Manager, Information Systems Audit and Control Association (ISACA)

Certified Protection Professional (CPP), American Society for Industrial Security

Overseas Security Advisory Council (OSAC), US Department of State

International Association of Financial Crime Investigators, IAFCI

Advisory Board Member, Vigitrust

Association for Corporate Growth, ACG

Adjunct Professor, Caldwell University, School of Business

Member of Business Resource Council

Lead Advisory Member for Metro One Security Solutions

Community Involvement and Philanthropy

Chairman, Charity Golf Tournament – Marine Corps Law Enforcement Foundation

Education

Whittier College, Whittier, CA – Bachelor of Arts in Political Science

College of Saint Elizabeth, Convent Station, NJ – Master of Science, Management

9. About Sobel & Co., LLC

Sobel & Co. is a regional accounting and consulting firm located in Livingston, New Jersey that has been providing nonprofit and social service organizations in the New Jersey/New York metropolitan area with audit, accounting, tax and advisory services since its inception in 1956. The firm is distinctive in its approach to the nonprofit community because of its sincere passion for serving this sector. As it says on the Sobel & Co. website, “We work with the nonprofit sector because we feel good helping those who do good; we have a passion for helping nonprofit organizations achieve their mission of helping the world's most vulnerable.” The firm currently works with more than 250 nonprofit organizations with revenues ranging from $100,000 to over $75,000,000. Based on this depth of experience, the professionals in the nonprofit group are keenly familiar with the issues facing nonprofits and they will apply this knowledge to bring added value to every engagement. As a further demonstration of the firm’s commitment to the nonprofit community, several complimentary programs are offered throughout the year. These include quarterly webinars, roundtable discussions and an annual symposium on timely and relevant topics. We also encourage you to visit our website at www.sobel-cpa.com and click on the Not-For-Profit niche page. Once there, please browse our resource library, where you will find published white papers along with a variety of articles. We provide a Desk Reference Manual for Nonprofits, a Survey of Nonprofit Organizations that contains interesting insights on nonprofits, a wide range of tools and benchmarking data, a monthly e-mail newsletter that offers relevant information to organizations like yours and links to other key sites that are valuable for the nonprofit community.