Internal Control

Wessel Accounting and Portfolio offer free security reviews for non-profits in 2016

By Laura Haight

There is no way to know for certain how many nonprofits were hacked in 2015, or how many are being hacked right now. But many security organizations and cyberthreat analysts believe the rate is at least as high as, if not higher than, the rate for small businesses.

Like small businesses, nonprofits are disproportionately victimized by fraud and hacking and are underprotected by controls and detection measures. This assessment, from the Association of Certified Fraud Examiners (ACFE), is a wake-up call for nonprofits that do not realize how much at risk they are. To support the nonprofits serving critical needs in the Upstate, Portfolio and Wessel Accounting are offering their BizSafe Security Review for free to one local nonprofit each month through 2016.

BizSafe is a scalable tool to help assess internal controls and security procedures, identify the weaknesses that could be leaving a business or nonprofit vulnerable to hacking, cracking or fraud, and mitigate them. The service is jointly provided by Laura Haight, a former IT executive and president of Portfolio, and Kelly Wessel, former director of internal audit for the Greenville Health System and president of Wessel Accounting.

Although news of a hack or data exposure at a nonprofit periodically comes to light, there is a shortage of hard data to analyze. Experts such as the ACFE and the Hauser Center for Nonprofit Organizations at Harvard University see this not as a lack of risk but as a lack of public reporting.

In the small business sector, both the National Small Business Association and Symantec reported that in 2014 more than 60 percent of small businesses in the U.S. were hacked, and cyber experts agree the trend continued in 2015. Across the board, the ACFE estimates that 6 percent of revenue for all businesses is lost to fraud or hacking, in many cases to attacks and embezzlement the business is unaware of. When it comes to cybercrime, the FBI has stated that most businesses have a hacker in their systems for 18 months before they realize it, and that most find out when the FBI comes knocking at their door.

Experts believe nonprofits are at least as vulnerable as other small businesses, and most are more at risk. In addition to detailed donor databases, including names, addresses, donation amounts, banking information and in some cases credit card numbers, nonprofits hold information about grants given and received and about the clients they serve. They may hold health records or family information. All of these are data points that hackers or cybercriminals will use to build a profile and steal identities. Nonprofit websites are particularly vulnerable because they are often not regularly updated, and the organization rarely has support staff to monitor their security.

“Kelly and I are very concerned about the vulnerability of nonprofits and we hope that by offering our BizSafe service to some local organizations we can raise awareness about the risks, the availability of solutions and the importance of educating and protecting ourselves, our businesses, our donors and our sustainability,” noted Haight.

You can learn more and nominate your favorite nonprofit by visiting the BizSafe website: http://www.bizsafesc.com/nonprofit-program/.

For more information, contact laura@portfoliosc.com or kelly@wesselaccounting.com.

Praise the Lord and Pass the Internal Control

Do you go to church? Have you ever been to a church? I’m not asking because I’m worried about your soul. Have you ever wondered what happens to the collection that is taken during the service? You should find out. If you tithe, do you carefully check your record of tithes against the statement sent to you by your church? If not, you need to start.

If the objective of this newsletter series is achieved (and assuming you read my newsletters BEFORE you delete them) you will all become so fraud-savvy I will eventually write myself out of a job. Maybe I should think this over.

I realize that your business probably doesn’t have the type of problem illustrated by this case. However, if you know someone who might benefit from this information, please forward this newsletter to them.

THE METHADONE CLINIC THAT WAS.
This story was donated by a contact in law enforcement.

I’m not going to assume that you know what a methadone clinic is. According to Wikipedia, “A methadone clinic is a clinic which has been established for the dispensing of methadone, a schedule II narcotic analgesic, to those who abuse heroin and other opiates.” I’m not going to be a smart-ass and say that the business type is the first red flag. We would assume that the employees of said clinic don’t necessarily have the motivation to obtain funds illegally. But there are all sorts of motivations, a topic for another newsletter.

THE FRAUD
The only front office employee at this clinic was receiving payments from patients and diverting some of the cash to his wallet. When patients came in, their name, patient number, service date and time would be logged into the accounting system. The perp (I love cop-speak) would delete the patient visit and payment from the accounting system and pocket the cash. There were so many procedural no-no’s found in this situation my head spun. In fact, I think the only thing that was right was the mission of the clinic.

RED FLAGS
The first actual red flag probably wasn’t considered a red flag; it may even have seemed a blessing: the clinic’s patients only paid in cash. And what business is going to say “Sorry! Your cash isn’t accepted here because one of our employees might steal it”? Cash is cash is cash, and when a business accepts cash as a payment there needs to be extra accountability. The red flag? CASH. Why do mail order companies ask you not to send cash in the mail? Because eventually, someone is going to open the envelope. You fill in the blanks. It’s CASH!

Cash can be the cheapest form of currency for a business because it incurs no processing fees, NSF fees, or collection fees. But it can be a pain because it is very hard to track and therefore easy to steal (NOOOOO, you think, not MY employees!). There’s no electronic record, check number, or copy in the bank vault. When a business takes in a lot of cash payments, it must have additional checks (pun intended) and balances. For instance, don’t let the same person collect the cash AND enter the payment into the accounting system. An employee who handles cash probably shouldn’t have log-in credentials for the accounting system at all.

The other red flag? Doses dispensed > income. The owner noticed that methadone doses dispensed were plentiful but income was not. This might have been a “notice” in hindsight. My details here are a little sketchy. But the owner either noticed the inconsistency and didn’t act, or he noticed it after the fraud was uncovered. Either way, SHAME ON HIM for either 1) looking and not acting; or 2) not looking; or 3) looking AND NOT KNOWING WHAT HE WAS LOOKING AT. No excuse. Sheeeesh.

DEFINING MOMENT (for the perp)
One of the patients called in after his visit and asked for a receipt for his payment. He must have talked to someone other than the perp (who probably took the day off to spend his money). They couldn’t find a record of the payment. They couldn’t find a record of the service in the accounting system. For all I know, they couldn’t find the patient’s name in the accounting system. But the pharmacy had a record of the methadone being dispensed.

BIG BLACK HOLES (i.e. , CAUSES)
I could write an encyclopedia on how this could have been prevented. I’m sure the detectives who actually investigated this case DID school the owner. The basics, since we don’t have time for everything:

  • They didn’t separate duties;
  • They didn’t carefully check behind an employee who had too much responsibility;
  • They weren’t smart about assigning log-in credentials. Not every employee needs access to the accounting system, and NO ONE should be able to delete records;
  • They didn’t understand the controls available in their accounting software. They used QuickBooks, which has per-user permissions and an audit trail of changes, but they didn’t use it well;
  • Someone wasn’t paying attention;
  • No meaningful account analysis was being performed;
  • Did they run an employee background check? I don’t know. It may have helped.
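As an added illustration (not the clinic’s system, and not code from this newsletter), here is a small Python model of the two controls that were missing: an append-only ledger in which a payment can be reversed by a separate reviewer but never deleted by anyone, and a reconciliation of doses dispensed against payments recorded, which is the owner’s “doses dispensed > income” check done one visit at a time. The roles, patient numbers, dates and $12 payments are all made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Roles are an assumption for this example. The front desk records visits
# and payments; a separate reviewer may post a reversing entry; nobody
# can delete or edit a row once it is written.
FRONT_DESK = "front_desk"
REVIEWER = "reviewer"


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class Entry:
    entry_id: int
    patient_id: str
    visit_date: str
    amount: float                   # negative for a reversing entry
    entered_by: str
    reverses: Optional[int] = None  # entry_id this entry reverses, if any
    reason: str = ""


class Ledger:
    """Append-only visit/payment ledger: entries are reversed, never deleted."""

    def __init__(self) -> None:
        self._entries: List[Entry] = []

    def entries(self) -> List[Entry]:
        return list(self._entries)

    def record_payment(self, user: User, patient_id: str,
                       visit_date: str, amount: float) -> Entry:
        if user.role != FRONT_DESK:
            raise PermissionError(f"{user.name} may not record payments")
        if amount <= 0:
            raise ValueError("payment amount must be positive")
        entry = Entry(len(self._entries) + 1, patient_id, visit_date,
                      amount, user.name)
        self._entries.append(entry)
        return entry

    def reverse(self, user: User, entry_id: int, reason: str) -> Entry:
        """The only way to 'remove' a payment: a second, opposite entry,
        posted by someone other than the person who took the cash."""
        if user.role != REVIEWER:
            raise PermissionError(f"{user.name} may not reverse entries")
        if not 1 <= entry_id <= len(self._entries):
            raise KeyError(f"no entry {entry_id}")
        original = self._entries[entry_id - 1]
        if original.entered_by == user.name:
            raise PermissionError("a user may not reverse their own entry")
        if original.amount < 0 or any(e.reverses == entry_id for e in self._entries):
            raise ValueError(f"entry {entry_id} cannot be reversed")
        if not reason.strip():
            raise ValueError("a reversal needs a documented reason")
        rev = Entry(len(self._entries) + 1, original.patient_id,
                    original.visit_date, -original.amount, user.name,
                    reverses=entry_id, reason=reason)
        self._entries.append(rev)
        return rev

    def net_paid(self) -> Dict[Tuple[str, str], float]:
        """Net amount received per (patient, visit date), reversals included."""
        totals: Dict[Tuple[str, str], float] = {}
        for e in self._entries:
            key = (e.patient_id, e.visit_date)
            totals[key] = totals.get(key, 0.0) + e.amount
        return totals


def reconcile(dispensing_log: List[Tuple[str, str]],
              ledger: Ledger) -> List[Tuple[str, str]]:
    """Visits where a dose was dispensed but nothing net was received.
    The pharmacy's dispensing record is the independent source here."""
    paid = ledger.net_paid()
    return [(p, d) for p, d in dispensing_log if paid.get((p, d), 0.0) <= 0]


# Constructed sample data (not from the case): four doses dispensed over
# two days, but the front desk only entered three of the payments.
DISPENSING_LOG = [("P-1001", "2015-03-02"), ("P-1002", "2015-03-02"),
                  ("P-1003", "2015-03-02"), ("P-1004", "2015-03-03")]


def build_sample() -> Ledger:
    clerk = User("front desk clerk", FRONT_DESK)
    ledger = Ledger()
    ledger.record_payment(clerk, "P-1001", "2015-03-02", 12.0)
    ledger.record_payment(clerk, "P-1002", "2015-03-02", 12.0)
    # P-1003 paid cash at the desk; the clerk never entered it.
    ledger.record_payment(clerk, "P-1004", "2015-03-03", 12.0)
    return ledger


if __name__ == "__main__":
    for patient, date in reconcile(DISPENSING_LOG, build_sample()):
        print(f"dose dispensed, no payment recorded: {patient} on {date}")
```

Run it and the one visit with a dose but no payment on the books is printed. The shape of the control matters more than the code: the person who takes the cash has no way to make a visit disappear, every reversal carries a second name and a reason, and the dispensing record is a source the front desk cannot touch.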

THE FALLOUT
This little not-for-profit clinic paid the ultimate price: it lost $73,000 and had to close its doors. I don’t know what happened to the perp.  But even if he was arrested, prosecuted and found guilty, I’m sure he eventually got another job (or will).  Does your business run background checks on employees?

‘Til next month…..

Improving Data Security for Your Business: A 12-Step Program

In the wake of the data breach at the South Carolina Department of Revenue, I would like to mention some steps that businesses can take to protect themselves, their customers, and their employees from the fallout of this breach and from future breaches or disasters.

1) All individuals should take advantage of the free credit monitoring being offered by South Carolina through Experian. The link to get this protection is: www.experian.com/scdor. The access code is scdor123. Also, place a fraud alert and a credit freeze on your credit report with the Experian, Equifax, and TransUnion credit reporting agencies.

2) South Carolina businesses should take advantage of the free credit monitoring offered by Dun & Bradstreet.

3) Monitor banking and credit card accounts on-line daily.

4) If you (or your business) have provided your banking information (account and routing number) to the state, talk to your banker about how your bank is protecting its customer accounts. If you are not comfortable with the protection provided by the bank, discuss changing your account number.

5) If your business does not already have a written security policy that sets up the company standards and responsibility for security of on-line data and off-line documents, get one. Be sure to address secure document disposal, data back-ups and the security of the back-ups. The policy should also include consequences for violations, and it must be enforced.

6) Know what kind of consumer and employee information you are collecting, where it is, and who has access to it. Access should be limited to as few as possible on a need-to-know basis. Likewise, know who you are giving YOUR information to, why they need it, and how they protect it.

7) If you accept credit cards, make sure any customer credit card information stored in your system is encrypted by you or your processor. For recurring charges, it is preferable to store those card numbers in a data vault provided by your processor. Customer credit card numbers and other consumer information should never be stored in unsecured documents. And don’t blow off the annual PCI self-assessment questionnaire (SAQ). Complete it honestly. This questionnaire should show you where you may be exposed. Your merchant account provider should be willing to help you with this.

8) Develop a strict password policy that addresses how passwords are assigned, levels of access, routine password changes, and a prohibition on password sharing, and that sets up procedures for immediately deactivating a password when appropriate (for example, when an employee leaves or a password may have been exposed).

9) Hire an IT security specialist to review your system security if you don’t have a qualified employee to do this.   If an employee designed the security, the review should be independent.

10) If you keep hard/paper copies with sensitive employee or customer information, they should be adequately secured while in use and shredded or otherwise destroyed when disposed of.

11) Restrict access to your facilities.  Know who can enter and what they can access. Restrict key distribution and change locks/keys in appropriate situations (lost keys, employee termination, etc.).

12) Have a disaster recovery plan. This plan should specifically address each step to be taken, and by whom, in the event you have a data breach or a physical disaster (e.g., your building burns down). A data breach will require notification and damage control procedures for your employees and customers. A physical disaster plan will address steps and responsibility to work with your insurance company, acquire an alternate facility and equipment, and restore the data from back-ups.

I realize that the above procedures can be costly and sometimes cumbersome.  Each business needs to weigh the costs of implementing such procedures against the benefits that will be derived from the protection provided. The State of South Carolina is going to spend at least $12,000,000 repairing the damage from the recent data breach. That doesn’t include what they’ll spend to prevent it from happening again.  I’m sure many are wondering if the State would have been better served by spending that money years ago to strengthen system security.  But hindsight is 20/20.