forensic accounting

Wessel Accounting and Portfolio offer free security reviews for non-profits in 2016

By Laura Haight

There is no way to know for certain how many nonprofits were hacked in 2015 or are in the process of being hacked right now. But many security organizations and cyberthreat analysts believe it is at least as high — if not higher — than the rate for small business.

Like small businesses, nonprofits are disproportionately victimized by fraud and hacking as well as underprotected by controls and detection measures. This assessment from the Association of Certified Fraud Examiners is a wake-up call for nonprofits that do not realize how at risk they are. To support the nonprofits serving critical needs in the Upstate, Portfolio and Wessel Accounting are offering to provide their BizSafe Security Review for free to one local nonprofit each month through 2016.

BizSafe is a scalable tool to help assess, identify and mitigate the veracity of internal controls and security procedures that could be leaving a business or nonprofit vulnerable to hacking, cracking or fraud. The service is jointly provided by Laura Haight, a former IT executive and president of Portfolio, and Kelly Wessel, former director of internal audit for the Greenville Health System and president of Wessel Accounting.

Although periodically news of a hack or exposure of a nonprofit comes to light in the news, there is a shortage of hard data to analyze. Experts like the the ACFE and the Hauser Center for NonProfit Organizations at Harvard University, see this not as a lack of risk but a lack of public reporting.

In the small business sector both the National Small Business Association and Symantec reported that in 2014 more than 60 percent of small businesses in the US. were hacked. That trend only expanded in 2015, every cyber expert admits. Across the board, the ACFE estimates that 6 percent of revenue for all businesses is lost to fraud or hacking. In many cases, attacks and embezzlement that the business is unaware of. When it comes to cybercrime, the FBI has stated that most businesses have a hacker in their systems for 18 months before they even realize it, and most find out when the FBI comes knocking at their door.

Experts believe nonprofits are at least as vulnerable - and most more at risk - than other small businesses. In addition to detailed donor databases including names, addresses, donation amounts, banking information and even in some cases credit cards, nonprofits have information about grants given and received, as well as clients they serve. They may have health records or family information. All of these are important data points that hackers or cybercriminals will use to build a profile and hack identities. Additionally, websites are particularly vulnerable because they are often not regularly updated or have support staff to fully monitor their security.

“Kelly and I are very concerned about the vulnerability of nonprofits and we hope that by offering our BizSafe service to some local organizations we can raise awareness about the risks, the availability of solutions and the importance of educating and protecting ourselves, our businesses, our donors and our sustainability,” noted Haight.

You can learn more and nominate your favorite nonprofit by visiting the BizSafe website:

For more information, contact or


Praise the Lord and Pass the Internal Control

Do you go to church? Have you ever been to a church? I’m not asking because I’m worried about your soul. Have you ever wondered what happens to the collection that is taken during the service? You should find out. If you tithe, do you carefully check your record of tithes against the statement sent to you by your church? If not, you need to start.

Case Studies: Fraud, Forensics, and other Random Felonies, Flaps, and Five-FInger Discounts.

The best way to protect yourself from crime is to learn the lessons of other victims.

That’s what I hope to do in a monthly newsletter which will focus on case studies. The cases will be actual frauds or cases of intentional regulatory non-compliance.  In each one I will look at what happened, what the red flags were, how the frauds were uncovered, and what the fallout was. The names will be changed to protect the innocent. Seriously, the victim.  Many of the frauds in our case studies could have easily been prevented. And as much as I’d love to throw the perpetrator under the proverbial bus, I don’t want to name names when illustrating the stupidity, in some cases, naivete, of the victims.

Before I start analyzing case studies,  I’m going to explain the most common red flags of fraud.  Some of the red flags are no-brainers but are still repeatedly overlooked by management and business owners for all sorts of reasons.

  • Employee lifestyle changes.  If the minimum-wage mail room clerk drives to work in a new Bugatti, it’s time for an audit.
  • Employee with significant credit problems.  Are debt collectors showing up to see an employee? Yikes!  Use discretion, but listen to the talk around the water cooler.
  • Refusal to take a vacation.  And you thought the bookkeeper was really dedicated, or had no life.  There’s a reason banks require their employees to take week-long (or longer)  vacations.
  • Lack of separation of duties. This is difficult for very small businesses.  But should your secretary (or anyone, really)  be opening the mail, posting customer payments, taking the deposit to the bank, reconciling the bank statement,  answering phone calls, making collection calls, or any two of the above?  The same goes for inventory.
  • Management (or a manager) operates “fast and loose” with rules, details, procedures, etc.  and gets away with it.
  • Unreconciled bank statements. Or unusual reconciling entries: something other than outstanding checks. But take a close look at outstanding deposits. Yes, last Thursday’s deposit really should be on the bank statement that was printed four days later.

I could go on and on. But you get the idea and if you don’t unsubscribe from my newsletter, you’ll learn a lot more. Even better, forward it to someone you think may need a “heads up.”