Category

Fraud

Simple Steps You Can Take to Prevent Cybercrime


If you’re not taking steps to reduce your risk of cybercrime, you should. Nonprofits aren’t immune to attacks from criminals, and, in fact, the opposite may be true. Many cybercrimes target small businesses and nonprofits because criminals know that these organizations lack resources, such as insurance or IT specialists, to fight back. Instead, they often submit to the criminals’ demands and pay the ransom. The criminals can then head to their next victim without punishment.

It’s time to reduce cybercrime risk by taking proactive steps. While you cannot eliminate the threat from attacks, you can certainly take steps to minimize risk. It’s like installing sturdy locks on the door of your home, an alarm system, and a webcam; it won’t stop someone determined to break in and steal your possessions, but it sure makes it harder for them to do so, and easier to catch them.

Five Tips to Reduce a Nonprofit’s Risk of Cybercrimes

  1. Improve password strength: Please, say goodbye to using “password123” or “namename123” as your passwords. Yes, according to MetroNews, people still use passwords like 1234567. Despite news of security breaches affecting millions of people (and their credit rating), people continue to use weak passwords. Don’t allow this within your organization. Insist that everyone choose strong passwords and change them monthly. Strong passwords are difficult for the average person to guess, do not include common words or phrases, and include capital letters and lower case letters as well as symbols and numbers. Think that’s a tall order? It could save you a great deal of trouble later by making the proverbial “lock on the door” very strong and keeping attackers from easy entry into your database or website.
  2. Review your cybersecurity strength: Conduct a cybersecurity audit or work with us to conduct one. A cybersecurity audit examines all areas of your organization where attackers may gain entry and cause trouble. It also helps you pinpoint things you’re doing right so you can replicate them. AICPA provides a free guideline to help you conduct your audit.
  3. Update your software and website: All software needs to be updated to patch known problems and fix gaps that hackers exploit for nefarious reasons. When your software prompts you that it needs to update, please don’t ignore the message or quiet it and forget it. Websites also need to be updated frequently. WordPress, a common framework used to build websites, typically includes add-on code called plugins, which hackers are known to exploit. These should be checked and updated regularly, which can be done from the administrative panel in WordPress. Other site providers and frameworks have similar places to update software.
  4. Provide training: Train employees to recognize attempts to gain access to systems. Some common things to watch for include phishing schemes, which trick people into revealing passwords through phony reset messages or similar emails; scams that encourage you to click on a link, thus infecting your computer with a virus or similar code; or downloading a ‘free’ item that includes malicious code embedded in it. Another method that criminals use to gain access to company systems is to pretend to be the CEO or another public-facing executive and request information from someone about the system or their password. By teaching your staff all of these methods, you help raise awareness of what they may encounter and encourage the appropriate steps to confirm any requests for passwords and confidential information. Write and document all procedures, and provide both training for new employees and refresher training for current employees.
  5. Back up everything: If a security breach occurs, you may be locked out of your systems. It’s a nightmare that some companies face, and it can be costly to fix it. By backing up your systems, you’ll be able to access and replace any information that may be compromised by an attack.

Take Cybercrime Seriously

Take cybercrime seriously. An ounce of prevention is always worth more than a pound of cure.

If you need help with a cybersecurity audit or more information, please don’t hesitate to contact Welter Consulting for information.

Welter Consulting

Welter Consulting bridges people and technology together for effective solutions for nonprofit organizations. We offer software and services that can help you with your accounting needs. Please contact Welter Consulting at 206-605-3113 for more information.

Cyber Defense – Five Steps to Improve Your Peace of Mind


If you think you’re immune to cybercriminals because you run a nonprofit organization, think again.

Cybercrimes against nonprofits are more common than you think. According to the Nonprofit Quarterly, there has been a 270 percent increase in the number of attacks against businesses, with small businesses and nonprofits at higher risk than ever before.

Why? It’s simple: easier targets. Criminals know that nonprofits and small businesses are less likely to have the time, patience, and resources to fight back when they’re the target of an attack. They pay up rather than risk the resources, capital, and reputation that might be spent defending against the attack.

It’s been said that the best defense is a good offense. That certainly goes for cyber defenses. There are five things a nonprofit can do to defend against the most common cyber-attacks. Taking these steps may mean the difference between sending an “I’m sorry” email to your constituents and business as usual.

Five Steps to Defend Against Nonprofit Cyber Attacks

There are many things you can do to prepare for and defend against cyber-attacks, but the following stand out as being simple, easy to implement, and within the abilities of most nonprofits.

  1. Educate employees about threats: Keep up to date about the latest types of cyber threats and educate your employees about the signs of such attacks. Employees may not know about ACH attacks, for example, which target them through emails pretending to be from the CEO to gain access to company bank accounts. These and other attacks pose serious threats to nonprofits but can easily be thwarted through education and vigilance.
  2. Encourage reporting of potential attacks: Encourage your employees to ask for help if they think they’ve accidentally clicked on a bad link or given out information to potential cyber thieves. Make it safe to do so and avoid repercussions that could discourage them from reporting. Early reporting of possible breaches enables you to take swift action to batten down the hatches against further problems.
  3. Establish offline ways to confirm financial transactions: Ensure that employees can confirm transactions or the release of vital information offline through a phone call to a senior executive. Offline ensures that a link in a phishing email won’t take the employee straight back to the scammer for confirmation. It also puts in place a series of checks to stop possible mistakes.
  4. Create backup systems and files: The use of cloud-based software such as cloud-hosted fundraising and donor management software protects files against viruses on your network by hosting them off network and onto a more secure cloud system. Other software such as Abila Cloud Accounting secures valuable financial detail through controlled access to accounts and financial systems.
  5. Prioritize updates: It’s tempting to click “ignore” when a pesky update notice pops up on your computer. Patches and updates close gaps in software code that can be exploited by thieves, so don’t neglect updates. Conduct regular software updates on all of your systems. Cloud-based software updates automatically and in the background so you don’t have to remember to update it. That’s another reason for choosing cloud systems for accounting, financial management, donor and fundraising management, and more.

Do you remember a television commercial featuring Smokey the Bear? Smokey’s slogan was, “Only you can prevent forest fires.”

Well, only you can prevent cyber-attacks by taking the appropriate steps to protect and defend your organization. If you believe in your mission, then you know it is worth the time and effort to secure valuable resources against external threats like a cyber-attack.


12 Steps to Improve Internal Controls


There’s no better time than now to review and analyze your organization’s internal controls. To help you stay slightly more focused and productive, we’ve broken up the intimidating task of updating and maintaining proper internal controls into these 12 simple yet necessary steps.

Step 1: Map out your current processes and workflows. Detail out internal accounting procedures with a simple step-by-step checklist or list of rules. Clearly identify how long each step of authorization should take to process.

Step 2: Identify clear separation of duties. Open your workflow documentation back up and assign owners for each procedure, and other process owners who may be involved in authorizations, approvals, or reviews.

Step 3: Bring in an outside expert to review your current processes. Leverage outside expertise like certified fraud examiners (CFEs) or attorneys specialized in evaluating and improving internal controls. They can help identify any gaps or vulnerabilities.

Step 4: Find a new home for your documentation. You’ll want to maintain documentation of your processes in a commonly-used location that is easily accessible by staff. It will need to be continually updated as needs shift throughout the year.

Step 5: Review security permissions in your fund accounting system. Your technology should fully support your desired workflows encompassing your separation of duties. Update your security settings to limit system access, based on defined roles and security groups.

Step 6: Set up monitoring alerts. Ideally, your fund accounting system can be set up with active monitoring alerts to quickly notify other staff about key activities, such as when checks are printed, but not recorded, or vendor hold payment status is changed.

Step 7: Create a digital audit file. Here you’ll organize and maintain artifacts for future audits, including bank statements and reconciliations, investment summaries, fixed asset and depreciation schedules, documentation of donor pledges and grant funds received, and year-end accounts payable and expenses.

Step 8: Update your employee onboarding. Now that your documentation is up to date, you’ll need to update your new employee onboarding to reflect the changes. It’s important to promote a shared commitment of financial responsibility from the start with a new employee.

Step 9: Set a recurring monthly budget review. The budget is not just a planning tool – this is a key internal control. Schedule monthly budget reviews for reconciliation; explaining variances to the budget keeps proper checks and balances across departments.

Step 10: Recruit for an audit committee. You’ll want to institute a strong audit committee of independent members (typically from the board) who are familiar with finance and accounting. They should select and review the independent external auditors and help monitor for fraud.

Step 11: Schedule an internal audit. The best prepared organizations perform internal audits to ensure key control activities are being followed, and to identify any reconciliation discrepancies. Find an appropriate time for your team and stick to the date.

Step 12: Set up quarterly staff trainings. You must reinforce your controls with periodic trainings. Take the time now to get these on the calendar and build into the agenda time to discuss any shifting accounting standards for which you may need to adjust.

Remember, the objective of internal controls is to put “checks and balances” in place to help manage and preserve the charitable assets of the organization. It builds a foundation of policies and procedures that ensures employees act responsibly and ethically and prepares the organization for expected scrutiny (for example, audits and budget reviews) and tough to predict events (for example, staff turnover).

Here are a few resources to help you implement the 12 Steps to Better Internal Controls:

 


Trust, But Verify: Avoid Fraud by Maintaining Internal Controls


Trust, so the experts tell us, must be earned over time. In the workplace, it is earned by consistently performing one’s duties well and by successfully accepting ever-increasing responsibilities.

The nonprofit workplace, like the for-profit workplace, works best in an atmosphere of trust and mutual respect among one’s colleagues. Without it, the workplace can be hostile, unfriendly, and uncomfortable.

But there is a fine line between suspicion and performing due diligence. Nonprofit organizations should guard against allowing trust to blindside them to the potential dangers of fraud and theft in the workplace.

A Cautionary Tale of the Ramifications of Blind Trust

One story that stands out is the story of Marge (not her real name), who worked at a large nonprofit organization. She was like a second mother to the staff. Honest, always willing to work extra hours, diligent in her job duties in the accounting department, Marge was trusted with managing many areas of the organization’s finances.

Although the organization had internal controls in place, they were often waived for Marge and other senior staff members who were so well-regarded and trusted that they weren’t questioned when they dodged the procedures. Marge was especially trusted and valued and did not have anyone present when she counted out petty cash or handled the checkbook.

One day it was discovered that money was missing from the petty cash. An audit revealed that small amounts of money had been taken from the petty cash box as well as from the checking account. Because Marge controlled both, she could make slight adjustments in the entry ledgers to avoid suspicion for a long time. It took the auditors only a short while to uncover the discrepancies and for Marge to confess that her lottery ticket habit had become a necessity and that she had been stealing ever increasing amounts to fuel an obsession with gambling.

Is Marge an isolated case? We think not, and a quick survey of the various nonprofit journals reveals similar patterns of fraud. Fraud doesn’t occur in isolation. It tends to occur when gaps are left within the internal controls that are intended to prevent such situations. In this case, trust and friendship overrode common sense. Exceptions were made that should not have been made. The result was an organization poorer for the loss of both money and a trusted employee who had to be let go when the truth was revealed.

Preventing and Identifying Fraud

Trust is a wonderful thing and a valued commodity in the workplace. That said, it should not preclude the use of standards, internal controls, and audits.

  • Preventing Fraud
    • Standards are the accepted norms for an industry. Accounting standards, security standards, and workplace standards can be codified and recorded in written manuals provided to all employees. Everyone can then be held to the same shared standard of conduct and behavior.
    • Internal controls are the processes and procedures put into place around access to the organization’s finances. These controls should be written down and shared among staff. Training sessions and refresher training sessions are also important to ensure consistent understanding of the controls among everyone.
  • Recognizing Fraud:
    • Audits bring in outside consultants, such as CPA firms well-versed in accounting for nonprofits, to examine your organization’s financial records, provide recommendations, and discover discrepancies.
    • Provide staff with an anonymous method to report incidences of fraud to their supervisors or to the managers in your organization.

Trust doesn’t have to be blind. Assuring people that their work matters, listening to their ideas, implementing their suggestions and other positive examples of trust can build bonds among workers that engender loyalty to your organization. Don’t leave your nonprofit open to fraud or theft due to blind trust. Trust, but verify, and stick to accepted norms and standards of behavior and internal controls to prevent problems before they occur.
