I read that a nonprofit employee recently committed suicide after being confronted with evidence that she had defrauded a nonprofit. Was the nonprofit ethically responsible for leading her into temptation?
The responsibility for wrongdoing always rests primarily with the wrongdoer. Others in the same situation would have resisted temptation. The media coverage did not mention any mental illness so severe that she could not tell right from wrong. It is truly unfortunate she chose such a drastic and tragic means of handling the situation when most people would have used the justice system, but the nonprofit is not responsible for that choice.
However, there is a related question – was the nonprofit ethically wrong for exposing its assets to fraud? The answer there is yes. One of the key duties of a nonprofit board is protecting the assets of their organization. This organization failed to safeguard its financial assets appropriately (assuming the media coverage is reasonably accurate). If it had been a charity, it would have also endangered an even more critical asset – its reputation. Why would a donor want to give to a charity that does not keep the monies safe until they are used to further the mission?
What did the nonprofit do wrong? First, they did not have a policy of due diligence in hiring. Falsifying credentials is not uncommon, but hers were not checked. Her subsequent employer also did not check. Admittedly, the credentials were not critical to the positions, but credential checking is a fairly easy way to catch a liar before they join your organization.
Second, even if this individual had signing authority, the second signatory should have noticed payments totalling $600,000 to $700,000 for services the organization did not receive! The second signatures should not be rubber stamps; invoices should be spot-checked. This organization has about 35 staff, in a single location, so senior people should be familiar with all major activities. And the monies represented more than 16% of the annual income for general operations, not some tiny fraction.
I am assuming here that the organization did have the simplest and absolutely key control – a second signature after the payee and amount are filled out. But I continue to be amazed at how many organizations ignore this basic control because it can cause minor inconvenience or delay. Having complete cheques ready for signature requires that whoever writes the cheques be organized, that is all. By the way, I have handled the multiple signature issue in several organizations, including a national one where both signatories were volunteers and lived across Canada, so do not think I am being unrealistic. And when I became an executive director, the prior one had quit partly because a new treasurer wanted to sign actual cheques (which would have revealed or ended some unusual financial transactions, to say the least). He had a full year’s worth of signed blank cheques from the prior treasurer, and the accounting person had every intention of using them up! To make the controls work, give two office staff authority to sign for minor amounts, so the photocopier can be fixed.
In this case, the staff size was easily large enough for a good division of duties, so that payments to suppliers involve both purchasing and accounting staff, as well as senior oversight. I acknowledge this is difficult in small organizations, but even some organizations with four staff manage better than this one did. And the individual committing this fraud was the Chief Information Officer, not usually a position involved in accounting at all.
By the way, the current CEO was hired after this dishonest executive left, so he carries none of the blame. During his tenure, a new employee reported the evidence of past fraud, and a special audit was arranged. I congratulate the organization on this; too many sweep fraud under their rugs.
There are numerous other controls that can be considered to protect assets, and some are essential to protect privacy as well. If your organization has a good auditor, ask for their assistance; reviewing controls is a normal part of an audit assignment. You can also ask other respected organizations for copies of their financial control documents to see if yours measures up. Make sure you have also implemented risk management practices in related areas such as facilities (e.g. key controls, access cards, checklists for employee terminations); information technology (e.g. open ports, firewalls, password controls, restrictions on data on laptops and smart phones); and privacy (e.g. data access, retention and disposal).
The most important risk management activities you can undertake relate to ethics. Hire ethical people, promote and model an ethical culture, deal with transgressions, and have safe methods available for seeking ethics advice and reporting possible wrongdoings.
Even ethical people can succumb to easy money in some circumstances. They can become mentally ill, need huge amounts of money to take a terminally ill family member to another country where recovery is promised, or become temporarily unbalanced as a side effect of medication.
So every board and all senior executives should make sure their organization is both rewarding ethical behaviour and reducing temptation. There are no guarantees, but these actions will make it much less likely that your organization has to deal with fraud and its consequences.
Since 1992, Jane Garthson has dedicated her consulting and training business to creating better futures for our communities and organizations through values-based leadership. She is a respected international voice on governance, strategic thinking and ethics. Jane can be reached at jane@garthsonleadership.ca.
To submit a dilemma for a future column, or to comment on a previous one, please contact editor@charityvillage.com. For paid professional advice about an urgent or complex situation, contact Jane directly.
Disclaimer: Advice and recommendations are based on limited information provided and should be used as a guideline only. Neither the author nor CharityVillage.com makes any warranty, express or implied, or assumes any legal liability for accuracy, completeness, or usefulness of any information provided in whole or in part within this article.