Financial Management Workshop for CILs…Regulations and Beyond
IL-NET presentation on May 25-27, 2016
Module 13: Management of Risk in Nonprofit Organizations

JOHN HEVERON: I would like to ask whether anybody has a story and can share it about any internal control failures or problems with your agencies or others. I know sometimes these are things you're not as comfortable discussing but if there is anything we can share, so.

AUDIENCE MEMBER: Not my agency but there is an agency in our town that does a lot of personal assistance, and they, one of their, they were one of their accountants was doing paychecks to nonexistent people. They had an audit, had went through an audit, audit was clean, did not catch it. But someone inside the agency realized something was wrong. By the time it all went through, it was over $200,000, had been fraudulently, she was had made up people and all and was sending out paychecks and luckily their fraud insurance kicked in, because they're a nonprofit, and they didn't suffer that total loss. But it was over $200,000 worth of fraudulent billing.

AUDIENCE MEMBER: Several many years ago, not at a center for independent living but I worked for another social service agency, where it was huge. Umbrella one-stop shop. And there was a little bitty program that had money coming in and just needed periodic checks written. The accountant didn't want to deal with it, so he gave it to the community service program to manage through QuickBooks, and the individual that was cutting the checks was kept complaining that the printer would screw up and didn't print checks correctly. Oh, well, it happens sometimes. Nobody when we earlier talk about, if you have to void a check, keep it, keep backup. They didn't. They just assumed it was a screw up. In reality, she was walking away with $5,000 out of this program, because it wasn't a screw up, she printed it to herself, document.
AUDIENCE MEMBER: Before I had somebody to help me keep my books, I was the director and it was me. And I had a contractor that needed a check for $2,100 pretty quickly. And we had a policy that said a board member has to sign anything over a thousand. So I wrote her three, $700 checks. And she was very happy but my auditor gigged me for it; he catches everything.

JOHN HEVERON: All right. Thank you, and if other circumstances come up as we're talking, maybe you can share them. Let me grab my clicker here. Our speaker this morning talked about the two bodies of information on internal control. He referred to the Green Book, which is called standards of internal control in the Federal government, and you might say I'm not the Federal government, why would I care? And then also known as the Green Book, committee on sponsoring organizations or the COSO report. You might remember that yesterday I said you've got a must and a should, and the must is you must have internal controls over administration of Federal awards. They should comply with one of these two. The good news is, they say almost the same thing, and also, it's good news that they were both very recently updated to take into account how we all do things in a much more electronic way these days. So one thing that they both have in common is there are five elements to an internal control system and you need to have all five of them. So the first one is called the control environment. And that just means your board and senior management's commitment to competence and there are a lot of different ways. We'll talk about some illustrations, but your commitment to proper controls, clear roles and responsibilities of the various partners involved in the oversight of funds. So that's the control environment. The next thing is called risk assessment. There I did it again, Paula. Risk assessment. And that basically, what could go wrong? It is simply saying, what could go wrong?
A careful look at your organization's operations in saying, what might get in the way of accomplishing your purpose? What might expose you to risk with funders or regulators, and what else could cause financial risk or embarrassment. So that's the risk assessment, that's item two for both of these internal control systems. Item three is your control activities. Policies, procedures, that are fully implemented and we're going to go through several examples, but typically they're segregation of responsibilities. We usually want to separate custody of money from record keeping for that. Policies are fully implemented and there are reviews and reconciliations. The fourth category of controls is information and communication. So now you set the standard at the top of the organization. You've assessed your risk. You've put into place policies and procedures. Now, you tell people about this on a regular basis so they're familiar with it. That's the information and communication. Clear communication for management and staff about the policies, procedures, and controls that are in place. And obviously this would include some staff training. The fifth and final category is monitoring activities. Monitoring is an important part of any internal control system. It's a key part of both COSO and the Green Book and really any other comprehensive thing that you will read on internal controls. It's the checking back process. Things change over time. People come and go. Programs come and go. So monitoring basically says, are the controls that we have in place the right controls for what we're doing now and for our staffing now? And are they working? Are they continuing to function? So it's a periodic follow-up to reassess risks to make sure controls are still appropriate. This would be the internal audit function, if you're a great big organization, but that's probably pretty rare, if not almost unheard of, for most of you. 
In smaller organizations, your audit or Finance Committee might do this. Keep in mind that monitoring is not a big demanding process. It's just some periodic double checking to make sure that things are working, but it's not an ongoing thing. So you can have an audit committee or a Finance Committee that once a year addresses monitoring and I'm going to give you some examples of things that they might consider doing. They won't do everything that I'm going to list, it will be too tedious, but they'll have a nice punch list to start with. Also want to point out the controls are a system and an ongoing process. So as we go through this to determine whether these procedures are appropriate for your organization, keep these principles in mind, these five standards, and remember it's a system and an ongoing process, not an event. Any comment on that, Paula?

PAULA MCELWEE: One comment would be when you're looking at this risk management issue of what could go wrong, this is when you apply disaster fantasies. This is the time for that person who always sees the negative side of things to help you figure out what could go wrong, because there are things that could go wrong that are errors, mistakes, but there are also people who will find you, and who will want to work for you, and whose goal it is to steal from you. And they're out there and it's a terrible thing to think of, but you have to realize, you need a system strong enough that you're going to discover them quickly and get rid of them. And so your system has to do that. This is the time to think about it, what are your risks? Let me give you an example. I knew one of the centers I worked with had a Section 8 program, in a rural community, and the vouchers Section 8 program was something they administered.
And they had a good system, but the boss who was doing the checks and balances went out on a very extended, serious extended leave and during the time he was gone, the person under him created landlords, created renters, got the checks from three or four of each, made up places, because he was gone. He was her check and balance. Now, there was no backup, though, to the check and balance, so nobody picked up his job while he was out on leave, and she was determined to triple her salary for the period she could and she did.

JOHN HEVERON: We're going to talk more about this in a little bit, but let me just pose a question. Do you think these people that want to steal from you are ornery and ugly or sweet and smart? Sweet and smart, aren't they?

PAULA MCELWEE: Almost always seem like really nice people.

JOHN HEVERON: You love them.

PAULA MCELWEE: This was a soccer mom, you know?

JOHN HEVERON: I've got a little update here, something that came out after I wrote this, but it's still pertinent, and it's very interesting, a comment we just heard here. You'll see how it applies. But this is the Association of Certified Fraud Examiners who really study fraud and thefts and all sorts of organizations for profits, nonprofits. And in the report that they gave from their 2014 studies, so the report they gave in '15, they said that typically organizations lose 5% of revenues to fraud. I mean, that's a mind boggling number to me, because we're not talking about 5% of profits for commercial organization. We're talking 5% of revenue. Wow. That's a lot. You got a $2 million agency, do the math, that's a lot of money. Most fraud involves stealing assets. In other words, we worry about identity theft, but it's really about money. You know. Stealing stuff or money. Most fraud is uncovered by tips from employees and others. Anti-fraud controls significantly decrease the cost and duration of fraud. Hotlines increased tips and reduced fraud.
58% of organizations didn't recover any fraud losses, and only 14% collected everything. And nonprofits and other small organizations suffer disproportionately large losses. Now, I've got some notes from their report that just came out. And the bad news is, the same 5% of revenue is lost. The median loss in small firms is $150,000. Not too different from what you said. But the different tone in this report was that fraud can be reduced. The median loss went from 200,000, your number, to $92,000 when fraud controls were in place. The average duration of a fraud, how long it lasted before it was uncovered, was cut in half. So the amount of the loss was cut in more than in half and the duration was cut in half when there were controls in place, and the most commonly named controls were management reviews, fraud training, codes of conduct and policies, and telephone hotlines. Can I ask, now, I assume everybody has a whistle blower policy, right? Because...

PAULA MCELWEE: Required to. If you don't, talk to us.

JOHN HEVERON: It is a requirement, one of the things from Sarbanes-Oxley that applies across the board. Sarbanes-Oxley doesn't apply to you but that one does. But how do you facilitate it? Does anybody have a hot line? Nobody. So it's all done internally. And I don't know whether we're going to see some changes in the availability of these. Of course, much larger organizations just find it more practical to have hotlines. But I'm surprised that nobody is doing that.

PAULA MCELWEE: I know there are some larger centers that do. I don't know, some of you might want to take a look at doing it in a collaborative manner, if you feel like it's too costly for you. There are clearinghouse groups that will do that for a whole set of nonprofits. Doesn't even have to be the other centers.
It can be a whole bunch of nonprofits in your community and there are some nice co-op type arrangements where somebody takes all of those calls from a phone that's installed in their house and 800 number and they have a process for getting those back out to whichever nonprofit it was that the call was about. And that's a really nice way to resolve, you know, resolve the fact you maybe can't afford that toll free number yourself but you could work with some others and if you had enough other nonprofits you can make it happen.

JOHN HEVERON: I wouldn't be surprised to see some of the payroll service bureaus do this as an add on. It seems sort of logical for them. Maybe they'll become more readily available. Hopefully they're not getting used all the time. But here's the reality, the Association of Certified Fraud Examiners say that employees uncover more fraud, thefts and abuse than any other source. You know. I'd like to tell you that auditors do but it's just not the case. Employees uncover this. So communicating to them clearly and regularly that you want to know about these problems is really key. And a hot line can help facilitate that. Okay. So let's just talk about some of the things that can go wrong in your organizations. Improper transactions can include things like the following: Incoming receipts can be taken or deposited into an unknown account. Unexpected receipts, like contributions, pose more risk. So that's why we always look for that separation of record keeping and custody. Somebody other than the person who receives the money should be the person acknowledging the contribution. We had a nonprofit, a different kind of nonprofit, but they got a big check, one big check each month, from an organization. They were actually a school bus drivers' union, and so they got a single $8,000 check once a month, or something like that. Went right to the organization.
Well, the treasurer set up another account in the name of the organization with herself as signer coming to her house. And what she would do is to when the check came in, she deposited it into her home account, the 8,000 and then she wrote a check for 7,000 into the organization's account. Now there was still just the one check so it really went quite a while before it got uncovered. Being a union the Department of Labor got involved. I don't know the final conclusion of that one but it wasn't a happy ending. We were brought in because they had a suspicion of some problems, and we found it, but like I said, the Department of Labor finished the job for us. So that's why we need a separation there. Refunds can be generated and diverted by overpaying a bill or paying it twice. That's why we said, you know, mark invoices as paid, once they're paid. Kickbacks are actually the number one fraud, but not in our industry. Unfortunately, much more prevalent in the construction industry, but still something to watch out for. When somebody is making a payment to an employee to do business with them, and so you just need to be sure that that isn't happening. We're going to talk about procurement policies later and they will provide a pretty good answer for that. Check signatures can be forged and improper payments can be made. Banks aren't great about verifying signatures. But if you don't review bank statements promptly and identify these improper charges that the bank's liability diminishes, so you really need to stay on top of this.

PAULA MCELWEE: As you know, you don't get the paper canceled check back, but it is online, and someone should be looking at it, because it doesn't stay there forever. Somebody should be looking at it, printing it if you want a copy of it. I think there are lots of times when you would recognize immediately that the signature is different.
Someone other than the person who issues the checks should be signing the checks and someone other than that should be reviewing that bank statement.

JOHN HEVERON: I shouldn't ask anybody to hold their hands up, but is there anybody who doesn't get images of checks? I'll pretend you all said no and we'll talk about the other people who are in that situation. I run into this way too frequently. It's simply not acceptable. In some cases, banks will provide them for an extra fee of something like $20 a year. Believe me, it's an important internal control to be able to review those checks, so if you're not getting check images electronically or right with the bank statement, then change the process or change the bank.

PAULA MCELWEE: Get them and save them. Because if you don't save the electronic copy, it will at some point disappear from your bank's records and the access becomes more difficult. So make sure that you either get a paper copy in the mail, print a copy, or save the electronic file. You need custody of the file.

JOHN HEVERON: Phony invoices can be generated and submitted for payment. That's why we said we don't want the check preparer to get the check back, because if it goes right on to wherever this place is, then it's much more likely if somebody else is mailing it out. Payroll checks can be prepared for employees who no longer work for the organization or are fictitious, and we had an example of that. Fundraising events. You know it's a lot more fun to plan the event than it is to plan the controls around it but any fundraising event should have some controls built in, very often cash is collected at events. My daughter is a CPA out in Colorado, she works with the peach festival in Fort Collins. Where is our Colorado group? Are you near Fort Collins? The peach festival, Jamie takes a very active role in every year, they have a lot of cash payments.
It's good there's a CPA involved with that because you really need to think about the internal controls, through an account person and the likes. Any rate, build internal controls into these.

PAULA MCELWEE: Sometimes it's true with somebody who is helping you with your event. I know of a situation where this is a different nonprofit. But they did a soccer tournament and the soccer league agreed to do all the parking for half of the parking proceeds. But there wasn't anybody checking on whether it really was half of the parking proceeds. It took a while to realize they were skimming off more like three-fourths of the parking proceeds and just didn't see any problem with it at all. Because they could, so they did.

JOHN HEVERON: Credit cards can be used for improper charges, but also watch for improper credits. We had an organization in Rochester where the finance director was issuing credits to his personal credit card statement. You know, as time went by, it got away with us for quite a while. It grew and grew. And there were some months where the credits he issued to himself exceeded the total charges that this organization received. Still, because he was the trusted finance director, nobody picked up on it. Very sad outcome for everybody with that one. Inactive investment accounts are risky because they may not be carefully reviewed. Improper withdrawals may be noticed. I told this to a group in Pittsburgh, but somebody shared with me in a conference, not one of these, but another conference where we were talking about internal controls. About a situation where there was a building campaign, money was being put into a separate account, it was extremely inactive. Money was going in regularly but nothing was coming out because the intention was to build it up and up and because of the lack of activity, there was very little oversight.
At any rate, apparently, the finance director was gambling, and taking money out of there, with the best of intentions to pay it back, but you know how that always works, and nearly depleted this building fund account, so those inactive accounts need to be watched as well.

PAULA MCELWEE: That does not please your donors.

JOHN HEVERON: No. Huh-uh. So nonprofits face various risks in the form of fraud, theft, errors on the part of insiders misusing technology to steal assets and personal information. And we know that technology creates opportunities for fraud. Falsified checks, bank account hijacks can be reduced with technology countermeasures. It is saddening to know how many people are out there phishing all the time to get into your bank account, to hijack your bank account. There are, you might have somebody send in a job application and the job application has a program attached to it, when you download a PDF or something like that, there's a program in there that will crack your entering of your password. And then the next thing, they're able to do, is to go right into your bank account. If you don't catch that fairly quickly, it would be a problem. Maria would catch it right away because she checks every day. I wouldn't catch mine every day. But Maria would catch it. Secure checks. Remember the movie, Catch Me If You Can, Leonardo DiCaprio. That was really fun. The person who he portrays, Frank Abagnale, so what he does now, he works for the FBI and for banks to tell them how to catch guys like him and he's actually got some really nice videos online that you can download, just some YouTube videos. If you want to do some fraud training, share some of those. But one of the things that he does now is he consults with banks on secure checks. Checks that are much tougher to alter. Does anybody know the term positive pay? So that's a process do you use it or just know of it? Just know about it. Okay.
Again, I think as the threats become more common, we may go with things like this more often. It's a situation where you would send an e-mail to the bank and say, today we sent out these 30 checks. This number, this amount. And when the checks come in to be cleared, the bank always double checks them against your list. If they have a check coming through that wasn't on your positive pay list, then they won't pay it until they get approval. They'll send you an e-mail saying this wasn't on your list, was it okay to pay? So that's one thing. There's a thing now called reverse positive pay. Basically you get that list of checks and you have the responsibility to review them before they get paid, so you would reject any that are apparently improper. And then you can use a secure font and asterisks above the payee name to prevent adding another name to a check if one of your checks goes missing. Bank liability for improper checks, as we said, diminishes if you don't let them know about this right away. If 30 days passes, then their liability is greatly diminished. If a check forgery is not reported to the bank, that also reduces the liability, even for subsequent forged checks. And mobile banking fraud is becoming much more common, and so those mobile devices that are tied into your computer need to be secure.

PAULA MCELWEE: When you're at a place like this on a public Wi-Fi, it gives you that little warning your device might be discoverable. That is one of the places where some of this stuff takes place, on a public network you've signed into and oh, yeah, you wanted to deposit this check or take this money and pay this bill. As soon as you're doing this on a public network, you are exposing your password, your bank account number, all that stuff to potentially being discovered by someone else who is on the network for a negative reason.
JOHN HEVERON: Not really the mainstream internal control thing but I really wanted to add this because it has become almost an epidemic. Warnings from IRS that your payroll tax payment wasn't processed, coming in by e-mail though. They just don't do that by e-mail. They might prey on your clients, although most of what they are doing now is looking for clients that haven't been in this country for a long time and may have some difficulty with language that are very concerned about continuing to be in this country and insecure about that, and they get calls that appear right on the screen to be from IRS saying, your tax payment did not go through, you need to do this or your driver's license will be revoked and sometimes they'll even follow up with a second call and it appears the DMV is calling. They really know how to use this technology to scare people. So just keep in mind that any message from IRS that comes by e-mail is no good. Don't trust it.

PAULA MCELWEE: To some extent, that's true of other things too, like your credit card, your bank account. If you get that e-mail, it may be legitimate, because some of those do, but never call back the number that's in the e-mail. You have their number. If you want to talk to your bank, call your bank directly. Don't click on or call back on the number in that e-mail because it might not be legitimate. So somebody tells you your credit card has been hacked, you don't call that number. I look on my credit card and I call that number, if I want to know if it's real, because that's the only way you can protect yourself from those things that are buried in those e-mails that are there to get you, and then they're going to ask you for your social security number, your account number, verify this, verify that. Then they're off and running with your information.

JOHN HEVERON: And if you get an e-mail that looks like it's from your mom, but you wonder about it, click reply.
That doesn't get you in any trouble and see where it's really going. Sometimes that's all you need to know that it's bogus. Some of the other common schemes that are happening right now, one is there's a Federal Express package sent to you, got misdirected, and they look for password information from you. Or there's a question about your bank account. You know, they want to know what your personal bank account information is. Name, account number, and passwords that you have. But these programs also add malware and can disable your computer. CryptoLocker virus? Anybody run into that? A horrible thing that has become much more common. Now, in the CPA industry, they like going after us because I think they know we are quicker to pay up, if we get locked out of our own computers. But this CryptoLocker virus is a virus that gets installed on your computer that blocks you from all of your accounts and actually starts deleting accounts if you don't make a payment to them. We've got a question. Hang on just a second.

AUDIENCE MEMBER: Is that the same scheme as the ransomware, because we got hit with ransomware.

JOHN HEVERON: It is the same sort of a scheme of ransomware. I think it is a version of it.

AUDIENCE MEMBER: Encrypted everything, my computer, the server, everything. But rather than pay the ransom, our IT people came back in and rebuilt our programs, we didn't lose very much but we did lose some information. Yeah, it was scary.

PAULA MCELWEE: A good backup process will help protect you from that. Because you can just reset it to natural, and then reload your stuff. Otherwise you're stuck with the ransom. I think that's why they win that way. She said she had the same thing happen. Is that right?

JOHN HEVERON: She described it as ransomware.

PAULA MCELWEE: Now you have to wait for a mic. I was repeating but I can't repeat everything.
AUDIENCE MEMBER: Yeah, it was last year, we had that happen, crypto, whatever, the IT people that we had come in, they were able to recover most everything but not everything.

JOHN HEVERON: Scary stuff. Be suspicious of any e-mail coming from financial institutions, especially the Bank of America. I don't know why they pick on that one, but I guess people know that there are a lot of Bank of America accounts out there. So watch for that one. Watch for the Better Business Bureau. Federal courts and as I said, even compromised e-mail from people you know. If you want to do some training on this, you might want to Google FBI fraud advisory. They've recently issued a fraud advisory which provides tips and recommendations to educate yourself and your employees and to strengthen the security of your computer. So that's a good resource and tool. Just continuing here. So the people that have been close to frauds that have occurred or have a close awareness of them probably already know this. But fraud affects an organization in several ways. There's a financial loss. There's an emotional effect. There's a long-term effect that may impact donors or funders who are concerned about the problems that led to the loss of assets. Now with the new federal rules that mandate controls over administration of Federal awards, you can almost plan on some problems resulting from this. In the best of cases, it distracts time, energy, and money from your mission. And fraud that isn't detected and dealt with properly almost always becomes bigger and more frequent.

PAULA MCELWEE: When you're receiving federal funds you have some specific requirements about reporting fraud. You can't keep the money that was fraudulently taken. You can't recoup it through your federal grants, but you have to report it to your federal grants. They may press charges. It may end up in the paper. That's what happened with the organization with the rent subsidy grant, you know. They reported it as they needed to.
She went to jail, which is not always the case, especially nonprofits often don't follow through. But it was federal fraud, and the Housing and Urban Development came in and took over the investigation and the process, and it was very damaging to that organization for a while, because people just lose trust. They think, well, look, they're in the paper for, you know, losing this federal money, so can we trust them?

JOHN HEVERON: Yeah. It really is a serious problem. The situation I described about the person who was issuing credits to his charge account, the Executive Director of that organization shared with me, I've never felt so betrayed, we had a close relationship, I had just gone to his daughter's wedding. This is this was my partner. You know, my finance director, somebody I was close to and trusted. So there really is a very big emotional impact here. And like I said, the final comment was, if you don't catch it quickly, it grows. People become bolder and bolder. We saw a situation where somebody was routinely preparing checks, this was in a business organization, but preparing checks to vendors. She told different employees that the vendors wouldn't accept checks, they needed to be paid in cash. So she'd send the employees to the bank to cash these checks purportedly to pay the vendors. Needless to say she was taking the money, but I think it almost became a game, because when it was uncovered, checks were written like one, two, three, four, five, and you know, these sequential numbers just to sort of say, are you folks stupid? You know, just to put things out there that seem so ridiculous, they should have been picked up, but they weren't.

PAULA MCELWEE: There is a level of arrogance that goes along with this kind of theft. I'm smarter than everybody else, that's why I think I can get by with it. You'll never catch me because I'm too smart.
JOHN HEVERON: Can I first ask Michael, who is an IT specialist in his organization, to share something with us that he shared with me? I think this is really important. Not just for everybody here, but for you to share with people back home. Michael, can you tell everybody what you told me?

AUDIENCE MEMBER: One of the problems I have in our agency, the users are usually reluctant to talk to their IT department if they have something wrong with their computers. I have had three computers that have been attacked by viruses that locked [cough] excuse me, that locked them out. And one of them was like a week after they had first was infected by that virus. And they lost everything on the computer. Luckily we have backup systems that we were able to recover it. But if you have any problems with your computers, don't be ashamed or afraid that the IT or your supervisor, somebody is going to get down on you. They want you to tell us. Immediately, that way you don't lose any time. We don't have any problems and everything runs nice and smooth. That's just the biggest problem that we see in the IT Departments.

JOHN HEVERON: Thanks, Michael. Can I ask Maria to also tell us what happened with her, and when.

MARIA STEPANYAN: Well, I was born in Armenia, just kidding. So John said, made a comment that if something happened to our bank account I would notice and catch. And I had to share with him that ironically it actually did happen while I was here. I checked our bank account, just like I always do, even when I'm away, and I did see some charges in our bank account that were not recognizable. And I noticed that it had some name that was not our board member name or our Executive Director's name and so it certainly looked wrong, and definitely there was some money coming out of our savings account, which is also not the operating account that we do business all the time, so it's often neglected.
Those accounts, the savings accounts that are there and no transactions happen, always get forgotten. Because I checked it, I did see some transfers out of our account that were not ours, and called the bank right away and put the freeze and closed the account fully to have the new one reopened and they did confirm that they would reimburse all of the money of the so, yeah, that happened. But I also want to say, since I have the mic, that that's why I think it's important to invest in the administration and have more than one person in there, because you have to have checks and balances and have more than one person in charge. Because most of the time those people that do start the fraud process, as far as I am aware, they don't really think of the strategies. There are some that do too but often in nonprofit it happens because one person is in charge and there's nobody else looking at what this person is doing, and in nonprofits, when we're all not paid as much as for-profit organizations. Sometimes this financial person who is in charge and in need of money decides to help her or himself, like John says, thinking they will return the money but then they don't and they realize that nobody even catches what's happening. So they just continue doing. So often, by not having enough people in administration is also putting the person in that position and opening the door, so that's why it is important to have more than one person looking and being in charge of the finances.

PAULA MCELWEE: If I might add, one of the things, some of the smaller centers will say, well, we can't. We can't afford it. Well, you can contract with someone to help you with some of this separation of duties.
We're going to go into a little more detail on some processes you can use, but think about that, think about could we contract with someone, in some communities the centers go together and they contract with somebody who understands all the centers and becomes, you all educate that person together and then you share that person's expertise and they stay up to speed and you're all able to have another set of eyes looking at all that information. So think about some creative ways to do it. If you're not very big, you still need to find a way that you're looking, you know, cross checking and looking, keeping your accountability straight.

JOHN HEVERON: And thanks, Maria and Michael for sharing your stories, because it really proves that we're not talking about theoretical problems, we are talking about very real things that can be at your doorstep and you need to be very proactive here.

PAULA MCELWEE: I'd like to say two quick words about credit cards. The first one is: Those credit card applications that come into the mail at your center that have your name on it, if you just throw them in the trash, somebody who has got the desire to do so can take that application, apply with your name, and sometimes are successful, especially if they have access to your social security number or some of the other information that is asked for at the time that the application is done and we've seen that happen. Somebody stole their boss's identity, got the credit card, changed the address to her house as soon as she could but she handled all of that person's mail anyway, why couldn't she do that? So she began to charge that card and maxed out that card and she was not liable for it. The boss whose identity was stolen had to deal with it. So it's really, it can really happen and one of the people here shared just a minute ago, that had a problem with the points on a card, which in American Express at least with some of them can be transferred into cash.
Fiscal manager applied for the card, his name is on the card as the authorized user, and then all the points were transferred from that card, all the bills from the center were passed through that card, all the points were transferred to his personal card and then he could use those points as cash to pay for some of his expenses on his personal card. Tens of thousands of dollars running through this card, and the points going over here. So yeah, you just kind of have, it's not that points can't be used sometimes by employees. You may have a policy for that around travel or travel accounts or whatever, but this is probably a cash transaction.

JOHN HEVERON: Thanks, Paula. The next section talks about how to identify the potential embezzler, and I said, she's going to be smart and sweet, and really, there's no set of criteria that describes the person. There's really not age, race, or anything else that is significant. What is significant is a lack of integrity, financial pressures, and opportunity. Financial pressures are more a matter of perception than reality. I know in Pennsylvania I talked about a friend of mine who had a beautiful home in a suburb of Rochester where we live. He had horses, plenty of acreage. You know, just very, very successful. He started a business and the business failed miserably, and after a few years, he was, he really had lost everything. You know, he lost his home. He was living in an apartment over a liquor store in the inner city. And it was devastating to him. But I can tell you there would have been an awful lot of homeless people that would have loved to have that apartment. So financial pressures are more a matter of how you see things. But financial pressures can also sometimes be a byproduct of change in your life. So not that we need to pick on anybody who has gone through a tough change like a divorce or illness, but these things create financial pressure. It just means our awareness needs to be there.
But really opportunity is the biggest area that influences this. If you convince somebody that they won't get caught, then you're encouraging them to do dishonest things and opportunity is really the only thing that you can control. You can't control somebody's integrity. You can't control their perception of their financial situation. You can't control the changes in their economic circumstances. opportunity that they have to take money from your organization. So you need to evaluate risk based on your organization's operations and activities.