|Well, some folks are. Reading my clipping services from Google Alerts the other day, I see an office manager for a YMCA coping a plea bargain for embezzling 25K from her employer. One of the jobs of software like ours is to place a few hurdles in front of people trying tricks like this. These hurdles - barricades that auditors simply refer to as internal controls - involve business procedures that make everything a little harder for everyone... but much harder for the bad guys.|
A brief history of some of the tricks played by bad apples at a few of our clients, and what we did to close the barn barn door behind these particular horses sheds light on these control issues.
A long time ago - way back in the days of DOS - a major trade association we were working for discovered that its departments were providing falsified reports of membership counts and receivables to upper management. Many of these reports were user configurable, and the users had purposefully configured them to be quite misleading. The reports also created their output as files that could be edited in a word processor - something we had been selling as a feature.
The auditor employed by our client wised us up fast. He wanted us to create reports that he vetted, and that were then locked down so that no-one at the company could alter them. He also wanted the output to go straight to the printer, so there was no chance to "pretty up" the results in a word processing program. Our current assessment is that this remains a valid lesson - which is why in the next service pack, we are responding to users requests to output reports in a more widely accessible file format by adopting not DOC or XLS as some people were urging - but PDF files.
We were so naive back then. Around the same time, at a professional certification agency that used our software, a young woman set up a simple scam to enrich herself by $695.00 a week. That was the fee for the certification exam this group offered. This lady set up a bank account in the name of the organization, with herself as signer. Once a week she simply pocketed a check from the mail she opened, without recording the check anywhere, and deposited it in her phoney account. When the unfortunate applicants showed up to take the test, there would be no record of them. This woman - who also proctored the exams - would argue that the database just sometimes lost people, and they should be allowed to take the test.
When we got suspicious, we verified that the cash receipts report from Members Only had been balancing to the bank deposits all along.. and that they still did - so it was clear these checks were not being entered and vanishing later. They were simply never being entered.
We learned from this that it was not in anyone's interest to let easygoing users forgive what seemed to be flaws in the database. We learned that a pattern of customer complaints about record keeping should set off alarms. And we learned that even the smallest association needs to have payment handling controls in place - the person responsible for entering the applicant in MEMBERS ONLY should not be the one opening the mail, and certainly not the one deciding to seat the customers in the testing room.
The clue here was that customers were complaining. Eventually this did get everyone looking for some malfeasance. But really clever scams short-circuit customer complaints.
A young man working part time at the front desk of one of our YMCAs came up with an innovative way to steal from his organization. Instead of stealing money, he stole service - which we realized we were not controling for as tightly as we were for the green stuff.
At all YMCA's, one of the possible membership plans is a family plan, where an entire household pays a single fee for membership. This enterprising young fellow belonged to such a membership, being paid for by his parents. So when his friends inquired about joining the Y, he simply added them to his parents membership. The customer was never going to complain - since their bill did not change - and the customer was the crook, after all. Now there is a report in place in our YMCA software to control for this scam. But I'm sure there's something else we haven't thought of.
The Moral of the Tale
In these three tales we see three different modes of malfeasance utilizing software in a non-profit or association. One involved theft of money, one theft of service, and one the manipulation of data to achive political goals within the organization. In all the cases, modification of the software was able to prevent repitition of the deceit. But most importantly, we were sadder but wiser developers, who recognized the need for internal controls in what appeared to be the most benign business environments - not-for -profit organizations.