The former director of a North Carolina Central University program designed to help minority students used an unauthorized bank account to divert more than $1 million from the program over six years, according to a state audit (WRAL News Story). What can we learn from this story? It’s usually easier and cheaper for companies and organizations to be proactive rather than reactive when it comes to security.
According to the audit report, “The University Consortium operated without adequate oversight from University management.” Without addressing the details of this specific case, the administrators of the program should have taken a number of proactive steps. These steps could include background investigations for employees who would have access to finances, as well as the creation and implementation of rules for managing accounts. There should never be a single point of failure or a single person in control who operates without oversight. Periodic audits, including audits performed in response to a suspicion of wrongdoing, should be conducted by a reputable and informed third party who is trained to recognize the signs of fraud.
What would it have cost to implement these and other proactive steps? Would it have cost less than $1 million, the amount diverted? What about the costs and time associated with conducting the investigation, including the time of internal employees as well as outside auditors? What about the legal fees for outside counsel when coordinating with local law enforcement and prosecutors and as part of the recovery and restitution process? How much future earning potential for the organization will be lost due to a damaged reputation?
Security practitioners are often faced with justifying the cost of security. This story illustrates one example where a dollar spent on prevention would have been worth thousands of dollars of cure.