When Funds Go Missing, What Can You Do? What Must You Do?


Money Savings

One of the most difficult situations I’ve encountered while counseling nonprofit boards over the years is when they have discovered that the organization’s funds have been embezzled, most commonly by an insider. Two real-life situations are particularly noteworthy. In the first instance, the executive director stole more than a million dollars; in the second case, a former executive director and board member conspired to steal $4,000,000 from the organization. In each instance, the other board members approached me after the thefts had been discovered to ask about their fiduciary duties and potential personal liability.

While there are few precedents for establishing the limits of a board’s liability when organizational funds have been embezzled, it is generally clear that if board members have acted within their fiduciary capacity and have not been grossly negligent in their oversight of the nonprofit’s funds, they cannot be held liable for the stolen funds. That does not prevent a state’s attorney general from laying the blame on a board, however. I recall an assistant attorney general contending that the organization’s treasurer (an unpaid officer) had been negligent in his responsibilities because he should have discovered the fraud much sooner than he had.

So what should a board do once it suspects or has discovered evidence of embezzlement?

Determine the Extent of the Embezzlement 

The board’s first responsibility is to investigate the alleged crime. The organization’s treasurer, legal counsel, and forensic accountant and/or auditor should make a good faith attempt to determine the extent of the theft, examining all records available to marshal whatever evidence there might be. Although the initial instinct may be to call the police when a criminal activity is suspected, such early reporting raises the risk that the report may turn out to be an unsubstantiated accusation against an innocent employee. It is therefore a good idea to undertake a diligent audit of the firm’s records (even if it will require incurring some expenses to do so) prior to getting law enforcement involved.

Confront the Perpetrator(s)

Once the organization has sufficient evidence that there has been a misappropriation of funds, the alleged perpetrator must be confronted and given an opportunity to give his or her side of the story. If the individual cannot fully explain the missing funds, the suspected employee(s) should immediately be removed by placing him or her on an unpaid leave (if the organization is still unsure if a crime has been committed, a decision to place the employee on paid leave may be preferential) or by termination of employment. If there is serious concern that the employee will attempt to cover up the misappropriation, the board may want to delay the confrontation with the employee while more evidence is established. Each situation will call for a careful review of the facts and circumstances in order to determine the appropriate confrontation strategy. In either event, the organization should consider limiting the employee’s access to funds prior to the confrontation.

Report the Incident to the Authorities

Once the board has concluded that there has been a defalcation, it should consider contacting the appropriate legal authorities. This could be the local police precinct or the district attorney’s office. The FBI and U.S. Attorney should be notified if the alleged criminal activity occurred in more than one state or if it violates a federal law.

Organizations need to carefully consider any decision to report the incident to governmental authorities. Such disclosure could potentially lead to significant negative media publicity for the organization. Some organizations have been able to quietly have the stolen funds returned by the perpetrator, averting the risk of bad press and undue harm to the organization’s reputation. In situations where there are no funds available to be returned, the board or executive staff may have no choice but to report the crime.

Even if the organization does decide to report the incident to a legal authority, it may find the agency to be unresponsive or unwilling to take on the case. This could be due to the difficulty in prosecuting these types of cases, the limited resources available within the agency, the relatively small amount of money stolen (too low to devote resources), or any other number of reasons. If no criminal charges are filed, the organization may have to hire a lawyer to sue for the return of the stolen funds, which can be an expensive and time-consuming process.

Aside from reporting the incident to law enforcement and criminal prosecutors, the organization will also need to disclose in its annual Form 990 whether it became aware during the year of any significant diversion of the organization’s assets. The organization will need to disclose the nature and amounts of the diversion and any corrective actions taken, although the person who diverted the assets should not be identified by name.

Attempt to Recover the Misappropriated Funds

The board has a fiduciary responsibility to attempt to have the funds returned. But it is also incumbent on the board to do its best to determine which of the following options make sense, given the facts and circumstances at issue. Some of the common considerations include:

  • The cost of seeking the return of the funds outweighs the amount of funds that were stolen;
  • There is significant risk that filing a lawsuit or otherwise speaking publicly about the incident may lead to negative media coverage, and cause significant reputational harm; or
  • The likelihood of recovery is very small. The board’s conclusion that recovery is unlikely should follow appropriate due diligence to determine whether the perpetrator has any assets to go after.

After considering all of the facts and circumstances, and the various options for recovering the funds, the board may, in good faith, elect not to pursue expensive options such as bringing a lawsuit, hiring investigators, etc. The board may instead choose to take alternative reasonable, private, and/or cost-efficient actions to recover the stolen funds, such as by offering the perpetrator a repayment plan.

Most organizations, thankfully, will never face the unfortunate situation of embezzlement. Good governance and board oversight can go a long way to protect against that remote possibility. But should it befall your organization, moving systematically and cautiously may significantly improve your organization’s chances of recovery.

This article was originally posted on September 12, 2013. Clifford Perlman is a founding partner at Perlman & Perlman, LLP, a New York law firm specializing in regulatory compliance and general legal counsel for the not-for-profit sector.

  • Todd

    This is great guidance. I’d love to see your strategy go further, especially as concerns communication with donors (to retain confidence), media (to maintain reputation), other staff (to retain people or gauge the extent of the violation). Are there other operational things that should be done like securing data or the office? Also, is this strategy spearheaded by the executive committee or is every action taken a full-board endeavor?

  • William Henry, CIMA Volunteers Insurance

    If your organization has employee/volunteer dishonesty coverage, be sure to put your insurance company on notice as soon as you become aware of the embezzlement. The insurance contract requires that claims be “timely,” and you do not want to be arguing with your insurer about whether your claim was timely. Your insurer will provide guidance from that point.

  • Margot Haliday Knight

    As the victim of a serial embezzler, i decry the decision to “keep it quiet”. If the non-profits (yes plural) who had hired my embezzler had been more forthcoming (and I made reference calls) I would not have had one of the most difficult six months of my non-profit life.
    I went public, insisted on prosecuting, reached out to donors, etc in order to stop this man from victimizing anyone else.
    Also, a communications strategy is critical when this happens or the press will create it for you.

  • Linda Gola

    I want to suggest that by “quietly have the stolen funds returned ” an organization may be saving themselves bad publicity which is fine, but does open up the possibility that the person will go on to another organization and commit the same crime. There have been cases in my city of serial embezzlers who drifted from business to organization to business. When they were found out by one place, they just went to another and because it was handled quietly, yet another organization suffered the same fate. I personally know of one craftsman who had his business wiped out by such an embezzler who then moved on to a nonprofit and nearly did the same thing.

    So while it’s one thing to protect your own reputation, it might be good to consider the overall impact of having such a person out their reeking havoc on the community.

  • John Gear

    Nonprofits should also quickly call their insurance broker and review their general business liability policy; such policies often have an employee theft coverage provision, integral or as a rider. That can be helpful in providing the funds to do the audit.

    I read the post as nearly outright suggesting that, if the organization can be made whole, there is no need to call the cops. I strongly disagree, because that is how embezzlers get away with repeating the conduct — no one calls the cops because the organization wants to keep it hush-hush; this sets up the next victim nicely. It’s bad for the nonprofit sector as a whole.

    I strongly feel that any business needs to have a simple standard for calling the cops:

    The one I propose is that you ALWAYS call the cops when management (or the board, in certain cases) reasonably thinks that a crime has been committed against the organization — whether by a donor, a volunteer, or an employee. If there’s a clear policy so that everyone knows that, it also helps deter embezzlement in the first place.

  • Diana Kern

    Great information however, I would add that the Board has a responsibility to critical stakeholders (donors, foundations) to contact them with a statement on how they are handling the situation and their plan for taking a leadership role in the matter. Funders should NEVER hear about theft by an insider at a large level from media, staff or anyone other than the officers of the Board of Directors.

  • Boris Frank

    Maybe I missed it, but I saw nothing in this posting that discussed preventative measures…including carrying appropriate dishonesty insurance or bonding for any person in the agency involved in having access to organizational assets.

    It is the responsibility of the Board to be certain that assets are protected BEFORE the horse escapes the barn.