When newly elected Hacker Dojo board member Sudarshana “Sophie” Banerjee asked to review the financial records for the popular Silicon Valley hackerspace in 2016, it was clear almost immediately that something didn’t add up.
The nonprofit's credit card “appeared to have been used to pay for Las Vegas trips, hotels, gym memberships” and other non-Dojo-related expenses, according to Mountain View Voice, a Silicon Valley newspaper.
Banerjee reported her findings to the rest of the Hacker Dojo board, which triggered an audit. The day after the board gained full access to the organization's accounts, Hacker Dojo's longtime office coordinator came forward and confessed to using the company card for personal expenses.
The employee was promptly suspended and pledged to pay back the unauthorized charges, which amounted to as much as $30,000. But the Hacker Dojo community was left asking itself how the misappropriation happened. Known for its transparency and utopian vibes, Hacker Dojo was especially taken aback by this breach of financial trust.
Hacker Dojo in context: Employee theft by the numbers
Employee embezzlement is a devastating breach of trust for any organization, and it’s more common than some might realize. Workplace theft costs businesses an estimated $51 billion per year, according to Statistic Brain.
In Hacker Dojo’s case, the amount the employee spent—approximately $30,000—was likely the organization's second-highest expense after rent. But the data tells us that it could have been much worse.
According to the 2018 Global Study on Occupational Fraud and Abuse, by the Association of Certified Fraud Examiners (ACFE), the median amount lost in a fraud case in 2018 was $130,000. Among nonprofits like Hacker Dojo, the median was $75,000: a significantly smaller amount, but one likely to be even more crippling for organizations where finances are often already tight.
Small organizations feel the pain of employee fraud significantly more than larger ones. According to the ACFE study, businesses with fewer than 100 employees suffered the greatest percentage of fraud cases (28%). Businesses with fewer than 100 employees also lost almost twice as much per incident as businesses with more than 100 employees ($200,000 vs. $104,000, respectively).
The fact that it was a female administrative assistant who perpetrated the fraud makes the Hacker Dojo case something of an anomaly. Sixty-nine percent of fraud cases are perpetrated by men, and 85% are committed by someone in management or higher, according to a 2018 study by insurance agency Hiscox.
In terms of how the theft was accomplished—with a company credit card—the Hacker Dojo case is more typical. According to the Hiscox study, the three most common methods of embezzlement are
- billing fraud — inaccurately reporting spending, creating fictitious vendors, and overstating payments made;
- cash on hand — theft of cash the business keeps for day-to-day operations; and
- check and payment tampering — diverting payments made to the company into personal accounts or writing company checks to personal accounts.
As for how employee theft is typically detected? The majority (40%) of cases come to light via tip, according to the ACFE report, followed by internal audit (15%). Management review, like the one triggered by Banerjee at Hacker Dojo, accounts for 13% of cases.
Data can help us set the Hacker Dojo story in context. But employee fraud doesn’t happen in a vacuum, and no individual case adheres perfectly to the neat outlines of data. It’s worth considering how the dynamics of an individual organization can leave it vulnerable.
In the case of Hacker Dojo, a few factors stand out.
Nobody had eyes on Hacker Dojo's finances
Hacker Dojo is a hackerspace in the true sense of the word, with a culture that embodied the core values of the hacker ethos: openness, trust, and decentralization.
One thing Hacker Dojo didn’t have: a point person tasked with overseeing the organization's finances.
At the time of the incident, Banerjee told the Mountain View Voice that the position of board treasurer at the Dojo was “essentially an honorary title,” and no one had requested to review the organization’s financial records “in months.”
“The people who are [at Hacker Dojo] get things done; they're bad-ass — but they just don't want to manage things,” another Dojo member observed.
The hackers at Hacker Dojo may have equated financial discipline with the staid establishment that they were rebelling against. But effective oversight doesn't block progress and innovation; it enables it. When organizations have the right financial controls in place, they free everyone to focus on the work that will move the team forward.
Hacker Dojo has made efforts to improve its financial oversight since the incident. A few weeks after the theft surfaced, the board appointed a new treasurer to improve the Dojo’s processes. But by the time the Dojo realized that their financial oversight was lacking, the damage had already been done.
Lack of financial controls left Hacker Dojo vulnerable
Hacker Dojo had a vacuum of financial leadership, and that left the door wide open for abuse of the Dojo's culture of trust. With no one taking point on Hacker Dojo's financial protocols, there was no system to monitor expenses and no notification or alerts set up around suspicious or out-of-the-ordinary purchases.
The data suggests that Hacker Dojo is in good company. According to the ACFE report, weak internal controls were responsible for nearly half of all frauds studied.
Simply having controls in place goes a long way toward mitigating the damage of fraud cases. In an analysis of 18 common antifraud controls, the ACFE study found that all 18 correlated with some reduction in the total amount of the theft. Among the most effective preventive measures: a code of conduct (56% reduction), proactive data monitoring/analysis (52% reduction) and surprise audits (51% reduction).
The data monitoring and analytics warrant particular attention because there are so many tools available today that make that kind of oversight possible. With the right financial tools in place to monitor what money is being spent, by whom, and where, team members in finance and across the organization can focus on strategic initiatives that will move the company forward knowing that the administrative labor of monitoring the money is covered.
A shared credit card led to less transparency, not more
A shared credit card may have seemed, at the time, like a good idea to the Hacker Dojo team, in line with the hacker values of transparency and accessibility. But the reality is that shared credit cards often lead to less transparency, not more, and they further widen the window for potential fraud.
That was certainly the case at Hacker Dojo. By the time the board began their investigation, they had difficulty determining how much money had been spent and which expenses were or were not legitimately tied to the Dojo's operations. Speaking to the Mountain View Voice a month after the incident had come to light, Banerjee said that Dojo staff had been able to locate “only a fraction of the receipts and cashier's checks written over the last years.”
Banerjee also called the Dojo’s bookkeeping methods into question, stating that the records featured “inexact approximations or in some cases what she believed could be outright falsified numbers,” according to the Voice.
It's not just Hacker Dojo: spending decisions are becoming more decentralized at organizations across the board, with more and more purchasing decisions being made outside of traditional billing departments.
It isn't practical—or even desirable—to unring that bell. There are plenty of benefits to individual employees having the power to make spending decisions on their own. But the increase in financial agency has to go hand in hand with financial transparency that holds individuals accountable.
The irony of the Hacker Dojo incident is that it happened in the heart of the tech community, which has spent years producing tools aimed at increasing financial transparency and control. With the right tools in place to monitor the Dojo's overall financial situation and with purchasing decisions going on across the organization on a day-to-day basis, the whole incident could have been avoided.
How to protect your organization from employee fraud
Three years after the incident, business is back to normal at Hacker Dojo. But what happened in 2016 serves as a cautionary tale. Openness and trust are a necessary part of any healthy organization, but they cannot take the place of clear financial policies and processes that limit fraud risk. These include:
- A clear expense policy outlining what purchases are and are not allowed with company cards
- Proactive approval controls that designate specific individuals to approve or deny purchase requests before any money is spent
- Virtual credit cards, rather than physical ones, so each purchase is traceable to the person who made it
- Real-time spend monitoring, not only during an audit
In addition, the ACFE report includes a checklist that organizations can use to assess their theft-prevention measures and develop a procedure for reporting fraud.