Thursday, June 13, 2024

Wayward Nonprofit Fiduciaries Come in Bunches. The Heinz Endowments Sues One of Them

The most intriguing check box on a nonprofit's disclosure form - The  Washington Post

The Heinz Endowments sued its former IT Director on Monday seeking to recover about $1 million embezzled over a ten year period.  We sometimes blog about nonprofit fiduciary theft and embezzlement on this blog.  These cases come in bunches, it seems. Last week we reported on the allegation that an insider embezzled $40 million from the Detroit Riverfront Conservancy.  Yesterday, the Washington Post reported on a case where a fiduciary stole $2.5 million from his nonprofit clients:

After a client confronted Graham Hauck about missing funds in 2019, the management executive who lived in Washington’s comfortable suburbs paid the money back — then kept stealing. In 2021, after FBI agents warned Hauck that he was under investigation for embezzling funds, he kept stealing. Two years later, after federal prosecutors laid out all of the evidence against him, Hauck kept stealing. And in March, after being offered a deal to plead to wire fraud, Hauck kept stealing. Before pleading guilty, he took his family on a vacation to Hawaii. Then he stole some more. On Wednesday, Hauck, 51, was sentenced to 5½ years in prison and ordered to repay his victims, which include a cancer-research nonprofit, a museum association and an international trade lobbying group.

There is a recent case in Oklahoma involving a couple that embezzled from an addiction nonprofit. And another reported this week in Tacoma, Washington. That case involved an insider siphoning funds intended for job training for native Americans.

People are flawed, some deeply, so nonprofits will occasionally experience a betrayal at the hands of a once well-meaning fiduciary.  There is a slew of public domain advice about how to guard against the inevitable and also how to manage the crisis when it happens anyway.  But reactive remedies don't entirely absolve the people responsible for safeguarding charitable assets, not even under the Volunteer Protection Act and similar state statutes in all 50 states.  Those statutes are surprisingly detailed and contain enough exceptions and hoops to jump through that the possibility of personal liability can’t be easily dismissed.   

I’m sure the folks at The Heinz Endowments don’t need this blog to tell them what they already know.  General advice can only be a guide anyway.  Specific responses must be tailored to specific circumstances.  Probably the only constant is that keeping things quiet and hoping the problem goes away is the riskiest response. Can a board just have the wrongdoer sign a promissory note and await repayment? As much as it would like to rehabilitate and welcome home a once loved prodigal fiduciary -- and avoid reputational damage -- that approach is hardly ever a good one.  Said the Attorney General on cross examination, “So after you learned that he misappropriated funds and you couldn’t trust him, you had him sign a promissory note and kept it quiet, is that right Trustee Jones?”    

Still, it’s gotta be a sad and disappointing task cleaning up the mess.  Especially when cleaning it all up requires resort to civil and criminal courts.  Right before Christmas last year, the Heinz Endowments discovered that its long term trusted IT guy, a ten year employee, may have embezzled or stolen nearly $1 million.  Far less than the amount allegedly stolen from the Detroit Riverfront Conservancy, but enough to require a surgical response and some introspection anyway.  Introspection because the embezzlement inevitably causes stakeholders to wonder about the Board’s performance of its oversight obligations, never mind any legal liability.  Not only must the Board exercise diligence in mitigating the loss, it must also look backwards to determine the extent to which it met its fiduciary oversight obligations. In big outfits like The Heinz Endowments or the Detroit Riverfront Conservancy, the Board has to incur the expense of forensic accountants and law firms to determine the depth of it all, plus the structural flaws, if any, that allowed the theft to go unnoticed usually for years. And what about the outside accountants?  In Detroit, the accounting firm has declined comment, but its gotta be sweating bullets right now.  These things are uncomfortable and costly for everybody.

Here is what the Times reported about the Detroit Conservancy's oversight:

The case highlights an enduring problem among nonprofits. A lax or informal approach to financial management can leave groups that handle millions of dollars in public and private funds vulnerable to waste, runaway costs or, in the worst cases, insider theft. When this happens, it’s often hard to catch. While the Internal Revenue Service has oversight over nonprofits, the average annual audit rate by the agency is less than 1 percent.  Brian Mittendorf, a professor who studies nonprofit accounting at Ohio State University, said that the conservancy’s official documents show that it took steps to safeguard its finances — including oversight from its board of directors and annual audits. “All these things sound as if it’s an organization with a pretty robust review in place. On the other hand, only one person can access the money, and provides paper copies in a Honey Baked Ham parking lot?” Mr. Mittendorf said. “Those sound like the opposite of a robust governance mechanism.” “It’s a story we’ve seen over and over again” in the nonprofit world, he said. “We don’t enter financial circumstances with enough skepticism.”

No doubt Heinz and the Detroit Conservancy are doing some navel gazing right now, even as they pursue recovery of the stolen charitable assets.  It might be a day late and a dollar short for the Conservancy trustees and their accountants.  Six months into its investigation, and no doubt after many costly meetings with legal counsel and accountants, Heinz decided to go public with a civil suit while simultaneously referring the matter to criminal authorities.  So these things create distractions from the charitable mission for as many years, at least, as the time it took the wrongdoer to siphon charitable assets.  You can read an extended excerpt from Heinz's federal complaint below the fold. 

darryll k. jones

Here is an extended sample of the allegations The Heinz Endowments made in a federal complaint against a trusted employee on Monday:

14. In or about December 2023, The Heinz Endowments began an investigation regarding the propriety of certain purchases made by Richardson using financial resources of The Heinz Endowments.

15. As part of this investigation, on or about December 19, 2023, at approximately 11:21 a.m.., The Heinz Endowments caused its third-party IT services provider to disable Richardson’s administrative access rights to the system and to remove his access to his email. At this time, The Heinz Endowments caused its third-party IT services provider to make a digital copy of Richardson’s email box on The Heinz Endowments’ system.

16. On or about December 19, 2023, at approximately 12:42 p.m., The Heinz Endowments’ President, Chris DeCardy, informed Richardson that it was performing an audit of certain computer-related expenses of The Heinz Endowments. At this time, DeCardy further advised Richardson that during the pendency of the audit, Richardson would not be allowed access to the IT systems of The Heinz Endowments and that his access to The Heinz Endowments’systems would be suspended during the pendency of the audit. After DeCardy’s communication with Richardson on or about December 19, 2023, Richardson had no authorization to access The Heinz Endowments’ servers and IT systems.

17. Despite these instructions, on or about December 19, 2023 at approximately 3:11 p.m., less than two hours after DeCardy’s communication with him, Richardson improperly, surreptitiously and without authorization accessed The Heinz Endowments’ servers and IT systems, upon information and belief, via a company-provided computer and/or via a device that was purchased using funds from The Heinz Endowments.

18. Richardson improperly, surreptitiously and without authorization remained in The Heinz Endowments’ servers and IT system for approximately 12 hours, during which time he improperly accessed another user account for himself and assigned it global systems administrative privileges.

19. During this 12-hour period, Richardson also improperly, surreptitiously and without authorization accessed his email and deleted (or attempted to delete) thousands of emails and documents. Upon information and belief, Richardson’s unauthorized access to The Heinz Endowments’ network and servers was intended to impede and hinder The Heinz Endowments’ investigation into the propriety of Richardson’s use of its financial resources.

20. Among the more than 1,000 emails Richardson deleted or attempted to delete from the account were emails applicable to The Heinz Endowments’ investigation of Richardson’s purchases.

21. Between on or about December 19, 2023 and on or about December 21, 2023, Richardson accessed or attempted to access The Heinz Endowments’ servers on several occasions. None of these accesses or attempts to access were authorized by The Heinz Endowments or any other entity.

22. While accessing The Heinz Endowments’ servers without authorization, Richardson also accessed and misappropriated files from The Heinz Endowments’ IT infrastructure and then deleted these files, thereby depriving and attempting to deprive The Heinz Endowments of the ability to investigate fully the complete scope of Richardson’s misdeeds.

23. On or about December 21, 2023, Richardson admitted, via text message to a Heinz Family Office employee, that he had accessed the servers for an allegedly innocent purpose, despite DeCardy’s clear communication that he was not authorized to do so.

24. Richardson’s nefarious actions while having unauthorized access to the servers, including his deletion of more than 1,000 emails directly related to the investigation being undertaken by The Heinz Endowments, refute Richardson’s alleged innocent purpose for accessing the system.

25. Following these unauthorized intrusions, on January 5, 2024, Richardson’s employment with The Heinz Endowments was terminated.

26. Upon information and belief, Richardson’s consulting relationship with the Heinz Family Office and/or the Heinz Family Foundation was also terminated.

27. Following Richardson’s termination, The Heinz Endowments continued its investigation and discovered additional acts of wrongdoing by Richardson.

28. The investigation revealed instances where Richardson had misused The Heinz Endowments’ resources, including:

a. From 2016-2023, Richardson embezzled significant funds of The Heinz Endowments to pay an IT-related company he owned and/or operated, called Operations Unlimited, Inc. (or Ops Unlimited) for services that were either never performed or were actually performed by another third-party IT vendor. In furtherance of his scheme to defraud The Heinz Endowments, Richardson submitted invoices for work that was never performed by Ops Unlimited. During the course of its investigation, The Heinz Endowments discovered that as part of his effort to hide his embezzlement, in or about April 2021 Richardson submitted a report actually prepared by the third-party vendor.  However, Richardson changed the report to create a new version that was intended to make it appear that it was actually authored by Ops Unlimited, the company owned and/or operated by Richardson.  In total, Richardson embezzled at least approximately $960,000 of The Heinz Endowments’ funds to himself through Ops Unlimited for IT services that were never provided.  Between in or about December 2016 and in or about July 2023, The Heinz Endowments either mailed or wired through interstate commerce approximately $960,000 to Ops Unlimited, that was deposited in accounts of either Ops Unlimited or Operations Unlimited.

b. As a further part of his scheme to defraud The Heinz Endowments of its property, in or about March 2018, Richardson sold certain computer servers, which upon information and belief were property of The Heinz Endowments, to a third-party purchaser and directed the purchaser to pay Operations Unlimited.

c. In yet another part of his scheme to defraud The Heinz Endowments, on several occasions between 2022-2023, Richardson submitted expense reports for IT hardware and software he allegedly purchased using The Heinz Endowments assets that upon information and belief were never received by The Heinz Endowments. Upon - 5 - Case 2:24-cv-00838 Document 1   Filed 06/10/24   Page 6 of 15 information and belief, Richardson’s practice of submitting manipulated receipts to support expense reports was not limited to purchases made in 2022-2023 or from the Apple Store.

d. Despite being requested to do so on multiple occasions upon his termination of his employment, Richardson never returned the plethora of IT hardware and software purchased by him for The Heinz Endowments using assets of The Heinz Endowments. Additionally, some of the equipment that was returned by Richardson was returned in a manner that suggests that it was “wiped” of data or intentionally damaged.

29. On or about December 20, 2023, in an effort to cover up his scheme to defraud The Heinz Endowments, Richardson also misappropriated data by logging into The Heinz Endowments’ IT system without authorization and exporting a copy of his Outlook file. Richardson attempted to delete and/or destroy the evidence of his scheme to defraud The Heinz Endowments on December 19, 20 and 21, 2023.

30. Even as late January 7, 2024, two days after he was terminated, Richardson continued to make unauthorized access into the IT system and computers of The Heinz Endowments by logging into The Heinz Endowments’ IT system without authorization.

| Permalink


Post a comment