The Spotlight
The Official Blog for Arts and Cultural Organizations

Preventing Fraud, Part I

Fraud is a problem in all types of organizations, but it can be especially tough for performing arts organizations and museums since we’re frequently dealing with temps for most of the front desk work. As consultant Leslie Bradford discussed in her Blackbaud Conference session To Catch A Thief, there are a lot of ways you can get ripped off. Since not everyone was able to make the conference, I’ve decided to do a series of posts on some things you can do to prevent fraud at your organization.

Restrict access to the system
Not every user should have a System Administrator profile, and every user should belong to a user group. If a cashier’s only function is selling tickets, he should not have access to Administration or reports at all. Think carefully about which users need which level of permissions.

Give everyone a unique login and cash drawer
Your login should be treated as your signature. I know logins like User1, User2, User3 are a lot easier to manage than dealing with creating new logins every few months. But it becomes a lot harder to track down where the money went at the end of the day when everyone is using the same generic login.

Use secure passwords
Require a password that’s different from the login (there is a setting in Administration>Company that can enforce this). It should have at least eight characters and contain both letters and numbers. Most importantly, never share your password. It does no good to give everyone their own login if they can all log in as Supervisor or as each other. Be sure to change passwords at least every 90 days.


Change the Supervisor password
There are two default login/password combinations that come with PE, depending on how long you’ve had the program. I can’t tell you how many people my analysts get onto a screenshare with, only to see the user enter pe/1 or Supervisor/admin. If your database still uses one of these defaults, change it immediately. Ideally, only one or two people at the organization should have access to this password, and if the login is used frequently, the same 90-day password rotation applies here.
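
The checks from the four sections above can be run against a list of user accounts. The following is an added example, not code from PE or from this blog; the CSV layout, column names, sample accounts and function names are assumptions constructed for illustration.

```python
import csv
import io
import re
from datetime import date

# Constructed sample export; the column names are assumptions, not a real PE format.
SAMPLE = """login,profile,user_group,job,password_changed
Supervisor,System Administrator,Admins,manager,2023-01-15
User1,Cashier,Box Office,cashier,2024-05-01
jsmith,System Administrator,,cashier,2024-04-20
mlopez,Cashier,Box Office,cashier,2024-05-10
"""
DEFAULT_LOGINS = {"pe", "supervisor"}      # default logins named in the post
GENERIC = re.compile(r"^user\d+$", re.I)   # User1, User2, ... shared-style logins
MAX_AGE_DAYS = 90                          # rotation interval from the post

def password_problems(login, password):
    """Rules from the post: differs from login, 8+ characters, letters and numbers."""
    problems = []
    if password.lower() == login.lower():
        problems.append("same as login")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and numbers")
    return problems

def audit(csv_text, today):
    # Returns a list of (login, [issues]) for every account that needs attention.
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["login"].strip()
        issues = []
        if GENERIC.match(login):
            issues.append("generic login")
        if login.lower() in DEFAULT_LOGINS:
            issues.append("default account: confirm the default password was changed")
        if not row["user_group"].strip():
            issues.append("no user group")
        if row["profile"].strip() == "System Administrator" and row["job"].strip() == "cashier":
            issues.append("cashier with System Administrator profile")
        age = (today - date.fromisoformat(row["password_changed"].strip())).days
        if age > MAX_AGE_DAYS:
            issues.append(f"password {age} days old")
        if issues:
            findings.append((login, issues))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE, date(2024, 6, 1)), sep="\n")
```

Run `password_problems` at the moment a password is set, since an account list should never contain the passwords themselves.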

Next time I will discuss using the Drawer Cash Out feature and how it helps in combating fraud at your organization. How are you handling access to the system? Leave a note in the comments.

