Finding No. 2023-001: Cash Management and Subrecipient Monitoring Controls
Material Weakness
Finding:
Cash disbursements of federal funds intended for subrecipients of the federal program were
misappropriated due to a man-in-the-middle email scheme perpetrated by a TechnoServe program
manager. The intended subrecipient was paid and TechnoServe was able to recover most of the losses
through the bank and insurance.
Corrective Actions Taken or Planned:
Responsible Official: Jeff Chrisfield, Chief Financial Officer
Anticipated Completion Date: December 31, 2024
View of Responsible Individuals:
Between March and September 2023, an employee serving in a trusted position as finance manager
perpetrated a man-in-the-middle scheme to alter payment details relating to a sub-awardee, diverting
payments worth $331,127 for personal gain. This was a sophisticated scheme involving multiple fake
domain names and a methodical process to hijack and control all communications between TechnoServe
and the subrecipient relating to payments. The sophistication of the scheme, coupled with the employee’s
direct access to all involved parties, allowed him to evade detection by both TechnoServe and the
subrecipient for an extended period.
Immediately after the incident, TechnoServe verified payments with all subawardees and other major
vendors to ensure receipt of funds. No additional diversions occurred.
To ensure no similar scheme goes undetected, the following internal controls will be implemented:
1. Formalize subrecipient bank instruction changes: When a subaward is drafted, subrecipient bank
details are recorded in the subaward agreement. In this situation, the offending employee created
fake email correspondence, coupled with counterfeit bank letters, to initiate a change in bank
account information for the subrecipient and evade detection within TechnoServe. To mitigate this
risk, TechnoServe will require that all changes to subrecipient bank instructions be documented
with a formal subaward modification, signed by authorized representatives of both TechnoServe
and the subrecipient.
2. Verification of vendor data changes: TechnoServe already has in place a control over vendor records
requiring internal approval for changes to key vendor data, such as bank instructions. In addition,
payment offices regularly verify bank instruction changes with vendors. In this case, the controls
failed because the offending employee supported fraudulent changes with counterfeit bank letters
and falsified email chains such that they appeared to include the payee via a man-in-the-middle
scheme. To overcome this risk, TechnoServe will ensure that any change to vendor banking information
is verbally verified with the vendor by the relevant financial controller. In addition, we will implement
an automated process that sends an email notification to vendors regarding changes to the vendor’s
key data (name, address, phone, email, tax identification number, primary contact, and bank
information). Notification of changes to a vendor’s on-file email address will be sent to both the old
and new email addresses.
3. Automated notification statements of account: In this instance, the offending employee utilized a
man-in-the-middle scheme to intercept inquiries from the subrecipient regarding missing
payments, which delayed TechnoServe’s detection of the payment diversion. To mitigate this risk,
TechnoServe will institute a weekly automated statement of account detailing payments
transacted during the preceding period with instructions about who to contact in the event of a
discrepancy.
These actions, taken together, will help TechnoServe to prevent or rapidly detect similar schemes going
forward.
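
The automated change notification in control 2 could be sketched as follows. This is an added example, not TechnoServe's implementation; the field names, the masking of bank details, and the sample vendor and addresses are assumptions constructed for illustration. It shows why the notice must go to the email address on file before the change: a change made by someone who controls the new address would otherwise never reach the real vendor.

```python
from dataclasses import dataclass, asdict, replace

# Key vendor data listed in control 2 (field names are this example's own).
KEY_FIELDS = ("name", "address", "phone", "email", "tax_id",
              "primary_contact", "bank_account")

@dataclass(frozen=True)
class Vendor:
    name: str
    address: str
    phone: str
    email: str
    tax_id: str
    primary_contact: str
    bank_account: str

def changed_fields(old, new):
    """Return the key fields whose values differ between two record versions."""
    before, after = asdict(old), asdict(new)
    return [f for f in KEY_FIELDS if before[f] != after[f]]

def recipients(old, new):
    """Always notify the address on file before the change; add the new one if it differs."""
    to = [old.email]
    if new.email.strip().lower() != old.email.strip().lower():
        to.append(new.email)
    return to

def mask(value):
    """Keep only the last four characters (assumption: notices should not carry full details)."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def build_notices(old, new, discrepancy_contact):
    """Build one notice per recipient, or none when no key field changed."""
    changes = changed_fields(old, new)
    if not changes:
        return []
    body = [f"Key data on the vendor record for {old.name} was changed: " + ", ".join(changes) + "."]
    if "bank_account" in changes:
        body.append(f"New bank account on file: {mask(new.bank_account)}")
    body.append(f"If you did not request this change, contact {discrepancy_contact}.")
    return [{"to": addr, "subject": "Vendor record changed", "body": "\n".join(body)}
            for addr in recipients(old, new)]

# Constructed sample: bank details and on-file email changed in the same edit.
OLD = Vendor("Example Cooperative", "1 Market Rd", "+000 555 0100", "finance@coop.example",
             "TAX-0001", "A. Person", "XX00TEST0000111122")
NEW = replace(OLD, email="finance@coop-payments.example", bank_account="XX00TEST0000993456")
NOTICES = build_notices(OLD, NEW, "controller@payer.example")
```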