The Importance of Effective Financial Governance and Internal Controls in the Wake of Reported Embezzlements at Prominent Nonprofits

By Charles Tate, CPA, MS

Exhibit A. Sample of Senator Grassley’s Information Requests

On November 1st, 2013, Senator Charles Grassley (R-IA) requested that the American Legacy Foundation Board Chair Lawrence G. Wasden provide context and understanding for Legacy’s actions concerning the alleged $3.4 million embezzlement. Grassley also believes that Legacy’s Form 990 contains several entries regarding fundraising, administrative expenses, travel expenses, and salaries that raise more questions. The following is a sample of the 30 information requests to which Legacy was asked to respond.

  • Please provide a list of all your board meetings and the locations of those board meetings from 2008 to the present.
  • Please provide the attendance for all board meetings from 2008 to present, including who attended the entire meeting, who attended part of the meeting, and who was absent.
  • When did the Board of Directors last do a self-evaluation of the Board's work and performance? Please provide a copy of that evaluation.
  • When does the board intend to conduct another evaluation?
  • When has the board last conducted an evaluation of the effectiveness of the American Legacy Foundation's operations? Please provide a copy of the evaluation.
  • When does the board intend to conduct another evaluation?
  • Please provide the names of the audit committee and how often they met from 2008 to the present.
  • Please provide the attendance for all audit committee meetings held from 2008 to present, including who attended the entire meeting, who attended part of the meeting, and who was absent.
  • Please provide all justifications (including compensation surveys) for the salaries of Legacy's senior executives.
  • Legacy's most recent form 990 says that Legacy spent $964,693 on travel. Please provide detailed accounts of this travel.
  • The National Association of Attorneys General currently occupies the 8th floor of 2030 M Street. Given the close ties between the Association and the Legacy Fund, what steps are taken to reduce conflicts of interest when negotiating rent?
  • Legacy's 2011 form 990 shows $5,459,035 in investment management fees, more than the $4,689,641 Legacy made in charitable grants. Please provide details regarding these management fees.
  • Please provide the names of Legacy's investment committee, how often they meet, and where they meet.

The Washington Post recently reported that an administrative assistant admitted to stealing more than $5 million from the Association of American Medical Colleges (AAMC) in one of the largest embezzlement schemes at a Washington area nonprofit organization. AAMC said it would "apply the lessons we have learned from this experience, as well as share them with others in the nonprofit community." A few days earlier the Post reported on an alleged embezzlement at the Progressive Policy Institute (PPI). A month earlier the Post reported that the American Legacy Foundation (Legacy) had allowed a $3.4 million diversion of assets to go unreported for three years and then minimized its impact on its Form 990. Following the Post report, Senator Charles Grassley (R-IA) requested that Legacy provide context and understanding for its actions concerning the alleged $3.4 million embezzlement. Beyond the embezzled funds, Grassley says that Legacy's Form 990 contains several entries regarding fundraising, administrative expenses, travel expenses, and salaries that raise more questions. In fact, Grassley's letter contains 30 requests for information (Exhibit A) to which Legacy was asked to respond. Many of the items relate to Legacy's financial governance and, therefore, the underlying internal controls.

Why Does This Happen?
A primary responsibility of management and the board is to ensure that an organization is accountable for its finances to contributors, members, the public, and government regulators. All too often, however, internal controls are poorly designed, misapplied, and misunderstood. According to the Post, PPI's CEO stated "We didn't have our systems up and running, and it didn't cross folks' minds at that point as something that needed to be watched." AAMC's CEO told the Post "We are truly stunned," while acknowledging that "nonprofits have lacked some of the rigor that is enforced in for-profit organizations on monitoring finances." So why is this lack of rigor prevalent in even the largest and most prestigious nonprofits? The problem stems from a lack of understanding about the controls that support effective financial oversight, as well as insufficient resource allocation for those controls.

Lessons Learned
The recent exposés of Legacy, PPI, and AAMC illustrate the consequences of poor internal controls. Nonprofits should take this opportunity to review their governance and financial reporting activities, specifically the completion of the Form 990, the intake process for whistleblower reports, and the approach to internal controls. The following paragraphs provide further detail.

Take your Form 990 seriously. The IRS' instructions require that if a "significant diversion" (defined by the IRS as "including but not limited to embezzlement or theft") of assets has occurred, an organization is required to "explain the nature of the diversion, amounts or property involved, corrective actions taken to address the matter, and pertinent circumstances." PPI's CEO said that until contacted by the Post, he did not realize the organization's accountants had included a reference to the financial loss on the Form 990 and that the incident had not been made public elsewhere.

Think of the Form 990 as a mini-version of the Form 10-K filed by publicly traded companies to disclose information about governance, compensation, and finances. A publicly traded company would never release its Form 10-K without a thorough review by management. What is reported on the Form 990 is there for the taking by friend and foe, and that foe may not be the IRS. Every organization must understand its Form 990, answer questions honestly, and use Schedule O to expand or clarify a "yes" or "no" response.

Develop and enforce a whistleblower policy. According to the Post article, Legacy failed to take action on a whistleblower report in 2007 and waited nearly three years before launching an investigation. In November or December of 2007, a foundation executive — Legacy officials called him a whistleblower — approached the foundation's CFO and said that he was unable to locate computer equipment listed in the foundation's inventory. The CFO did not refer the report up the line at Legacy. In August 2010, the same employee again raised an alarm, bypassing the CFO and taking his concern to a staffer close to Legacy's chief executive. Legacy then retained a forensic accounting firm and by November 2010 concluded that a fraud had occurred.

Surveys conducted by the Association of Certified Fraud Examiners (ACFE) revealed that fraud in nonprofits is detected nearly 50 percent of the time by tips, which is the leading method for detecting fraud in all types of organizations. The American Institute of Certified Public Accountants (AICPA) recommends that whistleblower complaints be reported directly to the audit committee rather than to members of the organization's management team. Nonprofits must think carefully about to whom whistleblower complaints should be reported. Factors to consider are the size and complexity of the organization, as well as the accessibility and objectivity of the parties to whom such reports should be made.

Understand your responsibility for internal controls. In the Post report, AAMC stated that the perpetrator exploited every gap in their system, employed various methods of deception and cover-up, and that while outside auditors conducted reviews of the group's balance sheets, they were not intended to detect fraud. To be clear, establishing and maintaining internal controls is the responsibility of management and board—not the outside auditor. These controls should be documented to ensure that management and the board know they exist and should contain the five components of COSO's[1] Internal Control — Integrated Framework described below.

  1. Control Environment is the tone of an organization, which influences the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The control environment is:
    1. The integrity, ethical values and competence of the entity's people;
    2. management's philosophy and operating style;
    3. the way management assigns authority, designates responsibility, and organizes and develops its people; and
    4. the attention and direction provided by the board of directors.

    Exhibit B provides examples of COSO's Control Environment component.

    Exhibit B. Examples of a Control Environment

    • Demonstrating a commitment to integrity and ethical values in a monthly newsletter to employees that emphasizes key aspects of the organization's mission statement and ethical values, including examples of ethical dilemmas with suggested resolutions.
    • Reminding employees that as part of their annual performance review they must certify that they have read the organization's mission statement and code of conduct and that they are in compliance with those policies.
    • Promoting the reporting of misconduct by providing an anonymous means for employees to report potential fraud occurrences and other ethical concerns without fear of reprisal. Potentially illegal acts or financial reporting improprieties reported through the helpline are communicated directly to the general counsel and audit committee.
    • Actively monitoring the actions of departmental managers and utilizing the services of an outsourced internal audit firm to review high-risk activities.
    • Reminding employees through ongoing oral communications and reinforcing through the organization's actions that unethical behavior will not be tolerated.
    • In executive session, discussing the audit committee's assessment of the risks of management override of internal control, including motivations for management override and how those activities might be concealed.
    • Determining if there is a significant economic benefit to having an outside service firm perform certain functions, to improve segregation of duties and enhance access to qualified specialists.
    • Determining if the finance staff, hired to perform basic accounting and bookkeeping functions, has the expertise needed for the associated financial reporting responsibilities.
    • Structuring the finance department and assigned levels of authority and responsibility for specific positions based on need and skills. The organization chart depicts the assigned responsibilities at all levels and references written job descriptions for all employees. Employees are evaluated based on their performance of those responsibilities.

  2. Risk Assessment is a process for (1) identifying and analyzing risks relevant to the achievement of the organization's mission and (2) forming a basis for determining how external and internal risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

    Exhibit C provides examples of COSO's Risk Assessment component.

    Exhibit C. Examples of a Risk Assessment

    • Considering external factors such as economic, competitive, and industry conditions; the regulatory and political environment; and changes in technology, supply sources, customer demands, or creditor requirements.
    • Evaluating risks based on their potential impact and likelihood.
    • Conducting a comprehensive fraud risk assessment to identify the various ways that fraud and misconduct can occur.
    • Mapping controls in flow charts to target activities that might generate accounting errors.
    • Meeting with IT managers and departmental heads to consider IT-related risks; mapping the related applications to the operating systems, databases, and supporting IT processes; and considering inherent risks, needed improvements, and opportunities to automate manual controls to improve efficiency.

  3. Control Activities are the policies and procedures that help ensure management directives are carried out. Control activities may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, security of assets, and review of operating performance. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.

    Exhibit D provides examples of COSO's Control Activities component.

    Exhibit D. Examples of Control Activities

    • Documenting key business processes in the form of policy statements, which are approved and communicated to staff through the organization’s intranet. The policy statements deal with spending authority, revenue recognition, expenditure requests, code of conduct, whistleblower reporting procedures, and fixed asset acquisitions, depreciation, and disposition.
    • Using templates and matrices to make informed decisions as to which processes need additional detailed controls.
    • Flowcharting control activities with accompanying narrative to document control procedures in the context of business processes, identifying individuals responsible for performing control procedures, and testing control procedure effectiveness.
    • Evaluating and designing IT controls, including:
      • Systems Development: Controls over design and implementation of systems that help ensure systems are appropriately developed, configured, approved, and migrated into production.
      • System Changes: Controls over modifications to systems – whether applications, supporting databases or operating systems – helping to ensure that changes are approved, properly tested, and implemented. (In less complex environments, system changes and systems development procedures are often combined for ease of implementation, training, and ongoing maintenance.)
      • Security and Access: Controls over critical applications, supporting databases, and networks that help management ensure access is properly authorized and data is appropriately used, maintained, and reported.
      • Computer Operations: Controls over day-to-day operations that help ensure processing errors or improprieties are identified and corrected in a timely manner.
      • Application Controls: Controls built into applications to help ensure completeness and accuracy of transaction authorization, validity, and processing, as well as related manual user controls.
      • End-User Computing: Controls over spreadsheet and other user-developed applications that address potential input, logic, and interface errors.
      • Outsourced Operations

  4. Information and Communication involves pertinent information about internal controls that must be identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication must flow down, across, and up the organization. All personnel must:
    1. Receive a clear message from top management that control responsibilities are to be taken seriously;
    2. understand their own role in the internal control system, as well as how individual activities relate to the work of others; and
    3. have a means of communicating significant information upstream.

    There also needs to be effective communication with external parties, such as members, donors, customers, suppliers, and regulators.

    Exhibit E provides examples of COSO's Information and Communication component.

    Exhibit E. Examples of Information and Communication

    • Using matrices to describe processes, persons, and/or functions responsible for creating, modifying, approving, using, and monitoring information in each process and sub-process.
    • Meeting monthly with the CFO and department heads to validate and document key assumptions that drive the organization’s finances.
    • Documenting the accounts payable process using information maps that depict the contract management process, authorizations, and software used. Information/business process maps help identify the inputs and outputs of a process, related activities and controls, and supporting information systems/documentation.
    • Holding semiannual meetings with departmental staff, which the CFO uses as a forum to provide an update on key objectives for the next six months, reinforce policies related to ethics and integrity, review the importance of internal controls, and discuss changes to the internal control structure.
    • Surveying members, donors, customers, vendors, and others on their perception of the integrity and ethical values of organization personnel. This survey process is controlled by personnel independent of the primary member/customer/vendor contacts.
    • Communicating at least annually with key members/customers by a member of management independent of the primary contact. These discussions not only provide a sounding board for the members/customers, but also enable the organization to update its understanding of their business and external factors affecting the member/customer.

  5. Monitoring is a process for assessing the quality of internal control performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs during the course of operations. It covers regular management and supervisory activities, as well as actions taken by personnel in performing their duties. The scope and frequency of separate evaluations depends on the results of the risk assessment and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

    Exhibit F provides examples of COSO’s Monitoring component.

    Exhibit F. Examples of Monitoring

    • Using operating measures and key control indicators (KCIs) for major accounting and financial processes, including accounts receivable, payroll, accounts payable, and financial statement preparation. Accounts payable KCIs, for example, focus on the accuracy, timeliness, completeness, and compliance of documents received for vouching and checks prepared, with performance tracked to targets. Results are shared with the management team and used for performance appraisals and related development programs.
    • Dedicating approximately 30 minutes per month in departmental meetings to discuss ways to address control deficiencies and improve the internal control structure. Team leaders report deficiencies and recommendations to the CFO, based on the nature and materiality of the issue.
    • Maintaining a weekly revenue target report whereby the controller reconciles actual sales reported by the accounting system with targets. Significant variances are investigated with the assistance of departmental managers.

Although the COSO Framework has been around since 1992, it was not until the enactment of Sarbanes-Oxley (SOX) in 2002 that it gained renewed prominence. SOX requires a public company's CEO and CFO to sign an assessment of the effectiveness of the company's internal controls, to which an independent auditor must attest. The COSO Framework is the tool commonly used by public companies to develop and enhance internal controls. While nonprofits are not required to issue an internal controls assessment, COSO's 2013 update clearly states that the internal control framework applies to nonprofit organizations. COSO is an effective guide for nonprofit leaders who wish to improve their approach to risk management, strengthen internal controls, and deter fraud.

In the wake of these recent reports, every nonprofit organization should ask a few simple questions:

  • Do we have documented internal controls?
  • Are our internal controls cost-effective?
  • Do the internal controls reflect changes in technology?
  • Do the internal controls focus on high-risk financial processes?
  • Are internal controls communicated throughout the organization?
  • Are we monitoring our internal controls?

The implementation and monitoring of effective internal controls, as overseen by sound financial governance, is imperative for nonprofits hoping to avoid the mistakes and reputational damage of Legacy, PPI, and AAMC. Nonprofit organizations can minimize the risk of loss, adverse publicity, and imposition of rigid mandates from Congress, the IRS, and other governmental agencies by taking a serious look at their internal controls.

Charles Tate is the Managing Partner of Tate & Tryon, a public accounting firm that specializes exclusively in serving tax-exempt entities, including associations, professional societies, cultural, educational, scientific, research, and advocacy organizations. He can be reached through the company's website at or by email at

[1] The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992 issued the Internal Control — Integrated Framework to help businesses and other entities assess and enhance their internal control systems. The Framework was updated in 2013 and is recognized by executives, board members, regulators, standard setters, professional organizations, and others as an appropriate comprehensive framework for internal control.