District Associate Judge Lee Card asked Karen Kardaleff what she had done. "Took money," she responded. "How did they catch you?" "The audit." He asked her why she had done it. "It was too easy," she said. "I didn't buy anything big." She said she used the nearly $80,000 she stole to pay bills and give to friends. Card sentenced the former treasurer of Healdton, Oklahoma, to a year in jail and ordered her to pay back the full amount to the city. (See "Former Healdton city clerk pleads guilty to embezzlement," by Michael Pineda, The Daily Ardmoreite, May 29, 2014.) Lack of controls and an oblivious city council and city manager allowed Healdton to freely loot the coffers.
Losses at nonprofit organizations are rampant. A Washington Post report states that a thousand nonprofits in the U.S. recorded losses of $250,000 or more from 2008 through 2012. (See Inside the hidden world of thefts, scams and phantom purchases at the nation's nonprofits, by Joe Stephens and Mart Pat Flaherty, Oct. 26, 2013, The Washington Post. The Washington Post's website also contains data from IRS filings, and shows the amount of nonprofit losses by name of organization.)
The CB Wealth Advisory reports that fraud is found in 20 percent of philanthropic organizations. The ACFE 2014 Report to the Nations on Occupational Fraud and Abuse states that nonprofits made up 10.8 percent of the fraud cases analyzed, and the median loss for these organizations was $108,000.
Of course, such losses are significant in these small organizations. The Report to the Nations indicates that the major forms of fraud are billing schemes, fraudulent reimbursements and check tampering. The major organizational weaknesses that lead to fraudulent activity are a lack of both internal controls and management oversight. Independent auditors don't detect most of these fraud schemes. The Report to the Nations shows that auditors detect only 3 percent of frauds compared with 7 percent of the frauds detected by accident. Accidents trump audits.
Now let's get back to our opening case. Healdton, a small city in south-central Oklahoma with a population of about 3,000, is probably best known as the birthplace of the actress Rue McClanahan from the "Golden Girls" TV sitcom.
In 2012, the Oklahoma State Auditor's Office issued an investigative report that identified the extent of Kardaleff's fraud. (See Investigative Report, City of Healdton, July 1, 2009 through June 30, 2012, Oklahoma State Auditor & Inspector, Jan. 22, 2014.) Investigators from the state auditor's office estimated that she had been committing fraud since almost from when the city hired her in October 2000 until questions arose about the city's financial procedures in 2010.
Fraudsters seldom use three different ways to commit crimes, but Kardaleff did. The estimated $80,000 she stole was close to 7.5 percent of the cash available to the city in 2011. Yet the accounting records were so disorganized that investigators couldn't determine the actual amount she stole. (See "State Audit Finds Thousands of Dollars Missing from Healdton Utility Billings," Helen Headlee, News 12, KXII, Jan. 23, 2014.)
We'll discuss the three methods she used to commit her frauds.
Method 1: Utility billing misappropriation. This was the primary method she used to steal the city's funds. Kardaleff substituted checks for cash to steal approximately $43,000 from customers' utility payments. (The major proprietary activity for the city is providing sewer and water services to the community through the utility fund.) Utility customers paid their bills with cash at the city offices, or they mailed in their checks. The customers who paid in cash received receipts, but those paying by check didn't.
The receipts weren't pre-numbered so receipt numbers weren't recorded in any sequence; actually the office didn't record any receipts at all. Kardaleff would substitute unreceipted checks for receipted cash payments to make the cash balance appear correct at the end of each day. This procedure causes a difference in the percentage composition of the aggregate balance between cash and checks collected and deposited in the bank although the total appears correct. Therefore it appeared correct when the revenue receipts journal was reconciled at the end of every day with cash collections. Kardaleff didn't record these checks in the revenue receipts journal; as the city treasurer, she was responsible for making bank deposits and preparing the bank reconciliation, so she was able to hide the composition of the deposits. The chart below, "The Healdton check-for-cash substitution fraud," depicts the steps.
Of course, strong internal controls require that no one person should be responsible for receiving, depositing, recording and reconciling the accounts. Also, no one person should be responsible for authorizing payments, disbursing funds and reconciling bank statements. Clerks collecting payments also shouldn't use a single cash drawer. Each clerk collecting payments should be responsible for his or her cash drawer and balance it against receipts at the end of the day. Obviously, these internal controls weren't in effect in Healdton. And a basic violation of any internal control system is not sequentially numbering receipts for cash payments.
Method 2: Stealing of cash from the vault. The city clerk would place revenues received from collections in the vault; the next business day the city clerk would open the vault, and Kardaleff would remove the cash. Some days she would deposit some of the cash in the bank, and other days she would keep all of it.
During the day, the department imposed no controls over the unsecured vault; they kept it completely open for easy access. So Kardaleff was able to cover up her theft of about $37,000 in cash. Of course, bank deposits often were significantly less than the amount of cash recorded in the revenue receipts journal, which Kardaleff had already reconciled at the end of the previous day and wouldn't reconcile again. Bottom line: no one detected these thefts because Kardaleff was responsible for both depositing the cash in the bank and preparing the balance reconciliation.
Obviously, minimum internal controls demand that an organization's cash needs to be kept in a locked secure location — not in an open bank vault. Authorized access should be limited to one person and a second designate for emergencies. No personal checks should be cashed out of any cash on hand. To avoid large amounts of cash held in an office, an organization must make bank deposits several times a day if the amount reaches a specified dollar level.
Method 3: Manipulation of computer records. The city used a computer system and billing software that recorded receipt numbers on revenue payments to the city for various services. Investigators reviewed computer printouts and determined that the computer records related to the utility office had been corrupted.
Kardaleff had complete access to the billing system and was allowed to make changes to it without oversight. Consequently, she removed or altered receipts that had been previously recorded in the billing system to cover evidence of the fraud. Because the receipts weren't pre-numbered, it was impossible to determine if receipts were properly sequenced. Therefore, it was easy for Kardaleff to make changes to the billing system without arousing suspicions although it did leave date gaps in the receipt sequencing. But no problem; no one checked that anyway. Kardaleff would alter receipts in the billing system by lowering the amount received to cover the fraudulent theft of cash.
The Healdton financial fraud illustrates the need for strong internal controls in even the smallest nonprofit organization.
Good internal controls demand that computer systems must log unauthorized access. Also, each employee should have a password with restricted levels of approved access to the network. [See the Committee of Sponsoring Organization of the Treadway Commission (COSO) 2013 Internal Control — Integrated Framework, p. 91, AICPA.] When employees are away from their computers for a set period of time, organizations should require automatic shutdowns and require those employees to access the systems again with their passwords. But Healdton had none of those controls. Any employee could access and manipulate its computer system.
The city council's faulty oversight of the financial system was a major reason Kardaleff could commit her frauds for close to 10 years. During her time as treasurer, she seldom submitted timely financial reports to the council, and the council didn't penalize her. The audit report for the fiscal years ended June 30, 2011 included these statements:
We were unable to obtain sufficient records supporting financial statement amounts because of discrepancies in the records. The resolution of these discrepancies is not presently determinable. Because of the significance of the matter discussed in the preceding paragraph, we are unable, and we do not express, an opinion on the financial statements referred to in the first paragraph.
Apparently, the city council and the city manager ignored or didn't understand the meaning of the auditor's report of "no opinion" because of missing records and discrepancies in the financial records. According to Principle 2 in COSO's "2013 Internal Control — Integrated Framework," a council has an obligation and fiduciary responsibility to safeguard the assets under its control. ("The Council of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.")
City managers and city councils must realize that their negligence or ignorance could contribute to the loss of city resources and violate their fiduciary responsibilities. They need to understand that audits, by themselves, aren't expected to catch frauds, so they need to closely review audit opinions and disclosures in audit reports.
Many small nonprofit organizations foster a trusting "we are all family" attitude among employees. This approach, coupled with relaxed internal controls and the belief that audits will catch any frauds, make these organizations easy targets for financial fraudsters. City councils that lack members with no financial backgrounds only compound the problem.
Organizations should produce accounting policies and procedures manuals to reduce the possibilities of fraud. A manual should include clear descriptions of internal control procedures to be followed in requisitioning, authorizing, verifying, recording and monitoring governmental expenditures such as invoices, for example.
This manual also should include proper procedures for computer systems access, inputting data, authorization for changing records and procedures for archiving electronic data. Clearly written job descriptions should explain functions of council members, officers and employees of the organization. If an organization is too small or employees don't have the backgrounds to develop a manual, they should adapt a similar nonprofit's manual. (See Oklahoma Statutes – Title 11. Cities and Towns.)
The Healdton City Council abandoned, ignored or misinterpreted its management responsibility. Healdton operates under the council-manager form of city governance. Guidelines for the city come from state statutes. According to the Oklahoma statutes:
… All powers of a statutory council-manager city, including the determination of matters of policy, shall be vested in the council. Without limitation of the foregoing, the council may: ... 4. Inquire into the conduct of any office, department or agency of the city, and investigate municipal affairs, or authorize and provide for such inquires. (Laws 1977, c. 456, S10-106, eff. July 1, 1978).
From a legal perspective this statement gives a council the authority to ask questions about the city's financial reports received. It doesn't have to pass its authority on to auditors or to the city manager.
The public accountants' lack of opinion for two years should have caught the Healdton council's attention. A new city manager, hired in 2010, attempted to address the auditors' concerns, but the council's members were indifferent and were unwilling to raise questions about the issues. Council members believed the financial issues raised by the auditors weren't the council's problem.
Responsibility for financial fraud hasn't always left boards and council members legally unaffected. Board members at the Educational Housing Services (EHS), a New York nonprofit that rented housing to students, were required to repay $1 million in personal funds as part of a fraud settlement at EHS. The fraud was considered a breakdown in governance because the board was negligent in reasonably accessing a fraudulent contract. (See ‘Stunning' Negligence: Trustees Must Personally Pay $1M in Fraud Case, by Ruth McCambridge, Nonprofit Quarterly, Dec. 11, 2012.)
The Healdton financial fraud illustrates, once again, the need for strong internal controls in even the smallest nonprofit organization. Although the amount of stolen funds doesn't appear to be huge, the damage was sizable. The actual amount of the loss is still undetermined because of corrupted financial records and reports. The audit report findings for the city of Healdton in 2011 should have immediately alerted the city council and city manager to the financial problems the city was facing. It didn't.
G. Stevenson Smith, Ph.D., CPA, CMA, is the John Massey Endowed Chair and Professor of Accounting in the School of Business at Southeastern Oklahoma State University in Durant, Oklahoma. His email address is: sgsmith@se.edu.
Theresa Hrncir, Ph.D., CPA, is a professor of accounting in the School of Business at Southeastern Oklahoma State University in Durant, Oklahoma. Her email address is: thrncir@se.edu.
A cohort of high-level executives — a state legislator, a former mayor of Albuquerque, an architectural project engineer, a project administrator and his wife — ran this false-billing fraud. Marc Schiff, the main architect on the project (item 1 in my chart below, which illustrates the flow of payments in the seven-year scam) submitted inflated invoices for architectural services. Sandra Martinez, owner of a new information software consultancy, submitted additional false invoices for audio-visual equipment and wiring (item 6 in the chart), which her husband, Toby Martinez, the project administrator, approved.
The conspirators tried to hide the money transfers via a circuitous routing through various bank accounts and by keeping the billings below the state’s threshold for review. (See Four indicted in Courthouse Conspiracy, by Sue Holmes, Albuquerque Journal, March 29, 2007, and Metro court architect sentenced to 366 days in prison, by Heath Haussamen, NMPolitics.net, July 8, 2009.)
Unlock full access to Fraud Magazine and explore in-depth articles on the latest trends in fraud prevention and detection.
Read Time: 5 mins
Written By:
Roger Seifert, CPA, ABV, CFF
Jamal Ahmad, J.D., CFE, CPA/CFF
Read Time: 5 mins
Written By:
Mandy Moody, CFE
Read Time: 5 mins
Written By:
Sandra Damijan, Ph.D., CFE
Read Time: 5 mins
Written By:
Roger Seifert, CPA, ABV, CFF
Jamal Ahmad, J.D., CFE, CPA/CFF
Read Time: 5 mins
Written By:
Mandy Moody, CFE
Read Time: 5 mins
Written By:
Sandra Damijan, Ph.D., CFE
