Mary Schaeffer
Mary Schaeffer

Internal Control Breakdown Case Study

Cause, effect and solution revealed.

October 8, 2009
by Mary Schaeffer

Readers of a certain age may associate Haight Ashbury with the peace movement of the ’60s, youthful exuberance and caring nonprofits such as the Free Clinic — not fraud perpetrated by one of its executives. What makes this story even more disheartening is the fact that the embezzlement occurred at the Haight Ashbury Free Clinic and could have been avoided if even the simplest of accounts payable best practices had been observed.

Cause and Effect

According to published reports, what happened at the clinic is typical of the types of employee fraud that happens day in and day out at many organizations. It was nothing overly sophisticated and demonstrated how insiders who know the peculiarities of differing requirements use their knowledge for their own enrichment.

A former CFO of the clinic took advantage his knowledge that requires nonprofits receiving federal grants to return any unspent money. This money is supposed to go directly to a federal office. However at the free clinic, authorities claim the CFO created an account at a Sacramento bank under a name similar to the federal office. For over two years he had clinic workers return these checks, which he deposited into this account that he actually owned.

He allegedly set up several accounts with names similar to legitimate vendors. The CFO had payments intended for these legitimate vendors be sent to his dummy corporations and later cashed the same checks.  

These schemes began in June 2001 and went on for over two years. After the irregularities were uncovered and investigated, the CFO was fired and the case was turned over to prosecutors, who miraculously prosecuted and got a conviction. We say miraculously because white-collar crime is rarely prosecuted. Even more amazing is the fact that he was convicted. He was sentenced on April 30, 2008 to serve four years in prison, make restitution and pay back taxes and fines.

Returning checks to anyone besides the intended payee is a break in best-practice procedures. What happened here demonstrates clearly why returning checks to anyone but the payee is such a bad practice.

Clearly the process for setting up new vendors was lax at the clinic.

If one of your employees is determined to steal from you, you probably can’t stop them from trying. But, you can stop them from succeeding. And even if they get away with it once, you should be able to catch it early on — not two years and $700,000 later.

By following these best practices, financial executives can avoid and prevent most internal fraud:

  1. Never, ever, return checks to requisitioners.
  2. Use appropriate segregation of duties including master vendor file responsibilities.
  3. Limit access to the master vendor file.
  4. Get W-9s from every new vendor before making the first payment.
  5. Run W-9s against the IRS TIN (Taxpayer Identification Number) Matching Program before making the first payment.
  6. Check to see if duplicate vendors have the same TIN.
  7. Do some sort of verification of new vendors, checking TIN and phone numbers to ensure you are not dealing with a phony vendor.
  8. Use coding standards for master vendor file data entry and be suspicious of vendors with similar names.
  9. Have a corporate policy restricting transactions with company employees unless there is a specific written contract approved by senior management not involved with the case.
  10. Require dual approvals before a new vendor is added to the master vendor file.

Be wary of executives who request or require access to everything. This makes fraud all the easier to commit. No employee should have such access, regardless of their level within the organization. Remember, trusted employees are the ones who are most likely to steal from you successfully — so put safeguards in place to ensure it doesn’t happen on your watch.


While very few organizations will employ all the practices described above, the more you can incorporate into your policy and procedures, the more difficult it is for a fraudster (either an employee, former employee or someone else) to steal from you.

How many of these practices are in place in your organization?

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

Mary S. Schaeffer is the author of over a dozen business books including The Controller & CFO’s Guide to Accounts Payable (2007 John Wiley & Sons) and Fraud in Accounts Payable: How to Prevent It (2008 John Wiley & Sons). She is the publisher of the CFO & Controllers Accounts Payable Management Journal, a quarterly electronic journal for senior executives concerned about internal controls and cost control in their payment function, writes a monthly newsletter, a free weekly ezine e-AP News, speaks at accounts payable webinars, seminars and conferences and directs the organization’s consulting practice. She is making available for free a complimentary copy of her new journal for a limited time exclusively to AICPA Corporate Finance Insider readers. If you are interested, please send her an e-mail at: marys@ap-now.com with AICPA Corporate Finance Insider in the subject line. Readers should note that neither AICPA nor AICPA Corporate Finance Insider will receive any revenue proceeds from this journal.