A clergyman recently pled guilty to criminally mishandling (or “borrowing” as he put it)  over $516,000 of his congregation’s funds. This is a crying shame in and of itself, but let’s take a thoughtful, clinical  look at what went wrong with the internal controls over the church funds. What are the lessons an NFP organization can learn from this all too typical event?

An effective  system of internal controls consists of layers.  The further you penetrate into the layers the less effective the controls often become. In this case, the internal controls operating at the local church level are generally more effective than controls operating at the diocesan (headquarters) level. Nevertheless, controls at higher levels are important to have in place as they too can often catch errors, omissions, and fraud. It is the application controls at the local level that would have had the greatest chance of preventing the fraud.  That being the case, let’s begin by looking at the internal control failure at the parish level.  These were the first line of defense for the organization  against material fraud, and they failed.  What were the controls that failed and why?  Here are some possible reasons: 

  • A lack of professional skepticism.  NFP officers must always keep a healthy professional skepticism about the control environment and those who have access to the organization’s funds. The pastor in question had been in place for 27 years and was well-liked by his congregation. You may have heard the old saying “familiarity breeds contempt.” However, in the world of accounting and internal controls familiarity breeds a lack of caution. Maintaining a healthy skepticism does not mean being paranoid about the possibility of theft. It means keeping an eye out for signs of fraud. Who was responsible for that on the local level? The parish had a finance council composed of volunteers appointed by the pastor. While in theory this is a structure providing sufficient controls at the local level, that is often not the case. It would take extraordinary courage and devotion to duty for a member of the council to challenge the longtime, trusted pastor.  The parishioners composing body also may not have been sufficiently instructed in their duties and responsibilities. 
  • Smaller frauds committed over time are harder to detect.  While the public information about the case does not indicate when the funds were stolen, one can guess the amounts were taken over an extended period of time. The typical fraudster pattern begins with small thefts. The number of thefts and the  amounts then grow as the fraudster becomes bolder.  This is probably what happened here, given the pastor had 27 years to do so.  This particular congregation was very large and operated a grammar school.  The annual budget for the entire organization may have run into the millions of dollars.  The fraud per year was over $19,000 ($516,000 divided by 27 years).  It is conceivable that smaller amounts fraudulently taken over time were not noticed every year.  Conceivable?  Yes.  Should they have been noticed?  Yes 
  • Lack of or failure of segregation of duties. Many churches require the pastor and at least one lay trustee to approve a disbursement.  In this case, the pastor could either initiate and complete payments by himself or the trustees were simply not diligent in performing their duties. They may have approved disbursements with insufficient or fraudulent purposes.  One commonly seen but awful financial  practice is to have the trustees sign a blank check and leave them with the pastor “just in case something comes up”.  Another sad practice is the lack of control over parish credit cards. Both of these and similar practices should simply be banned outright. 
  • Lack of local oversight.  While the typical parishioner may not have sufficient expertise in understanding parish finances, one would hope the finance council (which may or may not include the parish lay trustees) would be vigilant enough to ask what expenditures are for. Apparently this was not the case.  The parish financial council should also do a periodic review of the financial statements and question every expenditure. It seems this review, if done, was not vigorous enough. 
  • Structural failure of the accounting staff.  An organization of this size would ordinarily have a bookkeeper. Either the bookkeeper did not know what to do with the knowledge defalcations were occurring or did not know who to report this to.  If a report was made to the responsible parties (the diocese or the parish finance council for instance), no action was taken. The very accounting control process was structurally flawed. 

There were some other lapses in internal control on the higher diocesan level:

  • An additional  lack of skepticism.  The diocesan finance office noticed potential problems with the finances of the parish and attempted to schedule an audit. This audit was apparently pushed back  several times due to the “ill health” of the clergyman. Again, this was a popular pastor who had been in his position for nearly three decades. There was no reason to suspect such a person. The diocesan officials did not display the professional skepticism needed in this situation. It is precisely the most trusted person in the organization who can do the most damage to it. Also, the reasons for postponing the audit made no sense.  A preliminary financial audit can be conducted without the pastor being present. If the pastor was absconding with funds over time, the parish may have been left vulnerable to more theft during the time the audit was postponed.  The news releases about this sad episode do not say such a thing happened, but it is entirely possible.  The responsible parties at the diocese should have heeded the ringing alarm bells and forced the audit to begin earlier.   
  • Other oversight failures on the diocesan level.  To the credit of the diocese, it appears to have learned a lesson. The diocese announced  a more robust audit of parish finances.  Auditing is the highest level of internal control, the last line of defense.  The diocese will also be instituting a “whistleblower” line.  Business organizations have long known anonymous tips are the single most important way to catch fraudsters.  There will also be a new office dedicated to helping parishes with their finances. While clergy are often very highly educated ( for instance, it often takes at least seven years of full time study to earn an M.Div.) they often lack rudimentary management and financial control skills.  Such an organization will be invaluable to the volunteers on the local finance councils. 

What  generalized lessons can NFP organizations can be learned from this episode? 

  • Everyone responsible for internal control needs to maintain a professional skepticism. 
  •  It is the trusted employee who can beat you for the most money.
  • No one who handles the funds for an organization or does its financial reporting should be afraid of an audit. An audit is a normal consequence of handling cash.  Alarm bells should ring anytime someone wishes to push off an audit. 
  • Volunteers placed in oversight positions need to be properly trained on what their responsibilities are and who to report illegal or unethical actions to. 
  • The same holds true for those responsible for bookkeeping and financial reporting. 
  • Application controls over cash are critical:
    • Absolutely no signed blank checks
    • Rigid control over credit cards
    • Effective, dual controls over cash disbursements, even electronic
    • Check stock should be controlled without access to the check signers. (Archaic I know, but some places still do pay via check.)