The Salvation Army recently dismissed Mr. David Rennie, its executive director of its toy warehouse in Toronto, where there was an alleged “massive” theft of $2M in children’s toys. This amount of toys, which were recently located, along with Mr. Rennie surrendering to police, cannot be carried out under one’s arm. It likely involved inadequate internal controls over the segregation of duties, over the safeguarding of assets, and over restricted areas. Perhaps paper rather than IT controls were being used (still not uncommon), which is more capable of manual override.
A qualified audit opinion was offered by the Salvation Army’s external auditors, KPMG, over the last three years (see here and here). According to Stanford researchers, the external audit process (see slide 10) should include fraud evaluation, a review of opportunities for fraud, and an examination of incentives for fraud. Auditors should use “professional skepticism,” but it is not the explicit objective of the audit to identify fraud (slide 9).
It is unclear, judging from the Salvation Army website, whether the Governing Council of the Salvation Army has adequate independence from management or financial expertise (see page 31 here), where independence or financial background is not mentioned). There is an advisory board, but there is no indication that the Salvation Army has a proper, functioning board of directors, that oversees risk and controls. Advisory committees advise, but cannot direct.
Theft happens when there is opportunity, incentives and lack of internal controls. A board, or lack thereof, controls and approves all of these factors – and in particular, controls. I was in Calgary after the XL Foods crisis, lecturing to a room full of directors on beef association boards in Alberta. “Do you approve the internal controls over food safety?” I asked? Not many hands went up. “Do you take tours of the plant, seeing the line, and talking to workers? Do you have an internal audit function that tests the design and effectiveness of internal controls, and reports directly to you?” Again, not many hands went up.
A proper board will want to see validation over the internal controls over all material risks – in the form of real time risk registers with individual accountability and mitigating actions. Material risks are not just financial, but non-financial. This includes operational controls, such as the line in a meat plant, or the warehouse with toys in it. I did a review of a diverse, complex NFP operation last week where documented risk management and operational control oversight by the board was inadequate. I am recommending 45 governance enhancements including a compliance committee of the board and proper risk oversight. I am designing a not for profit and governmental governance accountability course within York University’s Masters of Financial Accountability (MFAc) degree program this January given the importance of not for profit organizations to the economy, and the presence of governmental corruption.
Internal controls basically constrain management. No one likes to be controlled and there is an obvious aversion to management controlling itself or dedicating resources for this. In not-for-profits and charities especially, there are stretched resources, volunteers, and a tendency to trust people. However, fraudsters exploit these areas of vulnerabilities. Controls need to be person-proofed and require a diligent board with authority and competency to require adequate reporting, controls and follow up. Sadly, this was not the case at the Salvation Army and the board (or lack thereof) is at fault. Donations may suffer but more importantly, so may children at this time of year.