In July 2022, news broke that David Ostrove allegedly stole approximately $8.4 million from the Schechter School of Long Island (the “School”), where he served as the School’s Chief Financial Officer, Chief Technology Officer, and Director of Operations. Ostrove oversaw all of the School’s financial matters from accounting to tuition assistance and building maintenance and security. The alleged fraud spanned some eight years from 2014 until his termination in April 2022. Ostrove reportedly used the School’s PayPal and Stripe accounts to transfer school funds into his own personal PayPal account. He allegedly tried to conceal this money by transferring it to personal accounts he held at various banks and buying properties through shell corporations. Unfortunately, this is just another in a long string of embezzlements that have rocked local schools over the last couple of decades.
If you consider the private school world today, enrollment is down, there are staff shortages, inflation is driving up costs, and investment declines are impacting contributions, so budget cuts must be made in order for many of the schools to make ends meet. Unfortunately, trust is not a substitute for an effective system of internal controls. While we don’t have all the fact pattern as to how Ostrove allegedly embezzled the funds, we do know that if proper controls and oversight were in place, complete with segregation of duties, reconciliations, and a formal review process, the likelihood that his alleged activities would have gone unnoticed for eight years would have been greatly diminished.
There are two main categories of controls, detect controls and prevent controls.
Prevent controls:
Prevent controls, as the name suggests, are put into place to prevent errors and irregularities from occurring. They tend to be more expensive, because they rely more heavily upon strong segregation of duties, which means a higher level of staff. They are implemented to catch issues before they occur. While most smaller organizations are not going to have a robust level of segregation of duties, there are certain places where the investment in appropriate segregation may make sense:
- The human resource (“HR”) function and payroll functions should be segregated. HR is responsible for on-boarding staff and ensuring personal files are up to date, including having properly authorized salary notices/pay rates. As such, it should be the HR department’s responsibility to enter all new employees and terminations within the payroll system and to modify staff salaries. Payroll should have no access or authority to perform these duties. Conversely, payroll’s responsibility is to ensure that proper approved time records exist for all staff. It is payroll’s job to ensure that all time is properly entered into the payroll system and the hours are properly charged against time worked, overtime, paid time off, etc. Under a system where HR enters employees and salary with no access to hours and payroll enters hours, with no access to enter employees or salary, without collusion between the two departments, it would be very difficult for a fictitious employee to be created and paid.
- The recordkeeping and check signing functions should likewise be segregated. Individuals with the access to record invoices into the system should not be able to sign checks. Having an extra individual who doesn’t have the ability to create the invoices scrutinizing those invoices before they are signed to ensure that the invoices are appropriate, the goods or services were received, and the purchases were authorized, makes it more difficult for someone to generate a fictitious invoice, sign it, and cash it.
- Similarly, a person who has access to funds (cash, checks, and electronic payment) should not have the ability to record such payments into the accounting records and the ability to generate write-offs. In a strong control environment, the person who receives payments should be independent of the person who records the payments. The person receiving the payments should create a log of the payments or develop the deposit slip and send a copy of the log or deposit slip to the individual responsible for reviewing the bank reconciliation. In this way the person who is responsible for recording the receipts in the accounting or other systems (e.g. fundraising) would not be able to abscond with funds as there is already a log of what came in and the person who is receiving payments cannot take any of the funds because the person “accounting” for these funds will also be following up with the customer/donor if the funds don’t arrive. This system only works if there is a reconciliation whereby the person performing the bank reconciliation review is reconciling the deposits per the log/deposit slips created by the receiver of the funds to an original copy of the bank statement either received directly by the reviewer or on-line. This is equally important for funds received under electronic payment systems such as Stripe and PayPal. These systems create logs of funds received and it is essential for the bank reconciliation reviewer to ensure that the funds received from these sources are properly finding their way into the school’s bank account. Furthermore, the ability to generate credit memos or other system write-offs should be segregated from the person responsible for recording and collection activities, especially if they have access to the funds. By segregating these functions, it provides for independent follow-up/verification before an account is written-off, lessening the likelihood of theft.
Detect controls:
These controls may also be referred to as compensating controls, and are put in place to catch an error or irregularity after it occurs. These controls are cheaper than prevent controls and often rely on a head of school, board member, or someone else that may not have the training or time to ask the right question and identify issues. Detect controls can be effective, as long as the person who is performing them is diligent in his/her responsibility. Some examples of effective detect controls are:
Payroll:
The Head of School reviews the final payroll register and a payroll edit report showing any edits made to the payroll (addition/deletion of staff and pay changes) and signs approval.
Cash Receipts:
A person independent of the recording function, cash receipt function, and bank reconciliation function reviews the bank reconciliation. As part of that review, they should receive an original bank statement or have access to the statement online, and as noted above, they should reconcile the cash receipts to the monies coming into the school either through the mail or through electronic means.
General Ledger:
A monthly reporting package should be created that shows: budget to actual (with explanation of fluctuations), tuition revenue and scholarships/discounts per student showing a five-year trend, days in cash, accounts payable and accounts receivable turnover, bad debt as a percentage of revenue, etc. This will help management and the Board identify fluctuations that don’t make sense.
Reconciliations:
Monthly reconciliations should be performed on accounts receivable (general ledger to the control account), accounts payable (general ledger to the control account), and donations (development records to accounting records). These reconciliations should be reviewed by someone independent of the preparer.
General Journal Entries:
General journal entries provide the greatest opportunity to cover up some ones “financial fingerprints.” All journal entries should be reviewed by an authorized person before they are recorded, and on a monthly basis, the authorized person should get a report of all journal entries posted to the system to ensure that they reviewed all of the entries and determine if any additional follow-up is necessary.
In addition, other control procedures can be implemented to further ensure financial accuracy and limit risk of theft:
- Ensure all checks are written out to the full name of the organization and not an acronym. It is much easier for someone to steal checks written out to an acronym by setting up a company with the same acronym.
- Maintain strong control over checks/check stock and the corporate seal. Many an organization have been embezzled by employees using the corporate seal and letterhead to open an account in a bank not used by the school with them as the authorized check signer.
- Consider an internal audit function, even on a limited basis. This can be outsourced and may be worth the investment for the piece of mind it brings.
- Require new vendor approval before they are entered into the system and any purchases are made from them. This will allow management to understand why the school is utilizing a new vendor and determine if they are appropriate and at arms-length.
You can never eliminate the possibility of errors or irregularities within your school, but with proper implementation of an effective control environment, diligent oversight, and establishment of a proper tone at the top, you can dissuade wrongdoers and potentially catch them early in the process. Organizations over the years have been plagued by those who didn’t walk into an organization looking to steal, but the opportunity presented itself, and the dark side of human nature took over. The goal is to lessen or eliminate the opportunity through proper detect and prevent controls and not rely solely on a system based upon trust.
Kelly Mehr, CPA
Senior Accountant
Kelly is a senior accountant of Cerini & Associates’ audit and consulting practice. She works with nonprofit, special education and school district clients.