Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​Guilt by Association

A membership organization pays a hefty price after handing over too much control to its management company.

Comments Views

​Olivia Munro, a hospital chief financial officer (CFO) and former pharmacist, was approached about the treasurer position with her state's pharmacy organization, which was experiencing sustainability issues. The organization's finances and membership numbers were in decline, and the board was struggling to lead through these challenging times. Out of a sense of professional obligation, she agreed to serve in the role. Never having served on a professional board, Munro did not know what to expect.

The small association of approximately 750 members charged an annual fee of $350, which included educational programming to satisfy mandatory continuing education requirements for professional licensure. Most of the revenues, however, came from an annual educational meeting that charged a registration fee to attend. The meeting was poorly attended, so most revenue came from pharmaceutical manufacturer grants for advertising.

After joining the board, Munro quickly realized that the organization had exhausted the available and willing volunteers within the state. Subsequently, it recruited fewer qualified people into leadership roles and recycled previous leaders. With the focus of the organizational leadership on the professional mandate, the financial affairs had been placed in the hands of underqualified individuals with limited fiscal acumen. As a result, this once-healthy organization became insolvent and contracted with an external professional management company specializing in turning around professional organizations.

Historically, the organization had several decades of financial success, accumulating $500,000 in reserves for operating purposes and an additional $250,000 in restricted funds to support scholarships for students in underserved communities. Although the organization previously had a treasurer, his limited financial expertise was evident in the lack of financial controls in place.

Munro wanted to determine the status of the organizational books that she was inheriting, so she conducted a review of them to make sure transactions had supporting paperwork, there were not any unusual transactions, and that the bank balances reconciled. She had several questions regarding the language in the contract with the management company and learned that it was signed without legal review. In particular, the contract contained a confusing evergreen clause perpetuating the relationship on a mandatory three-year cycle, rather than typical one-year extensions. Further, the contract did not contain a termination clause. The fee structure was equally complicated, with various a la carte upcharges that were poorly defined. This made it difficult to clarify which services were included in the initial contract and what was added on.

Lessons Learned

  • Outsourcing relationships and contracts should be reviewed by internal audit for control weaknesses before implementation and before any significant changes. There is an opportunity for internal audit associations to share guidelines with nonaccounting associations to improve financial practices and protections.
  • Internal audit should ensure management has processes in place to monitor contract requirements on a regular basis. The absence of these reviews leads to undetected issues and the inability to optimize the value of the relationship.  
  • Organizations that don't segregate financial duties open themselves up to misappropriation of funds and fraud.
  • Failure to maintain signatory authority can prevent organizations from legally accessing their own banking information for audit.
  • Regardless of the professional nature of an organization, knowledgeable financial people should be assigned to monitor its finances.
  • If the outsourced relationship fails to produce financial statements and banking documents regularly, it should prompt an immediate review and rigorous follow-up.

The relationship had been positive and the organization eventually transitioned additional authority to the management company, which was not reflected in a contractual amendment and instead was governed by email communications. This included managing the organization's website and membership database and organizing the annual meeting. As part of this transition, the organization's official mailing address was also changed to that of the management company, and the company was given signatory authority on the organization's bank accounts. It appeared that the management company had complete control of the organizational finances and operations.

Over time, the management company's level of service began to decline. The assigned management representative failed to attend board conference calls and provide contractual information such as monthly financial reports. In addition, bank statements were no longer being provided for review and reconciliation by the treasurer, and requests for status updates were responded to with increasingly vague answers.

Munro feared that the organization's funds had been fraudulently misappropriated and requested access to the organizational paperwork. Requests were repeatedly ignored or incompletely fulfilled. The management company was located in an adjacent state, so a local accountant was hired and law enforcement was notified to gain access to the records. Records were limited and those that were available had sloppy documentation, making it impossible to track payments and expenses accurately. Bank statements showed that $300,000 of the organization's funds were spent and current hotel expenses of $120,000 from the annual meeting had not been paid.

The organization obtained legal counsel and additional discovery followed. During the previous year, the management company had systematically billed the organization $100,000 for a la carte fees associated with ill-defined activities not specifically outlined in the contract. Because the management company was given authority to pay itself directly from the organization's bank account, and had used the a la carte provisions to generate repeat charges not reviewed by organizational leadership, legal counsel did not think it would be possible to recover these damages. The fact that the organization had not received the monthly bank statements to question these practices was considered gross negligence on behalf of the organization.

The remaining $250,000 from the restricted funds was also missing. When challenged, the management company refused to supply it, citing that the original contract had auto-renewed for an additional three-year period under the evergreen clause. The organization had failed to exercise the contractual 90-day notice period and, as a result, the remaining funds were due to the management company to satisfy the three-year extension on the contract. The organization's board concluded, with input from legal counsel, that the legal fees would be more than the organization could potentially gain. The management company filed for bankruptcy and subsequently reopened under a new name.

The management company had control of the organization's website, domain name, and membership lists, and ultimately, it agreed to return control to these proprietary operational elements and both sides walked away. The organization began to rebuild, and Munro set up appropriately designed financial controls. Shockingly, the membership reelected the same board, and Munro made the decision to step down from her role as treasurer.  

Scott Mark
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Scott MarkScott Mark<p>​Scott Mark, PharmD, is vice president at Craneware Healthcare Intelligence in Pittsburgh.​</p>


Comment on this article

comments powered by Disqus
  • IIA GRC_July 2020_Premium 1
  • AuditBoard_July 2020_Premium 2
  • IDEA_July 2020_Premium 3