We have worked with AbilityOne not-for-profit (NFP) entities before. We have a lot of respect for their mission, which is to provide jobs and other vocational opportunities for individuals with disabilities. We need more entities like them.

Which makes it difficult to write about how lax internal controls at one AbilityOne NFP allowed an accounting manager to embezzle $1.3 million. That’s $1.3 million that could have gone to the programs that enable people with disabilities to find meaningful work. Instead that money was used to support the lifestyle of REGGIOUS SANCHESTER BELL, age 30, who embezzled the money over a period of about four years and used it to pay for personal expenses at such places as Best Buy ($95,000), Louis Vuitton ($22,000), Dillard’s ($21,000), and various other establishments.

There’s a DoJ press release to tell us that Bell pleaded guilty to one count of federal program theft and two counts of federal income tax evasion. The press release tells us that the maximum penalty for federal program theft is 10 years in prison and a $250,000 fine. The maximum penalty for tax evasion is five years in prison and a $100,000 fine.

The press release relates the following story:

According to information presented by the government at today’s hearing, Bell went to work for Phoenix in 2008 in its accounting department. He worked in accounts payable, accounts receivable and fixed assets management. [Phoenix is the AbilityOne entity; it receives about $20 million annually in contract revenue for providing Redstone Arsenal with custodial support.] As it did with other staff members, Phoenix provided Bell a credit card to use for business expenses only. Bell, however, began using his Phoenix credit card for personal expenses in at least 2009, and continued to do so until he was caught in the summer of 2013, according to his plea. [In addition to running up thousands of dollars of personal charges on his own corporate credit card] Bell also had Phoenix issue a credit card in a fictitious name with a fictitious Social Security number, which he also used for personal expenses.

Bell deleted unauthorized purchases from the credit card monthly statements and manipulated Phoenix’s account ledgers so that they would balance with the bank’s spreadsheet that showed what Phoenix owed for its staff credit cards, according to the plea.

Bell also established an accounting firm, called Bell-Pete Associates. Although Phoenix never did any business with the firm, Bell invoiced Phoenix for $58,133 in accounting services in 2011, and for $235,740 in 2012, according to his plea. Bell did not report the fraudulent income to the IRS, resulting in an underpayment of taxes of $15,132 in 2011, and $66,636 in 2012.

So what do we learn from this sad story?

We learn that Mr. Bell was able to approve fraudulent invoices. He created a fictitious company and paid that company nearly a quarter million dollars in one year but apparently nobody noticed. We learn that Mr. Bell had the ability to delete certain purchases from credit card monthly statements and he had the ability to “manipulate” Phoenix’s general ledger so nobody would notice the manipulations. Apparently he had the full run of the accounting department with minimal oversight. The (apparent) lack of segregation of duties coupled with (apparent) lax oversight coupled with (apparently) a lack of basic anti-fraud activities allowed him to embezzle more than a million dollars in roughly four years.

What might a company do that wants to avoid a fate similar to that which Phoenix experienced?

• Split roles; don’t give one person too much authority. For example, don’t let the person who cuts the checks also approve invoices for payment. Another example: don’t give people the ability to manipulate the general ledger. Make sure your accounting software keeps a record of who made every entry. Review the records periodically to ensure that each person is staying within their “swim lane” of authority.

• Rotate people. Make sure everybody takes a vacation each year. During a person’s vacation, review areas in the ledger for which they are responsible.

• Every quarter run a report to review your largest vendors—the 20% that make up 80% of your A/P activity. Then run another report to review your smallest vendors—the 80% that make up 20% of your A/P activity. Make sure you know exactly what goods/services every one of those vendors provided.

• Review check runs thoroughly. Select a sample and do an independent match of supplier invoice and purchase order and payment. Identify who approved the invoice for payment; make sure it isn’t your A/P accountant. Select a sample of approved invoices and call the approvers to make sure they actually approved the invoice.

• Have copies of corporate credit card statements sent to supervisors and managers; have them review the monthly transactions for propriety. Yes, some employees will use their corporate cards for personal expenses. Ensure they pay for their personal expenses and counsel them. Take away the cards of repeat offenders.

• Do not have the company pay the credit card bills; ensure each employee is responsible for paying off their own cards each month. Yes, some employees will run up balances that aren’t cleared timely. Counsel them and help them to pay off their balances through submitting expense reports. Take away the cards of those employees who can’t manage them.

The above list of tasks is not burdensome. Not really. Not if you are looking to keep your money.