Inside the hidden world of thefts, scams and phantom purchases at the nation’s nonprofits

For 14 years, the American Legacy Foundation has managed hundreds of millions of dollars drawn from a government settlement with big tobacco companies, priding itself on funding vital health research and telling the unadorned truth about the deadly effects of smoking.

Yet the foundation, located just blocks from the White House, was restrained when asked on a federal disclosure form whether it had experienced an embezzlement or other “diversion” of its assets.

SEE ALSO: Read about how a trusted bookkeeper was embezzling money from a nonprofit rowing club in Virginia, plus how this story was reported.

Legacy officials typed “yes” on Page 6 of their 2011 form and provided a six-line explanation 32 pages later, disclosing that they “became aware” of a diversion “in excess of $250,000 committed by a former employee.” They wrote that the diversion was due to fraud and now say they believe they fulfilled their disclosure requirement.

Records and interviews reveal the full story: an estimated $3.4 million loss, linked to purchases from a business described sometimes as a computer supply firm and at others as a barbershop, and to an assistant vice president who now runs a video game emporium in Ni­ger­ia.

Also not included in the disclosure report: details about how Legacy officials waited nearly three years after an initial warning before they called in investigators.

“We’re not innocent in this,” said Legacy chief executive Cheryl Healton. “We are horrified it happened on our watch. . . . The truth hurts — we screwed up.”

A Washington Post analysis of filings from 2008 to 2012 found that Legacy is one of more than 1,000 nonprofit organizations that checked the box indicating that they had discovered a “significant diversion” of assets, disclosing losses attributed to theft, investment fraud, embezzlement and other unauthorized uses of funds.

The diversions drained hundreds of millions of dollars from institutions that are underwritten by public donations and government funds. Just 10 of the largest disclosures identified by The Post cited combined losses to nonprofit groups and their affiliates that potentially totaled more than a half-billion dollars.

While some of the diversions have come to public attention, many others — such as the one at the American Legacy Foundation — have not been reported in the news media. And The Post found that nonprofits routinely omitted important details from their public filings, leaving the public to guess what had happened — even though federal disclosure instructions direct nonprofit groups to explain the circumstances. About half the organizations did not disclose the total amount lost.

The findings are striking because organizations are required to report only diversions of more than $250,000 or those identified as having exceeded 5 percent of an organization’s annual gross receipts or total assets. Of those, filing instructions direct nonprofits to disclose “any unauthorized conversion or use of the organization’s assets other than for the organization’s authorized purposes, including but not limited to embezzlement or theft.”

send a tip: Has your nonprofit experienced a significant diversion of assets? Contact the reporter.

As part of its analysis, The Post assembled the first public, searchable database of nonprofits that have disclosed diversions, available at ­wapo.st/
diversionsdatabase. Groups on the list were identified with the assistance of GuideStar, an organization that gathers and disseminates federal filings by nonprofits.

Examples of financial skullduggery abound in the District, throughout the Washington region and across the United States.

A few blocks from Legacy’s offices on Massachusetts Avenue, the nonprofit Youth Service America reported two years ago that it discovered a diversion in 2009 of about $2 million that had been “misappropriated” by a former employee. After The Post asked about the incident, he was charged in federal court and in June was sentenced to four years in prison for theft.

A few blocks in the other direction is the Alliance for Excellent Education, which disclosed four years ago that investment manager Bernard L. Madoff’s Ponzi scheme had wiped nearly $7 million from its balance sheets. In a statement to The Post, officials there called the figure a “paper” loss.

A deeper look at disclosures

A few blocks farther is AARP, the national charity that advocates for older Americans. In 2011, it disclosed two incidents with losses totaling more than $230,000, attributed to embezzlement and billing irregularities. An organization spokesman said no one has been charged in those incidents.

And just outside the Beltway, the Maryland Legal Aid Bureau, with offices throughout the state, disclosed two years ago that a former finance director and an accomplice had been convicted of making off with $1.1 million; officials there said in interviews they now think the total loss was closer to $2.5 million.

Investment fraud was blamed for some of the largest losses identified. Funds linked to Madoff’s scheme, which bilked investors across the country for decades, reportedly drained $106 million from Yeshiva University and its affiliates, $38.8 million from the Upstate New York Engineers Health Fund and $26 million from New York University, according to the disclosures they filed.

But hefty sums disappeared in many other ways, too:

●The Global Fund to Fight AIDS, Tuberculosis and Malaria, based in Geneva but registered and largely financed in the United States, reported in 2012 that it had found evidence of misuse or unsubstantiated spending of $43 million in grant funds.

●The Conference on Jewish Material Claims Against Germany, a New York-based charity for Holocaust survivors, reported in 2010 that it had been bilked out of $42 million in an elaborate, decade-long conspiracy by swindlers who created thousands of fake identities. A spokesman said the estimate has since been raised to $60 million.

●The Vassar Brothers Medical Center in Poughkeepsie, N.Y., in 2011 reported a loss of $8.6 million through the “theft of certain medical devices.” A medical center spokeswoman said a confidentiality agreement prohibited her from explaining further.

●The Miami Beach Community Health Center in 2012 reported losing $7 million to alleged embezzlement by its former chief executive, later convicted of theft.

● Columbia University disclosed in 2011 that it had been defrauded of $5.2 million in “electronic payments.” A university spokesman confirmed that the disclosure referred to an incident involving a former university accounting clerk and three associates, later convicted of redirecting $5.7 million meant for a New York hospital.

●And the 140-year-old Woodcock Foundation of Kentucky, which awards scholarships to students in need, disclosed that alleged fraud by a former chairman drained more than $1 million from its accounts, leaving the charity with assets totaling just $8.

“You go out of your way to trust a nonprofit. People give their money and expect integrity. And when the integrity goes out the window, it just hurts everybody. It hurts the community, it hurts the organization, everything. It’s just tragic.” The Rev. Raymond Moreland, Maryland Bible Society

Each year, larger registered nonprofits file a form with the federal government that lays out their mission, leadership, revenue and expenses. The question about diversions was added to the forms with little fanfare in 2008, one of several changes meant to make it easier for the public to gauge how well nonprofit organizations manage money.

While the losses identified in The Post’s study total hundreds of millions of dollars, they represent only a fraction of the total. The new question was phased in over three years and appears only on forms submitted by larger nonprofit groups. Private foundations and many smaller groups fill out alternative forms or no forms at all.

The Internal Revenue Service has said little about what information it has gathered from the responses, beyond reporting last year that 285 diversions totaling $170 million had been disclosed in one year alone, 2009.

Chicago lawyer and governance consultant Jack B. Siegel, an early proponent of adding the diversions question to the disclosure forms, said he had hoped it would allow the public to discover for the first time just how much theft was taking place and would discourage organizations from covering up problems.

“People should follow up and ask, ‘Are you properly monitoring the money I’ve given you?’ ” Siegel said. “If I’m giving you my money and you’re wasting it by allowing people to steal it, why should you be allowed to hush that up? Why shouldn’t I know that?”

More than 1.6 million nonprofit groups are registered with the federal government, and they control more than $4.5 trillion in assets. An additional 700,000 organizations, such as churches and smaller groups, need not register.

From 2000 to 2010, the number of registered nonprofits increased by 24 percent, according to an Urban Institute study. Annual revenue at such organizations, adjusted for inflation, grew by 41 percent.

Those nonprofits perform vital work in the community and depend on public goodwill, volunteers and donations. But the public’s stake in the organizations is even greater. Tax benefits extended to nonprofit organizations and their donors cost the U.S. Treasury about $100 billion a year in foregone revenue, according to the Congressional Research Service — a form of subsidy meant to further the organizations’ good works.

As it has grown, the nonprofit sector has repeatedly run into accountability problems, prompting congressional inquiries over the past decade into groups as varied as the Nature Conservancy and the Smithsonian Institution.

“We need to seek out and stop those who are hiding behind tax-exempt status for their own gain,” Senate Finance Committee Chairman Max Baucus (D-Mont.) said in 2007 after a string of high-profile financial scandals.

Little comparative data are available about the prevalence of fraud across business sectors. But a 2012 study by Marquet International, a Boston-based security firm that conducts an annual study of white-collar fraud, concluded that nonprofits and religious organizations accounted for one-sixth of major embezzlements, placing second only to the financial-services industry.

John D. White, president of the Virginia Scholastic Rowing Association, says his group is trusting of no one after its longtime treasurer embezzled money that has prevented the association from making needed improvements. (Matt McClain/The Washington Post)

“I come across these cases all the time,” said Christopher T. Marquet, who heads the firm. He said oversight at nonprofits is often thinner and supervisors more trusting. “The control structures in these organizations are much weaker,” he said.

In Legacy’s case, its report not only failed to disclose the total of its estimated loss but also did not reveal that multiple diversions had occurred over seven years and that they were not discovered until more than a decade after they began.

Roughly half the organizations examined in the Post study did not appear to have revealed the full amount lost, even though federal filing instructions direct charities to disclose the amounts or property involved.

Some organization officials said in documents and interviews that they chose not to alert police, instead settling for restitution, which often meant they also avoided public attention.

In interviews, some organizations said estimates of their losses had changed since their filings. The Post also found that a small percentage of groups chose to disclose financial restructurings, mergers and other types of financial losses, even though they involved no apparent wrongdoing.

The groups filing the reports were as varied as the nonprofit sector itself.

Locally, Georgetown University reported in 2012 that an unidentified administrator paid himself $390,000 in “unapproved compensation” over four years from a bank account the university did not know existed. No one was charged.

The Virginia Scholastic Rowing Association in Alexandria said it lost as much as $223,000 — an estimate the association president now has raised to $500,000 — to a longtime bookkeeper, later convicted of embezzlement.

“People are going to say, ‘You stupid people,’ ” said the group’s president, John D. White. “They’re exactly right. You have to pay attention.”

The Virginia Scholastic Rowing Association says it had no idea the “queen” of regattas was quietly spending tens of thousands of dollars on things such as NFL tickets, vacations and cable TV. The Post’s Lee Powell explains how a nonprofit group got taken. (The Fold/The Washington Post)

And the 200-year-old Maryland Bible Society of Baltimore disclosed that it had been defrauded of an undetermined amount by an unnamed former employee.

“It’s sadder when it happens to a nonprofit,” said the Rev. Raymond More­land, a Bible Society official who said in an interview that a former secretary took $86,000 by falsifying checks and misusing credit cards, then concocted fake audit reports to cover her trail. “You go out of your way to trust a nonprofit. People give their money and expect integrity,” he said. “And when the integrity goes out the window, it just hurts everybody. It hurts the community, it hurts the organization, everything. It’s just tragic.”

The former secretary was convicted of theft, Moreland said, but “the scar is still there.”

Legacy’s big loss

The American Legacy Foundation is a revealing case study. While some challenges it faced were uncommon, fraud examiners said many resemble those they see time and again.

Legacy was founded as a nonprofit organization in 1999 out of the Master Settlement Agreement that resolved health claims brought against cigarette companies on behalf of the public by authorities in 46 states and the District.

With $50 million in annual expenditures and $1 billion in assets, Legacy is perhaps best known for its edgy anti-tobacco advertising campaign known as “Truth.’’ In one high-profile stunt, Legacy filmed young people piling hundreds of body bags outside a cigarette company’s headquarters in Manhattan, graphically depicting the daily toll of tobacco-related illness.

“Being an honest and dependable source of information is our bread and butter, because the minute we start bending and manipulating the truth, we’re no better than the tobacco industry,” the organization says on its “Truth” Web site.

Its board includes Idaho Attorney General Lawrence Wasden (R), its chairman; Missouri Gov. Jay Nixon (D); Utah Gov. Gary R. Herbert (R); and Iowa Attorney General Tom Miller (D). Janet Napolitano, the recently departed U.S. secretary of homeland security, served on the board, and Sen. Thomas R. Carper (D-Del.) was Legacy’s founding vice chairman.

When first asked by The Post about gaps in their disclosure report, Legacy officials declined to provide full details. But they said they had a change of heart when they later learned that authorities did not plan to seek charges against the man they thought was responsible for the group’s loss.

After discussions with The Post, Legacy officials supplied copies of some documents and financial data related to what they allege was a fraud committed by one of their most beloved former employees.

Deen Sanwoola, they said, was a charismatic computer specialist who was Legacy’s sixth hire. He was tasked with building the organization’s information technology department.

No one realized, during Legacy’s frenetic early days, that the department had been formed without adequate financial controls, Legacy officials said. Or that Sanwoola had been placed in charge of both ordering electronic equipment and logging it as having been received — a mix of responsibilities that an outside auditor later described as a classic error that placed Legacy at risk.

“He had the keys to the kingdom of IT,” said Healton, who as Legacy’s president and chief executive received a compensation package worth $729,000 in fiscal 2012.

Reached by phone recently, Sanwoola, 43, told The Post he has had no contact with Legacy for six years and had no idea that anyone had raised questions about his department’s operations. “You’re kidding, right?” Sanwoola asked.

Sanwoola promised to call back with additional information. He did not and did not respond to numerous subsequent attempts to contact him by telephone and e-mail about Legacy’s allegations that he defrauded the organization.

After Sanwoola’s arrival in October 1999, Legacy’s IT department began spending freely on computers, monitors and software, much of it purchased from a single company in suburban Maryland, Healton said. Thanks to the court settlement, Legacy enjoyed a tremendous flow of cash, with revenue exceeding $320 million.

The first questionable purchase came in December 1999, according to a forensic audit conducted years later. “The fraudulent billing started almost immediately on his arrival,” said Wasden, the board chairman.

In that first transaction, the foundation paid more than $18,000 for a computer processor and related equipment that auditors concluded should have retailed for less than $7,000.

Data, documents and a summary of findings that Wasden provided to The Post show that questionable purchases of printers, software and servers steadily increased in size and frequency, peaking with 49 charges in 2006. In some instances, Legacy appeared to have paid many times an item’s worth, auditors said. In others, auditors said Legacy paid an inflated price for “phantom purchases” of equipment that apparently never arrived.

Anthony T. O'Toole, executive vice president and chief financial officer for Legacy.

Over years, Sanwoola is thought to have generated as many as 255 invoices for computer equipment sold to the foundation, Legacy officials said; 75 percent of them later were deemed by the foundation to have been fraudulent. During that period, the officials said, Sanwoola developed close personal ties to Legacy’s chief financial officer, Anthony T. O’Toole.

“Everybody loved Deen,” O’Toole acknowledged.

In early 2007, Sanwoola, by then an assistant vice president with a $180,000 compensation package, announced he was leaving. It jolted Healton, who said she “begged” him to stay. O’Toole recalled Sanwoola saying that his wife wanted to raise their children in Nigeria and that the move would allow him to help his ailing mother.

And that appeared to be the end of it.

Until six months later, when an executive at Legacy approached O’Toole and told him he was unable to locate computer equipment listed in the inventory. O’Toole said he waved away the complaint without bothering to investigate.

“He just pooh-poohed it,” Healton said of O’Toole, who received current and deferred compensation totaling $568,000 in fiscal 2012.

Three years later, the same employee — Legacy officials describe him as a whistleblower — again raised an alarm. This time, he bypassed O’Toole and took his concerns to a staffer close to Healton.

The response this time was different. Within days, Legacy hired forensic examiners to investigate and Healton notified the board.

One of the outside auditors’ first reactions, Healton recalled, was, “There’s no way an organization like yours could spend this much on IT.”

Auditors interviewed employees, reviewed invoices and recovered deleted files from a backup computer server in Chicago. Auditors found a template for invoices from the outside supply company, Legacy officials said, as well as computer code that showed the template had been designed and generated by someone using Sanwoola’s log-in.

Officials concluded that of $4.5 million in checks and credit card charges associated with the Maryland IT supply company, $3.4 million had been fraudulent.

Full document

Explanation from Legacy’s disclosure form

See more examples of nonprofit reporting patterns

Legacy officials and their auditors did not provide The Post with any documentation showing how Sanwoola, who is not named as a director on the supply company’s incorporation records, personally benefited from the sales. In a written statement, Legacy officials said, “we have no information or opinion regarding whether anyone other than Sanwoola had any involvement in any fraud or other improper activity.”

“We stumbled,” Wasden said. “There are kids out there we could have touched that we didn’t, because this money was taken from our coffers.”

In late 2010 or early 2011, foundation executives asked Miller, the Iowa attorney general on Legacy’s board, to call the office of the U.S. attorney.

From Legacy to Fun City

Legacy officials said they had made no attempt to contact Sanwoola, based on a request from federal prosecutors. In a statement for this article, the U.S. Attorney’s Office responded that they had made no such request.

The Post located Sanwoola in Lagos, Nigeria, where he said he continued to work in IT and owned a business — he is “mayor” of Fun City, a brightly painted children’s amusement center featuring refreshments and a variety of video games. “I love games,” he said in a brief telephone conversation.

Sanwoola said that there were no problems during his tenure at Legacy and that he had heard no complaints since his departure. He initially questioned whether a reporter’s call was a trick orchestrated by tobacco companies.

“Are you serious?” he asked when told of the investigations. “Wow. . . . I’m kind of bothered and concerned. Why couldn’t they just call me up and say, ‘Hey, we’re doing an audit. This is what we found out. What’s going on?’ ”

American Legacy Foundation board member Tom Miller, center left, who is Iowa’s attorney general, and Legacy Chairman Lawrence Wasden, the attorney general of Idaho, sit on a panel discussing the 1998 tobacco settlement Wednesday at the National Press Club. (Mary F. Calvert/For The Washington Post)

“It’s way more than a shock to me, coming to me after more than six years,” Sanwoola said. “If they are putting it on me — I don’t get it. . . . Using the word ‘defrauded’ is just frustrating my head. I need to sit down and get my head together.”

The invoices that auditors identified as questionable purported to have come from Xclusiv, a Maryland company that appears to no longer be in business. Some invoices used the slightly different spelling of Xclusive.

Contacted by The Post, neither of the men listed as corporate directors said he knew Sanwoola. One of them, Mack Adedokun, said he had never heard of Legacy and that Xclusiv had been a barbershop, not an electronics supply company. The other, Abdul R. Yusuf, said that the company had sold computers to Legacy but that he was unsure how many or who had arranged it. He declined to say who controlled Xclusiv.

Yusuf said he did not know how personal papers bearing his name and Social Security number had ended up on documents that Legacy said were recovered from Sanwoola’s computer, but Yusuf speculated that he may have been the victim of identity theft.

Told that property records showed Sanwoola had once bought a home in Greenbelt from a man bearing Yusuf’s name, Yusuf said that probably was his brother, who had the same name, shared the same address and has since died. “I’m just hearing all of this for the first time,” Yusuf said of details about Legacy’s claims. “I don’t know what you’re talking about. It’s so scary.”

Disclosure

Word that millions of dollars were thought to be missing remained largely within Legacy until it came time in 2011 to file its annual disclosure, a public document signed under penalty of perjury.

The disclosure said that the “fraud” of more than $250,000 did not “meet other materiality tests for financial reporting” and that the organization had told its board and law enforcement. It also said Legacy had filed an insurance claim that had been “successfully settled.” The document did not reveal that the settlement fell far short of the loss.

When first approached by The Post, Legacy general counsel Ellen Vargyas said the organization had no obligation to identify the full estimate of the loss and stressed that more information was in the foundation’s 2012 filing. That filing included a reference to $1.3 million in miscellaneous revenue from an insurance settlement, without saying what it was for.

“I do think it was a full and appropriate disclosure,” Vargyas said.

Legal specialists consulted by The Post disagreed. “Those suffering a diversion are obligated to report the dollar amount,” said Gary R. Snyder, a charity consultant who tracks fraud.

Legacy’s board has included prominent public officials such as former U.S. homeland security secretary Janet Napolitano.

Former Utah governor Jon Huntsman Jr. also has served on Legacy’s board.

Federal filing instructions direct nonprofits to “explain the nature of the diversion, amounts or property involved . . . and pertinent circumstances.” Charity specialists said there is no established penalty for a nonprofit that fails to follow the instructions.

A day after declining to disclose the amount to The Post, Vargyas reconsidered. “Our best estimate of the full loss comes to this: $3,391,648,” she wrote in an e-mail. She said her initial reluctance to disclose an amount was because Legacy’s number was based on estimates that had “never been tested in a court of law.”

Wasden added that the absence of a total dollar figure in its public filing was the foundation’s way of being restrained in describing its loss, in deference to the then-continuing federal investigation. The U.S. Attorney’s Office stressed, however, that it did not suggest that Legacy play down the size of the loss in its disclosure.

Legacy officials said they were told in March, for the first time, that there would be no charges. The U.S. Attorney’s Office disputed that, saying the FBI informed Legacy in February 2012 that the investigation had been closed because, despite warnings, Legacy had taken more than three years to report the missing computers and lacked reliable records of what it owned.

Healton said she had expected the criminal case to clear the way to recover its money. But now there also will be no civil lawsuit seeking repayment, Legacy officials said; as with the criminal case, the statute of limitations has passed.

“No excuses. It’s a terrible loss, and it shouldn’t have happened,” Healton said. “If we lost $3.4 million, that’s $3.4 million that did not go to save lives.”

Vargyas said officials had taken the discovery “enormously seriously” and are dedicated to avoiding a recurrence.

“Obviously, we have to do better,” Vargyas said. “We do view ourselves as holding a public trust.”

Dan Keating and Jennifer Jenkins contributed to this report.