How Aptly Prevents Delegation of Authority Failures: Stopping $12.75M Fraud Before It Starts
When One Person Can Do Everything: The Hidden Governance Flaw Behind a $12.75 Million University Fraud
In a university medical practice in the United States, an accounting manager quietly stole more than $12.75 million over five years using nothing more exotic than procurement cards and journal entries. The mechanism was simple; the underlying governance failure was not. One person had effective control over initiation, approval, and recording of financial transactions, with signatory authority and delegated power that lived more in habit than in verifiable systems.
This case is not an outlier. It is a textbook illustration of how vague delegation of authority and weak signatory governance create fertile ground for fraud, abuse, and loss in universities, public companies, and government entities worldwide.
The illusion of control: policies without enforcement
Most institutions can produce a delegation-of-authority (DoA) document on demand. It may span dozens of pages, listing titles, dollar thresholds, and approval responsibilities. The problem is that this governance often exists only in static documents, while day-to-day approvals flow through emails, spreadsheets, and disconnected financial systems rather than through an enterprise governance-of-authority platform such as AptlyDone.com.
In the university medical practice case, the accounting manager supervised procurement card activity, oversaw recording of expenses, and had the ability to disguise fraudulent charges as legitimate business costs. There were, ostensibly, policies against such concentration of duties. Yet when controls live only on paper, they become aspirational rather than operational.
Over time, informal workarounds, “just send it to me, I’ll push it through”, replace formal authority. Delegations shift as people cover vacations, vacancies, or urgent projects, but the official record of who may sign or approve does not keep pace. That divergence is where risk quietly accumulates.
Three structural weaknesses that open the door to abuse
Across public organizations and higher education, three recurring structural issues appear in fraud and abuse cases involving signatory governance:
- Concentrated roles and overlapping access
The same person can request, approve, and post transactions in the general ledger—often rationalized in the name of efficiency. When staffing is lean, segregation of duties is treated as a guideline rather than a non‑negotiable principle.
- Ambiguous or outdated delegated authority
Delegations are granted informally (“you can sign for me while I’m out”) or never rescinded when staff change roles or leave the organization. The result is a shadow network of authority that no one fully understands.
- Lack of real‑time visibility into who is doing what
Leaders see aggregate spend and budget-to-actuals, but they do not see approval patterns: which individuals appear on which workflows, how often exceptions are granted, or where thresholds are routinely skirted. By the time anomalies emerge, the losses are sunk.
The university fraud demonstrates all three. Over several years, fraudulent P‑card charges were routed and recorded by the same individual who was responsible for their oversight. Without enforced segregation of duties or transparent audit trails, the institution was effectively trusting a single gatekeeper with both keys and locks.
Turning governance from policy into practice
For governance to work, delegation of authority and signatory rules must live inside the workflows where money actually moves. That is where platforms like Aptly are designed to operate—bridging the gap between policy and daily practice.
Aptly approaches the problem with four intertwined capabilities:
- Living delegation-of-authority maps
Instead of static PDFs, Aptly maintains a dynamic, role‑based map of who can approve what, at which thresholds, for which entities and cost centers. Authority is explicit, searchable, and time‑bound. Temporary acting roles are captured with start and end dates, and they cannot silently morph into permanent power.
In the university scenario, the accounting manager’s scope of authority would have been tightly defined and visible: they could not simply “help out” with approvals in ways that contradict the embedded DoA framework.
- Enforced segregation-of-duties controls
Aptly encodes segregation-of-duties rules directly into approval flows—such as “no one can both administer procurement cards and post journal entries for the same cost center,” or “initiator and approver must be different people for all transactions above a given threshold.”
Transactions that violate these patterns are automatically blocked or rerouted, not merely flagged after the fact. If such rules had been in place, the accounting manager would have encountered hard stops when attempting to both manage card activity and post camouflaging entries in the ledger.
- Real-time visibility and anomaly detection
Governance failures often surface first as patterns, not single events: one approver touching an unusually high percentage of spend; repeated use of “miscellaneous” account codes; approvals consistently just under dual‑sign-off limits.
Aptly’s dashboards and alerts expose these patterns to finance leadership, internal audit, and compliance. Rather than scanning thousands of transactions, leaders can focus on a small list of high‑risk combinations—such as an individual repeatedly appearing as both processor and approver across multiple workflows.
- End-to-end audit trails that connect authority to action
When an auditor or investigator asks, “Who approved this, and under what authority?”, Aptly can show not only the human approver and timestamp but also the underlying rule or delegation that allowed the action.
This linkage between formal authority and specific decisions does two things: it simplifies investigations and, just as important, it deters abuse. People behave differently when they know their approvals are transparently tied to defined authority rather than buried in opaque system logs.
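The two segregation-of-duties rules quoted above, combined with time-bound delegations and a returned rule ID for the audit trail, can be sketched as follows. This is an added illustration, not Aptly's code or API; every name, rule ID, threshold, and date in it is a hypothetical, constructed value.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Delegation:
    rule_id: str
    approver: str
    cost_center: str
    limit: float
    start: date
    end: date  # every grant is time-bound, including acting roles

# All names, IDs, amounts and dates below are constructed sample data.
CONFLICTING = [{"administer_pcard", "post_journal"}]  # per cost center
DUAL_CONTROL_ABOVE = 1000.0
DUTIES = [("mgr", "administer_pcard", "CC-100"),
          ("mgr", "post_journal", "CC-100"),
          ("dana", "post_journal", "CC-100")]
DELEGATIONS = [
    Delegation("DOA-17", "lee", "CC-100", 10000.0, date(2024, 1, 1), date(2024, 12, 31)),
    Delegation("DOA-22-acting", "sam", "CC-100", 5000.0, date(2024, 7, 1), date(2024, 7, 14)),
]

def holds_conflict(person, cost_center, duties=DUTIES):
    """True if one person holds a forbidden duty pair for this cost center."""
    held = {d for p, d, cc in duties if p == person and cc == cost_center}
    return any(pair <= held for pair in CONFLICTING)

def authorize(txn, delegations=DELEGATIONS, duties=DUTIES):
    """Return (allowed, rule): the rule that blocked or authorized the approval."""
    cc, amount = txn["cost_center"], txn["amount"]
    if amount > DUAL_CONTROL_ABOVE and txn["initiator"] == txn["approver"]:
        return False, "SOD-1 initiator and approver must differ"
    if any(holds_conflict(p, cc, duties) for p in (txn["initiator"], txn["approver"])):
        return False, "SOD-2 conflicting duties on cost center"
    for d in delegations:
        if (d.approver == txn["approver"] and d.cost_center == cc
                and amount <= d.limit and d.start <= txn["date"] <= d.end):
            return True, d.rule_id  # recorded with the approval for audit
    return False, "DOA-0 no active delegation covers this approval"

def txn(initiator, approver, amount, day):
    return {"initiator": initiator, "approver": approver,
            "cost_center": "CC-100", "amount": amount, "date": day}

if __name__ == "__main__":
    for t in (txn("dana", "lee", 2500.0, date(2024, 3, 5)),
              txn("dana", "sam", 2500.0, date(2024, 8, 1)),
              txn("mgr", "mgr", 900.0, date(2024, 3, 5))):
        print(t["initiator"], t["approver"], authorize(t))
```

The check is default-deny: an approval succeeds only when a currently active delegation covers it, so an acting role that has passed its end date stops working without anyone having to remember to revoke it.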
Why universities and public entities are uniquely exposed
Universities, public companies, and government bodies face some of the toughest constraints in financial governance. They manage large budgets with complex funding sources, must comply with strict regulations, and operate under intense public and political scrutiny. At the same time, they often run lean finance teams where “doing more with less” is the operational norm.
This combination can unintentionally incentivize shortcuts that erode control:
- Staff are given broad system access “just to keep things moving.”
- Approval hierarchies are flattened to speed up procurement or grant spending.
- Turnover leaves outdated delegations in place, because updating them everywhere is administratively painful.
In such environments, the difference between a robust control framework and a catastrophic failure often hinges on whether governance is systemic or manual. Systems that enforce policy, rather than merely document it, are critical risk mitigants.
From case study to call to action
The lesson from the $12.75 million university fraud is not merely that one person exploited a broken system. It is that the system was built on an assumption that policy was enough—that a delegation chart, a training slide, and a set of written procedures would reliably govern human behavior over time.
The more constructive questions for boards, CFOs, and audit committees are these:
- Where, today, can one person in your organization both initiate and approve financial transactions without encountering a systemic control?
- How quickly can you produce a single, authoritative view of who is allowed to sign or approve at each level, and does that view match reality?
- When exceptions are granted—because they sometimes must be—how are they tracked, time‑bound, and monitored?
Aptly exists to make those questions easier to answer and to close the gap between intended governance and actual practice. By embedding delegation of authority into workflows, enforcing segregation of duties, and illuminating approval behavior in real time, Aptly helps organizations transform signatory governance from a static compliance artifact into a living, protective mechanism.
The stakes are not just financial. For universities, public entities, and mission‑driven organizations, every dollar lost to fraud or abuse is a dollar that cannot serve students, patients, citizens, or shareholders. Strengthening delegation and signatory controls is not only good governance—it is an act of stewardship.
