How Internal Controls Can Reduce Fraud

Content originally posted on CUToday.info.

KOLOA, Hawaii–Ann Davidson said she recalls her early days in investigating theft from credit unions and it typically involved something simple, such as an employee taking something from another’s desk. Now, it’s not so simple. Last year, theft cost credit unions more than $40 million—which is why she spent time here offering strategies for stopping fraud, making it clear a lack of simple internal controls is often the expensive culprit.

Speaking to Rochdale Paragon Group’s Volunteer Leadership Institute here, Davidson, VP-risk consulting with Allied Solutions, asked for a show of hands among attendees for those whose CUs had seen an “employee gone bad.” About a third raised their hands.

“It’s not fun to hear as a board member that someone just embezzled from our credit union,” said Davidson. “The first question is how did this happen? If it was over 20 or 30 years, it’s how did we not catch it? How did it continue to happen? Not a day goes by that an employee who was trusted doesn’t commit theft. We think it could never happen to us. We trust our employees. We don’t employ thieves. We think we don’t have weak controls.”

But, stressed Davidson, in nearly all cases that proves not to be the case.

“How many of you know as a board member or supervisory committee member that you have excellent separation of duties in your credit union?” asked Davidson. “Everybody in the room, right. But how do you validate that?”

Davidson said in nearly every case the scenario is the same when it comes to those who commit theft against a credit union.

“The first question I would ask when meeting with an embezzler is, ‘Why?’ I will never forgot one woman who embezzled from a credit union in Kansas. I was sitting at her kitchen table in her home—which I probably wouldn’t do today—and I asked why did you do this to your credit union? And she said, ‘My daughter needed braces, my son was in the band, and I just got divorced and didn’t have the money and I was going to pay it back.’ They don’t think they are a thief, that they are stealing—they are going to pay it back.”

 

Weak Controls

Davidson walked her audience through the various issues that lead to embezzlements and theft, and stressed again and again weak controls is a consistent problem.

For instance, Davidson said one credit union allowed the employee who disbursed checks to leave the payee blank.

Download the White Paper: "Best Practices to Prevent Employee Fraud" and learn the internal controls financial institutions can implement to reduce exposure to these losses.

“Shouldn’t your controls block that? That check came off the system and then they made the check payable to themselves,” said Davidson, noting in that case the thefts amounted to $196,000. “Think of the number of times they could do that. There is a solution there—you don’t allow a blank check to be generated.”

 

How to Detect

The best ways to detect fraud, said Davidson, include:

  • Tip from employee, member or anonymous
  • Management review
  • Internal audit review
  • External audit review. “Do you have an external auditor check your internal auditor?” asked Davidson.
  • By accident
  • Account or document review
  • IT controls
  • Confession
  • Law enforcement

Davidson shared other situations she has uncovered.

“One employee came in early and had sole control of the vault with no one else there. She was able to go into the vault for seven years and take money,” related Davidson. “I was in another credit union doing a risk assessment and the CEO said, ‘We have one loan office, so when loans are disbursed that employee approves the loan and receives the disbursement. We’re small and that’s all we can do.’ And I said why don’t we put the computer in your office so that loan officer would have to come into your office to get those checks?”

“We need to be on top of our game. There needs to be dual controls and segregation of duties,” Davidson continued. “We don’t want your name across the front page of the news. It doesn’t matter if you’re small, medium or large.”

 

Why Embezzlement Happens

Davidson said embezzlements take place for a number of reasons:

  • Poor internal controls
  • Lack of separation of duties
  • Inactive supervisory committee
  • Ineffective internal audits
  • Inadequate background checks

“We had one case where had brought in cards that needed to replaced. The member’s old cards were cut in half. An employee taped the card together and put her thumb over the tape and asked another employee to put a cash advance on the card for the member,” said Davidson.

Obviously, that employee took the cash for herself.

Davidson also urged much more care be taken with instant issue cards.

“You have to treat those cards just like cash,” said Davidson. “Make sure they are locked up in the vault. Card fraud in credit unions was the number-one fraud last year.”

 

Beginning On First Day

Davidson said it’s critical every credit union’s HR package for new employees include documents fresh hires must sign stating they will not commit fraud. “It creates awareness,” said Davidson.

Other provisions should address talking about members away from the credit union (not permitted), and mobile device usage policies (including banning use of employee cellphone cameras to shoot pictures of any documents).

“We see a lot of embezzlements at the teller line,” said Davidson. “One credit union doesn’t allow tellers to take a purse or wallet to the teller line in cases where cash recyclers are not used. But I saw one case where the teller was putting the cash in his shoe.”

 

Behavioral Risk Characteristics

Davidson urged credit unions to watch for the following behaviors:

  • Defensive or nervous during audits and questions
  • Living beyond one’s means
  • Someone who is experiencing financial difficulties
  • Someone who never wants to take a vacation. One employee got sick in an emergency and had to leave and while she was gone the credit union discovered 78 unauthorized loans she had made that she was pyramiding,” said Davidson.
  • A person close with vendors and members
  • Someone with control issues—unwillingness to share duties/hoards data

 

Lack of Internal Controls

Issues related to a lack of internal controls, according to Davidson, include:

  • Lack of management review
  • Override of existing internal controls. “Can’t tell you how often I see this,” said Davidson.
  • Poor tone at the top
  • Lack of competent personnel; in oversight roles
  • Lack of independent checks/audits
  • Lack of employee fraud education

 

How to Prevent Exposure/Employee Account Procedures

Davidson recommended the following steps be taken by every credit union:

  • Prohibit employees form performing transaction on their own and family member accounts
  • Have employees disclose family member accounts annually
  • Payment of “on us” checks at the teller line. “Don’t forget they can still perform transactions through the ATM,” said Davidson. “Bad guys love non-face-to-face transactions.”
  • Audit sample. Obtain account history for last three months.

“Cash recyclers will help mitigate a lot of cash problems. But the key then is who is loading and unloading the cash recyclers from the vault,” she cautioned.

 

More Steps to Take

Davidson further recommended more caution around ATM cash withdrawal by employees, saying it’s one of the biggest fraud trends. She called for CUs to implement segregation of duties/dual control over:

  • Vault cash
  • Verifying currency shipments
  • Replenishment of ATMs
  • Replenishment of cash recyclers and dispensers
  • Card control inventory for instant issue plastics

Davidson also offered the following advice and checklists:

Control Employee Access To:

  • Checks (corporate and cashier checks)
  • All cash
  • Credit union data and information

Other Steps:

  • Maintain an active supervisory committee/audit team
  • Conduct frequent surprise cash audits at least monthly
  • Establish dual controls over expenses for credit union and employee
  • Employee Dishonesty Prevention and Detection Checklist

Finally, Davidson offered this checklist for preventing or limiting losses from employee dishonesty:

  • Perform file maintenance report reviews by someone who does not have the authority to perform file maintenances
  • Mandate employee time off for all employees
  • Internal controls review by management and internal and external audits
  • Confirm every employee has signed a fraud policy and the fraud policy is complete and comprehensive and maintained in the employee’s HR file
  • Provide fraud training for all employees and volunteers
  • Emphasize fraud prevention and maintain a comfortable whistleblower policy
  • Never allow the person approving the loan to disburse the loan proceeds
  • Conduct audit review of the loans made in the lending area

 

Stay Informed on Resources from Allied Solutions: Join our e-newsletter list!

You Might Enjoy Reading

January 04, 2023 | Allied Insights
Round Up: Hot Topics Every FI Should Know
Read More
October 18, 2022 | Allied Insights
Is Crypto a Bust with Zero Trust?
Read More
April 04, 2023 | Allied Insights
Piecing Together the Digital Evolution Puzzle
Read More