After reading about a credit union IT vice president who embezzled more than $2.6 million by selling computer network equipment, Joseph Visconti, a former NCUA IT auditor who worked at the agency for 30 years, said his jaw dropped.

Along with other IT security experts, Visconti raised serious questions and concerns over how David Lugo, the former IT vice president at SchoolsFirst Federal Credit Union, managed to sell $260,000 worth of IT equipment annually for more than 10 years, undetected, from his office at the $10.4 billion cooperative in Santa Ana, Calif.

Though SchoolsFirst released a prepared statement, it kept mum on specifics as to how and why this fraudulent scheme occurred, citing in part security reasons.

"For security reasons, we cannot divulge the details of our internal procedures," SchoolsFirst said in response to one of several questions asked by CU Times. "However, we can share that since the incident was discovered, the credit union has implemented additional internal and external audits and controls to ensure this doesn't happen again."

In a guilty plea deal with federal prosecutors in Santa Ana during the week of Sept. 15, the 41-year-old Lugo admitted to ordering IT equipment that was neither needed nor authorized by SchoolsFirst and wiring funds from a credit union account to pay for the equipment. After the equipment arrived in the mail at his office in Tustin, Lugo sold it to resellers in Orange County, court documents showed.

For more than a decade, Lugo lived a lavish lifestyle with his family, spending the embezzled credit union funds on a family trip to Hawaii, a European vacation with his wife, family trips to Disney World as well as multiple trips to Las Vegas and other local casinos and resorts, according to court documents.

Lugo also used the stolen money to pay for vehicles for his wife and himself, jewelry for his wife and daughter, cosmetic dental work, expensive lunches and dinners, tuition for his daughter's education at the University of Southern California and medical bills for a family member.

In a prepared statement, SchoolsFirst said it has strong controls in place to monitor fraudulent activity both on members' accounts and within the organization, and it has implemented additional internal and external controls to ensure this doesn't happen again.

"Because of his executive position, this employee had the unique ability to abuse the privileges he was entrusted with," SchoolsFirst said.

However, federal prosecutors pointed out in court documents that Lugo got away with the fraudulent scheme from 2003 to July 2014 because the inventory in the IT department was not well monitored and other employees were not in a position to understand the company's IT equipment needs. Lugo also erased computer entries relating to the multiple purchases of the IT equipment, according to court documents.

An IT security officer at a billion-dollar credit union, who spoke on the condition of anonymity, asked how Lugo was able to order the equipment, how the credit union tracked general ledger numbers or other purchases, and whether these expenditures needed to be tied back to a purchase order or budget.

He also noted that the IT equipment Lugo ordered and sold was expensive. For example, earlier this year, Lugo ordered two Cisco Catalyst 6500s, which cost more than $33,000 and $66,000, respectively, according to court documents.

"In organizations that I've worked for or been involved with, something like (a Cisco Catalyst 6500) would be verified by accounting," the IT officer said. "They would want to know what budget general ledger to count the purchase against, they would want to asset tag the equipment, and they would want to set it up for depreciation."

He added, "This is nothing against SchoolsFirst. I'm just finding it hard to understand what the environment was that allowed an average of $260,000 a year to be spent by one individual [even given that he was a vice president] without kicking in checks and balances."

Visconti, who owns an IT consulting firm in Austin, Texas, speculated that Lugo may have had administrative access to critical systems such as the core system or ACH processing. He also said Lugo's long tenure at the credit union might have allowed him to secure access to these systems as part of his work requirements. Lugo joined the credit union in 2000 as a systems administrator.

"With administrative access of that nature, he did not have to concern himself with any type of procurement requirements established within the organization," Visconti said. "Access control reviews are a key element in assuring that staff members have permissions they need to perform their duties and nothing more. No executive, unless it is the smallest of credit unions, should be a systems administrator or have any operational authorities."

Visconti also pointed out that the IT equipment Lugo sold is big, bulky and heavy. He was puzzled about how Lugo took delivery of all of that equipment and how he moved it off site.

Federal prosecutors said SchoolsFirst discovered the fraud after conducting an internal audit.

Kurt Lykins, former vice president and chief technology officer for Corporate One Federal Credit Union in Columbus, Ohio, said he is surprised there hasn't been more fraud discovered because in his experience, he has found a lot of IT departments that lack controls. Lykins said he left Corporate One last year to take over his father's accounting business.

"A lot of credit unions get in trouble because IT tends to speak in a kind of a different language," Lykins said. "So, a lot of people don't necessarily understand where the risks of IT are. So, if you don't know where the risks are, you don't know where to put the appropriate preventative controls and then the audit controls to uncover mistakes or fraud."

Lykins recommended that credit unions consider hiring an independent third party that is knowledgeable about IT and can help identify the risks and implement appropriate controls.

"I think a lot of people don't understand what the risks are in IT and don't pay attention to them until something bad happens," Lykins said. "I think people want to just understand IT at a top level and hand it over to someone to just take care of it. So people can abuse that privilege and it sounds like that is what happened."


Peter Strozniak

Credit Union Times reporter covering credit union operations, fraud, M&As, leagues, business continuity, and breaking news.