“At one credit union, this individual was transferring money from dormant accounts to her daughter's account and then taking out the money,” Legge said. “It had been going on for three years and I’m sitting there asking, God, why didn't anyone check these accounts?”

A review of employee accounts and those of their relatives by supervisory committee members, the board treasurer or an outside auditor would have raised concerns and questions.

But sometimes these accounts are not reviewed because of laziness or some managers’ assumption that employees would never commit fraud, Legge said.

While credit unions have the ability to prevent employees from performing transactions on their own accounts, that doesn't prevent employees from conducting transactions on accounts for which they are the joint owner.

“There are additional controls that can be put into place to prohibit that, but a lot of credit unions say that's kind of treating employees like second-class citizens,” Legge said. “To me, that's just doing common sense controls.”

Fraud can also be commonly detected in suspense accounts. When an account is not balanced, it is typically labeled as a suspense account and flagged to be reconciled, but in many cases, they aren't.

“Because they are not reconciled or looked at, that's an area where you can dump [fraudulent] transactions and hide them because nobody is going to reconcile that, and that builds up over time,” Legge explained. “Someone should be going through and identifying what's in there and then deciding if it's something that needs to be looked into further or reconciled.”

Another problem area is cash missing from a credit union's vault, said Joette Colletts, a senior manager in business protection risk management for CUNA Mutual Group in Madison, Wis.

A lot of credit unions have the misconception that they have dual control, where two people have access to cash in the vault at all times.

“So credit unions think they have dual control because they say that two people have to go together to the vault, but it's not what we call forced dual control,” she explained. “If each person knows the entire combination to the vault, that's not forced dual control because one person could get in the vault alone. Credit unions need to divide that combination or have a combination key so that nobody has both components. Even if they have a camera monitoring the vault, there have been instances where a person covered the camera if they were in the vault alone so that no one could see what they’re doing. If you have forced dual control it is unlikely that you would have a loss because two people would have to conspire.”

Unannounced cash counts can also help reduce incidents of missing cash. Counts of cash items should be conducted by supervisors, auditors and/or supervisory committee members at least on a quarterly basis.

Fictitious loans are another common area where embezzlement occurs. This typically happens when one employee approves and disburses the loan. To minimize this exposure, credit unions should separate loan approval from disbursement responsibilities.

“Even in larger credit unions where they may have only a few people working in a branch, a loan officer may have total authority, but the credit union really needs to think about having someone else involved in that loan process,” she said.

What's also very important, however, is for an employee who does not have transaction authority to regularly review the credit union's file maintenance transaction report to look for red flag transactions, Colletts said.

An embezzler can manipulate the data on the file maintenance report to ensure phony loans never post as delinquent or the next payment due dates are advanced to conceal fake loans. Other red flags include changing interest rates on any account, changing the payment amount, several address changes to the same address, changing the payment frequency and changing the collateral codes.

Securing the verification of the credit union's assets such as balances and other financial information with its corresponding bank may seem like a no brainer, but when it's missed, it can be a big miss, NCUA Executive Director Mark A. Treichel said.

NCUA material loss review reports showed there was no actual verification of assets of some credit unions that became insolvent and were closed because of fraud.

It's important for auditors and supervisory committees to use the trust-but-verify principle so as not to overly rely on management assertions, Treichel said. To do this, they can implement a process to independently verify that assets exist within the audit steps.

“Those steps to verify those assets are a huge part of the whole puzzle because if the assets are there, then there's no loss,” he said.

Treichel also recommended credit unions use the NCUA's Supervisory Committee Guide, which is available for free on the federal agency's website.

“The Supervisory Committee Guide has 22 chapters with tons of checklists, including internal control checklists with yes and no type questions,” he said. “If you answer no to any questions, it means you have to take additional steps to improve your internal controls. So it is a training module, if you will, but it also can help develop an audit procedure that walks the supervisory committee through it and the steps they need to follow.”

Mike Sacher, a CPA who worked as a credit union consultant and was recently named CFO for the $947 million Xceed Financial Credit Union in El Segundo, Calif., said he's investigated many frauds over three decades and they all had one common thread.

“I saw that if only employees had the ability to, in a non-threatening way, express their concerns, so many of these frauds could have been either prevented or detected much earlier,” Sacher explained.

What's more, Sacher said he believes employees can serve as a frontline of defense against fraud because they can see control weaknesses at the workplace that may be overlooked by managers.

About three years ago, he established a web-based and telephone whistleblower service, Protect My Credit Union, which allows credit union employees to anonymously report suspicious activity and critical internal control weaknesses. Employees can also choose to provide their contact information.

To provide an incentive for employees to report fraud, Sacher recommends offering a financial reward that identifies actual fraud or abuse. Credit unions also may consider offering a periodic reward for the best internal control recommendation made by an employee.

Other ways credit unions enable their employees to anonymously report suspicious activity is with a post office box controlled by the supervisory committee. The NCUA also has a hotline that allows employees to anonymously report fraud at 1-800-827-9650 or 703-519-6550 within the Washington area. The federal agency said it receives about one call per month.

Requiring all employees to take at least one week of vacation every year can help detect fraud, Colletts said. Typically, embezzlers don't take time off because they have a constant need to monitor and manipulate internal information to keep concealing their fraud. An employee who is excessively controlling also can be a red flag, but not always. During an employee's vacation, his or her records should be reviewed by management.

Thoroughly screening prospective job candidates is another important step that may weed out potential fraudsters.

In addition to conducting a background check, drug test and personal and professional reference check, it is also essential if allowed by state law to review a person's credit report. A bad credit report is a red flag.

“I think you have to be a little bit concerned when somebody can't manage their finances and whether they are going to be able to work at the credit union,” Colletts said.

She also recommended credit unions do an FBI fingerprint check.

Finally, every credit union should have a written fraud policy document, which every employee should be required to read and sign every year. Credit unions also should review their fraud policy during training or educational sessions.