"To me, I think that was the thing that struck me the most — how the long running schemes can impact companies," Karpp said. "The study found that the longer the embezzlement went on the larger it got."

The Hiscox Embezzlement Study was based on publicly available data regarding nearly 400 U.S. federal court cases in which employee fraud was alleged that either became publicly known or were active in the federal system during 2016.

The study found that the average loss from embezzlement schemes that continued for five years or more was $2.2 million, and for fraud schemes that ran for 10 years or more, the average loss totaled $5.4 million. Although companies of any size are at risk for embezzlement, small and midsize organizations that employ fewer than 500 people continue to be disproportionally victimized by theft. The study found 68% of embezzlement cases occurred at small to midsize companies and their median loss was $289,864. While 32% of embezzlement cases occurred at large companies that employ more than 500 employees, the median loss totaled $452,025.

In the financial services industry, where customers and members would expect tight internal controls to detect fraud, 37% of the schemes in financial services lasted longer than five years. Most of the bad actors worked alone to carry out their theft and the most common methods of stealing for long-running schemes included check fraud and stealing from funds in which the fraudsters take cash or deposits and transfer the money to an account they control.

The financial services industry accounted for more than 17% of the embezzlement cases, the most of any industry for the third year in a row, according to the Hiscox study. This sector had the highest single loss of $54 million and the highest total loss at more than $120 million. However, the median loss was $273,843. The IT and telecommunications industry represented just 3.3% of embezzlement cases but its median loss was $2.4 million.

Interestingly enough, Karpp noted, external auditors that organizations hire to check their books, typically don't catch the thief. He cited a 2014 global fraud study conducted by the Association of Fraud Examiners that showed only 3% of embezzlement schemes were detected by external auditors.

While most would assume financial institutions would have strong internal control to prevent embezzlement, the truth is that the fraud is typically carried out by an employee who has been at the organization for a long time and has a lot of trust with employees.

"A lot of times we've seen them overriding internal controls and a lot of their underlings will just do as they say and even help them cover it up," Karpp said.

Such was the case in one of the largest credit union embezzlement cases in 2013 that led to the collapse of the Taupa Lithuanian Credit Union in Cleveland and a loss of more than $30 million to the NCUSIF.

However, in the Taupa Lithuanian case, the NCUA decided to sue the credit union's external auditor, Skoda, Minotti & Co., a Mayfield Village, Ohio CPA firm.

Alex Spirikaitis joined Taupa Lithianian in 1987, and in 1995 became president/CEO. Sometime after that, he began to conspire with three former employees and members to embezzle millions and managed to conceal that theft from auditors, the board of directors and members. He was sentenced to 10 years in federal prison and ordered to pay restitution of $15 million.

In the NCUA $10 million civil lawsuit against the CPA firm filed in May in U.S. District Court in Cleveland, the federal agency alleged Spirikaitis' fraudulent conduct was able to go undetected for so long because the auditor failed to properly confirm the credit union's corporate cash accounts. What's more, the NCUA lawsuit also alleged that in February 2010, Skoda, Minotti & Co. received Taupa Lithuanian's actual account statements from the corporate credit union, which were overstated by approximately $13 million. However, the NCUA claimed the CPA firm ignored this overstatement and was "grossly negligent by its inaction."

In court documents answering the NCUA claims, Skoda, Minotti & Co. denied these allegations. Unless an out-of-court settlement is reached, this case is set to be heard before a jury in 2019, according to court documents.

Christopher Pippett, a partner at Fox Rothchild LLP in Exton, Pa., and a credit union fraud expert, said internal fraud can be prevented with an active supervisory committee of the credit union's board of directors.

"In my experience, I'd say about 50% of supervisory committee members whom I've talked to really understand what their function is and a good number of supervisory committee members seem to think that their duty is to hire the auditors and read the audit report," Pippett said. "I don't think that's a best practice. I think a best practice is really engaging with the auditors and maybe setting the scope of the audit each year by making sure the audit is different each year."

Pippett explained that supervisory committees need not be "super sleuths," but they need to work with their auditor to review and verify information supplied by management that can go a long way to detect fraud schemes sooner rather than later.

For example, the supervisory committee should be participating in periodic and unannounced cash counts of teller stations and the vault, and verify those cash count totals against a reliable source. Along with its auditor, the supervisory committee on a rotational basis should also be reviewing transaction documents and reports to look for unauthorized transactions, account manipulations, dishonest purchase orders, and fictitious or unauthorized loans. Many of these internal fraud issues can be detected by reviewing the accounts of employees and their family members – though credit unions should have policies that should prohibit employees from conducting transactions on their own or family members' accounts. But even if these policies are in place, supervisory committees should routinely review employee accounts.

Pippett said it's also important for the supervisory committee to independently verify the account balances of the credit union's corporate account balances and the amount of investment balances.

Supervisory committees don't have to do all of this work at once, Pippett explained. Rather, supervisory committee members should focus on different internal functions within the credit union on an annual rotational basis with their auditor.