Shutting Down Internal Fraud Schemes Before They Begin
Seasoned internal fraud expert David Legge explains a few possibilities for enhancing internal controls.
Frequently, when I’m teaching on fraud, performing a fraud risk engagement or investigating an embezzlement to work up the information for filing a claim with an insurance company, I get asked, “Can employee fraud be eliminated?” Unfortunately, the answer is no. Then I am asked, “Can the effects be minimized?” The answer is maybe, depending on the level of commitment.
Let me explain a few possibilities for enhancing controls.
Overview of the Fraud Triangle
The conditions that enable employee internal fraud have not gone away. A quick discussion of the fraud triangle will point out the three elements that need to be present for fraud to occur. These elements or stages are used to try and explain the reasoning behind an employee’s decision to commit workplace fraud. These three stages are pressure, opportunity and rationalization. Sometimes, motivation and incentive are substituted for pressure.
If you have done your due diligence when hiring your staff, you will not hire individuals with a thought pattern that can lead to committing fraud when they start to work for you. That, however, does not eliminate the possibility. When financial or situational pressures occur, thoughts on how to solve these problems can often move to considering embezzlement.
Pressure That Generates Motivation
When financial difficulties arise, such as not having enough money to pay for college, retirement, family medical or marital problems, or uninsured accidents, or difficulties stemming from gambling, drug or legal problems, the situation many times becomes overwhelming. When the financial ability to resolve these situations is not available, or there is no other remedy to relieve the pressure of the situation, one’s thought process can get steered in other directions. The inability to obtain funds from other family members or to borrow can kick-start the fraud process. And as I indicated, unless the person already has criminal tendencies, they don’t go into their jobs planning to do this.
Rationalization
The next step in making this decision is rationalization. The prospective embezzler will think, “How can I justify obtaining funds through illegal means to myself?” The employee can overcome this step quickly, or it may be something they wrestle with for days or even months. Thoughts of rationalization can include: the penalties associated with the act are not severe; everyone else is doing it (this indicates the lack of a strong ethics policy and tone from upper management); no one else has ever been caught; I will just take what I need and pay it back; and/or I did not get the raise or promotion I wanted, so I am entitled to it.
I do not profess to know all the rationalization processes that individuals go through, but they need to be able to justify their scheme to themselves in order to move forward with it. In some cases, their justification can involve “keeping up with the Joneses” or the desire to project an enhanced image.
Rationalization Controls/Cases
Some of the key controls that can help prevent an employee’s rationalization that committing an embezzlement is acceptable have seriously eroded. Corruption has continued to increase. A strong tone from the top is hard to implement and even harder legally to enforce. Recent national events have made anyone who becomes aware of questionable activity within their credit union less than eager to report it or become a whistleblower. The majority of credit unions do not have any whistleblower policies, and if they do, they do not provide assurance of protection to the whistleblower.
Credit unions can attack the rationalization part of the Fraud Triangle with policies, procedures and swift follow-up actions when situations occur. Unfortunately, a credit union’s structure can prevent this from happening. In my career as a partner to credit union audit firms, I have been fired from an engagement only a few times. In 75% of these cases, it happened when I discovered a fraud, illegal act or evidence of kickback by the CEO. As per the American Institute of Certified Public Accountants (AICPA) policy, this was reported to the credit union’s supervisory committee.
Supervisory committee members are appointed by the board. In one case, because the board was also participating in the benefits of the CEO’s illegal actions, the board convinced the supervisory committee to overlook the items. In the other cases, supervisory committee members were removed from the committee because they were requesting action.
CUNA Mutual Group has an employee bond coverage review program. Some credit unions, after discovering improper activity, submit information to the bonding company to see if they will make the hard decision of making an employee no longer bondable. I can give many examples of times when even after illegal acts occurred, the insurance company said bondability could still be in force. The next year during the subsequent audit, bond claims in excess of $100,000 were filed on these individuals.
In one situation, an individual made an illegal loan to themselves. During the process of preparing the bond claim, the individual paid the illegal loan off. The credit union no longer had a reason to file a claim as it had not suffered a loss. After the credit union filed formal paperwork, CUNA Mutual Group said this employee could still be bonded. In this case, the credit union did not care about that decision and terminated the individual. Later, it denied the individual’s filing for unemployment. This entitled employee continued to fight, but the credit union prevailed. While the credit union incurred additional legal expenses, there was no doubt a strong tone from the top had been established and enforced. Employees were made aware and could not use “no one else gets caught” as a rationalization for committing fraud.
Opportunity
The last part of the fraud triangle is opportunity. It can be argued that opportunity can be the first, second or third step in this process. An employee realizes an internal control in their area of work is weak, causing them to believe an opportunity exists. They do not have any pressure or need to commit fraud, and do not have to rationalize their actions at this point. However, if pressure comes into play later, they will already believe they know how to manipulate the system to obtain funds.
Some people will argue that rationalization does not come into play until an opportunity is discovered. In all the credit union bond claims I have filed, I believed the rationalization hurdle had already passed, and the opportunity aspect was then researched, unless it was already known to the employee. There is no way to develop statistics to reveal how many individuals have contemplated stealing from their employing credit union. Some cannot identify a method that would avoid discovery, and therefore decide to do nothing.
The embezzlement cases we hear about are those that began with an opportunity and continued for a long time. The amount of the loss exceeded the bond coverage limit and the credit union was forced into liquidation or a merger. In the embezzlements I have been called to after their initial discovery to help determine the amount stolen and assist with recovery, there have always been warning signs that were ignored. My two favorites were when state examiners had reported that loan files were missing, and when a suspense account that appeared to be growing should have been reconciled. Both of these cases led to bond claims in excess of $1 million and the credit union being merged out of existence.
Prevention Steps
I have written several articles over the years discussing what credit unions can do to strengthen controls to prevent fraud from occurring. As performing a fraud risk assessment can be time-consuming, it should be an ongoing effort and not just a one-time occurrence. I can understand, but not rationalize, that the credit union might see this exercise as having a limited cost benefit. I have also heard credit unions say they do not have any problems, or that they are reluctant to have an assessment performed because something might be found, and then they would need to blame someone. Credit unions with a strong tone at the top do not think this way.
In every fraud risk assessment I have performed, I found current suspicious activity. In a few of these cases, two or more individuals were working together to steal funds. When collusion is involved, it is significantly more difficult to locate the occurrence, especially when one of the participants is part of the control element over the other. One way to identify a heightened risk of collusion is to find out about employees’ family relationships, whether employees are sharing the same apartment, or if there are rumors of beyond-work relationships that violate written human resources policies. Relationship identification procedures can cause a few items to be rated a higher risk, which when researched can lead to the discovery of the fraud.
Another process I have found effective is holding a joint meeting of mid-level operational managers to discuss how their departments would catch fraud. Before doing this, you need to get buy-in from upper management that you are not teaching the employees how to commit fraud, but demonstrating that opportunities that might appear to be available would be quickly discovered by processes or procedures put in place in other departments. If an opportunity does not appear to be protected by an appropriate discovery control, mid-level managers typically know of a process that can be put into place.
As a concluding suggestion, I would ask the internal auditors, risk managers and supervisory committee members of credit unions reading this article to lobby their trade organizations or NCUA contacts for user-friendly data analytics tools to be put into place as part of the Automated Integrated Regulatory Examination System (AIRES) upgrade or re-write. Over the years, my staff have developed various sorting routines using AIRES data to see if they can identify anything unusual. The routines can identify errors that are in the credit union’s database, but because of the sorting process and knowledge of how prior fraud schemes occurred, staff can also kick out accounts that should be reviewed for questionable activity.
This would be a very useful process for the NCUA’s examination teams, and even more useful for credit risk managers to incorporate as part of their standard routine. If the staff of a credit union is aware this is being done, it closes a huge potential opportunity gap – shutting down many fraud schemes before they even start.
David Legge is President/CEO of Legge Group in Springfield, Va.