The Key to Internal Fraud Controls? Get Back to the Basics

Learn key strategies for evaluating your CU's internal mechanisms from a 30-year industry veteran.

Source: ptnphoto/Shutterstock

In 2019, the credit union industry was baffled by yet another high-profile case of embezzlement by a credit union CEO. How could an employee of the $21 million CBS Employees Federal Credit Union pilfer an incredible $40 million? Finger pointing at all the individual areas of failure may provide some relief to those involved, but it does nothing to deter future malicious actors from achieving similar results. But with a few simple steps, the industry can get on the right track and it starts with one thing: Getting back to the basics.

As a 30-year veteran of the industry, including time spent as an examiner and audit and compliance specialist, I’ve taken it upon myself to help credit unions safeguard themselves against these kinds of situations. In reviewing the case at CBS Employees, it became clear that basic internal controls were being ignored. Now’s a great time to evaluate your own internal mechanisms. Some of these may seem self-evident, but based on this embezzlement case and many others, they may simply have been forgotten.

Financial Statements Are the First Line of Defense

Reviewing your financial statements is an absolute must, and it’s the first place to start for preventing embezzlement. Start by comparing the full financial statement to the financial configuration on the core and verify it against the member trial balance – your goal here is to see if you can detect a second set of books.

You’ll also want to reconcile the trial balance against control general ledger (G/L) accounts to ensure no hidden accounts are lurking. When it comes to printing your financials, don’t skimp by electing not to include zero balance G/Ls. Malicious actors might be conducting activity in those knowing the activity might be missed.

Another important item to check for is whether there were any reversing G/L entries for the prior quarter after the Call Report has been filed. Every big embezzlement case used this methodology for hiding activity from examiners.

The last item I’ll mention here (and this is not exhaustive!) is to audit the individuals performing reconciliations. Surprise them. Check manual entries. Pay particular attention to suspense and settlement general ledgers. Having a better grasp and backups for the financial statements will go a long way toward preventing disaster.

Don’t Let Member Accounts Be a Haven for Bad Actors

When it comes to monitoring member accounts, there’s a lot to watch for. Dormant accounts are the low-hanging fruit, but there are plenty of other areas to audit. I recommend verifying annually what accounts employees are on, and performing a monthly review of activity in accounts, being mindful of transfers from G/L entries.

Does your core allow the suppression of activity or entire sub-accounts from appearing on member statements? If so, you should be auditing those accounts and transactions to ensure the reasons were valid. This goes for base member account activity. Many members may have that account just for the membership, and never give it another thought – that’s an opportunity for fraud if you’re not monitoring for suspicious activity.

Be thoughtful when choosing individuals to do the reviews of file maintenance. Train them to be suspicious and give them the authority to research and report. They should have a firm understanding of those fields that could be used to cover up illegal activity. Always review changes against source documents.

Other Operational Areas to Keep an Eye on

There are other areas your internal auditors should keep an eye on outside of financial statements and member account activity. Has your cash accounting become predictable? Money can and has been moved from vault to cash in transit just prior to a surprise cash count. Do not develop a routine for cash counts. A surprise is just that. Unstrap bills and always count TCDs and ATMs. Review G/L postings to all cash-related G/Ls prior to and after the surprise cash counts.

I also recommend instituting a policy of requiring those responsible for maintaining general ledgers, posting items and generating financial statements to take five consecutive business days of vacation without access to the core. By having somebody else perform these duties, you might detect fraud by a single employee.

Other items include auditing your check register for checks cut out of G/Ls versus member accounts and reviewing your accounts payable vendors. The person approving an invoice should not also be the one cutting the checks. Watch out for fictitious vendors!

Lastly, are you making sure there is an appropriate segregation of duty? This can be a tough ask where one employee is asked to wear many hats. But improper segregation of duty elevates the risk of fraud.

Diligence Is Crucial

I’ll be the first to admit that performing internal audits is not always the most exciting job at the credit union. But uncovering suspect behavior before it has an opportunity to grow into something truly destructive should get us jazzed to do the work. Hopefully the above recommendations get you back into the spirit of doing the basics to prevent fraud. Although there are even more areas I can recommend to mitigate your risk of internal fraud, adding some of these to your routine if you weren’t doing them before can go a long way.

Jim Vilker

Jim Vilker, NCCO, CAMS, is Vice President of Professional Services for AuditLink, the audit and compliance division of CU*Answers, in Grand Rapids, Mich.