There have been a handful of high-profile embezzlement cases in the credit union industry over the last few years. The most recent one involving the embezzlement of more than $40 million from a California credit union may be drawing much more attention to the problem than ever before.
In my 30-year history of being an examiner, credit union executive, and audit and compliance specialist, I do not recall seeing so many instances in such a short period of time. And the blame is being thrown all over the board from examiners, to third-party auditors and supervisory committees. Here is the reality though: good criminals will always find ways to steal money and take advantage of poor processes and inadequate supervision.
In my opinion the old guard is the one that needs to look back and ask themselves if they taught the basics to the new leaders of our industry. Something as simple–and apparently not an industry standard–as reviewing the credit union check register by someone who doesn’t reconcile it. Trust but verify. (If this isn’t best practice, it definitely should be!)
This shortcoming was apparent in the latest case and in another for which I assisted in the forensics. Seeing these individuals’ lifestyles and not stopping to ask yourself how does a CEO of a $21 million credit union drive a Porsche and own a second home in Reno or how a CFO of a $60 million credit union who built a multi-million dollar home in rural Michigan is a mistake. It’s a difficult subject to breach, but we can’t be so politically correct as to not at least verify there’s nothing fishy going on at our institutions. I am not suggesting we pry into the lives of our leaders, but when something so apparent stares us in the face we need to ask those difficult questions.
Did we forget to teach the new leaders of our institutions the importance of thoughtfully reviewing file maintenance, analyzing employee activity, and understanding the third party auditor scope and de minis decisions? Did we forget to tell them to spot check financial statement configurations or do deep dives into the settlement and suspense G/Ls on a quarterly basis? Did we forget how to review general ledger transactions and test the numbers? Did we forget to train our supervisory committee members and staff, and in so doing, make sure they know someone is paying attention? The answer: it would appear so. And this is nothing to say of the internal controls offered to you by your core solutions built specifically to prevent this. (Don’t know about them? Give me a call!)
What floors me is the majority of these embezzlement cases were successful not just because those who carried them out were smart, but because they recognized and took advantage of weak internal controls. Controls that in my day were industry known and expected. It’s time for the old guard to ignite some memories of old and double check more, because what appears obvious may not always be the case.