Earlier this year, I wrote about the more than $40 million embezzled by a former CEO of CBS Employees FCU and how credit unions need to get back to the basics to prevent embezzlement. How did that much money escape the notice of internal auditors, supervisory committees, staff, and the NCUA? We’re talking about a credit union that was just over $21 million in assets! Unfortunately, these cases are not altogether uncommon, and in many cases can cost the credit union its charter.

As a 30-year veteran of the industry, including time spent as an examiner and audit and compliance specialist, I felt it was my duty to help credit unions safeguard themselves against these kinds of situations. In reviewing the case at CBS Employees, it became clear that basic internal controls were being ignored. Here are protections every credit union should be using. Some of these may seem self-evident, but based on this embezzlement case and many others, they may simply have been forgotten.

For my complete list of goals and tactics for each area of credit union operations, check out the AuditLink white paper.

Recommended controls for financial statements

Financial statements should be the first line of defense for preventing embezzlement. Here are some items to be on the lookout for:

Compare the full financial statement to the financial configuration on the core and verify against the member trial balance.

Reconcile the trial balance against control general ledger accounts.

Determine if zero balance G/Ls are suspended from printing on financials. Always print a full financial statement.

The individual who completes reconciliations should be audited on a surprise basis, paying particular attention to suspense and settlement general ledgers.

Review reversing general ledger entries for the prior quarter after the call report has been filed. Every big embezzlement case had this as methodology for hiding activity from examiners.

Perform a monthly audit of all manual entries made to control accounts.

Recommended controls for improper use of member accounts

Another major area to watch for is in the improper use of member accounts. Keep an eye out this type of activity:

Audit statements monthly for suspicious activity. Your credit union should also have a policy in place on exactly what should be allowed to flow through these accounts.

Annually verify what accounts employees are on. Perform a monthly review of activity in accounts and be mindful of transfers from G/L entries.

If the core allows the suppression of activity or sub accounts then audit those transactions and accounts which were set not to appear.

Be thoughtful when choosing individuals to do the reviews! Train them to be suspicious, give them the authority to research and report. Understand those fields that could be used to cover up illegal activity. Always review changes against source documents.

Ask questions when reviewing higher risk activity such as transactions on dormant accounts. Review file maintenance for accounts that were reset for dormancy monitoring and had other subsequent changes such as address or email. The one who monitors dormant account activity should not have teller line authority!

Recommend controls for other operational areas

Beyond financial statements and member account activity, there are a handful (but not an exhaustive list) of other areas internal auditors should keep their eyes on to ensure all activity is above board.

Review of G/L postings to all cash related G/Ls prior to and after the surprise cash counts. Money can and has been moved from vault to cash in transit just prior to a surprise cash count. Do not develop a routine for cash counts. A surprise is just that. Unstrap bills and always count TCDs and ATMs.

Require 5 consecutive business days of vacation with no access to the core for those responsible for maintaining general ledger, posting items, and generating financial statements. Have someone else perform the duties of the other staff member while they are on leave.

Audit the check register for checks cut out of G/Ls vs. member accounts to determine if they look appropriate.

Verify that the person approving an invoice is not the one cutting the checks. Audit new account payable records to verify the existence of the vendor.

Auditing employee access privileges to the core platform for appropriate segregation of duty. Reviews should be done quarterly.

Stay diligent

I’ll be the first to admit that performing internal audits is not always the most exciting job at the credit union. Although, uncovering suspect behavior before it has an opportunity to grow into something truly destructive should get us jazzed to do the work. Hopefully the above recommendations get you back into the spirit of doing the basics to prevent fraud. For the full list of areas I recommend, check out the complete white paper published by AuditLink.


  • Jim Vilker

    Mr. Vilker has been in the credit union compliance, regulatory, and audit space for over 30 years. Over that time he has served as a regulator, credit union executive, and currently as the leader of AuditLink, a division of cooperative CUSO CU*Answers. Jim achieved his NAFCU Certified Compliance Officer (NCCO) designation in 2009 and recently received his Certified Anti-Money Laundering Specialist (CAMS) certification from ACAMS.

  • Kamala Brody#1

    September 13, 2019

    As always, excellent material Jim. Your advice is not only timely for credit unions, but also for those of us in CUSOs. We have a duty to our member credit unions to ensure our shops have sufficient checks and balances in place. As CUSOs expand their services and regulatory scrutiny of CUSOs increases, executing sound internal controls just makes sense. Thanks for waving this rather unpopular flag.


Your email address will not be published. Required fields are marked *