Internal Fraud: Hear No Evil, Speak No Evil, See No Evil?
TROY, Mich. - The folks at the accounting firm Doeren Mayhew serve more than 150 credit unions throughout the United States, and they've learned when internal fraud is uncovered the credit union response usually zeroes in on keeping it quiet. Is it a question of, as the British quip, not wanting to frighten the women and horses? When Credit Union Times spoke with three members of the Doeren Mayhew staff, they laughed - then quickly agreed there does seem to be a desire not to stir up further trouble with members or regulators. The people we spoke with were Catherine Bruder, director of information technology assurance; Bob Parks, director of internal audit services; and Robin Hoag, director of the financial institutions group. All are CPAs, and they calculate they have a total of some 60 years experience working with credit unions. Bruder cited as a problem the fact fraud cases aren't publicized. "You don't realize the risks that are out there because you don't know what's happened to someone else," she declared. "There's a very strong initiative by the FBI to encourage financial institutions to confidentially relay to them suspicions they have along with specific incidents they've seen. "They can't seem to encourage that communication, even with assurances of confidentiality. It's a real struggle. It's not working as well as they'd like." Hoag added that information sometimes isn't provided, even confidentially, to the CEOs, the directors, the audit committees, the internal auditors or the external auditors. Parks also expressed concern about moving into a hush-hush mode. "You see at times within a credit union somebody may get caught doing something, maybe a small kite, and they would be reprimanded but wouldn't be terminated and the bond company wouldn't be put on notice. "It's important when something like that happens the person is terminated immediately and people within the organization know why they were terminated," Parks said. Bruder suggested today's technology works both for and against uncovering fraud. "It helps us secure information so there are fewer ways to conduct fraud than there have been in the past," she said. "There is actually a much better audit trail. When something does occur we have a much better opportunity to trace it. But in other ways it has made fraud easier, because you can do it without being seen." The fact a security feature is located in a system doesn't mean it is designed effectively, is being used effectively, or is being monitored to identify areas that have holes. "To improve member service," Hoag said, "credit unions have been required to do more faster on the lending side. Someone used to approve a loan. It would then be dispersed by another person. Now one person may take the application, run the credit report, create the documentation for the loan, approve it, and actually set up the funds for dispersing. "There's so much confidence and trust put into the top one or two technology people. There's not enough oversight and monitoring," said Hoag. Margins are squeezed at a lot of mid-size credit unions with perhaps $200 million to $300 million assets. They don't have the resources to manage risks and create adequate monitoring controls. Credit unions really need to assess any weaknesses. All three accountants emphasize an external audit alone doesn't provide a complete evaluation. A control system could operate perfectly one week, then fall apart the next week due to turnover, training or vacations. Hoag offered a familiar fraud recipe. "For a fraud to occur, a person has to have a burning financial need, an opportunity for access, a belief they won't get caught, and the ability to rationalize why it's an appropriate thing to do," he said. "`My mom is in the hospital, her bills are mounting up, I'm responsible for her, therefore I need the cash.' We have seen that exact scenario a couple different times. It's medical needs, gambling, alcoholism or drug abuse - some burning financial issue." Hoag pointed out every major fraud he has been involved in documenting has been carried out by people considered outstanding citizens who would have been on the Top Five leaders list in the community and in local credit union circles. He advises credit unions to establish hot lines for reporting fraud anonymously. The allegations can then be investigated by an independent third party. Parks added that in almost every major fraud he's seen somebody knew something was going on, something wasn't quite right. But they remained quiet for fear of risking their job or getting into trouble. "We worked on a fraud last year carried out by the person who managed the department," Parks recalled. "One of the employees later said, `You know, there were a couple things I thought were off. But he was my boss so I didn't question it.'" As they prepare for an audit, the entire Doeren Mayhew team gets together and brainstorms. Each one has different experiences with that client. They share those experiences and work to identify specific areas they need to examine. They are also required to talk to employees at various levels in the credit union, giving them an opportunity to share any information and insights they may have. The most difficult fraud to detect? Collusion, when two or more people have knowledge and access. One might have custody of assets. Another might have approval authority. One might have custody while another reconciles and monitors. As credit unions expand and technology grows, they need to make certain they have enough resources in place to evaluate the effectiveness of their internal controls. "There's a lot of reliance on the external audit," Hoag said. "If they don't have an internal audit department, an external audit alone may not always be adequate to identify weaknesses in their controls. "Sometimes when credit unions are growing quickly they don't add enough resources to make sure their internal control systems are growing with the institution and the size and complexity of transactions being created." -