The last five embezzlement reviews I have performed all hadsimilar characteristics. The embezzlement had been going on foryears, but was not detected. I was asked to assist in a review forwhat examiners thought were some minor irregularities. All thecredit unions had been examined by federal and/or state examinersat least three times, and contracted individuals performed agreedupon procedure exams at least twice or three times. Some of thecredit unions were getting their AUP exam every 18 months. All ofthe resulting bond claims filed were in the six figures. When westarted, we were told there might be a little problem. Two of theclaims exceeded the credit union's bond coverage limits. But thesimilar characteristic they all had, was that there were fraudwarning signs in a lot of different areas that were ignored, notfollowed up on or not discovered.

In all of these cases, if some basic minimum procedures had beenperformed by the supervisory committee, treasurer of the board, orsome responsible individual at each credit union, these activitieswould have been caught early on. For the credit unions that had tobe merged, these procedures may have saved the credit union and itsmembers from their merger fate. In most credit unions, some of theprocedures discussed below are being handled by the internalauditor or a contracted individual. The definition of a smallcredit union has been increased to $100 million in assets, andthese comments are geared toward the small credit union audience.However, they should be considered for inclusion in every creditunion's control procedures.

Small credit unions for many reasons do not have the benefit ofan internal control framework. Because of their lack of controls,or controls that can be easily overridden, the need for anindependent set of eyes by default gets delegated to thesupervisory committee. This oversight function is extremelyimportant and must be diligently performed.

Some of the warning signs that were ignored, and could have ledto the fraud being quickly discovered if it they had beenmonitored, are discussed below:

Corporate credit cards: All of these creditunions let members of upper management have a corporate creditcard. They also permitted personal transactions to occur on thecards. In a couple of the credit unions, they even had a policycovering personal use. But in all cases, the person misusing thecard was also the person responsible for handling and recording therepayments made. Receivable accounts were not set up for these“borrowings” and there was no supervisory committee or treasurerreview of the statements and original charge slips. If repaymentswere being made by payroll deduction, the amount being deductedapproximated 20% or less of the average monthly charge. In onecredit union, the supervisory committee did review the statementand identified the charges to be repaid, but there was no follow-upto see if these payments actually occurred. In all five creditunions, the misuse of the corporate card was the first area inwhich improper activity occurred. When no action was taken to curbthis, each individual then branched out to other areas to obtainfunds.

Employee accounts: Almost all credit unions letemployees have an account at the credit union. This by itself isnot a problem. Almost all data processing systems have flags thatcan be set to prevent an employee from performing a transaction ontheir account. However, for smaller credit unions, most of uppermanagement has the override privileges to negate this control. Ifan override is used, it is always captured on a control report. Inthese credit unions, no one was reviewing the override report,and/or the override report was not being printed or stored inoptical.

However, the override reports were not the only affected area –no one was looking at the actual statement of employee accounthistory or at other related accounts for family members. In most ofthese credit unions, just looking at the statement should haveraised concerns. Accounts were permitted to go negative, no feeswere being charged on accounts, loan due dates were being bumped,twice-a-week ATM withdrawals from the ATM at a casino or anotherinappropriate location had been occurring, loan payments were beingreversed, share drafts were being posted without check or referencenumbers, and transfers of funds from inactive accounts werecompleted using overrides, just to name a few of the incidentsobserved in the employee's account. Most of this activity had beengoing on for years with no discovery or investigation.

Reconciliations of bank accounts and/or corporatefederal credit union accounts: In most cases the personmaintaining the accounting records was also doing thereconciliation. There was no independent verification.Unfortunately, this also included the examiners and individualsperforming the agreed upon procedures. The outstanding check listdid not add up. Items listed as deposits in transit were false, andfalse miscellaneous adjustments were listed. When the “balancing”errors were becoming too voluminous, they were removed from thereconciliation to a suspense account. No reconciliations were beingprepared on the suspense accounts. One AUP report in which thesuspense account had a $400,000 balance did indicate an accountthat was not being reconciled. However, this auditor and thesupervisory committee did not conduct further follow-up to thiscomment.

Aires Download. The NCUA requires all federalcredit union data processing systems to have the ability togenerate an Aires download of member share and loan data in aformat prescribed by the NCUA. Obtaining this download and thensorting the data according to various fraud routines provides veryinteresting results. For the credit unions discussed in thisarticle, it resulted in easy identification of loans made outsideof policy, loan accounts being manipulated, and share accounts withhigh activity traits outside of what normally would beexpected.

Call report information: This procedure is notas good for catching fraud that has just begun, but it can provideadditional areas of review for fraud that has been going on for aperiod of time. It has been my experience that individualscommitting fraud or embezzlement realize that they cannot continueto do the same thing without being discovered. For fraud that hasbeen going on for a number of years, the pattern and areas ofactivity frequently change. Once again, the NCUA has created a toolavailable to anyone, which can be used for analysis of any creditunion. Once the quarterly call report information has beeninputted, the financial performance reports become available forreview on the NCUA's website. These reports have two components:Financial Summary and Ratio Analysis, which provide informationalcomparisons of quarterly data. In all five of these recent cases,review of these reports identified a change in ratios and/orbalances in the financial summary that did not make sense from anormal credit union operation standpoint. Researching thesequestions either provided additional supportive information, or ledto identification of a new area of fraudulent activity.

Finally, if your credit union is not going to perform an annualfraud assessment, or incorporate some of the procedures recommendedabove in your control process, then your management should not addto your losses. Management should ensure they understand coveragesub-limits, read the definitions and exclusions, and have themaximum coverage amount of audit claims covered on your bond.Locating and determining the amount, the various schemes used, andthen preparing the documentation for the bonding company to pay theclaim will cost more when the period of time covered is moreextensive. You also want to make sure that the job of prosecutionby the FBI or other jurisdictions are made easier. The bondingcompany will be much more willing to pay your claim if they knowthe FBI is readily willing to take on your case and pursueprosecution. It has been my experience, that in spite of theiralready heavy workload, if you provide the FBI a solid, detailedpackage to work from, they will diligently pursue prosecution andattempt to assist in recovering any available assets.

David Legge is president/CEO at Legge Group. He can bereached at 703-257-1364 or [email protected].