​The Lottery Loser

A credit union CEO's alleged multi-million-dollar theft spotlights the need for financial controls over executives.

Comments Views

​U.S. federal prosecutors have charged the CEO of New York state's oldest credit union with swindling the institution out of $6 million since 2013, CNBC reports. According to the U.S. Attorney for the Southern District of New York, Municipal Credit Union CEO Kam Wong deposited hand-written checks from the credit union into his personal account. He also allegedly obtained reimbursements for fake dental work and a long-term disability insurance policy. Prosecutors say Wong spent most of the money on lottery tickets by writing checks to local convenience stores. Moreover, he sought money from other sources to feed his lottery habit, prosecutors claim.

Lessons Learned

Previous articles have discussed the specific risks, types of employee fraud, and ways to detect and prevent fraud in the not-for-profit sector (see box at right). Given the significant amounts of money involved in this story, it is a good opportunity to review some of the most relevant lessons for internal auditors.

Laws and regulations for credit unions vary from state to state. Generally, they are required to have appropriate internal financial controls in place and regularly audit their financial statements and reporting. It appears that was not enough in the case of Municipal Credit Union.

Sidebar: Not-for-Profit Fraud

Here are additional stories about preventing and detecting fraud in not-for-profit organizations.

In the many cases and research about fraud in the not-for-profit sector, the most often cited critical control measures to help prevent fraud are regular and active board oversight and clear roles and responsibilities regarding financial controls. These include:

  • Oversight. In this story, it does not appear that the credit union's board exercised sufficient oversight. Boards should monitor financial assets, budgets, and expenditures, and question any large amounts, patterns, and irregularities in financial accounting activities. In particular, boards of not-for-profit and similar organizations should demand that the structure of financial controls and reporting be appropriate for the organization's mandate and business focus.

    The scope of these controls should include the financial activities of the organization's executives. Boards should require fraud risk assessments, or similar external assessments of the organization's financial situation and risk, to identify irregularities and unclear policies, procedures, or practices. Then, the organization should conduct regular audits that go well beyond the standard assessment of the reliability of information used in financial statements and reporting.
  • Financial controls. It seems that few controls existed or were followed governing the way in which money was handled by the credit union's CEO, nor did the organization have sufficient controls over invoices and receipts submitted. In addition to allegedly receiving and depositing $6 million in hand-written checks over five years, Wong was able to write checks to himself without sufficient documentation or receipts.

    Organizations should establish rigorous controls to govern access to bank accounts and to scrutinize withdrawals, including by executives. Measures should be in place such as requiring dual signatures for checks involving large dollar amounts. Such controls could have enabled the credit union to flag the $6 million involved in this case for further scrutiny, even if it was stolen over many years.
  • HR management policies and whistleblower mechanisms. It's nice to think that all long-term and senior employees doing the same job can always be trusted. However, for critical jobs where material assets are under their control, safeguards are needed such as regular background checks and updates to determine lifestyle changes that could have been driven by employee theft.

    In this story, Wong allegedly wrote close to 300 checks amounting to more than $3.5 million — an average of over $12,000 per check — to cover his lottery ticket purchases. This should have raised a red flag.

    Where fraudulent activity is discovered, circumstances might warrant a negotiated settlement, but it is better to act decisively to discipline, terminate, and prosecute the employees found responsible. This sends a message of deterrence and zero fraud tolerance to employees, clients, and stakeholders.
Art Stewart
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Art StewartArt Stewart<p>​Art Stewart is an independent management consultant with more than 35 years of experience in internal audit, financial management, performance measurement, governance, and strategic policy planning.​​​</p>https://iaonline.theiia.org/authors/Pages/Art-Stewart.aspx


Comment on this article

comments powered by Disqus
  • AuditBoard_Pandemic_May 2020_Premium 1_
  • Galvanize_May 2020_Premium 2
  • IIA CERT-Online Proctering_May 2020_Premium 3