U.S. federal prosecutors have charged the CEO of New York state's oldest credit union with swindling the institution out of $6 million since 2013, CNBC reports. According to the U.S. Attorney for the Southern District of New York, Municipal Credit Union CEO Kam Wong deposited hand-written checks from the credit union into his personal account. He also allegedly obtained reimbursements for fake dental work and a long-term disability insurance policy. Prosecutors say Wong spent most of the money on lottery tickets by writing checks to local convenience stores. Moreover, he sought money from other sources to feed his lottery habit, prosecutors claim.
Previous articles have discussed the specific risks, types of employee fraud, and ways to detect and prevent fraud in the not-for-profit sector (see box at right). Given the significant amounts of money involved in this story, it is a good opportunity to review some of the most relevant lessons for internal auditors.
Laws and regulations for credit unions vary from state to state. Generally, they are required to have appropriate internal financial controls in place and regularly audit their financial statements and reporting. It appears that was not enough in the case of Municipal Credit Union.
Across the many cases and studies of fraud in the not-for-profit sector, the most often cited critical control measures to help prevent fraud are regular and active board oversight and clear roles and responsibilities regarding financial controls. These include:
Oversight. In this story, it does not appear that the credit union's board exercised sufficient oversight. Boards should monitor financial assets, budgets, and expenditures, and question any large amounts, patterns, and irregularities in financial accounting activities. In particular, boards of not-for-profit and similar organizations should demand that the structure of financial controls and reporting be appropriate for the organization's mandate and business focus.
The scope of these controls should include the financial activities of the organization's executives. Boards should require fraud risk assessments, or similar external assessments of the organization's financial situation and risk, to identify irregularities and unclear policies, procedures, or practices. Then, the organization should conduct regular audits that go well beyond the standard assessment of the reliability of information used in financial statements and reporting.
Financial controls. It seems that few controls governing how the credit union's CEO handled money existed or were followed, nor did the organization have sufficient controls over the invoices and receipts submitted. In addition to allegedly receiving and depositing $6 million in hand-written checks over five years, Wong was able to write checks to himself without sufficient documentation or receipts.
Organizations should establish rigorous controls to govern access to bank accounts and to scrutinize withdrawals, including by executives. Measures should be in place such as requiring dual signatures for checks involving large dollar amounts. Such controls could have enabled the credit union to flag the $6 million involved in this case for further scrutiny, even if it was stolen over many years.
Policies and whistleblower mechanisms. It's nice to think that all long-term and senior employees doing the same job can always be trusted. However, for critical jobs where material assets are under their control, safeguards are needed such as regular background checks and updates to determine lifestyle changes that could have been driven by employee theft.
In this story, Wong allegedly wrote close to 300 checks amounting to more than $3.5 million — an average of over $12,000 per check — to cover his lottery ticket purchases. This should have raised a red flag.
Where fraudulent activity is discovered, circumstances might warrant a negotiated settlement, but it is better to act decisively to discipline, terminate, and prosecute the employees found responsible. This sends a message of deterrence and zero fraud tolerance to employees, clients, and stakeholders.