EVERETT, Wash.-Internal fraud is typically the result of three elements-incentives/pressures, rationalization and opportunities. But the only part of this "Fraud Triangle" credit unions can control is the latter.
That is the message from Dustin Birashk, senior manager for Moss Adams LLP, the 11th-largest accounting firm in the United States. Birashk has been in public accounting since 1999 and specializes in audits of financial institutions. He told Credit Union Journal troubles in the economy in recent years have caused an increase in the first two elements of the Fraud Triangle.
"People might be feeling pressure if their spouse lost a job," he explained. "The bills are the same, but there is less money coming into the household. And they might rationalize that they have not received a raise in a couple of years, so they'll just take a little off the top."
Moss Adams has identified eight Best Practices it said help limit the opportunities for stressed employees to give in to temptation:
1. "Tone at the Top." "A credit union needs to have a culture of communication," he said. "The CEO should have an open-door policy. The board and supervisory committee should know what is expected of them. If there are issues, board and management need to know how to respond."
For example, said Birashk, if a member service representative steals from his or her drawer and only gets a slap on the wrist, that would not set the proper tone for people who do follow the rules of the organization.
2. Segregation of Duties. At its essence, Birashk noted, segregation of duties separates those who have access to the certain processes within the organization from those responsible for record keeping.
"The best example is someone in accounting that has access to wires," he said. "If that person had an outside account they could send a wire and then cover up the transaction."
The More Eyes, The Better
A best practice is to have one person send a wire, while another person is responsible for recording the transaction. Better still: a third person would be in charge of reconciling the accounts.
"The more eyes on the situation the better," he said. "Segregation of duties goes a long way toward limiting opportunities for employees to steal, unless there is collusion. If two or more employees collude, that makes prevention a lot more difficult."
Many businesses, including credit unions, are running with fewer people than they had two years ago, Birashk acknowledged. He said in a situation where a CU might not have a large staff-and certainly in the case of small credit unions that might have five or fewer employees-creativity is necessary.
3. Whistleblower Policy and Hotline. Having a process in place for employees to anonymously report suspected fraudulent activity gained momentum with the passage of the Sarbanes-Oxley Act of 2002, Birashk recalled. Public companies over a certain size are required to have a hotline for employees to report fraud if they do not feel comfortable going to their supervisors.
"Many smaller financial institutions have adopted this as a best practice," he said. "The phone number could go to the board chair or the supervisory committee chair-someone outside of executive management. This works for credit unions of any size, is easy to implement and is cost-effective. If a teller sees his supervisor doing something that doesn't look right, he has the opportunity to make a call."
4 & 5. Rotation of Personnel and Mandatory Vacations. These two "go hand in hand," Birashk said. The reason: often times in the financial services industry fraud is perpetrated by an employee who is "super helpful" and single-handedly takes care of everything.
"That person is the first one there and the last one to leave," he said. "In hindsight, after fraud is discovered, that person always had to be there to monitor transactions. A mandatory one-week or two-week vacation, that includes no access to the system, allows fraud to be uncovered."
Rotation of personnel also helps in cross-training, which avoids situations where one person does the same job for 10 years, leaves, and no one knows how to do an important function, he added. "In some accounting departments one person always handles payroll and one always does accounts payable-they should switch off at intervals," he advised.
Due to the widely varying number of employees at CUs of different sizes, Birashk said it is up to the organization how often and how much notice is given before mandatory vacations are taken or personnel are rotated.
6. Reconciliation and Review Process. Every CU should have a standard reconciliation and review process in place to ensure the subsidiary and general ledgers agree, Birashk said. "The people performing the reconciliation should be separate from those who processed the transactions during the review period."
Limiting Access
7 & 8. Setting of Accounting System Privileges, and Reviewing and Adjusting Access Levels. Another pair of best practices that go together, Birashk said, adding the important concept is who has access to which parts of the system. "Setting access is a front-end control. One way to limit opportunity is to limit system access. Access should be commensurate with job responsibilities," he counseled. "Tellers do not need access to accounts payable. Loan officers do not need access to share account files, or at most they should have inquiry-only access."
The core systems most credit unions use have "pretty robust" access privilege abilities, Birashk said, making the setting and/or adjusting of access levels a matter of "executing." He added that CUs can save time by setting access by job title. For example, all loan officers would have pre-defined access privileges.
Of all the best practices, Birashk singled out one: "Tone at the top sets the foundation for all other aspects," he declared. "A credit union can have controls in place, but if management does not set the tone it will not matter."
