How Does a Finance Director Steal $800K?
The short answer is that it is much too easy if basic controls are missing.
Cincinnati.com summarizes the missing controls in the case of Covington, Kentucky’s former Finance Director Bob Due in the lead paragraph of the story:
The city of Covington gave complete control over millions of taxpayers’ dollars to one man for more than a decade – an “inexcusable” error that resulted in nearly $800,000 embezzled, the Kentucky auditor said.
This is a classic story about an opportunist who defrauded his employer of almost a million dollars, yet avoided detection for years until he made a mistake in the summer of 2013. All of this loss could have been prevented with standard controls.
For 13 years, Bob Due was able to take money from the city right under the noses of four different mayors and four city managers. All told, he wrote 68 checks to himself, relatives, or fake vendors. In the aftermath, the audit revealed a slew of red flags that should have signaled danger:
- Mr. Due was the IT system administrator with control of financial software, with no oversight.
- General IT security was inadequate, with Due as system administrator.
- Payables procedures were lax, such as the lack of a check register to compare beginning and ending check numbers.
- The Finance Department had no written policies for revenue and collection.
- The city did not have a credit card policy or track issued cards.
As Auditor Edelen put it, “What we have here is a breakdown in oversight. Mr. Due did not have a boss.”
Internal Control Concepts
The Kentucky Auditor recommended a list of specific actions the city should take. But in general, there are some important types of controls that are relevant for Covington and many other organizations.
These are common controls intended to eliminate the solo opportunists like Due. Procedural dual control means a second person will be involved in the verification of values or balances before it moves to the next step. Physical dual control may involve two independent people having keys or access to a file or program, or physical asset such as a checking account.
Separation of duties.
This control is especially important because if separation of duties is missing, other controls may not be effective. Due was able to conceal his fraud because he controlled certain types of transaction from end to end. Separation of duties requires the action of more than one person to complete a process, even at two different points of the process. For example, Due was able to create fake vendors, submit invoices, and cut checks, all without another person’s review. The separation of duties principle would require different employees to perform and/or review these actions.
Do Your Diligence
The important lesson from this and similar type frauds is to take the need for controls seriously. Organizational fraud imposes enormous costs on all types of organizations, amounting to 5% of top line revenue every year, on average.
Do you think it can’t happen to you? Kentucky auditor Adam Edelen has investigated five other frauds in public agencies in northern Kentucky just since 2012. And in 2003 in the nearby town of Florence, a very similar fraud to the one Due perpetrated cost that city $2.8 million.
Auditor Edelen admonished other cities to review their procedures. Amen. And we’d add that other organizations should be looking closely at the opportunities they may be presenting to fraudsters, too.