Assessing Fraud through a Fraud Control Environment


It seems as if every day we are witnessing massive fraud in corporate America and across various branches of our government at both the national and state levels. The latest example is the alleged fraud in Minnesota. The preliminary findings indicate this involves billions of dollars. The question at hand is how this fraud occurred and how it escalated to include billions of dollars.

In the wake of this and other high-profile scandals, organizations, whether in the government or the private sector, must foster an anti-fraud culture to minimize fraud and misconduct. One way management addresses these issues is by assessing risks within its organization and implementing the necessary controls.

While having controls in place is vital for fraud prevention and detection, it is not sufficient for creating an adequate control environment. Leaders must monitor and assess these controls on an ongoing basis to maintain their effectiveness.

In my view, a control environment sets the tone for an organization, shaping how employees think and act. It is the foundation for all other components of internal controls. The control environment provides discipline and structure to an organization’s control system. Reporting structures, ethical values, and accountability are embedded in this component. If the leaders of an organization do not maintain an adequate control environment, the result is most likely what happened in Minnesota. In that case, the organization will not be able to function effectively and will most likely suffer unintended losses or, at worst, fail. These same results will most likely persist if controls are not continually scrutinized.

I look at the control framework as consisting of the following two components.

The first component is called Administrative Controls. These controls are policies and procedures that a business follows in its operations. Administrative controls include determining segregation of duties among departments and employees, determining which departments are authorized to conduct particular activities, and developing independent verification systems. The latter means that the departments oversee one another’s activities, providing a system of checks and balances.

The second component consists of Accounting Controls. The finance and accounting department typically establishes these controls, including measures to protect a company’s finances and financial records. Other controls, determined by the accounting department, provide for financial review and appraisal through auditing and evaluation of the company’s finances. Documents used for keeping financial records, such as invoices and time cards, are another control that the accounting department determines. Maintaining source documents is an integral part of this process, as I will demonstrate later.

Management should continuously assess the organization’s exposure to fraud risk by identifying potential fraud schemes and any other issues it might need to address. One way to do this is through a fraud risk assessment, a process designed to proactively identify and address an organization’s vulnerabilities to both internal and external fraud. According to COSO, an effective fraud risk assessment includes the following actions:

  • Establish the fraud risk assessment team, including appropriate levels of management and all organizational components.
  • Identify all types of fraud schemes and risks, including both internal and external factors, and the risk of management override.
  • Estimate the likelihood and significance of each fraud scheme and risk.
  • Determine all staff and departments potentially involved in a fraud scheme, considering all aspects of the Fraud Triangle: pressure, opportunity, and rationalization.
  • Identify existing controls and assess their effectiveness to determine whether any residual risks require mitigation.
  • Assess and respond to residual risks that require mitigation by strengthening existing controls, adding controls, and using data analytics.
  • Document the fraud risk assessment.

Many corporate leaders assume that their organization is not susceptible to fraud because they have implemented what they consider adequate anti-fraud controls; however, my experience does not support this assumption. Here are several examples of what I have uncovered during my career.

  • During my work as a federal banking regulator, I discovered a fraud scheme involving more than $100 million in a construction loan disbursement. The institution suffered this loss because the loan administration staff never conducted a visual inspection to determine whether the funds were being used as outlined in the loan agreements. During a collateral inspection, it was revealed that none of the proceeds were being used to develop the infrastructure. The bank had to write down over 90 percent of the loan’s book value.
  • On one of my international assignments, I discovered an embezzlement scheme that exceeded 100 million Deutsche Mark. The money involved a reparations payment for WWII crimes. A single bank employee was assigned the responsibility of distributing these funds to the intended victims. However, this responsibility was carried out without oversight by anyone at the subject bank. There was no segregation of duties and no oversight by the board of directors (BOD). I turned my findings over to the German Embassy to further investigate this matter.
  • Another international assignment involved a loan secured by cases of wine allegedly stored in a warehouse. During my review of the bank’s records, I noticed that the loan was not being serviced in accordance with the loan agreements. In other words, the loan was not being paid down as required. Upon inspection of the collateral, we discovered the storage warehouse was empty. This resulted in a multi-million-dollar loss to the bank.
  • During a routine inspection of an international bank, I discovered fraudulent practices involving a deposit scheme in which a bank employee stole copies of certificate-of-deposit forms and used them to entice customers to open accounts with the subject bank from an off-site location. The person made copies of the original certificates and returned the original copies to the bank. The result was that the deposits were never recorded in the bank’s records, and the depositors had been deceived into believing their accounts were with the bank. Upon discovering this through meetings with several of the victims, I worked with the country’s law enforcement authorities to help recover about 50% of the deposits. The remaining monies had been transferred out of the country.
  • In a recent case in which I served as an expert witness, I worked on a case involving a large, multinational US-based bank that failed to follow its established internal policies and procedures in servicing a loan for a long-time customer. This particular loan had never been criticized or adversely classified; however, the bank’s management tried to pressure the borrower into taking actions that would have been detrimental to his company. By proving that the bank failed to follow its own policies and procedures, the borrower’s lawsuit forced the bank, by court order, to settle, at a cost of millions of dollars.
  • And lastly, I recently worked on an FDIC receivership of a failed bank in which the bank’s CEO committed numerous cases of loan fraud. In looking at the various loan documents, the reason(s) for the fraud could be easily determined. It appeared that a single individual was responsible for approving the loan, disbursing the funds, acknowledging receipt of loan payments, and posting the disbursements and payments to the bank’s accounting records. There was no segregation of duties, allowing this individual to manipulate the entire scheme as they wished. There was minimal oversight by the loan committee or the BOD. This was a total failure of the bank’s governance system.

The Lessons Learned – Anti-fraud controls are designed to prevent and detect fraud and to help management achieve its organizational objectives. Failures in an organization’s control environment can contribute to a financial crisis. These failures usually occur due to insufficient oversight and governance over internal controls.

Each of the failures described above occurred because the bank’s management team found a way to circumvent the bank’s internal policies and procedures. It should be noted that each bank had adequate written policies and procedures; however, the board and senior management failed to supervise these activities properly. Some of the cases ended up in court, and the perpetrators were found guilty.

If you find your organization facing these realities, please give our team a call, and we can help you determine how and why this happened and develop policies and procedures to prevent it from happening in the future.

Prepared by Terry L. Stroud – December 2025
