This eye-opening documentary can teach us all a thing or two about the perils of not doing enough to protect our assets

Prevent fraud in your ERP

It won’t come as any great surprise to anyone who knows me, but I am passionate about fraud.  Or, to put it more accurately, I’m passionate about helping organizations across the globe to prevent and detect fraud in their ERP systems.

So you’ll often hear (or read) me banging on about the steps you need to take, and why.  But there are few better ways to make my case than pointing you to this gripping documentary, directed and produced by Kelly Richmond Pope, Associate Professor in the School of Accountancy and MIS at DePaul University in Chicago.

Available on Netflix, Amazon Prime, iTunes and other services, ‘All the Queen’s Horses’ tells the story of Rita Crundwell, the former comptroller and treasurer of Dixon, Illinois, who embezzled over $53m from her employer over two decades. This astonishing feat made her the largest municipal fraud perpetrator in the history of the US.

How she carried out the fraud

The methodology used by Crundwell was very simple, and it’s a classic example of a common fraud.

Dixon held 6 legitimate bank accounts, including one for the Capital Development fund, and Rita regularly moved money into that account from the others. But she also set up a secret account, giving it a name that made it look like a Dixon account (Reserve Sewer and Capital Development Account or RSCDA).

She then created false invoices to justify payments for imaginary capital projects such as street repairs, so she could transfer money from the real Capital Development fund into the RSCDA. Then she wrote cheques on that account to pay for her private horse-breeding business and personal expenses. Simple, really.

How the fraud was discovered

After doing this for years, maybe Crundwell grew too complacent.  Whereas most fraudsters avoid taking leave for fear of being found out, Rita regularly took lots of time off.

It was on one of those occasions that her deputy came across an RSCDA bank statement, marked “c/o Rita Crundwell,” showing three large deposits into this account that she’d never heard of.  She suspected that something was amiss, so reported it to the Mayor.  He contacted the FBI, who started a secret investigation to dig out the evidence and catch Rita red-handed.

This fascinating film gives much more information about what happened, but it also explores what went wrong and discusses who in general is responsible for detecting fraud and putting a timely end to it.

Who is responsible for identifying fraud?

Some people think that external auditors are responsible, but that’s not the case.

The auditors’ role is to ensure that their clients’ financial statements and disclosures are accurate, and that they comply with the relevant regulations.

It is the responsibility of the senior management in the organization to ensure that adequate controls are put in place to manage the risks.

Whilst high-level executives can’t be involved in the day-to-day operations, people responsible for corporate oversight should have training to help them understand financial statements and ask questions if something doesn’t make sense. If something looks off, it probably is!

Key issues raised by the Crundwell case

The film outlines many mistakes, made not only by Dixon commissioners and employees, but also by their auditors and their bank. Here are a few of the most critical points:

Segregation of Duties (SoD)

Statistics show that smaller organizations (like Dixon) often suffer bigger losses, because they trust long-serving, well-established employees (such as Rita).

Whatever the size and the structure of your organization, it’s imperative to design the controls within your business in a way that enables you to segregate duties. You need to produce regular reports to identify if anyone could violate your SoD policies.
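As an added illustration (not part of the original article), here is a sketch of the kind of regular SoD report described above. It flags any user whose combined roles grant two duties that should be held by different people. The role names, duty names, users and conflict rules are hypothetical and constructed for the example; they are not taken from any real ERP.

```python
from itertools import combinations

# Hypothetical conflict rules: pairs of duties one person must not hold together.
CONFLICTS = {
    frozenset({"maintain_bank_accounts", "approve_payments"}),
    frozenset({"create_invoices", "approve_payments"}),
    frozenset({"maintain_vendors", "create_invoices"}),
}

# Constructed role-to-duty and user-to-role assignments.
ROLE_DUTIES = {
    "AP_CLERK": {"create_invoices"},
    "AP_MANAGER": {"approve_payments"},
    "TREASURY": {"maintain_bank_accounts", "reconcile_bank_statements"},
    "VENDOR_ADMIN": {"maintain_vendors"},
}
USER_ROLES = {
    "comptroller": ["AP_CLERK", "AP_MANAGER", "TREASURY"],
    "deputy": ["AP_CLERK"],
    "buyer": ["VENDOR_ADMIN"],
}


def sod_violations(user_roles, role_duties, conflicts):
    """Return {user: [(duty_a, duty_b, roles_granting_them), ...]}."""
    report = {}
    for user, roles in user_roles.items():
        # Map every duty the user effectively holds to the roles granting it,
        # so conflicts that only appear across several roles are still found.
        granted = {}
        for role in roles:
            for duty in role_duties.get(role, ()):
                granted.setdefault(duty, set()).add(role)
        hits = [
            (a, b, sorted(granted[a] | granted[b]))
            for a, b in combinations(sorted(granted), 2)
            if frozenset({a, b}) in conflicts
        ]
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES, ROLE_DUTIES, CONFLICTS).items():
        for duty_a, duty_b, roles in hits:
            print(f"{user}: {duty_a} + {duty_b} via {', '.join(roles)}")
```

Listing the roles behind each conflict tells the reviewer which assignment to remove, not just that a conflict exists.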

Detective controls can limit the damage

Auditing changes to critical data, such as bank accounts and vendor accounts, can help you to spot suspicious activity. The sooner you find out about it, the quicker you can act to stop it.
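One way to turn such an audit trail into a detective control, shown here as an added example that is not from the original article: correlate bank-account changes with later payment approvals and flag payments to recently changed accounts, or payments approved by the same user who set up the account. The event names, users, vendors, account numbers and the 30-day window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit-trail rows: (timestamp, user, action, vendor, bank_account)
AUDIT = [
    ("2024-03-01T09:00", "clerk1", "BANK_ACCOUNT_CHANGED", "V100", "ACCT-111"),
    ("2024-03-02T10:00", "manager1", "PAYMENT_APPROVED", "V100", "ACCT-111"),
    ("2024-03-05T14:00", "comptroller", "BANK_ACCOUNT_CREATED", "V200", "ACCT-999"),
    ("2024-03-06T08:30", "comptroller", "PAYMENT_APPROVED", "V200", "ACCT-999"),
    ("2024-01-10T11:00", "clerk1", "BANK_ACCOUNT_CREATED", "V300", "ACCT-333"),
    ("2024-03-07T16:00", "manager1", "PAYMENT_APPROVED", "V300", "ACCT-333"),
]
CHANGE_ACTIONS = {"BANK_ACCOUNT_CREATED", "BANK_ACCOUNT_CHANGED"}


def suspicious_payments(audit, window_days=30):
    """Return payments that follow a recent or self-made bank-account change."""
    window = timedelta(days=window_days)
    last_change = {}  # (vendor, account) -> (time, user) of the latest change
    findings = []
    # ISO timestamps in one format sort chronologically as strings.
    for ts, user, action, vendor, account in sorted(audit):
        when = datetime.fromisoformat(ts)
        key = (vendor, account)
        if action in CHANGE_ACTIONS:
            last_change[key] = (when, user)
        elif action == "PAYMENT_APPROVED":
            reasons = []
            if key not in last_change:
                # Payment to an account the audit trail has never seen set up.
                reasons.append("no_audited_bank_record")
            else:
                changed_at, changed_by = last_change[key]
                if when - changed_at <= window:
                    reasons.append("recent_bank_change")
                if changed_by == user:
                    reasons.append("same_user")
            if reasons:
                findings.append((ts, vendor, account, user, reasons))
    return findings


if __name__ == "__main__":
    for finding in suspicious_payments(AUDIT):
        print(finding)
```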

The importance of independent auditors

The company which audited Dixon’s accounts was also retained to carry out other book-keeping services for the city, which meant it was involved in preparing the financial statements.  This obviously introduced a conflict of interest. There is no evidence to implicate them in the fraud itself, but Dixon’s lawyer points out some glaring issues that the auditors should have questioned.

Watch out for red flags

Dixon had a huge deficit of $4m at a time when the neighbouring town, Sterling, with a similar budget and population, had a large surplus. But nobody decided to dig deeper to find out why – even when Sterling’s City Manager wrote a letter to the City of Dixon, trying to alert them to the fact that something seemed wrong.

Rita’s lavish lifestyle was another red flag. Many people were surprised by the extent of her extravagance, but again, no-one scratched the surface to check what lay beneath.

‘Small town. Large fraud. Global problem’

In case you think this is an unusual case, the film reports that embezzlement is a $3.7 trillion problem, and that government entities are the second most frequent victims.

As Rita’s successor points out, what Rita did is very common, and could be done by anybody, in any size of organization. “The only thing that makes her unique is the dollar amount that she took.”

According to the statistics, 75% of companies are affected by fraud, and fraud accounts for 30-50% of all business failures.

We can all learn from Dixon’s mistakes

I’m not in the habit of reviewing films, but I do recommend you watch this documentary.

On the one hand, it illustrates a textbook case of how NOT to prevent fraud; but it also tells a moving story about how it feels to be a victim, and it illustrates the wider repercussions and true costs of fraud.

Obviously, there are significant financial and reputational damages to the organization, but it also has an impact on the employees, and in fact, on all stakeholders, such as the citizens and commissioners of Dixon, in this case.

You don’t have to be a security geek like me to empathize with the sense of betrayal felt by Crundwell’s colleague, who blew the whistle. And you’ll probably share the anger of citizens when they found out that so much money had been embezzled during a period when cuts were being made to public services.

Most people I talk to seem to think this kind of fraud isn’t going to happen to them; their employees are too honest, or their processes are too tight.  But how can you be sure when the statistics are so clear?

If you feel that you should be doing more to close the stable door before the horse bolts, here you can explore tools to help you detect and prevent fraud in your Oracle ERP system.