Theft of cash. Theft of fuel. Ransomware attacks. Successful spear phishing schemes. Electronic vendor payment fraud. Expense reimbursement schemes. Purchasing and fraudulent return schemes. Theft of inventory. These are each common in local government in recent years, and the problem seems to be getting worse. Many of the recent local government fraud and embezzlement cases are for tens of thousands, hundreds of thousands, or even millions of dollars.
Why are there so many fraud and embezzlement cases in local government within the United States every year in organizations of all sizes—and more importantly, could it happen at your organization? The problem of why frauds happen so often in local government might be more of a senior management issue than we would like to believe. Of course, ethical decision making on the part of the person committing the fraud is the primary factor, but is it appropriate for senior management to believe their organization is well protected without really knowing their true fraud-risk vulnerabilities?
Not Just a Finance Concern
These fraud and embezzlement incidents have occurred in numerous departments and often from long-time employees in organizations with regular annual audits and established policies that “must be working” since the audits are “clean.” Many of these frauds occurred for several years, and even decades, all undetected. To highlight the financial and reputational harm that can come from an incident happening in your organization, the following quotes are from news articles on government fraud cases. They are intentionally older incidents so as to be respectful of the hundreds of recent incidents that government officials have had to deal with over the past year or two.
“It’s pretty embarrassing for the city to have that happen right under our noses.” —Councilman Roland Winters, 2016, regarding a finance employee that was accused of embezzling $836,000 from the city of Surprise, Arizona.
“When Columbia County commissioners realized that a long-term employee was embezzling funds, we were shocked. Our first thoughts were ‘how could this person, this trusted employee of 30 years, do this?’” —Commissioner Alex Tardif, 2018, regarding a sheriff’s office employee accused of stealing $650,000 from the organization in Columbia, South Carolina.
“Whether you are a business or a government agency, you are vulnerable to fraud. You must have strong oversight and robust systems in place to prevent theft. Valley Township was victimized by this trusted employee, acting merely to amuse herself, and now the taxpayers will foot the bill.”—Chester County District Attorney Tom Hogan, 2018, regarding a township clerk accused of embezzling $250,000 from Valley Township, Pennsylvania.3
Management Believes Everything Is Okay
Local government organizations receive regular annual audits, they have established policies to protect against wrongdoing, they have long-time employees who are very trusted, and fraud has never been found before—so the manager believes that everything must be okay.
Maybe it’s a desire to truly believe things are okay. Maybe it’s head-in-the-sand syndrome because we are busy and do not necessarily want to think about fraud because the audit is “clean.” But imagine for a minute that it is happening, or could happen in the near future, because of weaknesses within the control environment of which you are not aware. It is very possible that the reason fraud has not been discovered is either because it has not happened yet or because there are vulnerabilities in your processes, but nobody has tried to exploit them yet. You may have vulnerabilities that you don’t know about. While annual audits serve an important purpose, ensuring your organization’s internal controls are actually effective is not one of those purposes. On the front of the audit report, you will often read that the auditors will not express an opinion as to the effectiveness of the organization’s internal controls as that is the responsibility of management. A “clean” external audit does not mean you are without vulnerabilities.
External audits serve a valuable purpose, but they are generally ineffective at finding fraud. According to the Association of Certified Fraud Examiners, only about four percent of recent fraud cases were discovered by external audit.4 What the data show is that numerous local governments that fall victim to fraud find they were victimized for years, sometimes decades, losing hundreds of thousands or millions of dollars, and all while having policies in place and receiving regular annual audits.
Why Is This an Issue and Why Do People Steal?
People change roles within the organization, systems change, processes change, and even with good policies, it is always possible that employees are not actually following those policies to best protect the organization. This is all true, but why would a trusted employee of a local government steal from the organization? It comes back to the fraud triangle: pressure, rationalization, and opportunity.
Pressure can come from a health issue, a gambling problem, a spouse losing a job, or any of a variety of circumstances that can arise in life. Often it only happens after they have been there for a while, sometimes for years, and then all of a sudden something happens and they feel incredible financial pressure. They do not know what to do, but they realize that there are opportunities where they work for them to steal.
Rationalization is when the person feels the pressure and they consider stealing, but they need to rationalize it within themselves. Maybe they say, “I will only do it this one time,” or “I will just borrow it and pay it back soon,” or “I deserve this because I’ve worked really hard over the years.” It can be just about anything to make themselves feel like it is okay to steal.
Opportunity is what we are really talking about when we look at internal controls within the organization. Has the organization done enough to ensure they are aware of their vulnerabilities throughout all aspects of organizational processes? If the opportunity is there (such as a vulnerability nobody knew about because they didn’t know what to look for and nobody before has tried to exploit that vulnerability), then there is internal control residual risk that must be better mitigated.
Where Does Fraud Happen?
Fraud happens in local governments of all sizes and in all departments. The following list is a handful of areas that are known to be vulnerable to embezzlement within professional local government organizations:
- Fuel use management.
- Procurement/purchasing functions, including fraudulent refund schemes.
- IT and cybersecurity.
- Utility operations and utility billing functions.
- Grant management, including ARPA funding.
- HR operations.
- Permitting operations.
- Inventory management, including both fixed assets and small and attractive assets.
- Payroll management, including overtime use.
- Accounts payable and accounts receivable.
- Cash handling throughout all departments.
- Scheduled drug management (fire/EMS operations).
- Evidence handling and management (police operations).
The unfortunate thing is that once a trusted employee commits the embezzlement and it is finally uncovered, the damage is done. Consequences such as loss of public confidence, reputational harm, and financial harm (such as no salary increases, deferred capital projects, managers being fired, and elected officials losing the next election) demonstrate that the fallout is very real for the organizations that experience these incidents.
What You Don’t Know Can Hurt You
Many of us have spent time working in senior management positions, encouraging the employees working with us to do great work and often showing sincere appreciation for all that they do. We work with them every day and we trust them. But ethics in local government demands that we do more than trust. Trust is vital for many aspects of our work, but trust is not a control. Combining a mindset of trust with the fact that policies are in place and there is an annual “clean” audit can lead to devastating consequences (as it has for hundreds of recent local government managers).
Just because it hasn’t been discovered or even hasn’t happened, does not mean that your organization is not vulnerable. It seems to be getting worse and incidents are becoming more frequent. Fortunately, there is something you can do to reduce the risk that your organization will be victimized by fraud.
Actions to Take
Fortunately, a comprehensive fraud risk assessment will often find dozens or even hundreds of legitimate control weaknesses and vulnerabilities to fraud. These vulnerabilities are found in highly professional organizations of all sizes, from populations of a few thousand people all the way up to populations of over a million people with their own internal audit team in place.
Take these proactive steps to reduce your organization’s risk of fraud and embezzlement:
1. Complete a comprehensive fraud risk assessment throughout all levels of your organization—not just finance. This should include policies and procedures being vetted by a certified fraud examiner with industry expertise and qualifications, even if that is one of your own employees who is free from any conflicts of interest.
2. Ensure that you have an updated and modernized cybersecurity incident response plan in place and make certain that your team regularly conducts tabletop exercises related to the contents of that plan.
3. Make certain that you have correctly implemented multifactor authentication (MFA) for a variety of functions, including employee password resets, changing vendor banking information, etc.
Ethics are breached in local government organizations far too frequently. Please do not assume that your organization isn’t vulnerable because nothing has happened before, you have long-term employees and established policies, and you receive regular “clean” audits. The amount of fraud committed against local government each year is getting worse and the consequences of it happening at your organization can be significant.
DAVID ROSS, ICMA-CM, is a long-time city and county manager, and now president & CEO of 65th North Group, a local government consulting firm specializing in fraud risk reduction and internal control modernization. (firstname.lastname@example.org)