When it comes to fraud in government, I've found that prevention is always better than litigation. As both a Certified Fraud Examiner and someone who's worked in governmental accounting since my internship days, I've seen firsthand how fraud isn't just a financial issue—it's a deeply personal betrayal that hurts everyone involved.
Let's start with some sobering statistics from the Association of Certified Fraud Examiners' 2024 Report to the Nations:
One misconception I frequently encounter is that all fraud gets reported. In reality, 43% of fraud is never reported to police. Why? About 34% of entities cite bad publicity as the reason, which is particularly concerning for governmental organizations using taxpayer funds.
Even more surprising, while 68% of perpetrators are terminated by employers, that means 32% of known fraudsters keep their jobs. This happens for various reasons—sometimes out of embarrassment, fear of litigation, or simply because we want to believe the best in people.
The majority of fraud (43%) is initially detected through tips, with 52% of those tips coming from employees. This highlights just how critical reporting mechanisms are within your organization.
Another important reality check: external audits only detect 3% of fraud. This counters the common misconception that auditors should catch fraud. As we'll discuss later, this isn't their primary role.
Understanding the fraud triangle is essential for prevention:
While you can't control rationalization and pressure—those are specific to individuals—you can control opportunity through strong internal controls. In fact, 51% of occupational fraud occurs due to either lack of internal controls or override of existing controls. This is why your control environment is so crucial.
The most fundamental control is segregation of duties. Even in smaller organizations, try to keep these three roles separate:
And here's an important distinction: procedures and controls are not the same thing. A policy is broad, a procedure is specific instructions, but a control is an action designed to mitigate risk. Controls come in three types:
There's often confusion about who's responsible for what regarding internal controls and fraud detection. The audit opinion clearly states that management is responsible for the "design, implementation, and maintenance of internal controls.” You cannot have a person outside your department being part of your internal control. This includes auditors, citizens, and vendors.
For financial statement audits (excluding the audit related to federal grants), auditors typically will not test or opine on internal controls—we simply gain an understanding to design appropriate audit procedures. Our work is risk-based and materiality-driven, which is why fraud (especially collusion or forgery) can be difficult to detect through traditional audit procedures.
In this infamous case, Rita Crundwell, the treasurer/comptroller of Dixon (population 16,000), embezzled $54 million over 22 years. She created a secret account called "Reserve Sewer Capital Development Account" in 1991, created false invoices, and transferred funds to support her quarter horse farm.
What's shocking is how this went undetected for so long. The failures occurred at multiple levels:
Rita was eventually caught by accident when her clerk received all bank statements during Rita's absence and discovered the secret account.
In another case, a director ("Jane") embezzled nearly $1 million over just two years by creating a fictitious sales company. She either sold equipment at inflated prices and billed the Town, or billed for equipment never delivered.
What's notable here is that, unlike Dixon, this organization had properly designed controls:
However, these controls failed in execution. Approvers simply signed purchase orders without verifying quotes or checking whether prices were reasonable. Jane also had incompatible duties—handling procurement, receiving equipment, and maintaining inventory.
This fraud was only discovered when another employee took over Jane's responsibilities and quickly noticed discrepancies.
As you think about your own organization's controls, be honest about where you stand. Remember that your external auditors only do a brief review of internal controls during financial statement audits.
If you're interested in a deeper examination of your controls, consider requesting an agreed-upon procedures engagement focused specifically on internal controls. This can help identify weaknesses and provide recommendations for improvement before fraud occurs.
Fraud prevention isn't just about checking boxes—it's about creating a culture of accountability where authorization means true review, not just initials on a page. By focusing on strong controls, you can significantly reduce the opportunity for fraud in your organization.
Remember, the goal isn't just catching fraud—it's preventing it from happening in the first place.