Internal Controls Lessons from Citigroup's Internal Fraud
A recent case of internal fraud at Citgroup begs the question: Should we be criticizing Citi for not having the internal controls in place to prevent the fraud in the first place -- or applauding Citi for noticing the error and taking action on it?
The answer is, perhaps a little bit of both. Here's a snapshot of the case, and our thoughts on it.
According to a complaint filed by the U.S. Attorney, from July 2010 to December 2010 a midlevel accountant at Citibank transferred $19.2 million from various Citigroup accounts to Citigroup cash accounts, then used eight separate transactions to wire the funds to his personal account at a different bank.
The accused man left Citi in January 2011 and since then had been living the high life -- traveling the globe, collecting expensive cars, and purchasing high-priced properties. Citi's internal auditors discovered the fraud a few weeks ago, after a review of transactions in its treasury department. The company alerted authorities, who arrested the former employee on June 26.
$19 million is a staggering number for most of us. But for a banking behemoth like Citigroup, it's just a drop in the bucket. The company moves hundreds of millions of dollars a day across internal and external accounts and through wire transfers. And, it relies on employees from many different levels in the company to conduct those transactions.
With that in mind, it's easy to see how a midlevel staffer in the treasury department could move about $2.5 million or so eight times in six months and not raise suspicions. Particularly if, as the New York Times reports, that midlevel staffer had worked for the company long enough to establish trust -- and knew enough about the policies and procedures to circumvent them without causing alarm.
Still, there must have been a weakness in Citi's internal control. For example, perhaps there was no requirement to have director-level approval for the wire transfer, or the involvement of a banker on the other side of the wire transfer to confirm the other account's legitimacy. The accused allegedly used legitimate-sounding vendor numbers in the reference line of the wire transfer: was there no system in place to verify these numbers?
On the other hand, in his position the accountant in question would have known Citi's internal controls quite well. It's entirely possible that Citi had procedures in place, but that the accused was clever enough to work around them and get the money transferred.
Luckily someone at Citi was paying attention. It's unclear whether the fraud was discovered by happenstance -- for example, an audit staffer noticed suspicious discrepancies while doing a routine check of treasury department transactions, and the concerns were escalated to management -- or if someone at Citi reported the accused person's suspicious new lifestyle, and an internal investigation ensued. Regardless, Citi was right in reporting the incident to the authorities and handling the ensuing PR nightmare appropriately (in other words, saying very little). In that regard Citi acted differently than many other companies and nonprofits, who often choose not to investigate internal fraud or report it to the authorities out of fear that any ensuing bad publicity will cause more harm than the financial consequences of the fraud itself.
$19 million is an expensive lesson on the importance of having a strong internal control system. It's likely Citi will recover some but not all of the money it lost. The company's focus now must be on strengthening its internal controls, including entity-level controls that dictate corporate culture around internal fraud, to prevent a far greater loss down the road.