Just as the story was breaking about the embezzlement of around $800,000 by a City of Bloomington public works employee, the news broke of the guilty plea of the finance director of the City of Covington, Kentucky (the city right next to my home town of Fort Thomas, Kentucky) for embezzling — get this — around $800,000 from the City of Covington. Unlike the alleged perpetrator in the Bloomington case, the Covington ex-official both admitted his crime and expressed significant remorse.
Cincinnati.com just reported today on some of the security and accountability controls that Covington is putting in place in the wake of the scandal (In light of theft, Covington patches things up). Although many of the details of the Bloomington incident have yet to be released. just from the media accounts it appears that the Covington theft was far less sophisticated than the Bloomington one.
Most significantly, in Covington, the same official had complete control of the city’s finances and of the city’s information technology. This control allowed the finance director to create checks in the financial system to fake vendors (and/or himself and relatives) and then cover up his tracks by changing the data in the financial system to make it look like the checks were written to legitimate vendors. From the outside, it is hard to imagine how such a system had been allowed to exist. Separation of duties is essential to maintaining accountability in any financial system.
The use of computer databases adds particular additional managerial burden, since without adequate controls in place, it can be easy both to commit malfeasance and to cover up the evidence. Covington has since created both an internal auditor and a separate information technology manager.
I would like to make one comment about both embezzlement cases, and the justifiable outrage expressed by the public surrounding them. While some of the security controls in place — particularly in the Covington case — seem almost laughably lax (or absent), there will never be one set of processes or officials or board members that will forever be foolproof. There will never be an unpickable lock or an unbreachable vault. There will never be a board or commission that is able to exercise perfect oversight. As long as there is money to be made, there will be smart criminals who will figure out a way around any system of security controls. Financial crime will always be a cat-and-mouse game; sometimes the cat will have the advantage and sometimes the mice.