“Crime does pay. Just not very well.” — Matchstick Men
If you’ve been reading CFO for a while, you probably notice we will on occasion write about finance chiefs who get into trouble. You probably wouldn’t be that surprised to know that these stories are typically some of the most read.
Top five risks CFOs face in 2024? Sure, that’s helpful.
But a finance guy gets defrauded for $25 million by a deepfake CFO? Let me pull up a chair, grab a beverage, and stay a while.
***
We all get a thrill from the criminal element. It is why we love “Goodfellas,” “Heat,” and “Out of Sight.” It’s why I wrote an editor’s note barely a month ago underscoring my fascination with it. Elmore Leonard, the writer who collaborated with Stephen Soderbergh on the last film, had an interesting perspective on crime — the bad guys are not that different from you and me. They just want to be happy, but happen to be kind of dumb in their pursuit of it.
But as the deepfake scam indicates, we are in a world where you don’t have to be dumb, or even that gullible, to be tricked.
That’s why organizations put internal controls into place, and it is in part why we cover these stories.
CFOs know, perhaps more than anyone, that operations are bound by rules, regulations, policy, and internal HR best practices so that employees do not individually or collectively run afoul. And these missteps can occur by choice, or even inadvertently.
As one of today’s stories indicates, it is a choice when an employee decides to enter into a workplace relationship. In fact, it happens all the time, and an organization cannot, and probably should not, be attempting to monitor these types of interactions. But, as the Royal Bank of Canada disclosed, finance chiefs are held to an elevated standard, as they should be, and there are still key rules of governance in place so that the company and its people are protected. Perhaps RBC’s former CFO is more sophisticated than most, but in making the decisions she did, not only has she sacrificed her role and her compensation, but arguably made the company less safe for others as well.
Likewise, a former Indiana public school CFO made decisions that made those schools less safe as well. In that case, there were actual victims, as the disgraced finance chief was caught converting school funds into gift cards, which he then misappropriated for personal use. But the lesson to take away is not simply, “Don’t steal from public schools.” It is the fact that the schools’ internal financial controls were so inadequate that the CFO had little trouble using a corporate credit card for personal use with nobody noticing, or that he could purchase nearly half a million dollars worth of Visa gift cards, directly from the school’s credit union account, without fear of any checks and balances to catch or even deter him from such a brazen scheme.
Similarly, a Long Island private school was bilked by its CFO who was able to manipulate credit card transactions, deny anyone visibility into his actions, and face zero oversight or questions about his methods.
On the flip side of the same coin, the state of South Carolina discovered an extra $1.8 billion sitting in its coffers, likely a direct result of poor internal controls and communication between finance leadership.
Internal financial controls such as the COSO framework, checks and balances, corporate governance, and general skepticism don’t only guide a finance chief to a healthy company, nor do they only keep those CFOs from going down a forbidden path. They also keep the house under lock and key so bad actors can’t exploit any weaknesses or people.