Tom Golden

The Fraud Guy

Trust But Verify: The Only Way Trust Survives

[Photo: Rita Crundwell]

by Tom Golden · In: Forensic Accounting, Prevention · on Feb 7, 2026

Before Behavior Can Change—Belief Must Change

Most people think fraud comes from the outside.

A hacker. A thief. A stranger.

That’s comforting, but it’s also usually wrong—at least when it comes to accounting fraud, corruption, and the quiet kinds of theft that happen in plain sight.

Because the real threat usually isn’t “out there.” It’s inside your org chart. Inside your approvals. Inside your assumptions. And most of the time, it’s not your system… It’s the person sitting at the keyboard. 

In my work, the people most likely to defraud you are rarely strangers. They’re the people you already know. The ones you rely on. The ones you trust.

That’s not paranoia.

That’s pattern recognition.

And it’s why the phrase “trust but verify” keeps showing up—usually as a warning people nod at…and then ignore.

Insiders still account for an overwhelming share of organizational fraud. It’s rarely a stranger. It’s a trusted insider, operating inside the gaps we never bothered to check. Why? Because we trusted them.

And here’s the part that stings: these people are cons.

“Con” is short for a confidence game—they win your confidence first, because it’s a necessary step in the process of defrauding you. Successful cons are exceptionally good at it. And once they have your confidence—look out.

Smart people get conned every day. Not because they’re incompetent, but because they’re busy, decent, and wired to trust what feels familiar.

President Reagan popularized the phrase during Cold War treaty negotiations with Mikhail Gorbachev, calling it an “old Russian maxim”—trust, but verify—because agreements are meaningless without verification.

But outside geopolitics, it matters even more—because in real life, betrayal doesn’t look like a movie villain.

Why “Trust People Until They Give You a Reason Not To” Fails

Most of us were raised on a simple moral lesson:

Trust people until they give you a reason not to.

It sounds decent. Even noble.

Unfortunately, in fraud—and in many of the worst betrayals in life—that advice fails at the exact moment it matters most.

Because by the time someone “gives you a reason,” the damage is already done.

Fraud thrives where trust already exists.

Not because trust is bad.

Because trust creates access.

And access—without oversight—is opportunity.

Trust Is Not the Enemy. Unchecked Access Is.

Here’s the part people miss:

The biggest fraud risks often aren’t behavioral.

They’re structural.

Too much access. Too little oversight. Too much reliance on one person.

That’s why I’ve said for years that verification isn’t about suspicion—it’s about structure.

Healthy organizations don’t run on “good vibes.” They run on clear roles, effective controls, and routine verification—because pressure, opportunity, and rationalization can coexist in any human being under the right conditions.

That’s not cynicism. That’s realism.

“Verify” Doesn’t Mean “Assume the Worst”

One of the most important clarifications from my Wiley textbook is this:

The message is not to withhold trust.

It’s to trust—but verify. Because “verify” has a practical meaning.

In the simplest terms, verification asks three questions:

  • Completeness: Is anything missing?
  • Accuracy: Is what’s recorded actually correct?
  • Validity: Is it real, legitimate, and authorized?

No accusation. No witch hunt. Just evidence.

That’s the entire point of “trust but verify” when you apply it to fraud risk: you don’t manage risk with feelings. You manage it with objective proof.

A Case Study: Dixon, Illinois — The Rita Crundwell Fraud

If you want a clean illustration of how trusted access can beat a whole town’s common sense, look at Dixon, Illinois—population just 15,000. 

Rita Crundwell was the city treasurer. Over roughly two decades, she siphoned off public funds—nearly $54 million—without detection. It stands today as the largest municipal fraud in U.S. history.

One of the most maddening details is how simple the eventual discovery was.

The City of Dixon’s recorder/clerk needed the bank statements to prepare the monthly Treasurer’s report to the city council. Rita had always done that.

What the clerk discovered was shocking—a secret account no one had known existed. For roughly 20 years, Crundwell ran the fraud through a single city bank account—an account that survived because the city failed to enforce separation of duties and routine reviews.

This wasn’t an advanced cyber scheme.

It wasn’t a “perfect crime.”

It was a basic, long-running control failure—protected by trust.

And if that one piece of verification had happened a decade earlier, the same outcome would have occurred: that bank statement would have surfaced, the secret account would have been exposed, and the fraud would have begun to collapse. A simple but efficient separation-of-duties routine: have someone other than the city treasurer pick up the bank statements. Not rocket science.

Let that sink in.

“We trusted Rita” was the common refrain as I interviewed Dixon officials—the mayor, city council members, and residents—and then spoke with the whistleblower: City Clerk Kathe Swanson, the one who first spotted the secret account while Crundwell was out of town. On previous trips, Crundwell had her cousin pick up the mail. Guess she forgot this time.

Here’s the general shape of how a fraud like this survives for so long:

  • The fraudster sits in the “trusted” seat. A long-tenured insider with authority, respect, and very little friction.
  • One person becomes the system. When a single role controls too many steps—setup, approvals, reconciliations—verification becomes optional.
  • Oversight becomes ceremonial. Reviews happen, but they’re high-level, rushed, or based on summaries provided by the same person being “trusted.”
  • The story explains the pain. Budget cuts, staff shortages, deferred maintenance—those look like “small-town reality”…until you learn what was quietly being siphoned.
  • The lifestyle is the clue—after the fact. When the money is gone, everyone can connect the dots. While it’s happening, people normalize what they don’t understand.

NOTE: I was the financial fraud expert in the documentary All the Queen’s Horses, which lays out how this played out and what it cost the town. I’ll do a later post that goes deeper on Dixon—what warning signs were missed, how she actually pulled it off and stayed under the radar, and the simple verification habits that would have ended it years earlier.

Ready To Stop Reading This Article?

I know what you’re thinking: “I already know all this.”

And you’re also thinking that what happened in Dixon, Illinois, could never happen in your organization. You and your team are too savvy, too experienced, too educated to ever let a Rita Crundwell get away with what she did.

Think what you will. I live a very comfortable retirement because plenty of people believed that… right up until I got the call to help expose the damage.

But before you dismiss all this, consider a little-known fact: Dixon is the boyhood home of Ronald Reagan—the guy who helped popularize “trust but verify.” They even erected a statue of him a few blocks from City Hall… where an entire community failed to follow their most famous resident’s advice… for two decades.

Ronald Reagan Statue along the Riverwalk in Dixon, IL

So before you walk away, pause for ten seconds and ask yourself one question:

If it could happen to them… why not you?

The Trap: Outsourcing Verification to “The Audit”

Many leaders think they’ve handled verification because an audit happens every year.

That’s a dangerous assumption. (A future post will explain why: The Expectation Gap)

Audits have a purpose. Good auditors are professionals.

But audits are not designed to “hunt intent.”

They test samples. They confirm balances.

They usually trust before they verify—because that’s how traditional auditing works.

Fraud prevention requires something different:

  • Controls that make concealment harder.
  • Oversight that makes rationalization riskier.
  • A culture where people expect verification as normal—not personal.

If you’re reading this as a leader, here’s the blunt version: an annual audit is not a substitute for internal accountability.

It’s not a substitute for clean separation of duties.

And it’s definitely not a substitute for someone who asks hard questions every month.

A Human Lie Detector

You were not hired to be a human lie detector.

You were hired to exercise control responsibilities—as outlined in the company’s policies and procedures manual, which you were trained on.

And if you’re an external auditor, you’re carrying out a fiduciary responsibility. The standards don’t ask you to “feel out” the character and integrity of the people who create or approve transactions. They ask you to obtain objective evidence.

So when someone says, “I trust them,” and uses that as a reason to stop verifying, that’s not professional judgment. That’s someone not doing their job.

It really is that simple.

Which means you have a couple of choices.

You can ignore this advice and keep treating trust like a substitute for verification. Maybe one day I’ll get a call, and we’ll meet in person… in the aftermath.

Trust me on this: that won’t be a good meeting.

Or you can change how you view trust—right now—and make it permanent.

Choose well.

How to Practice “Trust But Verify” Without Becoming a Cynic

If you want to keep trust healthy—and keep your organization (and life) protected—make verification boring.

Make it routine.

Make it impersonal.

Here are three ways to do it.

1) Verify the work, not the person

You don’t say, “I don’t trust you.”

You say, “We are testing the control mechanism—not you.”

“The position you occupy has responsibilities, and this is how we do it here.”

And if somebody tries the classic line—“Oh, don’t you trust me?”—here’s the response:

“Of course, we trust you. Otherwise, you wouldn’t have the responsibilities you do. This isn’t personal. I’m just doing my job. And honestly—if we didn’t verify, why do any audits at all?”

Here are some examples of “verify the work” habits that actually matter:

  • Two sets of eyes on bank reconciliations; real separation of duties.
  • Independent review of vendor setup and vendor bank changes.
  • Approval limits that actually mean something (and aren’t routinely bypassed).
  • Monthly financial review by someone who can ask hard questions—and won’t back down when they don’t like the answers.

People who are honest won’t be offended by a system that treats verification as normal.

They’ll be relieved.

2) Remove single-point control of money

If one person can authorize, record, and reconcile—your “trust” has become a control failure.

Rotate duties. Force vacations. Separate custody from recordkeeping.

Fraud loves comfort. It loves routine. It loves “no one else knows how to do it.”

If you hear that sentence in a finance function, treat it like a flashing light on the dashboard. Because “only I can do it” often really means “no one else can see it.”

3) Build a truth channel that doesn’t depend on courage

Even the best controls miss what coworkers see.

That’s why independent reporting channels matter: people don’t need proof—they need a safe place to speak up. (If you missed my last post, it digs into this in detail—why whistleblowers matter, why people stay silent, and what a real hotline should look like.)

You don’t build this because you assume everyone is bad.

You build it because you accept the truth about human nature:

Pressure happens. Temptation happens.

And sometimes the person who “would never do that” is the one doing it. (If you read my post on Harry, you know exactly what I mean.)

Final Thought

Trust is essential to functioning organizations, families, and communities.

But blind trust—especially when paired with access and authority—is an invitation to harm.

So the lesson isn’t to stop trusting. It’s to stop confusing trust with control.

W.H. Auden put it perfectly in just a few words: “Evil is unspectacular and always human.”

Meaning: it doesn’t always kick the door in.

Sometimes it holds the door open.

Sometimes it’s been in your company for 20 years.

Sometimes it eats at your table.

Take another look at Crundwell’s photo at the beginning of this post. She’s not your typical white-collar criminal. She’s no “Harry.”

She’s a reminder that evil often looks ordinary… even familiar.

Think of her the next time you feel tempted to trust before you verify.

— Tom Golden

I’m headed to a warmer climate for a while, so no post next week. See you in a couple weeks. Subscribe so you never miss a post.

Frequently Asked Questions

What is a whistleblower hotline?

A whistleblower hotline is a confidential reporting system that allows employees, vendors, or other stakeholders to report suspected fraud, misconduct, or ethical violations – anonymously if they choose. When managed by an independent third party, a whistleblower hotline gives employees a safe way to report wrongdoing without fear of retaliation. According to fraud investigation expert Tom Golden, CFE, a properly designed whistleblower hotline is one of the most effective tools an organization can deploy – both as a deterrent to fraud and as an early warning system when fraud does occur.

Are whistleblower hotlines effective at detecting fraud?

Yes. Whistleblower hotlines are consistently identified as one of the most effective fraud detection methods available. Coworkers see what financial systems and audits miss – they notice unusual transactions, feel pressure from management, and receive instructions that don’t seem right. A hotline gives those employees a trusted, anonymous way to act on what they observe. As forensic accounting investigator Tom Golden explains, fraud thrives in secrecy, and a whistleblower hotline injects uncertainty that changes the behavior of potential bad actors before any fraud even occurs.

Why does a whistleblower hotline need to be independent?

A whistleblower hotline must be managed by an independent third party – not HR, legal, compliance, or internal audit – because employees will not trust an internal system. They assume calls will be traced, identities will leak, and careers will quietly stall. Without genuine independence, employees stay silent and the hotline becomes useless. An independent hotline removes that concern, giving employees confidence that their report will be handled confidentially and without internal interference.

How does a whistleblower hotline prevent fraud before it happens?

A whistleblower hotline deters fraud by changing the risk calculation for potential bad actors. Most corporate fraudsters operate with confidence because they believe they won’t be discovered. When employees know that anyone can report misconduct anonymously and that reports go to an independent third party, that confidence disappears. The mere existence of a functioning, trusted hotline introduces uncertainty – and uncertainty is one of the most powerful deterrents to financial crime.

What is the difference between a whistleblower hotline and an audit?

Audits and financial controls look backward – they examine transactions and records after they have already occurred. Financial criminals know this and know how to make fraudulent activity look ordinary in the records. A whistleblower hotline captures real-time intelligence that financial systems miss entirely. Employees who witness pressure, unusual instructions, or suspicious behavior can report it immediately – before the fraud grows. As Tom Golden notes, coworkers see what systems miss, and a hotline gives them a safe way to act on what they observe.

Does a whistleblower need proof before making a report?

No. A whistleblower does not need proof or evidence before making a report. They do not need to investigate anything themselves. All they need is a concern – something that does not sit right, a transaction that fails the smell test, or pressure they have been placed under. The job of the hotline and the investigators who follow up is to determine whether the concern has merit. Requiring proof before reporting is one of the most common reasons fraud goes undetected for years.


TOM GOLDEN

TOM GOLDEN has retired from leading one of the largest forensic accounting investigation practices in the US. He has a national reputation in financial crime investigation and is a frequent presenter to Fortune 500 companies and many organizations, including the FBI and the IRS.


Copyright © 2026 · Tom Golden · All Rights Reserved.