OK, stealing $22 million has nothing to do with someone “exploiting the organization’s virtual credit card program." Virtual credit cards are no more exploitable than physical credit cards IF you understand and follow through with solid internal controls.
This has to do with a complete lack of internal controls. What were Senior management and the CFO thinking? Let alone the external auditors.
Yes, the perp is dead-to-rights guilty and deserves serious jail time. But there was also a lot of inadvertent ignorance in and out of the organization to allow this to occur.
