Lessons in Fraud From Atlanta Hawks

Today, another compliance lesson from the world of sports! Federal prosecutors have indicted the now-former head of finance of the Atlanta Hawks professional basketball team, on charges that he embezzled millions from the team over at least eight years to buy sports cars, concert tickets, luxury vacations, and all the usual goodies we see in such cases.

Prosecutors in Atlanta indicted Leslie Jones, 46, in federal court last week. Jones pleaded not guilty and is currently free on $10,000 bond, and apparently is no longer with the Hawks nor commenting publicly about the case. Nevertheless, it’s a fascinating tale with all sorts of warnings about internal control over financial reporting and transparency into financial processes.

 We can start with the allegations in the indictment, an eight-page document sure to make internal auditors and SOX compliance professionals wince.

Jones first joined the Hawks in 2016 as director of financial planning and analysis, and then progressively moved up the ranks: promoted to vice president of financial planning and analysis in 2018, then again to senior vice president of finance in 2021. From 2018 until the Hawks parted ways with Jones earlier this summer, Jones was the senior-most accounting officer at the team after the CFO.

 As Jones climbed the corporate ladder at the team, his duties expanded too. At various times he was responsible for financial planning, accounts payable, payroll (no small thing for an NBA team; the Hawks’ payroll last season for players alone was reportedly $170 million), budgeting, preparing financial statements — and, crucially for us, handling employee expense reimbursements.

The Embezzlement Allegations

The indictment against Jones primarily addresses his time with the team from 2021 onward, when he became responsible for the company’s corporate credit card accounts with American Express. In that role, Jones decided which employees would receive an Amex card, had full visibility into who had which cards and what those balances were, and was the sole point of contact (Did your internal control antennae just perk up? Mine did) between Amex and the team for any issues related to late payments and card suspensions.

 At the same time, Jones was also in charge of the Hawks’ system for expense reimbursements. He managed the accounting employees who ran the system directly and had approval authority for who received what reimbursements, including payments to Amex.

Important detail: during that time period, the Hawks’ expense reimbursement system had several shortcomings. Foremost, the reimbursement platform didn’t properly integrate employees’ Amex transactions into the platform. That meant accounting staffers using the platform could see that employee John Doe might submit a reimbursement request, supposedly complete with invoices; but they could not see whether that documentation actually matched charges on the corporate Amex card.

Prosecutors say Jones exploited that weakness, submitting dozens of false expense reports with fictitious or altered invoices so that he could rack up millions in charges for trips around the world, a Porsche car, concert tickets, and so forth; plus Louis Vuitton clothes and jewelry for a female employee Jones was dating on the down low. (She too has left the team, apparently.)

As recently as January 2025, for example, Jones allegedly altered an email from American Express to make it look like Amex would cut off card access if he didn’t pay an overdue bill of $229,968. He supplied an expense reimbursement report for that amount, supposedly to cover the cost of a trip to an NBA event in Las Vegas Vegas, complete with a bogus invoice from Wynn Resorts. No such charges existed and Wynn never issued any invoice to Jones for the event, but the company reimbursed Jones anyway.

Lessons to Learn

The first and most obvious lesson from this case is the importance of segregation of duties. Employees should not have so many overlapping duties in financial reporting processes that they can abuse that power to commit fraud. This is Internal Control 101. A crucial corollary is the principle of least privilege — that is, the idea that employees should only have access to the data and systems they need to do their jobs, and no more.

 Typically people understand these ideas to mean that junior employees shouldn’t have so many system privileges or access that they could execute senior-level duties. That point is true, but we always need to remember that the principle of least privilege should run in reverse, too: senior executives don’t necessarily need the same access to the same systems as they move upward through the org chart. Proper segregation of duties works both across and up and down roles.  

 Internal auditors need to think about how employee roles evolve over time, and what privileges or access is necessary for people in those roles to do their jobs. Moving up doesn’t always mean more power to do things; it only means more power to make decisions — and with proper documentation, so poor or corrupt decisions stick out like a sore thumb.

 Along those lines, the second big lesson here is the importance of visibility into financial systems and transactions. Go back to the indictment; Jones is accused of altering email records and manipulating financial reports, and the Hawks were hobbled by a reimbursement platform that didn’t let accounting employees peer into the data so they could match claims on an expense report to actual charges on a corporate Amex card.

All of that should make SOX compliance and internal audit executives break out in hives. Your IT systems need solid IT general controls so that people either can’t alter email records, or discrepancies can be easily uncovered. Your financial reporting processes should be able to connect different troves of data (expense forms versus actual charges) so that you can have clear visibility down the chain of a transaction to detect fraud. Your risk management or financial reporting technology vendors will be happy to have a conversation about these abilities, rest assured.

The third big lesson is the enduring importance of internal audits, including audits of the boring stuff like expense reimbursement reports. Apparently a routine audit is how these discrepancies were uncovered, and the rest is history.

While we’re on the subject, let me also say this is yet another example of why strong internal controls and compliance remain important to corporate organizations, even in the Trump 2.0 era of deregulation and lighter enforcement — because the capabilities you built up for effective ethics and compliance programs are fundamentally the same ones you need to root out fraud and keep operational risks in check.