Although I have not been involved in this case, from the reports the following things strike me as lessons in these allegations that might apply to other cases:
1. Audits work, and for that matter so do double-checks, stock-checks and other second person checks.
2. The "Whistleblower" may or may not be innocent, after-all, they know about the problem for one of two reasons, one they were an innocent bystander
who witnessed wrong-doing and reported it at the earliest opportunity, or they knew of the fraud because they were involved in it, knew it was about to be discovered and therefore blew the whistle to protect themselves and implicate other people.
3. A second person involved in the process is not bullet proof, many other people would be much better, after-all you may bribe one member of the team but not many.
4. No matter how good your selection process, there's always one and they won't stop until you stop them.
5. Therefore don't set your processes in stone, changing roles, responsibilities, processes, systems every so often can shake out problems
6. There is no foolproof fraud rule, although the same card and same email address was used to buy many tickets, I am sure that for an airline they would have some corporate cards that are used to buy airline tickets every single day.
7. Employees should have no defence that they were not aware of their responsibilities or company policies.