As a forensic accountant, my first contact with clients often occurs when they suspect they've been victimized by fraud; usually they're right. Initially, my job is to determine the nature and extent of the theft, to identify the perpetrators and, if possible, to help them recover the loss. Most often, fraud victims are shocked and angry when they learn that a trusted employee has taken advantage of them. The emotions are understandable; violated trust doesn't feel very good. Unfortunately, trust is a key component of fraud and far too many companies rely upon it as an internal control.

The Association of Certified Fraud Examiners estimates that U.S. companies lose approximately 6 percent of their revenue to employee fraud and abuse; it's a massive, $600 billion a year problem. Financial statement fraud has garnered the lion's share of attention recently; however, it accounts for only 5 percent of the reported incidents. Fraudulent billing, payroll fraud, check-tampering, skimming, corruption and other such schemes affect businesses with much greater frequency.

Weak internal controls play a big part in most frauds; you might call them "worst practices." Two of the most common control weaknesses are inadequate segregation of duties and poor management oversight. Perhaps the best way to illustrate that point is through some examples. I've removed specific names to protect the innocent (or guilty).

For each example, I've included a description of the company's "worst practice."

Payroll Fraud And More

Our first example involves a company's payroll manager—we'll call her "Sarah."

Sarah was a long-term employee who was highly regarded by senior management. Over many years, Sarah had been rewarded handsomely with substantial merit increases, bonuses and other perks.

While reviewing the cash flow figures, a new company treasurer noticed that the prior month's payroll was $700,000 higher than normal. Naturally he called Sarah and asked her to explain the large increase. Returning from a business trip on short notice, Sarah quickly dismissed the matter as a "bank error" and, sure enough, $700,000 was wire transferred to the company's bank account the following day. Suspicious of the way the problem had been resolved, the company launched an investigation and discovered that the $700,000 "returned by the bank" had in fact been wired from Sarah's personal bank account.

Understandably, the investigation continued. During questioning, Sarah admitted to taking $1.25 million through fraudulent payroll transactions. After delivering the company a cashier's check for $500,000, Sarah offered to resign and asked the company to consider the matter closed. Wisely, the offer was declined. At its conclusion, the investigation revealed that Sarah had actually taken more than $2.25 million. In addition to previously undisclosed payroll transfers, totaling $700,000, it was discovered that Sarah had misdirected nearly $350,000 in tax refund checks to her personal bank account.

Worst Practice: Poor Oversight And Segregation Of Duties

Thanks to a sharp-eyed treasurer, this fraud was discovered and stopped. However, the story could easily have had a much different ending. In fact, this fraud could have continued indefinitely. For months before being discovered, Sarah was taking $30,000 to $40,000 at a time through fraudulent payroll transactions. Had she continued to steal in those amounts, it is unlikely that the new treasurer would ever have noticed the variance.

What about the other internal controls, you ask? They were either missing altogether or not functioning as management thought they were.

Inadequately segregated duties and poor management oversight allowed Sarah to create, change and delete payroll transactions without authorization or supervisory review. After misdirecting fictitious payroll transactions to her own account, Sarah simply deleted them from the system. The payroll register was "out of balance" and had never been reconciled to the general ledger. Worse still, the payroll bank account hadn't been properly reconciled in nearly two years, a fact that went undetected by company management and the auditors. Had any of these controls been functioning, the fraud would have been stopped dead in its tracks.

Inadequate segregation of duties also played a key role in allowing Sarah to misdirect the tax refund checks to her personal account. Part of Sarah's job was to prepare the payroll tax returns. Refunds, resulting from her intentional overpayments, came directly to Sarah instead of being sent to a lock-box or to someone uninvolved in the process. Sarah simply endorsed the checks "Pay to the order of Sarah" and deposited them to her own account before they ever hit the company's books.

Watch Those Voided Checks

Following up on a bank inquiry, an accounting clerk noticed several cleared checks on the bank statement that were shown as being "voided" on the company's check register. The accounting clerk reported the matter to her supervisor, who pulled the cancelled checks and discovered that the payee was none other than "Ted," the company treasurer.

The ensuing investigation disclosed that Ted had cashed "voided" checks totaling more than $700,000, most of which had been used to finance frequent gambling trips to Las Vegas. The amount of the actual fraud was probably much higher, as "voided" checks were shown to have been cashed by Ted as far back as records were available.

Worst Practices: Lax Supervision

As is often the case, this fraud was detected by accident. The ensuing investigation revealed significant weaknesses in the system of internal control. Inadequate segregation of duties and lax supervision again played critical roles. Ted had access to the blank check stock, as well as the check signing machine, and he was responsible for reconciling the bank accounts.

No one but Ted ever saw the bank reconciliations. He simply completed a monthly report with a "check mark" indicating that the reconciliations had been completed, always on time of course. Each month, Ted's report was dutifully approved in writing by the company's controller. As was the case with the first example above, the unreconciled bank accounts went undetected by the company auditors.
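The comparison that exposed Ted, the check register against the bank statement, can be run every month by someone who neither writes nor signs checks. The sketch below is an added example, not part of the original column; the check numbers, payees, amounts and field names are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample: the company's own check register.
CHECK_REGISTER = [
    {"check_no": 1001, "payee": "Acme Supply", "amount": Decimal("1250.00"), "status": "issued"},
    {"check_no": 1002, "payee": "VOID", "amount": Decimal("0.00"), "status": "void"},
    {"check_no": 1003, "payee": "City Utilities", "amount": Decimal("480.10"), "status": "issued"},
    {"check_no": 1004, "payee": "VOID", "amount": Decimal("0.00"), "status": "void"},
    {"check_no": 1005, "payee": "Acme Supply", "amount": Decimal("990.00"), "status": "issued"},
]

# Constructed sample: checks the bank reports as paid this month.
BANK_CLEARED = [
    {"check_no": 1001, "amount": Decimal("1250.00")},
    {"check_no": 1002, "amount": Decimal("8500.00")},  # register says void
    {"check_no": 1003, "amount": Decimal("840.10")},   # amount does not match
    {"check_no": 1007, "amount": Decimal("3000.00")},  # never recorded
]


def reconcile(register, cleared):
    """Return (check_no, reason) for every cleared check the register cannot explain."""
    by_no = {entry["check_no"]: entry for entry in register}
    exceptions = []
    for item in cleared:
        entry = by_no.get(item["check_no"])
        if entry is None:
            exceptions.append((item["check_no"], "cleared but not in register"))
        elif entry["status"] == "void":
            exceptions.append((item["check_no"], "cleared but recorded as void"))
        elif entry["amount"] != item["amount"]:
            exceptions.append((item["check_no"], "amount differs from register"))
    return exceptions


if __name__ == "__main__":
    for check_no, reason in reconcile(CHECK_REGISTER, BANK_CLEARED):
        print(check_no, reason)
```

The exception list is only a control if it goes to a reviewer outside the check-writing process, with the bank data taken directly from the bank rather than from the person being checked.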

Excessive Consulting Fees

As a truck terminal manager, "Pete" was considered to be the best. As a 30-year employee, there wasn't much he didn't know, which is why he managed the company's largest facility. One day, the human resources department got a call from an attractive, young female employee at the terminal who claimed that Pete had been harassing her sexually. Surprised by the complaint, the company launched an investigation, fully expecting to exonerate their favorite terminal manager. What they found shocked them further and exposed more than one type of inappropriate behavior.

Pete often took his pretty, young subordinate on business trips; at least until the arrival of another pretty, young employee at the terminal. The trips often included helicopter dinner tours, private boxes at sporting events, gambling junkets to Las Vegas and other types of lavish entertainment.

Upset at being replaced by a rival, the young lady told investigators about the inappropriate advances Pete often made while they were on these trips. When other employees confirmed some of the allegations, the investigators began to look more closely at Pete's operation, including an examination of his books and records. The terminal's books showed regular, monthly payments to a consultant for just under $10,000 each. When Pete couldn't explain the purpose of the fees, the investigators checked out the consultant. What they found was a mail drop in the name of a fictitious business that had been started by none other than Pete. Over the years, the bogus consulting payments totaled well over $1 million.

Worst Practices: Consolidated Expense Reporting

On the surface, the internal controls appeared to be adequate. However, Pete found some holes and made the most of them. Invoices in excess of $10,000 required two approval signatures; those below that amount required only one: Pete's. All of the bogus consulting fees were for amounts just below the "two signature limit"; often $9,999.

Though senior management reviewed a summary of the terminal's monthly expenses, the consulting fees were concealed by consolidating them with other expenditures. Ironically, because Pete had been stealing in this fashion for so long, the thefts were actually included in his annual budget and "approved" by management.
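Pete's pattern, repeated payments to one payee sitting just under the two-signature limit, is visible only in line-item data, not in the consolidated summary management reviewed. The following is an added example, not part of the original column: the $10,000 limit comes from the text, while the vendor names, amounts, the 5 percent band and the three-payment minimum are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

APPROVAL_LIMIT = Decimal("10000")  # two-signature limit described in the column
BAND = Decimal("0.05")             # assumption: "just under" means within 5% of the limit
MIN_HITS = 3                       # assumption: repeats required before a vendor is flagged

# Constructed sample of line-item payments: (period, vendor, amount).
PAYMENTS = [
    ("01", "Hypothetical Consulting", Decimal("9999.00")),
    ("02", "Hypothetical Consulting", Decimal("9950.00")),
    ("03", "Hypothetical Consulting", Decimal("9999.00")),
    ("01", "Fuel Depot", Decimal("9800.00")),   # one near-limit payment only
    ("02", "Fuel Depot", Decimal("4300.00")),
    ("03", "Fuel Depot", Decimal("12500.00")),  # over the limit, two signatures
    ("02", "Tire Service", Decimal("2100.00")),
]


def just_under_limit(payments, limit=APPROVAL_LIMIT, band=BAND, min_hits=MIN_HITS):
    """Return {vendor: (count, total)} for vendors repeatedly paid just below the limit."""
    floor = limit * (1 - band)
    hits = defaultdict(list)
    for _period, vendor, amount in payments:
        # Single-signature payments that sit in the band right under the limit.
        if floor <= amount < limit:
            hits[vendor].append(amount)
    return {
        vendor: (len(amounts), sum(amounts))
        for vendor, amounts in hits.items()
        if len(amounts) >= min_hits
    }


if __name__ == "__main__":
    for vendor, (count, total) in just_under_limit(PAYMENTS).items():
        print(f"{vendor}: {count} payments just under the limit, total {total}")
```

A flagged vendor is a prompt to verify the payee independently, for example by confirming the business address and who set the vendor up.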

Eliminating "Worst Practices"

The best way to protect yourself from employee fraud and abuse is to improve internal controls. While even the best controls won't eliminate fraud, they will significantly reduce the risk and help you detect it when it does occur.

Look at your business environment and identify areas most susceptible to fraud. Asset misappropriation accounts for more than 80 percent of employee fraud and abuse; cash is the target 90 percent of the time. Make sure that duties are adequately segregated. No one should be able to initiate and complete a significant transaction without getting someone else involved.

While it's important to develop a degree of trust with your employees, don't allow it to become an internal control. When approving the work of others, be skeptical and don't be afraid to ask questions. Make your approval mean something. Having your signature on a fraudulent transaction can be awfully embarrassing.

Finally, and most importantly, be aware of the risk. Fraud is a growth industry and anyone can become a victim.

The column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
