Molly, the assistant treasurer at XYZ Corp. in Miami,
opened an e-mail from a former colleague who no longer worked
for the organization. The e-mail read: "Hi Molly, there should
be a refund of $716 on my old corporate Visa card from the IP
Conference. I paid for, but did not attend, the conference and
did not turn in the charge to XYZ for reimbursement. Can you have
Visa issue a refund check to me? Thanks very much for your help."
The e-mail was from Jerry, a former XYZ executive who had been
Molly's boss at one time. The message seemed innocuous enough.
Jerry had legitimately charged a business conference to his
corporate credit card, but he had canceled his registration
because he left the company. Therefore, he was due a refund.
It would have been very easy for Molly to trust her former boss
and get him the refund. Instead, because something didn't seem
quite right, she chose to check on whether XYZ had already
reimbursed Jerry for the conference.
To make this determination, Molly accessed Jerry's corporate
credit card records online and retrieved his expense reports from
the accounts payable file room. The expense reports confirmed
that Jerry had not expensed the conference fee, but when Molly
looked at his credit card statement, she saw a couple of odd
items.
First, the most recent statement indicated that the former XYZ
executive had made four payments to his credit card in one month.
Second, the statement was two pages long, and Molly knew that
Jerry rarely traveled for business. She scanned the charges and
noted that most of them were from local vendors. In addition,
none of the items looked like business charges. The charges
included dinners at local restaurants, department and grocery
store charges, and airline tickets for Jerry and his wife that
Molly knew were for their recent vacation.
Out of curiosity, Molly queried the company's checks online to
see if any of the payments made on Jerry's Visa account matched
the dollar amounts of checks written by XYZ. Sure enough, she
found that all four payments made to Jerry's credit card that
month equaled amounts on checks that the company had written to
Visa. Molly increased the scope of her search and observed that
every payment posted to Jerry's corporate credit card over the
previous 12 months was from a check written by the company. She
also noticed that of the $88,000 in charges on Jerry's card over
that time frame, none was for business expenses.
Molly printed copies of all of the checks and noted that,
although Visa was listed as the payee on all of them, Jerry's
corporate credit card account number was handwritten on each
check. Molly approached the director of internal auditing as
well as Jerry's former manager and requested an investigation
into the matter.
While working for XYZ, Jerry was in charge of making sure that
the organization paid delinquent balances on the corporate credit
cards of people who had left the company. XYZ had an arrangement
with the credit card company that it would guarantee payment for
certain employees if those employees did not pay the balances
on their accounts. Once a month, Jerry would provide accounts
payable with a list of delinquent accounts on guaranteed cards,
and accounts payable would cut the check to the credit card
company.
However, on the bottom of every check request in Jerry's last
year of employment, he had written, "Please deliver the check to
me." Typically, accounts payable would mail the check directly to
the credit card company, but because accounts payable knew that
Jerry maintained a relationship with the credit card company,
they adhered to his request and delivered the checks to him. When
Jerry received a check, he would write his own account number on
the check, and the bank would apply the payment to Jerry's credit
card.
Jerry did not need to make sure that the delinquent credit card
owners listed on his spreadsheet paid their balances, because he
had fabricated the delinquency list that he provided to accounts
payable. In many cases, the employees with the so-called
delinquent balances had left the organization long before, and
they had paid their balances in full before departing.
So, where were the control breakdowns? First, Jerry had sole
authority over the credit card function. He managed the corporate
credit cards, reviewed the delinquent accounts, had access to the
employee statements, and dealt with the bank's account managers.
No one reviewed his work. As soon as accounts payable walked the
checks down to his office, he had all he needed to perpetrate the
fraud.
The second breakdown was that the accounts payable clerk walked
the checks over to Jerry. Although not necessarily right, it is
understandable that accounts payable would not have the time to
audit Jerry's delinquency list. After all, accounts payable was
processing more than 1,000 checks per week with a staff of six.
However, it was unacceptable for the clerk to deliver the check
directly to Jerry. The check should have gone from accounts
payable to the vendor. The vendor invoice--or delinquency data in
this case--should have contained all of the pertinent information
to allow accounts payable to appropriately route the check.
XYZ decided to report Jerry to law enforcement. Although $88,000
is not a significant amount of money for a $1 billion company,
and the legal fees and other costs might be high, the company
wanted to demonstrate to its employees that it would not tolerate
fraud and would hold perpetrators accountable. Decisive and
timely action such as this is critical to maintaining a sound
control environment.
Not everyone is as diligent as Molly. The lesson she applied is
an important one to teach operations personnel: Take the time to
check anything that doesn't seem right. Because she spent a few
minutes performing due diligence, Molly uncovered an $88,000
fraud.
Several symptoms may have flagged the fraud. If internal auditing
had been testing the employee credit card charges, simply
identifying the top 25 corporate card users and reviewing their
charges would have flagged Jerry. Travel reimbursements of
$88,000 in one year covers a lot of travel. Testing the accounts
of the people with the most posted credits would have similarly
flagged Jerry. Also, Jerry averaged three payments a month on his
credit card over the course of a year, an unusual pattern that,
if identified, should have been investigated.
Testing the top 25 corporate credit card users and searching for
unusual patterns are the staples of any audit program that
contains tests designed to uncover fraud.
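The tests described above, and the payment-to-check match Molly ran by hand, can be scripted. This is an added example, not part of the original article; the record layouts, names, amounts, the 10-day matching window and the two-payments-per-month threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; amounts are integer cents.
CARD_PAYMENTS = [  # (cardholder, date posted, amount)
    ("jerry", date(2023, 3, 3), 185000),
    ("jerry", date(2023, 3, 10), 240050),
    ("jerry", date(2023, 3, 17), 97525),
    ("jerry", date(2023, 3, 27), 310000),
    ("alice", date(2023, 3, 12), 42000),
    ("bob", date(2023, 3, 20), 185000),
]
COMPANY_CHECKS = [  # (check number, payee, date issued, amount)
    (1001, "Visa", date(2023, 2, 28), 185000),
    (1002, "Visa", date(2023, 3, 6), 240050),
    (1003, "Visa", date(2023, 3, 13), 97525),
    (1004, "Visa", date(2023, 3, 22), 310000),
    (1005, "Office Supply Co", date(2023, 3, 10), 42000),
]

def payments_funded_by_company(payments, checks, issuer="Visa", window_days=10):
    """Pair each card payment with one unused company check to the card
    issuer for the same amount, issued at most window_days before posting."""
    unused = [c for c in checks if c[1] == issuer]
    hits = []
    for holder, posted, cents in payments:
        for chk in unused:
            number, _, issued, chk_cents = chk
            if chk_cents == cents and 0 <= (posted - issued).days <= window_days:
                hits.append((holder, posted, cents, number))
                unused.remove(chk)  # a check can fund only one payment
                break
    return hits

def frequent_payers(payments, max_per_month=2):
    """Cardholders with more than max_per_month payments in any calendar month."""
    counts = defaultdict(int)
    for holder, posted, _ in payments:
        counts[(holder, posted.year, posted.month)] += 1
    return sorted({key[0] for key, n in counts.items() if n > max_per_month})

def top_by_credits(payments, n=25):
    """The n cardholders with the largest total of posted payments."""
    totals = defaultdict(int)
    for holder, _, cents in payments:
        totals[holder] += cents
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    for hit in payments_funded_by_company(CARD_PAYMENTS, COMPANY_CHECKS):
        print("card payment matches company check:", hit)
    print("frequent payers:", frequent_payers(CARD_PAYMENTS))
```

A match on amount and date is a lead for review, not proof: a legitimate guaranteed-card payoff would match too, so each hit still has to be traced to the check request behind it.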
LESSONS LEARNED
* Employees should take the extra step. If employees are
presented with a transaction that they do not completely
understand, they should do what it takes to understand the
transaction. Molly was one of the
custodians of the organization's cash, so when someone asked for
money from the company, even a trusted former boss, it was
important for her to understand the nature of the transaction.
* Segregate duties. This is a concept that is drilled into the
brains of internal auditors ad nauseam, but it is not necessarily
communicated as often to operational management. The
organization's head treasurer, to whom Jerry reported, was an ex-
auditor and ex-controller, and therefore should have been aware
of this control concept. However, during the course of business,
when times are good and everyone is busy, it is easy to overlook
the fundamentals. Jerry had too much control, and because
accounts payable trusted him, the clerks did not adhere to their
own processes and send the check directly to the third party.
* Act quickly and decisively. Jerry was a long-time employee of
XYZ, and he was well-liked in the organization. It would have
been easy for the company to ask Jerry to pay the money back and
call it even. However, management and the board called for a
full investigation, led by the internal audit group that included
outside consultants, legal counsel, and the district attorney.
Management also decided to not keep it quiet; they let the
finance and accounting organizations know what was going on so
that it became clear to everyone that XYZ would not treat fraud
lightly.
* Thieves can get greedy. In this case, Jerry had already left
the company. His fraud might have gone undetected if he had not
returned for one last $716!