This piece was originally shared on ACL’s blog and is republished here with permission.
You might have heard the statistic: in just about any size company, fraud claims between five and 10 percent of annual revenue. Some fraudulent activity comes from external sources (such as cyber breaches or theft), but a good amount of fraud can come from within the ranks of the company itself.
ACL is taking a closer look at how employees most often take advantage of internal systems for their own personal gain and what organizations can do to reduce their exposure to these risks of fraud.
Most managers probably don’t think that much about the likelihood of fraud carried out by people on their teams. They spend most of their time thinking about how to achieve their objectives and get the job done. Even the most demanding bosses tend to trust the basic integrity of the people working with them. These are likely to be among the many reasons employee fraud occurs and often remains undiscovered.
So what are some of the common instances of employee fraud that managers and executives should bear in mind? How do they find out if fraudulent activities have occurred?
The use of corporate credit cards or purchasing cards can make good business sense. They dramatically reduce the costs of the typical purchase order and payment cycle for smaller expense and procurement items. However, they are particularly prone to abuse by employees. Maybe that recent corporate card purchase of a high-end, large-screen computer monitor was fully justified and helped improve the employee’s productivity — but what if the monitor ended up with the employee’s child who loves computer gaming? What about the $5,000 spent at Home Depot for “office improvements” by the branch supervisor? Perhaps the supervisor now has a greatly improved recreation room. What about duplicate purchases? Was one valid and one for personal use?
Of course, all purchases and expenses made through a p-card should be approved by an authorized manager. But that’s where the control weaknesses often appear. If a senior manager has to approve the monthly use of p-cards for 50 or more employees, are they really going to spend the time to ensure every item was justified?
There is a relatively simple answer to this problem. Credit card companies provide detailed data for every transaction. The data can be analyzed to identify many indicators of fraud. Merchant category codes can be checked and anything that seems dubious can be highlighted for review. There have been cases where one employee used their corporate card to spend thousands on psychic readings, while another purchased a cow at an auction for their hobby ranch.
The fraud risks in p-card systems also apply to travel and entertainment expenses. The opportunities for fraud are very similar in terms of expensing personal costs to the business. Additionally, duplicate charges may signal fraud; for example, multiple employees charge for the same lavish entertainment of a key client. Was that expensive trip to Florida for a “client meeting” really justified when it was during spring break and overlapped with vacation days?
Again, it is a relatively simple process to analyze data to find the red flags of duplicate charges and expense claims that just don’t seem right.
Vendor systems and the purchase-to-pay process also pose a number of fraud risks. Employees can set up “phantom vendors” in order to process fraudulent invoices for nonexistent goods and services and then have payments made to bank accounts controlled by the employee.
Employees can also collude with vendors and approve the purchases of goods and services at grossly inflated prices. The vendors may express their appreciation by shipping some goods directly to the employee’s home.
There are various ways to check for these activities. For example, vendor addresses can be analyzed to identify fictitious addresses or to see if they happen to match an employee address. Vendor prices for goods and services can be analyzed in detail to find instances in which prices for specific items are far from the statistical norms.
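The two vendor checks described above, sketched in Python as an added example that is not part of the original article. The record layouts, the abbreviation table and the robust z-score threshold of 3.5 are assumptions chosen for illustration.

```python
import re
from statistics import median

# Constructed sample data; every name, address and price is illustrative.
EMPLOYEES = [{"id": "E100", "address": "42 Maple Street, Apt. 3, Springfield"},
             {"id": "E101", "address": "7 Harbour Road, Lakeside"}]
VENDORS = [{"id": "V1", "address": "900 Industrial Ave, Springfield"},
           {"id": "V2", "address": "42 MAPLE ST APT 3 SPRINGFIELD"}]
# (vendor_id, item, unit_price)
INVOICE_LINES = [("V1", "toner", 61.0), ("V1", "toner", 59.5), ("V3", "toner", 60.0),
                 ("V3", "toner", 62.0), ("V4", "toner", 58.0), ("V2", "toner", 148.0)]

ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}

def normalize(address):
    """Lower-case, strip punctuation and collapse common street-type variants."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", address.lower().replace(".", "")).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)

def vendors_at_employee_addresses(vendors, employees):
    """Return (vendor_id, employee_id) pairs whose normalized addresses match."""
    by_address = {normalize(e["address"]): e["id"] for e in employees}
    return [(v["id"], by_address[normalize(v["address"])])
            for v in vendors if normalize(v["address"]) in by_address]

def price_outliers(lines, threshold=3.5):
    """Flag lines whose price is far from the per-item median (robust z-score)."""
    by_item = {}
    for _, item, price in lines:
        by_item.setdefault(item, []).append(price)
    flagged = []
    for vendor, item, price in lines:
        prices = by_item[item]
        med = median(prices)
        # Median absolute deviation: a spread measure that one inflated price cannot skew
        mad = median(abs(p - med) for p in prices)
        if mad and 0.6745 * abs(price - med) / mad > threshold:
            flagged.append((vendor, item, price))
    return flagged

if __name__ == "__main__":
    print(vendors_at_employee_addresses(VENDORS, EMPLOYEES))
    print(price_outliers(INVOICE_LINES))
```

Exact matching after normalization misses typos and deliberately altered addresses, so a production check would usually add fuzzy matching on top of this.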
Payroll fraud risks tend to increase in relation to the size of the organization. It may be a simple job to keep watch over a department with only 100 employees in one location. But what happens when there are hundreds or thousands of employees spread across multiple locations? How do you know that every person on the payroll actually came to work and did their job? A lot of trust is typically put in departmental and regional management to ensure that individuals on the payroll are still valid, contributing employees.
Some supervisors may be tempted to set up friends and relatives as employees and share the payroll proceeds. Even if the employee does turn up for work — what if the supervisor generously approves very large bonuses and overtime payments?
One way to keep an eye on things is to analyze employee activity records, such as electronic access and security records. How often was the employee logged on to corporate systems? How often was a swipe card used to access corporate premises? How do records for overtime hours compare to login and physical access records?
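One way to compare overtime claims with access records, as an added example that is not from the original article. The record formats, the 8-hour standard day and the half-hour tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Timesheet: (employee_id, work_date, overtime_hours_claimed)
TIMESHEET = [("E7", "2024-03-11", 4.0), ("E7", "2024-03-12", 3.0),
             ("E9", "2024-03-11", 2.0), ("E12", "2024-03-11", 5.0)]
# Badge swipes and system logins merged into one feed: (employee_id, timestamp)
ACCESS_EVENTS = [("E7", "2024-03-11 08:02"), ("E7", "2024-03-11 21:10"),
                 ("E7", "2024-03-12 08:05"), ("E7", "2024-03-12 17:01"),
                 ("E9", "2024-03-11 07:55"), ("E9", "2024-03-11 18:20")]

STANDARD_HOURS = 8.0   # assumed length of a normal working day
TOLERANCE = 0.5        # assumed slack for breaks and clock drift, in hours

def observed_span_hours(events):
    """Hours between first and last access event per (employee, date)."""
    stamps = defaultdict(list)
    for emp, ts in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        stamps[(emp, t.date().isoformat())].append(t)
    return {k: (max(v) - min(v)).total_seconds() / 3600 for k, v in stamps.items()}

def unsupported_overtime(timesheet, events):
    """Return overtime claims that the access records do not support."""
    spans = observed_span_hours(events)
    findings = []
    for emp, day, claimed in timesheet:
        span = spans.get((emp, day))
        if span is None:
            # Paid overtime with no badge or login activity: possible ghost employee
            findings.append((emp, day, claimed, "no access activity at all"))
        elif span + TOLERANCE < STANDARD_HOURS + claimed:
            supported = max(0.0, span - STANDARD_HOURS)
            findings.append((emp, day, claimed,
                             f"presence supports {supported:.1f}h overtime"))
    return findings

if __name__ == "__main__":
    for finding in unsupported_overtime(TIMESHEET, ACCESS_EVENTS):
        print(finding)
```

A flagged row is a prompt for review, since field work and remote work without a login can legitimately leave no trace in these logs.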
When thinking of anti-fraud measures, people tend to focus on the expense side of things. But there are also plenty of opportunities for employee fraud on the income side. Say a sales executive pushes through a large sale at period end and picks up a nice commission and bonus payment. Then, after about a month, the sale is reversed and a credit note is issued. What happens to the commission and bonus? Who makes sure that those are reversed as well?
The opportunities for collusion with customers tend to mirror those with vendors. A salesperson may provide extremely generous pricing discounts in return for a kickback, and somehow half of the goods shipped to the customer happen to make their way to the salesperson’s home.
Analyses of discounts, pricing, sales reversals and credit notes and terms can identify many indicators of fraud. These are the same analyses that can match shipping addresses with employee addresses.
One of the key anti-fraud controls in almost any business process area is management approval. Managers are trusted to review and approve purchases and expenses in their areas — but only to a certain degree. There are approval limits depending on the level of manager and budget responsibility. The risk of a large fraudulent expense getting approved by a manager is presumably limited if, for example, they are only authorized to approve purchases up to $50,000. Yet, if a manager approves five purchases for $49,000 each, they might really be approving a fraudulent purchase of $245,000.
Scrutinizing data for this form of “split” approvals is a simple but effective task.
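A minimal split-approval check using the article's $50,000 limit and five $49,000 purchases, written as an added example rather than code from the article. Grouping by approver and vendor and the 7-day rolling window are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

APPROVAL_LIMIT = 50_000  # the per-manager limit used in the article's example

# Constructed sample approvals: (approver, vendor, approval_date, amount)
APPROVALS = [
    ("mgr_a", "Acme Fitouts", date(2024, 3, 4), 49_000),
    ("mgr_a", "Acme Fitouts", date(2024, 3, 4), 49_000),
    ("mgr_a", "Acme Fitouts", date(2024, 3, 5), 49_000),
    ("mgr_a", "Acme Fitouts", date(2024, 3, 6), 49_000),
    ("mgr_a", "Acme Fitouts", date(2024, 3, 7), 49_000),
    ("mgr_b", "Paper Co", date(2024, 3, 4), 12_000),
    ("mgr_b", "Paper Co", date(2024, 5, 20), 45_000),
]

def find_split_approvals(approvals, limit=APPROVAL_LIMIT, window_days=7):
    """Flag approver/vendor groups whose individually compliant approvals
    add up to more than the limit inside a rolling window."""
    groups = defaultdict(list)
    for approver, vendor, day, amount in approvals:
        if amount <= limit:  # over-limit items are a different control failure
            groups[(approver, vendor)].append((day, amount))
    findings = []
    for (approver, vendor), items in groups.items():
        items.sort()
        best_total, best_count, start, running = 0, 0, 0, 0
        for end, (day, amount) in enumerate(items):
            running += amount
            # Shrink the window until it spans at most window_days
            while day - items[start][0] > timedelta(days=window_days):
                running -= items[start][1]
                start += 1
            if running > best_total:
                best_total, best_count = running, end - start + 1
        if best_count > 1 and best_total > limit:
            findings.append({"approver": approver, "vendor": vendor,
                             "count": best_count, "total": best_total})
    return findings

if __name__ == "__main__":
    print(find_split_approvals(APPROVALS))
```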
Incidentally, one of my personal favorites for innovative ways to see if the management approval process is working properly is to analyze the time stamp data for when a manager approves a monthly corporate card charge for employees. In one case, the analysis showed that a manager had approved a very large number of charges within about 80 seconds — not exactly reassuring that appropriate due diligence had taken place!
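The time-stamp analysis described above can be expressed as a burst detector over an approval log. This is an added example, not the author's tooling; the log format and the three thresholds are assumptions.

```python
from datetime import datetime

# Constructed approval log: (manager, ISO timestamp of each approval).
# mgr_c approves 40 charges between 09:15:00 and 09:16:18, one every 2 seconds.
APPROVAL_LOG = (
    [("mgr_c", f"2024-04-02T09:15:{s:02d}") for s in range(0, 60, 2)]
    + [("mgr_c", f"2024-04-02T09:16:{s:02d}") for s in range(0, 20, 2)]
    + [("mgr_d", "2024-04-02T10:00:00"), ("mgr_d", "2024-04-02T10:04:30"),
       ("mgr_d", "2024-04-02T10:11:10")]
)

def approval_bursts(log, max_gap=30, min_items=10, min_seconds_per_item=15):
    """Find runs of approvals by one manager that are too fast for real review.

    A run continues while consecutive approvals are at most max_gap seconds
    apart; it is reported when it holds at least min_items approvals and the
    average time per approval is below min_seconds_per_item.
    """
    by_mgr = {}
    for mgr, ts in log:
        by_mgr.setdefault(mgr, []).append(datetime.fromisoformat(ts))
    findings = []
    for mgr, stamps in by_mgr.items():
        stamps.sort()
        burst = [stamps[0]]
        for t in stamps[1:] + [None]:  # None is a sentinel that closes the last run
            if t is not None and (t - burst[-1]).total_seconds() <= max_gap:
                burst.append(t)
                continue
            duration = (burst[-1] - burst[0]).total_seconds()
            if len(burst) >= min_items and duration / len(burst) < min_seconds_per_item:
                findings.append({"manager": mgr, "items": len(burst),
                                 "seconds": duration,
                                 "sec_per_item": round(duration / len(burst), 2)})
            if t is not None:
                burst = [t]
    return findings

if __name__ == "__main__":
    print(approval_bursts(APPROVAL_LOG))
```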
Whether it’s data analytics or forensic accounting, we encourage all companies, large and small, to use any and all available resources to stamp out fraud, reduce waste and optimize performance.
John Verver is acknowledged internationally as an expert authority and thought leader on the application of data analysis technology in audit, risk management, and compliance. He is regularly asked to speak at global audit, compliance, risk, and control conferences and is a member of the advisory board of the Continuous Auditing Research Lab. John was also a key contributor to the Institute of Internal Auditors’ Global Technology Audit Guide #3 on continuous auditing, assurance monitoring, and risk assessment.
John Verver is currently a strategic advisor to ACL. Until recently he was a vice president with ACL, with overall responsibility for ACL’s product and services strategy, as well as for relationships with key organizations in the audit, compliance, risk, and control market. His previous responsibilities at ACL included leadership and growth of ACL’s professional services organization, including consulting, training, and technical support. He led the overall development of ACL’s industry-transforming continuous controls monitoring solution.
Prior to joining ACL, John spent 15 years with Deloitte in the UK and Canada. During his tenure, he was director of computer services, with responsibility for IT audit and security services, as well as accounting systems consulting and implementation. He subsequently became a principal, responsible for building and managing the system development and implementation practice in British Columbia.
John is a Chartered Accountant, Certified Management Consultant and Certified Information System Auditor. He has served on the Council of the Institute of Management Consultants of British Columbia and on committees of the Institute of Chartered Accountants of BC. He has an honors degree from King’s College, University of London, England.