Online Security - The Best Kept Secrets of Fraud, Part I
Deep in the heart of a steaming jungle, a ramshackle mining town is full of dangers like mudslides, snakebites, and tropical diseases. Even getting here is an adventure that requires a small plane, a day spent navigating seething rivers, or a hair-raising 4x4 ride over ungraded roads. There are few comforts here and, apart from items in a small camp commissary, almost nothing to buy.
It may seem the most unlikely place on earth to uncover an elaborate fraud scheme. But as Mary Breslin, CIA, CFE, discovered, “The accounting team had this fantastic, controlled, double sign-off process for the miners’ cash. It was placed in envelopes, which were actually sealed with wax, and then hand-delivered to each person, who had to count and sign for it.” Just one problem — the same payroll agent who prepared the miners’ checks was also entrusted with making the bank run to withdraw their cash. It was easy enough to add extra money to each check, pick up the cash, and pocket the difference.
Upon further investigation, Breslin unmasked the same employee as the culprit in a massive, years-long payroll fraud. “It looked like there was this great process,” says Breslin, today an independent audit trainer and consultant. “But they never reconciled the pay register to the actual take-home pay of the miners, and they never reconciled their pay register to their HR roster. If they had done any of those things even one time, they would have found ghost employees who had been there for years.”
No business professional thinks they’re an easy mark. Yet thousands of fraudsters roam today’s organizations, and they’re making off with millions of dollars each year. These conniving crooks are relentless in exploiting our complacency, coming up with inspired twists on the same old cons. Leonard Vona, CPA, CFE, of Fraud Auditing Inc., spells it out: “A lot of fraud scenarios are common to all businesses. The fundamental schemes of 30 years ago are the same schemes occurring today.”
If the schemes are so well known, why do they keep happening? “For decades, the profession has been talking about fraud data analytics as one of the key skills required for auditors,” Vona explains. “Years later, we’re still talking about it.” According to Vona, too many audit teams begin and end their war on fraud by purchasing a detection tool. “We’re comfortable as a profession with compliance and internal controls. But combating fraud is a different animal. It begins with understanding the specifics of your business systems and the scenarios that make you vulnerable to fraud.”
The next step is to build an audit program to search for these scenarios. To help you get started, here are three classic fraud scenarios, along with some savvy approaches to fraud data that real-world CPAs and fraud professionals are using to protect their organizations.
Scenario #1: fictitious employees
Ghost employees may be entirely fictitious, or they may be former employees or contractors who were never purged from the system. As Breslin discovered at the mining company, “The payroll manager had added 19 fictitious employees, in addition to pocketing the extra payday cash. And because there’d been a change in computer systems, we could only go back three years. We’ll never know how long he had been doing it.”
Breslin trains Fortune 500 accountants and auditors on how to combat fraud. “I can’t tell you how many times someone comes back and tells me that they zeroed in on fictitious employees and immediately found fraud. It happens every time. This scheme is very common, yet most organizations don’t look for it.”
“It sounds simple,” Vona concedes. “But the methodology for fraud risk identification is missing from most of the literature. Most auditors need help in paring down a list of fraud scenarios that exist in the business systems they’re auditing.” It helps to break the scenario into its components:
· WHO is committing the fraud? (in this case, the payroll function)
· WHAT type of entity is involved? (in this case, fake employees)
· WHEN and WHERE does the fraud transaction take place? (in this case, the pay register)
· HOW can an audit step be added? (in this case, what specific tests will find employees who don’t actually exist?)
In other words, take heart—fraud detection doesn’t have to be complicated! After all, real employees do real things—they take vacation and sick time, sign up for benefits for their spouses or children, have their wages garnished for child support, and participate in employee charitable campaigns. They scan their badges in and out, punch time clocks, and log in and out of their computers.
Ghost employees don’t do any of those things. They just get paid like clockwork, with the money being deposited right into the pocket of your friendly neighborhood payroll fraudster. “The details of the ghost employee fraud will vary from one organization to the next,” Breslin says. “Each company has a different culture, with different processes and different systems. The key to uncovering this scheme is looking for what’s not there.”
Vona notes, “What the auditor does is look for patterns and frequencies. There’s no official rulebook on this. It’s somewhat dependent on what the perpetrator thinks they can get away with. With all that said, by working through your scenarios, you start to understand what fraud detection really looks like.”
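The reconciliations Breslin describes (pay register against the HR roster, pay register against the cash each person signed for) and the "look for what's not there" test can each be written as a simple exception check. The sketch below is an added example, not taken from the article or from anyone quoted in it; the employee IDs, field names, amounts, and reason strings are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; IDs, fields and amounts are illustrative assumptions.
HR_ROSTER = {"E001": "active", "E002": "active", "E003": "terminated", "E005": "active"}
# (employee_id, pay_period, amount_on_register, amount_employee_signed_for)
PAY_REGISTER = [
    ("E001", "2024-01", 1200, 1200), ("E001", "2024-02", 1200, 1200),
    ("E002", "2024-01", 1350, 1200), ("E002", "2024-02", 1350, 1200),
    ("E003", "2024-01", 1100, 1100), ("E003", "2024-02", 1100, 1100),
    ("E004", "2024-01", 1000, 1000), ("E004", "2024-02", 1000, 1000),
    ("E005", "2024-01", 1250, 1250), ("E005", "2024-02", 1250, 1250),
]
# Footprint real employees leave behind: leave days, badge scans, benefit enrollments.
ACTIVITY = {
    "E001": {"leave_days": 4, "badge_scans": 310, "benefits": 1},
    "E002": {"leave_days": 2, "badge_scans": 298, "benefits": 0},
    "E003": {"leave_days": 0, "badge_scans": 0, "benefits": 0},
    # E004 and E005 have no activity records at all.
}

def find_payroll_exceptions(pay_register, hr_roster, activity):
    """Return {employee_id: sorted list of exception reasons}."""
    findings = defaultdict(set)
    for emp_id, period, on_register, signed_for in pay_register:
        # Test 1: reconcile the pay register to the HR roster.
        status = hr_roster.get(emp_id)
        if status is None:
            findings[emp_id].add("paid but not on HR roster")
        elif status != "active":
            findings[emp_id].add(f"paid while HR status is {status}")
        # Test 2: reconcile the register to actual take-home pay.
        if on_register != signed_for:
            findings[emp_id].add("register amount differs from signed-for cash")
        # Test 3: look for what is not there (no footprint of a real person).
        footprint = activity.get(emp_id, {})
        if not any(footprint.values()):
            findings[emp_id].add("no leave, badge or benefits activity")
    return {emp: sorted(reasons) for emp, reasons in sorted(findings.items())}

if __name__ == "__main__":
    for emp, reasons in find_payroll_exceptions(PAY_REGISTER, HR_ROSTER, ACTIVITY).items():
        print(emp, "->", "; ".join(reasons))
```

Each flag is a lead for follow-up rather than proof: E005 in the sample data is on the roster and paid correctly, and is surfaced only because it leaves no activity footprint.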
Stay tuned for part II, which will examine fraud scenario #2: zombie vendors.
Liz Clare is a professional writer focusing on enterprise technology.