Molly, the assistant treasurer at XYZ Corp. in Miami, opened an e-mail from a former colleague who no longer worked for the organization. The e-mail read: "Hi Molly, there should be a refund of $716 on my old corporate Visa card from the IP Conference. I paid for, but did not attend, the conference and did not turn in the charge to XYZ for reimbursement. Can you have Visa issue a refund check to me? Thanks very much for your help."

The e-mail was from Jerry, a former XYZ executive who had been Molly's boss at one time. The message seemed innocuous enough. Jerry had legitimately charged a business conference to his corporate credit card, but he had canceled his registration because he left the company. Therefore, he was due a refund.

It would have been very easy for Molly to trust her former boss and get him the refund. Instead, because something didn't seem quite right, she chose to check on whether XYZ had already reimbursed Jerry for the conference.

To make this determination, Molly accessed Jerry's corporate credit card records online and retrieved his expense reports from the accounts payable file room. The expense reports confirmed that Jerry had not expensed the conference fee, but when Molly looked at his credit card statement, she saw a couple of odd items.

First, the most recent statement indicated that the former XYZ executive had made four payments to his credit card in one month. Second, the statement was two pages long, and Molly knew that Jerry rarely traveled for business. She scanned the charges and noted that most of them were from local vendors. In addition, none of the items looked like business charges. The charges included dinners at local restaurants, department and grocery store charges, and airline tickets for Jerry and his wife that Molly knew were for their recent vacation.

Out of curiosity, Molly queried the company's checks online to see if any of the payments made on Jerry's Visa account matched the dollar amounts of checks written by XYZ. Sure enough, she found that all four payments made to Jerry's credit card that month equaled amounts on checks that the company had written to Visa. Molly increased the scope of her search and observed that every payment posted to Jerry's corporate credit card over the previous 12 months was from a check written by the company. She also noticed that of the $88,000 in charges on Jerry's card over that time frame, none was for business expenses.

Molly printed copies of all of the checks and noted that, although Visa was listed as the payee on all of them, Jerry's corporate credit card account number was handwritten on each check. Molly approached the director of internal auditing as well as Jerry's former manager and requested an investigation into the matter.

While working for XYZ, Jerry was in charge of making sure that the organization paid delinquent balances on the corporate credit cards of people who had left the company. XYZ had an arrangement with the credit card company that it would guarantee payment for certain employees if those employees did not pay the balances on their accounts. Once a month, Jerry would provide accounts payable with a list of delinquent accounts on guaranteed cards, and accounts payable would cut the check to the credit card company.

However, on the bottom of every check request in Jerry's last year of employment, he had written, "Please deliver the check to me." Typically, accounts payable would mail the check directly to the credit card company, but because accounts payable knew that Jerry maintained a relationship with the credit card company, they adhered to his request and delivered the checks to him. When Jerry received a check, he would write his own account number on the check, and the bank would apply the payment to Jerry's credit card.

Jerry did not need to make sure that the delinquent credit card owners listed on his spreadsheet paid their balances, because he had fabricated the delinquency list that he provided to accounts payable. In many cases, the employees with the so-called delinquent balances had left the organization long before, and they had paid their balances in full before departing.

So, where were the control breakdowns? First, Jerry had sole authority over the credit card function. He managed the corporate credit cards, reviewed the delinquent accounts, had access to the employee statements, and dealt with the bank's account managers. No one reviewed his work. As soon as accounts payable walked the checks down to his office, he had all he needed to perpetrate the fraud.

The second breakdown was that the accounts payable clerk walked the checks over to Jerry. Although not necessarily right, it is understandable that accounts payable would not have the time to audit Jerry's delinquency list. After all, accounts payable was processing more than 1,000 checks per week with a staff of six. However, it was unacceptable for the clerk to deliver the check directly to Jerry. The check should have gone from accounts payable to the vendor. The vendor invoice--or delinquency data in this case--should have contained all of the pertinent information to allow accounts payable to appropriately route the check.

XYZ decided to report Jerry to law enforcement. Although $88,000 is not a significant amount of money for a $1 billion company, and the legal fees and other costs might be high, the company wanted to demonstrate to its employees that it would not tolerate fraud and would hold perpetrators accountable. Decisive and timely action such as this is critical to maintaining a sound control environment.

Not everyone is as diligent as Molly. The lesson she applied is an important one to teach operations personnel: Take the time to check anything that doesn't seem right. Because she spent a few minutes performing due diligence, Molly uncovered an $88,000 fraud.

Several symptoms may have flagged the fraud. If internal auditing had been testing the employee credit card charges, simply identifying the top 25 corporate card users and reviewing their charges would have flagged Jerry. Travel reimbursements of $88,000 in one year covers a lot of travel. Testing the accounts of the people with the most posted credits would have similarly flagged Jerry. Also, Jerry averaged three payments a month on his credit card over the course of a year, an unusual pattern that, if identified, should have been investigated.

Testing the top 25 corporate credit card users and searching for unusual patterns are the staples of any audit program that contains tests designed to uncover fraud.

LESSONS LEARNED

* Employees should take the extra step. If employees are presented with a transaction that they do not completely understand, they should do what it takes to understand the transaction. Molly was one of the custodians of the organization's cash, so when someone asked for money from the company, even a trusted former boss, it was important for her to understand the nature of the transaction.

* Segregate duties. This is a concept that is drilled into the brains of internal auditors ad nauseam, but it is not necessarily communicated as often to operational management. The organization's head treasurer, to whom Jerry reported, was an ex-auditor and ex-controller, and therefore should have been aware of this control concept. However, during the course of business, when times are good and everyone is busy, it is easy to overlook the fundamentals. Jerry had too much control, and because accounts payable trusted him, the clerks did not adhere to their own processes and send the check directly to the third party.

* Act quickly and decisively. Jerry was a long-time employee of XYZ, and he was well-liked in the organization. It would have been easy for the company to ask Jerry to pay the money back and call it even. However, management and the board called for a full investigation, led by the internal audit group that included outside consultants, legal counsel, and the district attorney. Management also decided to not keep it quiet; they let the finance and accounting organizations know what was going on so that it became clear to everyone that XYZ would not treat fraud lightly.

* Thieves can get greedy. In this case, Jerry had already left the company. His fraud might have gone undetected if he had not returned for one last $716!
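
The audit tests the article describes (ranking the top card users, counting payments per month, and Molly's matching of card payments to company check amounts) can be run over exported card and check records. The following is an added example, not part of the original article; the data, record layout, function names and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data for illustration; none of it comes from the article.
CHARGES = {"card_A": 88000.00, "card_B": 14200.00, "card_C": 9100.00}  # 12-month totals
PAYMENTS = [  # (card, posting date, amount)
    ("card_A", date(2024, 3, 4), 2150.00), ("card_A", date(2024, 3, 11), 1875.40),
    ("card_A", date(2024, 3, 19), 3020.00), ("card_A", date(2024, 3, 27), 990.15),
    ("card_B", date(2024, 3, 15), 1180.00), ("card_C", date(2024, 3, 20), 760.00),
]
CHECKS = [  # (check number, issue date, amount), all payable to the card issuer
    (5001, date(2024, 3, 1), 2150.00), (5002, date(2024, 3, 8), 1875.40),
    (5003, date(2024, 3, 15), 3020.00), (5004, date(2024, 3, 22), 990.15),
]

def top_users(charges, n=25):
    """Audit test 1: cards ranked by total charges, highest first."""
    return sorted(charges, key=charges.get, reverse=True)[:n]

def payments_per_month(payments):
    """Audit test 2: average payments per active month for each card."""
    per_month = Counter((card, d.year, d.month) for card, d, _ in payments)
    by_card = defaultdict(list)
    for (card, _, _), count in per_month.items():
        by_card[card].append(count)
    return {card: sum(c) / len(c) for card, c in by_card.items()}

def company_funded_share(payments, checks, window_days=10):
    """Molly's test: share of each card's payments that equal a company check
    issued within window_days before posting (each check matched at most once)."""
    unused = list(checks)
    hits, totals = Counter(), Counter()
    for card, posted, amount in sorted(payments, key=lambda p: p[1]):
        totals[card] += 1
        for chk in unused:
            _, issued, chk_amount = chk
            same_cents = round(chk_amount * 100) == round(amount * 100)
            if same_cents and 0 <= (posted - issued).days <= window_days:
                hits[card] += 1
                unused.remove(chk)
                break
    return {card: hits[card] / totals[card] for card in totals}

def flag_cards(charges, payments, checks, max_payments=2, max_share=0.5):
    """Cards exceeding either threshold; thresholds are illustrative assumptions."""
    freq = payments_per_month(payments)
    share = company_funded_share(payments, checks)
    return sorted(c for c in charges
                  if freq.get(c, 0) > max_payments or share.get(c, 0) > max_share)
```

A flagged card is a lead for review rather than a finding: the reviewer still has to confirm whether the matched checks were issued for that cardholder's account.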