| MOLLY, THE ASSISTANT, Molly treasurer at XYZ | | | | sole authority over the credit card function. He |
| Corp. in Miami, opened an e-mail from a former | | | | managed the corporate credit cards, reviewed the |
| colleague who no longer worked for the organization. | | | | delinquent accounts, had access to the employee |
| The e-mail read: "Hi Molly, there should be a refund of | | | | statements, and dealt with the bank's account |
| $716 on my old corporate Visa card from the IP | | | | managers. No one reviewed his work. As soon as |
| Conference. I paid for, but did not attend, the | | | | accounts payable walked the checks down to his |
| conference and did not turn in the charge to XYZ for | | | | office, he had all he needed to perpetrate the |
| reimbursement. Can you have Visa issue a refund | | | | fraud.The second breakdown was that the accounts |
| check to me? Thanks very much for your help."The | | | | payable clerk walked the checks over to Jerry. |
| e-mail was from Jerry, a former XYZ executive who | | | | Although not necessarily right, it is understandable that |
| had been Molly's boss at one time. The message | | | | accounts payable would not have the time to audit |
| seemed innocuous enough. Jerry had legitimately | | | | Jerry's delinquency list. After all, accounts payable was |
| charged a business conference to his corporate credit | | | | processing more than 1,000 checks per week with a |
| card, but he had canceled his registration because he | | | | staff of six. However, it was unacceptable for the |
| left the company. Therefore, he was due a refund.It | | | | clerk to deliver the check directly to Jerry. The check |
| would have been very easy for Molly to trust her | | | | should have gone from accounts payable to the |
| former boss and get him the refund. Instead, because | | | | vendor. The vendor invoice--or delinquency data in this |
| something didn't seem quite right, she chose to check | | | | case--should have contained all of the pertinent |
| on whether XYZ had already reimbursed Jerry for the | | | | information to allow accounts payable to appropriately |
| conference.To make this determination, Molly | | | | route the check.XYZ decided to report Jerry to law |
| accessed Jerry's corporate credit card records online | | | | enforcement. Although $88,000 is not a significant |
| and retrieved his expense reports from the accounts | | | | amount of money for a $1 billion company, and the |
| payable file room. The expense reports confirmed that | | | | legal fees and other costs might be high, the company |
| Jerry had not expensed the conference fee, but when | | | | wanted to demonstrate to its employees that it would |
| Molly looked at his credit card statement, she saw a | | | | not tolerate fraud and would hold perpetrators |
| couple of odd items.First, the most recent statement | | | | accountable. Decisive and timely action such as this is |
| indicated that the former XYZ executive had made | | | | critical to maintaining a sound control environment.Not |
| four payments to his credit card in one month. Second, | | | | everyone is as diligent as Molly. The lesson she applied |
| the statement was two pages long, and Molly knew | | | | is an important one to teach operations personnel: |
| that Jerry rarely traveled for business. She scanned | | | | Take the time to check anything that doesn't seem |
| the charges and noted that most of them were from | | | | right. Because she spent a few minutes performing |
| local vendors. In addition, none of the items looked like | | | | due diligence, Molly uncovered an $88,000 |
| business charges. The charges included dinners at local | | | | fraud.Several symptoms may have flagged the fraud. |
| restaurants, department and grocery store charges, | | | | If internal auditing had been testing the employee credit |
| and airline tickets for Jerry and his wife that Molly | | | | card charges, simply identifying the top 25 corporate |
| knew were for their recent vacation.Out of curiosity, | | | | card users and reviewing their charges would have |
| Molly queried the company's checks online to see if | | | | flagged Jerry. Travel reimbursements of $88,000 in |
| any of the payments made on Jerry's Visa account | | | | one year covers a lot of travel. Testing the accounts |
| matched the dollar amounts of checks written by | | | | of the people with the most posted credits would |
| XYZ. Sure enough, she found that all four payments | | | | have similarly flagged Jerry. Also, Jerry averaged three |
| made to Jerry's credit card that month equaled | | | | payments a month on his credit card over the course |
| amounts on checks that the company had written to | | | | of a year, an unusual pattern that, if identified, should |
| Visa. Molly increased the scope of her search and | | | | have been investigated.Testing the top 25 corporate |
| observed that every payment posted to Jerry's | | | | credit card users and searching for unusual patterns |
| corporate credit card over the previous 12 months | | | | are the staples of any audit program that contains |
| was from a check written by the company. She also | | | | tests designed to uncover fraud.LESSONS |
| noticed that of the $88,000 in charges on Jerry's card | | | | LEARNED* Employees should take the extra step. If |
| over that time frame, none was for business | | | | employees are presented with a transaction that they |
| expenses.Molly printed copies of all of the checks and | | | | do not completely understand, they should do what |
| noted that, although Visa was listed as the payee on | | | | was going on so that it became clear to everyone |
| all of them, Jerry's corporate credit card account | | | | that XYZ would not treat fraud lightly. what it takes to |
| number was handwritten on each check. Molly | | | | understand the transaction. Molly was one of the |
| approached the director of internal auditing as well as | | | | custodians of the organization's cash, so when |
| Jerry's former manager and requested an investigation | | | | someone asked for money from the company, even |
| into the matter.While working for XYZ, Jerry was in | | | | a trusted former boss, it was important for her to |
| charge of making sure that the organization paid | | | | understand the nature of the transaction.* Segregate |
| delinquent balances on the corporate credit cards of | | | | duties. This is a concept that is drilled into the brains of |
| people who had left the company. XYZ had an | | | | internal auditors ad nauseam, but it is not necessarily |
| arrangement with the credit card company that it | | | | communicated as often to operational management. |
| would guarantee payment for certain employees if | | | | The organization's head treasurer, to whom Jerry |
| those employees did not pay the balances on their | | | | reported, was an ex-auditor and ex-controller, and |
| accounts. Once a month, Jerry would provide | | | | therefore should have been aware of this control |
| accounts payable with a list of delinquent accounts on | | | | concept. However, during the course of business, |
| guaranteed cards, and accounts payable would cut | | | | when times are good and everyone is busy, it is easy |
| the check to the credit card company.However, on the | | | | to overlook the fundamentals. Jerry had too much |
| bottom of every check request in Jerry's last year of | | | | control, and because accounts payable trusted him, the |
| employment, he had written, "Please deliver the check | | | | clerks did not adhere to their own processes and send |
| to me." Typically, accounts payable would mail the | | | | the check directly to the third party.* Act quickly and |
| check directly to the credit card company, but | | | | decisively. Jerry was a long-time employee of" XYZ, |
| because accounts payable knew that Jerry maintained | | | | and he was well-liked in the organization. It would have |
| a relationship with the credit card company, they | | | | been easy for the company to ask Jerry to pay the |
| adhered to his request and delivered the checks to | | | | money back and call it even. How ever, management |
| him. When Jerry received a check, he would write his | | | | and the board called for a full investigation, led by the |
| own account number on the check, and the bank | | | | internal audit group that included outside consultants, |
| would apply the payment to Jerry's credit card.Jerry | | | | legal counsel, and the district attorney. Management |
| did not need to make sure that the delinquent credit | | | | also decided to not keep it quiet; they let the finance |
| card owners listed on his spreadsheet paid their | | | | and accounting organizations know what was going on |
| balances, because he had fabricated the delinquency | | | | so that it became clear to everyone that XYZ would |
| list that he provided to accounts payable. In many | | | | not treat fraud lightly.* Thieves can get greedy. In this |
| cases, the employees with the so-called delinquent | | | | case, Jerry had already left the company. His fraud |
| balances had left the organization long before, and | | | | might have gone undetected if he had not returned for |
| they had paid their balances in full before departing.So, | | | | one last $716! |
| where were the control breakdowns? First, Jerry had | | | | |