Molly, the assistant treasurer at XYZ Corp. in Miami, opened an e-mail from a former colleague who no longer worked for the organization. The e-mail read: "Hi Molly, there should be a refund of $716 on my old corporate Visa card from the IP Conference. I paid for, but did not attend, the conference and did not turn in the charge to XYZ for reimbursement. Can you have Visa issue a refund check to me? Thanks very much for your help."

The e-mail was from Jerry, a former XYZ executive who had been Molly's boss at one time. The message seemed innocuous enough. Jerry had legitimately charged a business conference to his corporate credit card, but he had canceled his registration because he left the company. Therefore, he was due a refund.

It would have been very easy for Molly to trust her former boss and get him the refund. Instead, because something didn't seem quite right, she chose to check on whether XYZ had already reimbursed Jerry for the conference.

To make this determination, Molly accessed Jerry's corporate credit card records online and retrieved his expense reports from the accounts payable file room. The expense reports confirmed that Jerry had not expensed the conference fee, but when Molly looked at his credit card statement, she saw a couple of odd items.

First, the most recent statement indicated that the former XYZ executive had made four payments to his credit card in one month. Second, the statement was two pages long, and Molly knew that Jerry rarely traveled for business. She scanned the charges and noted that most of them were from local vendors. In addition, none of the items looked like business charges. The charges included dinners at local restaurants, department and grocery store charges, and airline tickets for Jerry and his wife that Molly knew were for their recent vacation.

Out of curiosity, Molly queried the company's checks online to see if any of the payments made on Jerry's Visa account matched the dollar amounts of checks written by XYZ. Sure enough, she found that all four payments made to Jerry's credit card that month equaled amounts on checks that the company had written to Visa. Molly increased the scope of her search and observed that every payment posted to Jerry's corporate credit card over the previous 12 months was from a check written by the company. She also noticed that of the $88,000 in charges on Jerry's card over that time frame, none was for business expenses.

Molly printed copies of all of the checks and noted that, although Visa was listed as the payee on all of them, Jerry's corporate credit card account number was handwritten on each check. Molly approached the director of internal auditing as well as Jerry's former manager and requested an investigation into the matter.

While working for XYZ, Jerry was in charge of making sure that the organization paid delinquent balances on the corporate credit cards of people who had left the company. XYZ had an arrangement with the credit card company that it would guarantee payment for certain employees if those employees did not pay the balances on their accounts. Once a month, Jerry would provide accounts payable with a list of delinquent accounts on guaranteed cards, and accounts payable would cut the check to the credit card company.

However, on the bottom of every check request in Jerry's last year of employment, he had written, "Please deliver the check to me." Typically, accounts payable would mail the check directly to the credit card company, but because accounts payable knew that Jerry maintained a relationship with the credit card company, they adhered to his request and delivered the checks to him. When Jerry received a check, he would write his own account number on the check, and the bank would apply the payment to Jerry's credit card.

Jerry did not need to make sure that the delinquent credit card owners listed on his spreadsheet paid their balances, because he had fabricated the delinquency list that he provided to accounts payable. In many cases, the employees with the so-called delinquent balances had left the organization long before, and they had paid their balances in full before departing.

So, where were the control breakdowns? First, Jerry had sole authority over the credit card function. He managed the corporate credit cards, reviewed the delinquent accounts, had access to the employee statements, and dealt with the bank's account managers. No one reviewed his work. As soon as accounts payable walked the checks down to his office, he had all he needed to perpetrate the fraud.

The second breakdown was that the accounts payable clerk walked the checks over to Jerry. Although not necessarily right, it is understandable that accounts payable would not have the time to audit Jerry's delinquency list. After all, accounts payable was processing more than 1,000 checks per week with a staff of six. However, it was unacceptable for the clerk to deliver the check directly to Jerry. The check should have gone from accounts payable to the vendor. The vendor invoice--or delinquency data in this case--should have contained all of the pertinent information to allow accounts payable to appropriately route the check.

XYZ decided to report Jerry to law enforcement. Although $88,000 is not a significant amount of money for a $1 billion company, and the legal fees and other costs might be high, the company wanted to demonstrate to its employees that it would not tolerate fraud and would hold perpetrators accountable. Decisive and timely action such as this is critical to maintaining a sound control environment.

Not everyone is as diligent as Molly. The lesson she applied is an important one to teach operations personnel: Take the time to check anything that doesn't seem right. Because she spent a few minutes performing due diligence, Molly uncovered an $88,000 fraud.

Several symptoms may have flagged the fraud. If internal auditing had been testing the employee credit card charges, simply identifying the top 25 corporate card users and reviewing their charges would have flagged Jerry. Travel reimbursements of $88,000 in one year covers a lot of travel. Testing the accounts of the people with the most posted credits would have similarly flagged Jerry. Also, Jerry averaged three payments a month on his credit card over the course of a year, an unusual pattern that, if identified, should have been investigated.

Testing the top 25 corporate credit card users and searching for unusual patterns are the staples of any audit program that contains tests designed to uncover fraud.

LESSONS LEARNED

* Employees should take the extra step. If employees are presented with a transaction that they do not completely understand, they should do what it takes to understand the transaction. Molly was one of the custodians of the organization's cash, so when someone asked for money from the company, even a trusted former boss, it was important for her to understand the nature of the transaction.

* Segregate duties. This is a concept that is drilled into the brains of internal auditors ad nauseam, but it is not necessarily communicated as often to operational management. The organization's head treasurer, to whom Jerry reported, was an ex-auditor and ex-controller, and therefore should have been aware of this control concept. However, during the course of business, when times are good and everyone is busy, it is easy to overlook the fundamentals. Jerry had too much control, and because accounts payable trusted him, the clerks did not adhere to their own processes and send the check directly to the third party.

* Act quickly and decisively. Jerry was a long-time employee of XYZ, and he was well-liked in the organization. It would have been easy for the company to ask Jerry to pay the money back and call it even. However, management and the board called for a full investigation, led by the internal audit group that included outside consultants, legal counsel, and the district attorney. Management also decided to not keep it quiet; they let the finance and accounting organizations know what was going on so that it became clear to everyone that XYZ would not treat fraud lightly.

* Thieves can get greedy. In this case, Jerry had already left the company. His fraud might have gone undetected if he had not returned for one last $716!
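
The audit tests the article names (top card users, most posted credits, payments per month) and Molly's matching of card payments to company checks can be run as simple data tests. The Python below is an added example, not part of the original article; the account IDs, months, amounts and record layouts are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the article).
CHARGES = [  # (account, month, amount) charged to corporate cards
    ("A-100", "2024-01", 4200), ("A-100", "2024-02", 3900),
    ("B-200", "2024-01", 650), ("C-300", "2024-02", 1200),
]
PAYMENTS = [  # (account, month, amount) credits posted to card accounts
    ("A-100", "2024-01", 1500), ("A-100", "2024-01", 1400),
    ("A-100", "2024-01", 1300), ("A-100", "2024-02", 3900),
    ("B-200", "2024-01", 650), ("C-300", "2024-02", 1200),
]
COMPANY_CHECKS = [  # (month, amount) checks the company wrote to the issuer
    ("2024-01", 1500), ("2024-01", 1400), ("2024-01", 1300),
    ("2024-02", 3900),
]

def rank_by_total(records, n):
    """Top-n accounts by summed amount: pass charges for the 'top users'
    test, or payments for the 'most posted credits' test."""
    totals = Counter()
    for acct, _, amt in records:
        totals[acct] += amt
    return [acct for acct, _ in totals.most_common(n)]

def frequent_payers(payments, max_per_month=1):
    """Accounts with more payments posted in one month than expected."""
    counts = Counter((acct, month) for acct, month, _ in payments)
    return sorted({a for (a, _), c in counts.items() if c > max_per_month})

def company_funded_share(payments, checks):
    """Share of each account's payments that equal a company check in the
    same month. Amount matching is a heuristic; each check matches once."""
    pool = Counter(checks)
    hit, total = defaultdict(int), defaultdict(int)
    for acct, month, amt in payments:
        total[acct] += 1
        if pool[(month, amt)] > 0:
            pool[(month, amt)] -= 1
            hit[acct] += 1
    return {acct: hit[acct] / total[acct] for acct in total}

if __name__ == "__main__":
    print(rank_by_total(CHARGES, 1), frequent_payers(PAYMENTS))
    print(company_funded_share(PAYMENTS, COMPANY_CHECKS))
```

An account that appears in all three results, and whose holder is not on a verified delinquency list, is the one to pull statements and check copies for.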