We hear stories all the time about how some employee created a simple scheme to embezzle money from their unsuspecting employer. It is always amusing to read about how the perpetrator pulled off the heist, but all the stories have one thing in common – lack of control.
A good example of a more current fraud is well documented in the August 2014 Journal of Accountancy. The following is an executive summary and some lessons to learn.
A corporate mistake opened the door for Nathan J. Mueller’s fraud. Two years after the error was made, he discovered he was authorized to request and approve checks of up to $250,000. A co-worker also was accidentally granted the same privileges, while a subordinate was authorized to request checks.
Mueller, his subordinate, and the co-worker often logged on as one another to get work done. This allowed Mueller to request checks under one identity and then approve them under his own account.
Mueller and his subordinate were allowed to physically pick up checks. This allowed Mueller to take physical checks to the bank to be deposited into the account of a fake vendor he set up.
Mueller hid his debits in ledger accounts that he controlled. Better separation of duties could have helped to prevent the scheme.
The fraud netted nearly $8.5 million in four years. The money was used to buy expensive cars, watches, and nighttime entertainment as well as to pay for numerous trips from Minnesota to Las Vegas. Living beyond one’s means is a classic red flag of possible fraud.
Mueller told his wife his extra money was from gambling winnings. After a while, she began to doubt that explanation, and they divorced.
The fraud was uncovered when Mueller’s ex-wife expressed her doubts about his income to his co-worker. The co-worker spotted questionable transactions in the company records and brought them to management’s attention. The scheme unraveled quickly after that.
Mueller was sentenced to 97 months in federal prison after pleading guilty to fraud. He is due to be released in September after 5½ years in prison.
LESSONS TO LEARN
An organization’s hiring policy should include past employment verification, a background check, a credit check, and education verification. These policies and procedures should be applied in every hiring instance, including those in which groups of employees are onboarded as the result of a corporate entity acquisition.
A good example of potential fraud risk is personal financial stress. A review of a new hire’s credit report will indicate the amount of financial burden an employee carries, which may be a red flag for potential fraud risk.
Authentication controls identify the person accessing the accounting system and ensure that only legitimate users can access the system. These controls include passwords, smart cards, and biometric identifiers. For example, employees share passwords among peers as a workaround when someone is out of the office and they need to get the job done. Having strong authentication controls in place will reduce the risk of employees signing on as others.
Authorization controls restrict the access of authenticated users to certain classes of information and capabilities. It is always a good idea to regularly verify what access employees have, whether it is to online banking or approval of expenses. Also, make sure the authorization employees have makes sense. Just because they were given access before doesn’t mean they need that access now.
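A periodic access review of the kind described above can be scripted against an export of the accounting system's entitlements. The following is an added example, not taken from the Journal of Accountancy article; the user names, role names, privilege names, and role baseline are all constructed for illustration.

```python
from collections import defaultdict

# Constructed entitlement export: (user, role, privilege, limit_usd).
ENTITLEMENTS = [
    ("manager_a", "accounting_manager", "check.request", 250_000),
    ("manager_a", "accounting_manager", "check.approve", 250_000),
    ("coworker_b", "senior_accountant", "check.request", 250_000),
    ("coworker_b", "senior_accountant", "check.approve", 250_000),
    ("subordinate_c", "staff_accountant", "check.request", 10_000),
    ("controller_d", "controller", "check.approve", 250_000),
]

# Hypothetical baseline: what each role should hold, with its dollar limit.
ROLE_BASELINE = {
    "accounting_manager": {"check.request": 25_000},
    "senior_accountant": {"check.request": 25_000},
    "staff_accountant": {"check.request": 10_000},
    "controller": {"check.approve": 250_000},
}

# Privilege pairs that one person should never hold together.
TOXIC_PAIRS = [("check.request", "check.approve")]


def review(entitlements, baseline, toxic_pairs):
    """Return (user, finding, detail) tuples for access that needs follow-up."""
    held, roles = defaultdict(dict), {}
    for user, role, priv, limit in entitlements:
        held[user][priv] = limit
        roles[user] = role
    findings = []
    for user in sorted(held):
        privs = held[user]
        # Separation of duties: the same person can request and approve.
        for a, b in toxic_pairs:
            if a in privs and b in privs:
                findings.append((user, "SOD_CONFLICT", f"{a}+{b}"))
        # Access that the role does not call for, or at too high a limit.
        allowed = baseline.get(roles[user], {})
        for priv, limit in sorted(privs.items()):
            if priv not in allowed:
                findings.append((user, "UNEXPECTED_PRIVILEGE", priv))
            elif limit > allowed[priv]:
                findings.append((user, "LIMIT_ABOVE_BASELINE", priv))
    return findings


if __name__ == "__main__":
    for finding in review(ENTITLEMENTS, ROLE_BASELINE, TOXIC_PAIRS):
        print(finding)
```

Running the review on a schedule, rather than only at onboarding, is what catches a grant made in error years earlier.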
Processing controls ensure that data is processed correctly and that obvious errors are not processed. A good review of the bank account on the general ledger should include picking debits and following them through to the original documentation. Check whether the backup makes sense and whether it came from a real vendor.
Physical safeguards ensure physical documents are handled correctly. For example, paper checks should not be picked up or distributed to the requesting or authorizing employee. The risk of fraud is hard to avoid where just one or two people understand the whole system and where one or two people are responsible for reconciliations and write-offs. Good business practices such as separation of operational responsibility from recordkeeping responsibilities are great ways to limit the opportunity for fraud.
Employee support programs can assist employees struggling with addictions, mental and emotional health, and family and financial problems. The elements of the fraud triangle include pressure, opportunity, and rationalization. Extensive personal debts and a new child provided the pressure for the first phase of the fraud. A good support system can help employees deal with an issue instead of rationalizing fraud.
Other Prevention Tools
Forensic analytics is the act of obtaining and analyzing electronic data using calculations and statistical techniques to reconstruct, detect, or otherwise support a claim of embezzlement or other financial fraud. The main steps in the process are data collection; data cleansing; running the analytics tests; and evaluation, investigation, and reporting.
The largest subsets growth test is based on the fact that people escalate their frauds at a much more rapid pace than what would be considered normal, and they don’t know when to stop the stealing. For example, running a computer-based test to review the vendors with the largest annual growth in total dollars will indicate fraudulent vendors with explosive year-over-year growth. An employee using a company purchasing card for personal expenses often has geometric growth in total purchases. An employee with a fraudulent overtime scheme also often shows high growth in hourly totals, perhaps even to impossible levels. These are all hard to detect when looking at the trees, but look at the forest and the picture gets much clearer.
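The vendor version of the growth test can be run over a payments export in a few lines. This is an added example, not code from the article; the vendor names and amounts are constructed, and the materiality floor (min_current) is an assumed parameter that keeps small-dollar vendors from crowding the list.

```python
from collections import defaultdict

# Constructed payments ledger: (vendor, year, amount_usd).
PAYMENTS = [
    ("Acme Office Supply", 2012, 118_000), ("Acme Office Supply", 2013, 124_500),
    ("Northside Freight", 2012, 310_000), ("Northside Freight", 2013, 295_000),
    ("Delta Consulting", 2012, 40_000), ("Delta Consulting", 2012, 22_000),
    ("Delta Consulting", 2013, 410_000), ("Delta Consulting", 2013, 385_000),
    ("Harbor Catering", 2012, 900), ("Harbor Catering", 2013, 4_200),
    ("Pine Ridge Services", 2013, 96_000),
]


def largest_growth(payments, prior, current, min_current=10_000, top=5):
    """Rank vendors by year-over-year growth in total dollars paid."""
    totals = defaultdict(lambda: defaultdict(float))
    for vendor, year, amount in payments:
        totals[vendor][year] += amount

    rows = []
    for vendor, by_year in totals.items():
        cur, prev = by_year.get(current, 0.0), by_year.get(prior, 0.0)
        if cur < min_current:
            continue  # below the materiality floor; high ratio, trivial dollars
        # A vendor with no prior-year spend has undefined growth. Rank it
        # first and mark it, so vendor setup is reviewed alongside growth.
        ratio = cur / prev if prev > 0 else float("inf")
        rows.append({"vendor": vendor, "prior": prev, "current": cur,
                     "ratio": ratio, "new_vendor": prev == 0})

    rows.sort(key=lambda r: (r["ratio"], r["current"]), reverse=True)
    return rows[:top]


if __name__ == "__main__":
    for r in largest_growth(PAYMENTS, 2012, 2013):
        label = "new" if r["new_vendor"] else f"{r['ratio']:.2f}x"
        print(f"{r['vendor']:<22} {r['prior']:>10,.0f} {r['current']:>10,.0f}  {label}")
```

The same function applies to purchasing-card totals per employee or overtime hours per employee by changing what the first column identifies.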
Fraud awareness training reminds employees at all levels in the organization that fraud is real and that it could be happening in their departments. A co-worker living beyond what his or her salary should allow is a classic red flag for fraud. Frauds are often discovered by tips, and organizations should encourage employees to report by offering an anonymous fraud reporting channel, such as a third-party hotline.