title:Curious Employee Foils Corporate Credit Card Fraud Scam author:Scott Burke source_url:http://www.articlecity.com/articles/business_and_finance/article_6416.shtml date_saved:2007-07-25 12:30:08 category:business_and_finance article:

MOLLY, THE ASSISTANT, Molly treasurer at XYZ Corp. in Miami, opened an e-mail from a former colleague who no longer worked for the organization. The e-mail read: “Hi Molly, there should be a refund of $716 on my old corporate Visa card from the IP Conference. I paid for, but did not attend, the conference and did not turn in the charge to XYZ for reimbursement. Can you have Visa issue a refund check to me? Thanks very much for your help.”
The e-mail was from Jerry, a former XYZ executive who had been Molly’s boss at one time. The message seemed innocuous enough. Jerry had legitimately charged a business conference to his corporate credit card, but he had canceled his registration because he left the company. Therefore, he was due a refund.
It would have been very easy for Molly to trust her former boss and get him the refund. Instead, because something didn’t seem quite right, she chose to check on whether XYZ had already reimbursed Jerry for the conference.
To make this determination, Molly accessed Jerry’s corporate credit card records online and retrieved his expense reports from the accounts payable file room. The expense reports confirmed that Jerry had not expensed the conference fee, but when Molly looked at his credit card statement, she saw a couple of odd items.
First, the most recent statement indicated that the former XYZ executive had made four payments to his credit card in one month. Second, the statement was two pages long, and Molly knew that Jerry rarely traveled for business. She scanned the charges and noted that most of them were from local vendors. In addition, none of the items looked like business charges. The charges included dinners at local restaurants, department and grocery store charges, and airline tickets for Jerry and his wife that Molly knew were for their recent vacation.
Out of curiosity, Molly queried the company’s checks online to see if any of the payments made on Jerry’s Visa account matched the dollar amounts of checks written by XYZ. Sure enough, she found that all four payments made to Jerry’s credit card that month equaled amounts on checks that the company had written to Visa. Molly increased the scope of her search and observed that every payment posted to Jerry’s corporate credit card over the previous 12 months was from a check written by the company. She also noticed that of the $88,000 in charges on Jerry’s card over that time frame, none was for business expenses.
Molly printed copies of all of the checks and noted that, although Visa was listed as the payee on all of them, Jerry’s corporate credit card account number was handwritten on each check. Molly approached the director of internal auditing as well as Jerry’s former manager and requested an investigation into the matter.
While working for XYZ, Jerry was in charge of making sure that the organization paid delinquent balances on the corporate credit cards of people who had left the company. XYZ had an arrangement with the credit card company that it would guarantee payment for certain employees if those employees did not pay the balances on their accounts. Once a month, Jerry would provide accounts payable with a list of delinquent accounts on guaranteed cards, and accounts payable would cut the check to the credit card company.
However, on the bottom of every check request in Jerry’s last year of employment, he had written, “Please deliver the check to me.” Typically, accounts payable would mail the check directly to the credit card company, but because accounts payable knew that Jerry maintained a relationship with the credit card company, they adhered to his request and delivered the checks to him. When Jerry received a check, he would write his own account number on the check, and the bank would apply the payment to Jerry’s credit card.
Jerry did not need to make sure that the delinquent credit card owners listed on his spreadsheet paid their balances, because he had fabricated the delinquency list that he provided to accounts payable. In many cases, the employees with the so-called delinquent balances had left the organization long before, and they had paid their balances in full before departing.
So, where were the control breakdowns? First, Jerry had sole authority over the credit card function. He managed the corporate credit cards, reviewed the delinquent accounts, had access to the employee statements, and dealt with the bank’s account managers. No one reviewed his work. As soon as accounts payable walked the checks down to his office, he had all he needed to perpetrate the fraud.
The second breakdown was that the accounts payable clerk walked the checks over to Jerry. Although not necessarily right, it is understandable that accounts payable would not have the time to audit Jerry’s delinquency list. After all, accounts payable was processing more than 1,000 checks per week with a staff of six. However, it was unacceptable for the clerk to deliver the check directly to Jerry. The check should have gone from accounts payable to the vendor. The vendor invoice–or delinquency data in this case–should have contained all of the pertinent information to allow accounts payable to appropriately route the check.
XYZ decided to report Jerry to law enforcement. Although $88,000 is not a significant amount of money for a $1 billion company, and the legal fees and other costs might be high, the company wanted to demonstrate to its employees that it would not tolerate fraud and would hold perpetrators accountable. Decisive and timely action such as this is critical to maintaining a sound control environment.
Not everyone is as diligent as Molly. The lesson she applied is an important one to teach operations personnel: Take the time to check anything that doesn’t seem right. Because she spent a few minutes performing due diligence, Molly uncovered an $88,000 fraud.
Several symptoms may have flagged the fraud. If internal auditing had been testing the employee credit card charges, simply identifying the top 25 corporate card users and reviewing their charges would have flagged Jerry. Travel reimbursements of $88,000 in one year covers a lot of travel. Testing the accounts of the people with the most posted credits would have similarly flagged Jerry. Also, Jerry averaged three payments a month on his credit card over the course of a year, an unusual pattern that, if identified, should have been investigated.
Testing the top 25 corporate credit card users and searching for unusual patterns are the staples of any audit program that contains tests designed to uncover fraud.
* Employees should take the extra step. If employees are presented with a transaction that they do not completely understand, they should do what was going on so that it became clear to everyone that XYZ would not treat fraud lightly. what it takes to understand the transaction. Molly was one of the custodians of the organization’s cash, so when someone asked for money from the company, even a trusted former boss, it was important for her to understand the nature of the transaction.
* Segregate duties. This is a concept that is drilled into the brains of internal auditors ad nauseam, but it is not necessarily communicated as often to operational management. The organization’s head treasurer, to whom Jerry reported, was an ex-auditor and ex-controller, and therefore should have been aware of this control concept. However, during the course of business, when times are good and everyone is busy, it is easy to overlook the fundamentals. Jerry had too much control, and because accounts payable trusted him, the clerks did not adhere to their own processes and send the check directly to the third party.
* Act quickly and decisively. Jerry was a long-time employee of” XYZ, and he was well-liked in the organization. It would have been easy for the company to ask Jerry to pay the money back and call it even. How ever, management and the board called for a full investigation, led by the internal audit group that included outside consultants, legal counsel, and the district attorney. Management also decided to not keep it quiet; they let the finance and accounting organizations know what was going on so that it became clear to everyone that XYZ would not treat fraud lightly.
* Thieves can get greedy. In this case, Jerry had already left the company. His fraud might have gone undetected if he had not returned for one last $716!

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *