Auditing for Anomalies
Working as a lender in a financial institution’s private banking operations, which caters to affluent clients, is a plum assignment, bestowing cachet on the person holding that job. But it also exposes that person to opportunities for committing insider fraud. An employee at National Penn Bancshares recently abused that position and defrauded the bank of $6.7 million, according to papers filed by the company with the Securities and Exchange Commission.
It worked like this: The employee misappropriated customer identities, making it appear as if those customers had obtained loans from the bank, then apparently shifted loan obligations around, in what the company called “a very sophisticated pyramid-style fraud scheme,” to mask the crimes.
The scheme, according to the February 2005 filing, “was specifically designed to avoid detection by ongoing bank controls and audits.” The fraud, which began at least as far back as 2002, was discovered when irregularities in loan and deposit accounts were uncovered during control audit procedures conducted in the first week of 2005. No customer lost money, but the bank itself was fleeced of $6.7 million. In response, National Penn Bancshares has announced that it is considering new internal control measures, such as limiting worker access to the computer system used to maintain deposit accounts, reviewing activity in employee accounts, and changing paper-flow procedures and confirmation processes.
While computerization of information has made companies more efficient, it has also, as this example shows, made it easier for financial criminals to commit insider fraud.
At the same time that technology is making fraud easier, new federal mandates for antifraud are raising the stakes for companies that fail to secure their systems. But software-based solutions do exist. Let’s look first at the typical schemes and then at the possible ways to prevent or detect them.
System-based schemes. Hack attacks against businesses make the headlines, but internal fraud remains the biggest threat for many businesses. Industry experts agree that 60 to 70 percent of the financial losses suffered by an organization result from insider fraud, and the Association of Certified Fraud Examiners estimates that fraud consumes six percent of an enterprise’s revenue.
A June 2002 Gartner report entitled Moving to Transaction Incident Monitoring for IS Security summed up the insider risk by stating, “The major threat comes from technology-minded insiders who have knowledge about processes, business system customizations and technologies. Insiders such as current employees, recently terminated employees, subcontractors, and consultants are significantly more dangerous than outsiders…. In some business environments, such as ERP (enterprise resource planning) or CRM (customer relationship management), 95 percent of fraud comes from insiders or internal users with access to key data transactions.”
Systems-based fraudulent schemes by insiders can fall into a number of categories. The main types include the following:
False (“ghost”) vendors. A ghost—or bogus—vendor can be created and added into the system by an accounts-payable clerk, who can then use the account to process checks made out to that ghost vendor—essentially funneling money to himself or herself.
The clerk simply creates a bank account in the fictitious vendor’s name, then grants himself authorization to deposit or cash checks made out to the company. Some banks don’t require even that much. A fake business card stating that the person is a high-level officer of the fictitious company can be enough to get account privileges.
The dishonest clerk can either hope that the payment is lost amid hundreds of other payments on the corporate system, or he can delete invoice and payment records. Doing so requires database access and some sophistication, however.
Ghost employees. These are nonexistent employees placed on the payroll, resulting in the company paying a salary for work never done. The scheme typically requires the collusion of an insider.
In one case currently awaiting disposition, a company contracted by the New York/New Jersey Port Authority to maintain and clean artifacts remaining from the World Trade Center after the attacks allegedly defrauded the port authority for two years by billing it for ghost employees. The contractor was able to cover up the scheme—which netted more than $100,000—for so long because it bribed port authority officials overseeing the contract, according to the indictment, which was made public in December 2004 by the Manhattan district attorney.
Product returns and voids. In this scheme, an employee buys and expenses an approved purchase and then returns the purchase for a refund without informing the company. The employee then pockets the refund. A separate but similar scheme is for an employee to void purchases by customers who have not actually returned the products. The employee then pockets the refund money.
For example, a complicated money laundering and fraud scheme that took place in the 1990s at three New York racetracks involved rampant voids by tellers at betting windows. Tellers would pocket bets, assuming that bettors would lose. If they won, the teller would pay them out of the till, while the money wagered remained in the teller’s pocket.
The system invited fraud by the way that it was set up. For example, at the beginning of racing meets (which lasted six or ten weeks), tellers and “mini-dealers”—who act as cashiers to groups of tellers—were given bags or boxes of cash to pay winning bets. Tellers could get additional money from a mini-dealer or the track’s cash room merely by requesting it.
Weak controls, including only occasional spot checks by auditors and the requirement that tellers balance their cash boxes only at the end of racing meets, allowed the scam to flourish. In a single year, scores of tellers had till shortages of more than $10,000. Tellers used the pilfered funds as “seed money” to run money laundering, loan sharking, and gambling operations, according to a 2003 report by New York Attorney General Eliot Spitzer.
Personal purchases. Purchase orders from approved vendors for items that fall within a company’s budgets—for computers, for example—are often approved with little oversight. This practice allows insiders to slip personal purchases into the billing system.
Accounts-payable tampering. In this type of scheme, just before a check is printed, an insider in the accounts-payable system changes the check’s payee information so that he or she can cash it. The insider can also alter the vendor’s address or bank routing number to receive payments, and the thief can then hide the evidence of wrongdoing by changing the routing information back to the original. There is, of course, the risk that the vendor will complain about not being paid.
Even more effective is simply creating a whole new fictitious invoice from a trusted vendor. The vendor won’t know that the invoice ever existed, so it won’t inquire about a missing payment.
Fabricated commissions. Commission-based employees can boost their compensation by falsifying sales orders for improper commission checks.
Risks. Unique risks posed by the migration of records to electronic systems include wide access, the transience of evidence, and authorized users’ attempts to make processes more efficient.
Wide access. In the old days, few people had access to the company’s accounting books or checks, but almost everyone in an office has at least the potential to access that information once it is digitized and stored on a computer connected to the corporate network.
In addition, it is riskier to be caught literally with one’s hand in the till than it is to fudge and rearrange numbers on computerized invoices and spreadsheets. As computers proliferate and users get savvier, they are discovering more anonymous ways of getting to the virtual till.
Evidence. System-based fraud methods typically leave a much more transient trail of evidence, since employees familiar with an enterprise’s system can cover their tracks. As users become more familiar with a system over time, they learn the logic behind it and how to game the system.
Efficiency. Authorized insiders often circumvent internal controls and required approvals to boost productivity. But that misuse of the system creates an opportunity for other insiders to use the same shortcuts to commit fraud.
Exponential expansion. Unfortunately, the opportunity to commit fraud increases as businesses link their systems with vendors, suppliers, and contractors and share more information. As the numbers of transactions and avenues rise, internal auditors cannot keep pace by relying on sampling-based audits.
New mandates. With Sarbanes-Oxley (SOX) public companies can no longer afford to be lackadaisical about internal controls and fraud prevention. Section 404, for example, outlines specific requirements for documenting internal controls. Companies must also continually assess those controls. And chief executives must personally attest in filings with the Securities and Exchange Commission to the reliability of the company’s financial statements based on the integrity of these controls.
Furthermore, Section 302 requires businesses to disclose all deficiencies in their internal controls and any fraud involving employees. Any developments that could have a negative impact on internal controls must also be reported.
Some companies have formed SOX (sometimes called “SarBox”) teams to address these new mandates.
Solutions. So how can a company address the various challenges posed by systems-based fraud and also improve internal controls as called for now by law for public companies? Businesses and risk managers must find a technological way to duplicate the function of the long-replaced control department once responsible for sifting through invoices, purchase orders, and payment vouchers to ensure that all the numbers matched up. Let’s look at the options.
ERP controls. Many companies now use enterprise resource planning (ERP) systems, such as PeopleSoft and SAP, to integrate the information used by various operations, such as sales, production, inventory management, and billing.
ERP applications typically come with built-in system controls, and many organizations rely heavily on these. For example, one built-in control might try to segregate duties by prohibiting a single person from approving both an invoice and a related payment voucher.
The problem is that employees often view these controls as a burden and, thus, fail to maintain and update them. In many cases, employees never even properly implement the controls due to the complexity of maintaining them and the need to understand all relevant business processes before implementing those controls.
This approach clearly represents a missed opportunity. Companies with this type of software should make sure that the chief information security officer or another trusted employee has oversight of the use of ERP controls and that, perhaps as a part of SOX compliance audits, internal checks are made to periodically ensure that these controls are in place, are being properly used, and have not been circumvented.
Transaction-integrity monitoring. To supplement ERP controls, companies can engage in transaction-integrity monitoring. This entails computer scans of every activity that occurs in search of anomalies that deserve to be flagged and checked. For example, a transaction where the mailing address has been altered just before payment would likely be caught by such a scan.
The next step would be to compare information across systems, such as Dun & Bradstreet vendor numbers and human resource applications. In that way, transaction-integrity monitoring builds a case of suspicious activities for internal auditors to pursue.
Transaction-integrity-monitoring solutions enable internal auditors to reduce their dependence on sampling-based audits. They can instead dedicate their time to investigating suspicious transactions flagged by the system.
Transaction-integrity monitoring can be accomplished in several ways. One option is for an internal member of the audit staff to write queries (usually in computer code) to the ERP system to ask it to probe for specific issues or anomalies. This requires special knowledge, and the company may not have anyone on staff capable of doing this. The author knows of one company that has set out to do this to monitor all activity (many companies query on a random basis for sampling purposes), but it is too early to tell how it’s working.
For companies that do not have the in-house expertise to build these queries into the ERP from scratch, specific off-the-shelf software is available from various companies (including the author’s). Some of this software is priced per user, starting at about $2,000 per user for a tool that facilitates the development of queries or rules. Oversight, the author’s company, charges $85,000 per business process. For example, one process might cover everything from procurement to payment with regard to all vendors. This fee covers an unlimited number of users and an unlimited number of changes to the monitoring logic.
In theory, a third method is by hiring outside auditors to perform the monitoring. But the cost and burden would be astronomical.
Whichever way they choose to go, companies should look for four key requirements in evaluating their individual needs.
Independence. First, transaction monitoring must be conducted independently of operations so that users cannot easily gain access to it.
Real-time. Second, a transaction-monitoring solution must access information in real time so that users do not have a chance to cover their tracks. Real-time analysis is essential since certain elements of the electronic information may exist only at a certain point in time. In other cases, the relevant information may not be retrievable after a specific period of time. Without a paper trail, transaction monitoring must produce a snapshot of the details of the fraudulent act.
Complete analysis. Third, transaction monitoring should analyze all elements of the transaction. For a transaction in the purchasing department, the analysis should include invoices, purchase orders, shipping receipts, invoice approvals, and payment voucher approvals.
Access controls. Fourth, only a few approved financial and IT personnel should have administrative privileges to the transaction-integrity-monitoring system to reduce the risk of a fraudster going into the system and deleting alerts and forensic information.
Implementation and cost. Installing and using transaction-integrity-monitoring software is relatively simple. In the case of Oversight, the software is shipped on a special appliance so that it will exist independently of the company’s operational infrastructure, including general computer controls.
Oversight normally controls the configuration of the software to prevent the customer’s employees from switching off software auditing functions. Oversight then works with a customer’s employee who is intricately familiar with the ERP system, so as to tailor the product for the customer’s use.
One company uses its accounts-payable system to process rebates for customers. In the standard configuration of the software, customers would appear to be highly irregular vendors. Instead, the software has been modified to accept these transactions as normal.
Transaction-integrity-monitoring software should be updated frequently. The core Oversight software is updated on a six-week cycle. On that same cycle is the introduction of new areas for analysis. Recently, for example, Oversight added the ability for C-level executives to purchase consulting services without having to prepare a purchase order. Previously, the lack of a purchase order would have been flagged as an anomaly. Then an alternative control might be implemented, such as having the CEO sign off on an engagement letter that is entered into the system.
Clear message. A transaction-monitoring system is a good way for management to send a clear message to staff that policies matter and that deviations will not be tolerated.
For instance, a large government agency responsible for managing assets of over $10 billion a year recently implemented a transaction-integrity-monitoring system to assist with the detection of internal fraud. The monitoring system was interfaced with the agency’s proprietary accounting system so that all transactions were monitored, analyzed, and subsequently correlated to network events.
The monitoring system worked by finding exceptions to policies in more or less real time. Possible policy exceptions included variations on the standard information that should be contained in vendor files, received shipments that didn’t match up to invoice line items, actions taken on a second invoice that was a copy of the first, and irregularities between numbers on payment vouchers, invoices, and other documents related to the same transaction.
When the agency performed its initial run-through of all of its vendor files, about a third of all entries had some sort of exception. For example, a vendor might be listed as IBM in one file and International Business Machines in another. Obviously, not all discrepancies were related to acts of fraud. In terms of dollars lost, the biggest problem involved differences between invoices and payments. For example, the same invoice might be paid twice under two slightly different invoice numbers. Whether this was intentional fraud or error, it was still a cost to the organization.
Most importantly, the deployment of the monitoring system established a “tone at the top” from agency executives. It showed staff that there was a new conviction to eliminate past problems. Once employees got the message that they couldn’t tinker with payment systems with impunity, irregular activity dropped.
Compliance. Transaction-integrity-monitoring practices can also help public companies comply with Section 404 of Sarbanes-Oxley.
Such was the case with a biotech company with sales of nearly $1 billion annually. The company employed a transaction-integrity-monitoring system to address Sarbanes-Oxley mandates for monitoring and reporting the effectiveness of internal controls. Because all the transactions in the system were being analyzed electronically, internal auditors did not need to base their work on transaction sampling. Instead, they focused their efforts on suspicious transactions and irregular events, which resulted in more certainty that fraud would be caught.
The system did, indeed, help the company detect some fraud schemes. One involved the company’s use of external recruiters in the hiring process. As it turned out, someone was gaming the system. Whenever that person noticed a new hire without the name of a recruiter attached, he would list a fictitious organization as the recruiter, using an address to which he had access. He would then pocket the finder’s fee.
Through the transaction-integrity monitoring, these transactions jumped out as suspicious. Specifically, the monitoring software continually checked for gaps in the data listed for the vendor in the system. The records of the fictitious vendor were sketchy; the address was a post office box, and the phone number belonged to a cell phone. Further, there was no Dun & Bradstreet information about the vendor on file.
Also fishy was that the recruiter’s transactions with the company only occurred on a new employee’s date of hire. Typically, related purchase orders or invoices would precede such a transaction. Through those means, the company sniffed out the fraud.
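An added illustration, not code from the article or from Oversight’s product: a toy Python version of three of the checks described above (vendor-file gaps like a post office box address or missing D&B record, a second invoice that is a copy of the first under a slightly different number, and a payment made shortly after the payee’s address was changed), run over constructed sample records. Field names, thresholds and the sample data are all assumptions.

```python
import re
from datetime import date

# Constructed vendor-master records; nothing here is real vendor data.
VENDORS = {
    "V100": {"name": "Acme Staffing", "address": "12 Main St, Atlanta GA",
             "phone": "404-555-0100", "dnb": "123456789"},
    "V200": {"name": "Fast Recruit LLC", "address": "P.O. Box 77, Atlanta GA",
             "phone": "404-555-0199", "dnb": None},
}
# Constructed invoices: (invoice_no, vendor_id, amount, invoice_date)
INVOICES = [
    ("INV-1001", "V100", 5000.00, date(2005, 3, 1)),
    ("INV1001", "V100", 5000.00, date(2005, 3, 9)),   # same invoice, renumbered
    ("INV-2001", "V200", 7500.00, date(2005, 3, 15)),
]
# Constructed vendor-master change log and payment records
CHANGES = [("V100", "address", date(2005, 3, 8))]
PAYMENTS = [("INV1001", "V100", date(2005, 3, 10))]

def vendor_file_gaps(vendor_id, vendors=VENDORS):
    """Vendor-file exceptions: PO-box address, no D&B record, no phone."""
    v = vendors[vendor_id]
    gaps = []
    if re.search(r"\bp\.?\s*o\.?\s*box\b", v["address"], re.I):
        gaps.append("po_box_address")
    if not v.get("dnb"):
        gaps.append("no_dnb_record")
    if not v.get("phone"):
        gaps.append("no_phone")
    return gaps

def normalize_invoice_no(raw):
    """Strip punctuation, case and leading zeros so INV-1001 == inv001001."""
    core = re.sub(r"[^a-z0-9]", "", raw.lower())
    return re.sub(r"^([a-z]*)0+", r"\1", core)

def duplicate_invoices(invoices=INVOICES):
    """Pairs of invoice numbers for the same vendor and amount that differ
    only cosmetically: a second invoice that is a copy of the first."""
    seen, dupes = {}, []
    for inv_no, vendor, amount, _ in invoices:
        key = (vendor, normalize_invoice_no(inv_no), round(amount, 2))
        if key in seen and seen[key] != inv_no:
            dupes.append((seen[key], inv_no))
        seen.setdefault(key, inv_no)
    return dupes

def payments_after_master_change(payments=PAYMENTS, changes=CHANGES, window=7):
    """Payments made within `window` days after the payee's address or bank
    routing field was edited (the alter-then-restore pattern described earlier)."""
    flagged = []
    for inv_no, vendor, pay_date in payments:
        for chg_vendor, field, chg_date in changes:
            if (chg_vendor == vendor and field in ("address", "bank_routing")
                    and 0 <= (pay_date - chg_date).days <= window):
                flagged.append((inv_no, field, chg_date.isoformat()))
    return flagged
```

A real deployment would run these checks against the ERP’s vendor master, invoice, payment and change-log tables rather than in-memory lists, and would route each hit to an alert store that ordinary users cannot edit.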
The company publicized to staff that it had uncovered the problem by analyzing every transaction. It also made clear that this new level of monitoring would persist into the future. Problem activity fell rapidly.
The crackdown on fraud goes a long way toward establishing a corporate culture of honesty and integrity. With transaction-integrity monitoring, enterprises can “trust but verify” their financial transactions, which allows internal auditors to assist the management team in establishing expectations of conduct from the top down.
Patrick Taylor, M.B.A., is CEO of Oversight Systems, Atlanta, Georgia.