IN 2009, THE OWNER of a small media firm got a phone call from her bank. That phone call signaled the end of a decade-long fraud scheme perpetrated by the company’s financial manager. Though painful for the company, the incident can provide lessons for other companies. An analysis offers clues to security managers with regard to how they might detect and prevent fraud in their own organizations.
The financial manager had orchestrated an accounts-payable fraud by preparing checks to vendors and then changing the payee to herself after the check was signed. A subsequent check was later prepared and mailed to the vendor. When the bank statement arrived, the manager removed the cancelled checks that she had written to herself.
Because a junior employee reconciled the bank statements, the manager was able to convince that employee that the bank no longer returned all of the checks with the statements. The employee reconciled all checks posted on the statement even though the checks were not all present, never again questioning the process.
On a regular basis, the manager had to delay payments to creditors, sometimes for more than 120 days. Over the years, the owner had to repeatedly infuse capital into the business, never realizing that funds were being syphoned off. It was not until the owner began to run out of money that the scheme began to unravel. When the fraudster saw what was happening, she tried to put off the inevitable by going to the bank and depositing a personal check to cover a shortfall until more revenue arrived. Her check was insufficient, causing bank personnel to phone the owner. The scheme collapsed.
The subsequent investigation determined that the manager had stolen a total of $1.2 million over the life of the fraud. She is still serving her eight-year prison sentence.
During the initial phase of the investigation, numerous document irregularities were uncovered. Any one of these red flags could have provided an indication that something was wrong. Together, the problems clearly added up to fraud. Here’s a look at some of the signs.
Checks were missing. This company would issue 100 checks a month, and the ones the financial manager had made out to herself were simply removed from the stack. A rudimentary matching of the checks to the bank statement would have immediately uncovered the fraud.
Payments were delayed. Because the manager stole the money from the company’s bank account, the company didn’t have enough money to pay the bills. That caused delays in the legitimate payments, with some vendors waiting 45 to 90 days for their checks. Vendors were frequently calling to complain that they hadn’t been paid. Some vendors called the main number and were transferred immediately to the financial manager. However, some vendors called the owner directly. The owner too sent the vendors to the financial manager. Had the owner asked why the payments were late, the fraud might have been uncovered.
Payments were duplicated. When the manager needed to pay an invoice, she would create a check, complete with the invoice number. The manager brought the check to the owner for a signature. Then, the manager put the check into a typewriter, wiped out the vendor company’s name, and inserted her own. However, because the invoice still needed to be paid, the manager created a second check with the same invoice number to be mailed to the vendor. The owner signed that too without realizing that it was a duplicate. This meant that two payments were issued for the same dollar amount under the same invoice number. This method was used throughout the 10 years the fraud was committed. If anyone had looked at the check amounts or the invoice numbers, the problem would have been obvious.
The company was broke. Because the company was always short on cash, the owner had to use her personal line of credit to put money into the company. This was an obvious red flag. Either fraud was occurring or the business was seriously mismanaged. Either instance warranted an examination into the cause of the shortfalls.
The company could have taken steps to prevent the fraud from happening in the first place. Training, segregation of duties, recordkeeping, and competent auditing—any one of those practices could have ended the scheme.
Training. The junior employee tasked with reconciling the bank statement was an accounting graduate who went on to become a CPA. She should have known that the order to stop reconciling the statement against each and every check was problematic. To prevent employees from being intimidated into ignoring possibly illegal behavior by superiors, the company should have critical tasks—such as reconciling checks with the bank statement—written out in a manual. Employees should be trained to always complete these tasks and to notify HR or the CEO immediately if these tasks are altered or reassigned.
Segregation of duties. In larger companies, critical duties should be segregated or duplicated to prevent a single employee from controlling the process. For example, one person should not be in charge of both receivables and payables. The person who gets the mail should record the checks that come in before they are checked by another person in accounting. One person should open the mail and record invoices and payments. Those invoices and payments should then be relogged in accounting with a third person comparing these two lists.
In small businesses, the owner should be the one to recheck accounting work. The owner should also receive the company’s bank statements at home. Once the owner reviews the statement, he or she can take it into the office. In this case, the statements would have shown that the employee received company checks.
Auditing. Auditing is important, and while such reviews are not meant to uncover fraud, they should find blatant problems like the fact that checks weren’t reconciled and that duplicate checks went to an employee. In this case, the company did have regular audits. The auditors came in, reviewed the books, and provided a clean bill of health. The auditing company clearly did not conduct an adequate review.
The auditing firm said it had reconciled the bank statements, but if it had, the double payments would have been obvious. Insurance taken out by the auditors provided the company with a hefty settlement. The owner wasn’t made whole, but the insurance payment covered a large amount of the losses.
To augment traditional audits, companies should consider adding periodic fraud audits. Conducted separately from a traditional audit, fraud audits are designed to identify fraud symptoms and identify transactions in the company’s records that don’t make sense.
Had the company’s owner noticed any of the warning signs or put any of the prevention strategies in place, the fraud might have been uncovered earlier. By learning from this company’s mistakes and using these tools, security managers can stop fraud before it starts.
R. A. (Andy) Wilson, CPP, CFE, is a managing director at the investigative consulting firm Wilson & Turner Incorporated. He has more than 30 years of experience in law enforcement and corporate security management. Wilson is a member of ASIS International and serves on the ASIS Economic Crime Council.