EYES WIDE OPEN: FRAUD AWARENESS, PREVENTION, AND DETERRENCE

PREVENTING AND DETECTING FRAUD IN ACCOUNTS PAYABLE

This presentation will illustrate the variety of methods used by fraudsters—both internal AND external—to victimize organizations through their accounts payable function. This session will cover the red flags of these frauds and conclude with a point-by-point presentation of the practical detection and prevention measures that have proved most effective in reducing losses to accounts payable fraud.

PETER GOLDMANN, CFE

President White-Collar Crime 101 LLC/FraudAware

Ridgefield, CT

Peter Goldmann is president of White-Collar Crime 101 LLC, the publisher of White-Collar Crime Fighter, a widely read monthly newsletter for internal auditors, controllers, corporate counsel, financial operations managers, and fraud investigators. The newsletter is in its 14th year of publication. Peter is the author of five books on fraud detection and prevention. His most recent title, Fraud in the Markets: Why it Happens and How to Fight It, was published this spring by John Wiley & Sons. It details the direct and substantial role played by fraud in bringing about the 2007-2008 financial meltdown. Peter also developed FraudAware, the leading fraud awareness training program. A customized learning service, FraudAware uses workshop, Webinar, and E-Learning formats to educate employees and managers at all levels in how to detect, prevent, and report incidents of fraud or suspicious conduct.

©2010

21st Annual ACFE Fraud Conference and Exhibition ©2010 1

Detecting and Preventing Fraud in Accounts Payable

When a top management team turns its attention to the organization’s vulnerability to and losses resulting from fraud, the first question is always, “How much are we losing to fraud?” Before trying to quantify the problem of fraud in Accounts Payable (AP), we must be sure we understand what it is. In fact, the term “AP fraud” refers to a wide variety of different financial crimes. However, the one common denominator among all types of AP fraud is that they specifically target an organization’s procurement and payment processes. Therefore, to understand the meaning of AP fraud, we must be familiar with such critical categories of financial wrongdoing as:

• Billing fraud
• Check fraud
• Vendor schemes
• Collusion
• Inventory theft and fraud
• Computer-based payments fraud
• Conflict of interest
• Fraudulent financial reporting

Under each of these main categories, there are numerous subcategories or varieties of AP fraud. And indeed, because fraudsters are a notoriously innovative bunch, the types of AP-related schemes that organizations must be prepared for are continuously evolving. Encouragingly, however, the anti-fraud and audit professions have developed their own arsenals of detection and prevention techniques and methodologies that, when effectively implemented and monitored, significantly reduce an organization’s risk of becoming a victim of AP fraud.

AP Fraud: How Big a Problem Is It?

By comparing the ACFE’s estimated $1 trillion-plus lost to fraud every year (7% of corporate revenue) to the $700 billion TARP bailout that the federal government authorized in late 2008 to save the entire US financial system, we find that annual fraud losses are some 40% higher! In the context of accounts payable (AP) fraud, Exhibit 1 shows that billing schemes are the second-most common form of fraud against organizations, representing an estimated 23.9% of all fraud cases. Other AP-related frauds such as check tampering, expense reimbursement, and payroll fraud are also major threats, albeit with less frequency.

Exhibit 1

As for the cost of AP fraud, the numbers are somewhat more alarming. As shown in Exhibit 2, the AP-related frauds listed above generate losses that are potentially financially crippling to an organization. An average billing scheme costs the victim company $130,000, and that number is rising, as the exhibit clearly indicates. The same applies to check fraud, while as you would expect, the costs of payroll fraud and expense reimbursement schemes are comparatively low and less likely to rise.

Exhibit 2

Who Commits AP Fraud

In an effort to avoid confusion in understanding the forms and origins of AP fraud, it is useful to break down the various types of schemes into two broad categories: External AP Fraud and Internal AP Fraud. In the former category, we find ourselves dealing with crimes such as billing schemes perpetrated by dishonest vendors; the establishment of sham or shell corporations to be used as originators of phony invoices; dishonest clients or customers who make fraudulent claims of having received sub-standard product or service and request refunds; and cyber-criminals who are constantly finding new ways to penetrate organizations’ information security defenses to steal confidential employee, vendor or customer data.

While these are potentially highly damaging crimes, they occur relatively less frequently than AP-related frauds perpetrated by insiders. Statistics vary, but it is conservatively estimated that 60% of all fraud against institutions is committed by employees. Moreover, research indicates that most internal frauds are committed by employees who have worked for their organizations for several years—in many cases more than 10. The reason for this is easy to see—it is common, indeed, automatic human nature to trust those who work with or for us. The longer an employee’s tenure and the better his or her record of service, the less likely management (or co-workers, for that matter) is to suspect that they will commit fraud. Hence the frequent occurrence of surprise and shock on the part of a guilty employee’s co-workers and bosses upon discovering that the individual has betrayed their trust by crossing the imaginary ethical and/or legal line.

As to the types of AP fraud committed by insiders, it is fair to say that senior managers and executives are no less likely to be perpetrators than their subordinates. As indicated by Exhibit 3, there is some overlap in the varieties of AP fraud committed by line employees and their superiors—most notably billing schemes and embezzlement. In the case of other AP frauds, such as self-approval of fraudulent invoices, employees lack the authority that managers often possess to commit the scheme.

Most importantly, though, regardless of the type of fraud being committed, the cost per incident is almost always lower when employees commit fraud, as opposed to when their bosses do, again due to the latter’s higher level of authority over payables-related transactions.

Exhibit 3

Billing Schemes: The Biggest and Baddest of AP Frauds

Frauds involving phony invoices, bogus purchase orders, improper approval of check requests, and other billing/disbursement-related AP frauds make up the largest single category of insider-perpetrated AP frauds. Topping the list of this category of crimes are:

• Shell company schemes
• Purchasing of services instead of goods
• Vendor pass-through schemes
• Kickbacks at the employee level
• Inventory fraud
• Collusive AP schemes

Shell Company Schemes

Topping the list of billing schemes in terms of frequency and cost is perhaps the billing fraudster’s favorite: insider creation of shell companies. These are not companies at all, but rather businesses in name only. Employees create them with the intention of generating bogus invoices in the “company’s” name and submitting them to their employer for payment. These perpetrators are often procurement or accounts payable staffers or “higher-ups” who have the authority to approve payments.

The perpetrators usually set up a bank account in the entity’s name, using fraudulent incorporation documents obtainable for as little as $100 or less in some states. Some fraudsters may sidestep this bureaucratic annoyance and simply create the counterfeit papers necessary to open a business bank account. After that, it’s a simple matter of generating bogus invoices in the “vendor’s” name using a basic PC and an inexpensive printer.

For employees whose jobs do not afford them the authority to approve phony invoices and route them through the payments process, a collusive scheme with a co-worker who does have the requisite authority is often perpetrated. Others generate phony purchase orders for goods or services the company purchases on a regular basis and forge an authorized manager’s signature. Then they generate phony invoices for the shell company and await payment.

Billing for “Services”

It is often easy for AP or internal audit personnel to verify that a payment for tangible goods or supplies was legitimate. Simply comparing the purchase order against the invoice and against inventory, and/or the vendor name against the master vendor file, is usually sufficient to ascertain the validity of a transaction.

But if the transaction is for some nebulous service such as “advertising” or “maintenance” or “research,” employees familiar with their organization’s payments processes can exploit weaknesses by submitting phony invoices for such services that were never provided and initiate a disbursement to the “supplier.” In such cases, the supplier might also be a shell company, or it may be an individual “consultant.” Either way, if the perpetrator knows the invoice won’t be scrutinized, he or she can get away with this crime until someone becomes suspicious, the organization’s audit procedures become more focused on fraud, or he or she slips up and somehow leaves a clue that the transactions were false.

Straw Vendor Schemes

This type of fraud, also known as “pass-through vendor schemes,” occurs when an employee who is in a position to approve invoices and authorize payments sets up a bogus company and has that company order goods your company actually needs. These schemes occur when goods are ordered from a legitimate vendor and, in turn, are sold to a targeted organization at inflated prices. The invoices are approved by the fraudster. The fraudster may even be able to generate bogus refunds or rebates to the straw vendor, which he or she controls.

Kickbacks Involving Employees

Kickbacks are often integral to political corruption schemes involving illegal awarding of public works contracts. In the private sector they typically involve abuse or illegal circumvention of competitive bidding rules. An extreme variation was marked by the widely publicized scheme involving the venerated New York City-based law firm, Milberg Weiss. The firm’s senior partners were charged with, among other things, paying more than $11 million in kickbacks over 25 years to plaintiff clients to induce them to initiate class-action lawsuits against blue-chip companies—a blatant violation of federal law. Several Milberg Weiss senior partners, including cofounder Melvyn Weiss, were sentenced to stints in federal prison as a result of this high-profile fraud.

As might be expected, more than just a few kickback schemes are committed on a smaller scale every day by “average” employees—specifically accounts payable or procurement employees who exploit control weaknesses to perpetrate kickback schemes with crooked vendors. For example, a dishonest AP employee can simply permit a similarly unscrupulous vendor to submit invoices that are inflated, or that indicate quantities that are greater than actual shipment quantities, which in some cases will actually be zero. After the AP employee fraudulently approves the invoice and the vendor receives payment, the vendor “kicks back” a portion of the excess, illegally obtained cash.

Note: These are not strictly internal billing frauds because they involve collusion with an outside party—typically a dishonest vendor. However, because they are often initiated by an AP employee, they are included here.

Inventory-Related Billing Schemes

AP staffers are in a unique position to steal physical goods from their employers and to conceal their crimes by falsifying billing/invoicing records. In a typical inventory theft case, if there is such a thing, an employee with access to physical inventory simply removes the materials from company storage areas or stockrooms—usually when the business is closed. No paperwork is involved, no documentation falsification is required, and, unless the amount stolen is very substantial, the chances of detection are minimal.

A more elaborate scheme involves a procurement or purchasing employee who falsifies shipping documentation to make it appear “on paper” as though a delivery is made of products the company buys in the normal course of business. However, the perpetrator actually has the delivery sent somewhere else, such as a collusive vendor, who buys it for a price below actual value and resells it, splitting the proceeds with the insider.

A variation of this ploy occurs when employees falsify invoices for supplies needed for a legitimate project, but in quantities greater than what is actually needed. After the invoice is processed by a collusive AP employee and delivery is made, the excess is physically removed and sold.

Collusion/Corruption

Often, collusive schemes such as the above examples fall into the category of corruption. As defined by the ACFE in its 2008 Report to the Nation, corruption is “any scheme in which a person uses his or her influence in a business transaction to obtain an unauthorized benefit contrary to that person’s duty to his or her employer.” In more specific terms, corruption can be understood as any fraud involving bribery, conflict of interest, or extortion.

It is important to note that kickback schemes are often very similar to bribery frauds. The difference usually is that bribery is a one-time payment to obtain something of value, such as a construction contract, whereas kickbacks can be ongoing crimes involving repeated fraudulent acts that are rewarded with corresponding illegal payments.

Overall, anti-fraud experts have noted a sharp increase in the occurrence of corruption schemes between procurement managers and vendors. The reason, according to these experts, is the onset of the economic and financial crisis that began in 2007 with the emergence of the subprime mortgage meltdown. The ensuing jump in unemployment, corporate losses, and credit market dysfunction forced U.S. companies to scramble for revenue opportunities in industries and geographical areas unfamiliar to them. With this came the need to adopt certain business practices that were not exactly “kosher.”

EXAMPLES

Many companies have sought to develop new markets in exotic places such as Vietnam, Russia, South America, and China.

It is extremely difficult to do business in these countries without paying bribes to business decision-makers in order to secure contracts, or to government officials to get the necessary licenses and permits to operate locally.

The problem is that this is highly illegal under the Foreign Corrupt Practices Act (FCPA). The FCPA is enforced by the U.S. Department of Justice and the Securities and Exchange Commission, both of which have become very aggressive in investigating potential violations of the FCPA ever since U.S. companies began bidding for contracts in connection with the 2008 Olympics in Beijing.

Getting caught paying bribes can result in extremely heavy financial fines as well as imprisonment.

Closer to home, collusive/corrupt activity is exceedingly common in such sectors as pharmaceuticals, manufacturing, and construction.

Blake Coppotelli, J.D., senior managing director of Business Intelligence and Investigations and head of Real Estate Integrity Services based in the New York office of risk consulting company Kroll, has investigated hundreds of construction projects all over the world. He said, “I have not come across one that was totally clean.”

Construction companies are generally forced to set aside 10 percent of revenues for bribes in order to secure contracts, Coppotelli added. The individuals who have the authority to award contracts are simply conditioned to do business only with contractors willing to fork over what they demand in the form of illegal “under-the-table” payments.

Conversely, employees of financially squeezed developers may pressure contractors to come in with unusually low bids to win a contract.

Beyond Billing Fraud

Purchasing Card Fraud

If your organization uses procurement cards, commonly referred to as P-cards or corporate credit cards, it is probably not news to you that these cards are all too often abused for personal benefit. Of course, the primary reason that organizations initiate P-card programs is to save money on the cost of processing business-related purchases. Because it costs as much to process a $250,000 order as it does a $250 order using the organization’s normal procurement system, consolidating numerous small orders through the use of P-cards can save up to more than 50% in processing costs, according to the National Association of Purchasing Card Professionals (NAPCP).

The most common types of internal P-card fraud are:

• Making personal purchases and disguising them as business-related transactions by submitting falsified receipts.

• Split-purchasing—to avoid triggering scrutiny of purchases over a company-set amount requiring review and approval.

• Purchasing gifts for lists of clients and including one’s own address (with a phony name) among the list.

Vendor Master File (VMF) Fraud

Any organization’s Vendor Master File (VMF) is a potentially ideal launch site for numerous insider frauds. As might be expected, many of these crimes ultimately fall into the category of vendor or billing fraud. But with access to the VMF, dishonest employees—or outsiders for that matter—have a much easier job of fabricating bogus vendors, generating fraudulent invoices, and obtaining approval of fraudulent transactions. For example, an employee who has authorization to add new vendors to the VMF or make changes to existing ones can:

• Add phony vendors and submit invoices as if the vendor were legitimate.

• Alter the mailing address of an inactive vendor and generate bogus invoices with their own or an accomplice’s address.
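A periodic audit of the vendor master file can surface both of the abuses listed above. The following Python code is an added example, not part of the original presentation; the record layout, the suffix list, the similarity threshold, the dormancy windows and all sample records are constructed assumptions. It flags vendor pairs whose names are similar but whose addresses differ, and address changes on dormant vendors that are followed by a payment.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from difflib import SequenceMatcher
from itertools import combinations

# Legal-form words that do not distinguish one vendor from another (assumed list).
SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "company", "corporation"}


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    address: str


def _words(text):
    """Lowercase and split on anything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).split()


def name_tokens(name):
    return [w for w in _words(name) if w not in SUFFIXES]


def names_similar(a, b, threshold=0.85):
    ta, tb = name_tokens(a), name_tokens(b)
    if not ta or not tb:
        return False
    # "Dell" vs "Dell Computer": every word of one name appears in the other.
    if set(ta) <= set(tb) or set(tb) <= set(ta):
        return True
    # "Acme Supply" vs "Acme Suply": near-identical spelling.
    return SequenceMatcher(None, " ".join(ta), " ".join(tb)).ratio() >= threshold


def similar_name_different_address(vendors):
    """Return (id, id) pairs whose names match loosely but whose addresses differ."""
    return [
        (v1.vendor_id, v2.vendor_id)
        for v1, v2 in combinations(vendors, 2)
        if names_similar(v1.name, v2.name) and _words(v1.address) != _words(v2.address)
    ]


def dormant_then_changed(payments, address_changes, dormant_days=365, window_days=90):
    """Vendor ids whose address changed after a long payment gap and who were
    paid again within window_days of the change."""
    hits = []
    for vendor_id, changed_on in address_changes:
        paid = sorted(d for vid, d in payments if vid == vendor_id)
        before = [d for d in paid if d < changed_on]
        cutoff = changed_on + timedelta(days=window_days)
        after = [d for d in paid if changed_on <= d <= cutoff]
        # A vendor that was never paid before the change counts as dormant too.
        dormant = not before or (changed_on - before[-1]).days > dormant_days
        if dormant and after:
            hits.append(vendor_id)
    return hits


# Constructed sample records (addresses and ids are invented for illustration).
VENDORS = [
    Vendor("V001", "Dell", "100 Example Pkwy, Austin, TX"),
    Vendor("V002", "Dell Computer", "PO Box 4471, Newark, NJ"),
    Vendor("V003", "Acme Supply Co.", "22 Mill Rd, Dayton, OH"),
    Vendor("V004", "Acme Suply LLC", "PO Box 918, Dayton, OH"),
    Vendor("V005", "Northwind Freight Inc", "500 Dock St, Tacoma, WA"),
    Vendor("V006", "Northwind Freight", "500 Dock St., Tacoma WA"),  # same address
]
PAYMENTS = [
    ("V005", date(2008, 6, 30)), ("V005", date(2010, 3, 20)),
    ("V003", date(2010, 3, 30)), ("V003", date(2010, 5, 2)),
]
ADDRESS_CHANGES = [("V005", date(2010, 3, 1)), ("V003", date(2010, 4, 15))]

if __name__ == "__main__":
    for pair in similar_name_different_address(VENDORS):
        print("similar name, different address:", pair)
    for vid in dormant_then_changed(PAYMENTS, ADDRESS_CHANGES):
        print("dormant vendor paid after address change:", vid)
```

Pairs such as V005/V006, which share a name and an address, are not fraud flags under this check but are candidates for merging when the file is purged.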

Important: As your organization’s business changes, so do the vendors it uses. However, too many organizations fail to regularly purge their VMF of inactive vendors. When these dormant vendor accounts remain on the vendor list, dishonest employees with access to the VMF have the opportunity to abuse them by adding fictitious vendors whose names are similar to a legitimate one and submitting invoices for the phony vendor whose address is one that the fraudster controls.

Similarly, failure to purge the VMF creates the risk of paying the same vendor twice. For example, if “Dell” and “Dell Computer” invoices are both paid, chances are that one of the invoices is fraudulent. If nothing else, your AP control system should flag any payments to vendors with similar names but different addresses.

T&E Fraud

If your AP department is in charge of processing travel and entertainment (T&E) reimbursement claims, chances are it has seen its fair share of T&E fraud. Here are examples of the most common T&E schemes affecting large organizations:

• Falsifying receipts—Receipts for transportation, hotel, restaurant, and other business travel expenses are easily obtained and “recycled” by employees either by forgery or alteration. It is all too easy, for example, to alter the date or amount on a “business meal” or hotel receipt before it is faxed or scanned.

• Making multiple expense submissions—When two or more employees dine together while on the road, they may each submit a claim for reimbursement for their own meals even though the entire bill was paid by a single member of the group. Similar practices often occur with shared taxis, airport shuttle services, etc.

• Claiming expenses just below the minimum for which receipts must be submitted—If receipts are required for all expenses over $25.00 for meals, an employee may fraudulently submit undocumented claims for amounts of $24.99 or $24.95.

• Falsifying automobile mileage expenses—Since most companies do not require receipts for use of an employee’s own car for business purposes, the accuracy of these claims is difficult to audit.

• Falsifying approvals—It is often easy for employees to forge their manager’s signature on an automobile mileage reimbursement claim or other low-dollar claim that is difficult to verify.

• Claiming for “out-of-policy” expenses—A dishonest employee may “test the waters” by submitting a receipt for a personal expense incurred during a business trip. If the expense claim form is complicated, the processor may overlook an improper expense and unknowingly reimburse the employee for it.

• Exploiting weak T&E anti-fraud controls—Improperly established segregation of duties for processing T&E claims can enable employees who process T&E claims to falsify expense submissions by changing amounts or payees. They may either pocket the unauthorized reimbursement amount themselves, or collude with the actual traveler to exploit these control weaknesses.

• Using multiple methods of expense submission—Some employees have exploited control weaknesses in T&E, procurement card and accounts payable processes by submitting the same expense claims numerous times, posing one or more times as a legitimate employee and at others as a vendor.

• Making “honest” mistakes—An employee who always makes mistakes on her expense submission because “the spreadsheet didn’t work properly” is a prime candidate for extra scrutiny by management. In some cases, these “honest” mistakes can result in hundreds of dollars in fraudulent T&E reimbursements if not detected.
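Split purchases on P-cards and T&E claims just under the receipt minimum are the same pattern: amounts arranged to stay below a review threshold. The following Python code is an added example, not part of the original presentation, that tests for both in transaction data; the $25.00 receipt minimum comes from the text, while the card approval limit, the band and window sizes, the record layouts and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

RECEIPT_THRESHOLD = Decimal("25.00")  # receipts required above this (figure from the text)
APPROVAL_LIMIT = Decimal("2500.00")   # assumed P-card amount that triggers review


def near_threshold_claimants(claims, threshold=RECEIPT_THRESHOLD,
                             band=Decimal("1.00"), min_count=3, min_share=0.5):
    """claims: (employee, date, amount, has_receipt) tuples.
    Returns {employee: count} for employees whose receipt-less claims
    cluster within `band` below the receipt threshold."""
    total = defaultdict(int)
    near = defaultdict(int)
    for employee, _day, amount, has_receipt in claims:
        if has_receipt:
            continue
        total[employee] += 1
        if threshold - band <= amount <= threshold:
            near[employee] += 1
    return {e: n for e, n in near.items()
            if n >= min_count and n / total[e] >= min_share}


def split_purchases(txns, limit=APPROVAL_LIMIT, window_days=2):
    """txns: (cardholder, merchant, date, amount) tuples.
    Flags runs of purchases by one cardholder at one merchant within
    window_days, each under the limit but together at or above it."""
    groups = defaultdict(list)
    for holder, merchant, day, amount in txns:
        if amount < limit:  # purchases at or over the limit are reviewed anyway
            groups[(holder, merchant)].append((day, amount))
    hits = []
    for (holder, merchant), rows in groups.items():
        rows.sort()
        start, running = 0, Decimal("0")
        for end, (day, amount) in enumerate(rows):
            running += amount
            # Slide the window forward until it spans at most window_days.
            while (day - rows[start][0]).days > window_days:
                running -= rows[start][1]
                start += 1
            if end > start and running >= limit:
                hits.append((holder, merchant, rows[start][0], day, running))
                start, running = end + 1, Decimal("0")  # report each run once
    return hits


# Constructed sample records (names, merchants and amounts are invented).
CLAIMS = [
    ("jlee", date(2010, 5, 3), Decimal("24.99"), False),
    ("jlee", date(2010, 5, 4), Decimal("24.95"), False),
    ("jlee", date(2010, 5, 6), Decimal("24.99"), False),
    ("jlee", date(2010, 5, 7), Decimal("61.20"), True),
    ("mroy", date(2010, 5, 3), Decimal("8.50"), False),
    ("mroy", date(2010, 5, 4), Decimal("24.10"), False),
    ("mroy", date(2010, 5, 5), Decimal("13.75"), False),
    ("mroy", date(2010, 5, 6), Decimal("17.00"), False),
]
TXNS = [
    ("kdiaz", "Harbor Office Supply", date(2010, 6, 14), Decimal("1400.00")),
    ("kdiaz", "Harbor Office Supply", date(2010, 6, 14), Decimal("1350.00")),
    ("kdiaz", "Harbor Office Supply", date(2010, 7, 20), Decimal("900.00")),
    ("tnguyen", "Harbor Office Supply", date(2010, 6, 14), Decimal("1200.00")),
    ("tnguyen", "Metro Print", date(2010, 6, 15), Decimal("1400.00")),
]

if __name__ == "__main__":
    print("near-threshold claimants:", near_threshold_claimants(CLAIMS))
    for hit in split_purchases(TXNS):
        print("possible split purchase:", hit)
```

A hit from either check is a reason to pull the supporting documents, since a single claim of $24.10 or two same-day orders can be legitimate.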

Check Fraud

Checks remain the primary method of business-to-business payments by far, with Automated Clearing House (ACH) credit, ACH debit, corporate purchasing cards, and wire transfers all trailing far behind. Unsurprisingly, the Association of Financial Professionals confirms in the 2008 survey results, “Almost all organizations (94 percent) that experienced attempted or actual payments fraud in 2007 were victims of check fraud.”

The following descriptions of check fraud include frequent mention of forgery, tampering, altering, and counterfeiting. The check-related crimes they define are all closely related. But there are critical differences, and making yourself familiar with them will greatly assist you in detecting and preventing many of these illegal acts.

• Creating forged checks. The Merriam-Webster dictionary defines forgery as “the crime of falsely and fraudulently making or altering a document (as a check).”

Most internal check forgery schemes are perpetrated by employees who lack check-signing authority. The employee steals a company check, usually a blank one, and makes it out to himself or herself or to cash. Or the employee makes it out to a phony vendor or an accomplice and forges the signature of a person in the organization who has authorization to sign legitimate company checks.

This is sometimes easier said than done. It is true that many banks, and certainly most retail outlets that accept checks—such as liquor stores, grocery stores, or other organizations where scrutinizing the details of checks is not a high priority—won’t notice if a fraudster has done a poor job of replicating an authorized person’s signature.

However, if the fraudster presents a stolen check with a poorly forged signature to his or her employer’s bank, the forgery may be detected.

Employees most likely to commit this fraud, according to the ACFE’s Corporate Fraud Handbook, include anyone with access to blank check stock, or with an internal accomplice who has such access. These typically include AP staff, other employees with access to blank check stock (including managers), bookkeepers, and office managers.

• Check interception and forgery of endorsement.

Some check fraud perpetrators prefer to steal checks that have already been made out to a legitimate payee, signed and prepared for mailing or delivery. They intercept the check either before or after it is sealed in an envelope. After stealing the check, they attempt to change the payee using the “old-fashioned” method—by erasing the existing payee’s name and replacing it with their own, either by hand or with a computer.

This is often easy for a bank teller to catch, because these alterations, like the one in the image below, often are very conspicuous. And, of course, if the bank doesn’t catch the forgery, whoever in your organization is responsible for check reconciliations certainly should.

Another way that insiders without access to blank checks can commit fraud is to alter the payee electronically. This typically occurs in the AP department itself. For example, a senior AP staffer who has authorized access to the secure computer system that stores all AP data and runs AP automation software decides to exploit this authorization. He or she simply accesses the system, changes the name of a legitimate vendor to a name that is similar enough not to be noticed, and uses a phony or old invoice number to initiate a payment. Of course, when the payee name is altered, the address is also changed, so the check will go to the fraudster’s designated address. After the fraud is executed, the vendor’s name and address are changed back and disbursement records are “fudged” to obfuscate the transaction.

This ploy is risky in many companies with tight disbursement controls, because covering up this type of transaction is difficult. It is often easier and less risky to simply create a shell company or phony vendor, falsify the addition to the vendor master file, and generate phony invoices to be paid to that “vendor.”

ACH Fraud

Losses from Automated Clearing House (ACH) fraud (typically referred to as Electronic Funds Transfer, or EFT) are relatively small compared with those from check fraud. While approximately 35 percent of organizations are targets of ACH fraud attempts each year, only 20 percent suffer losses due to such frauds, compared with 93 percent and 25 percent, respectively, for check fraud, according to data from the National Automated Clearing House Association (NACHA), an industry group of ACH network participants.

However, the fraud threat is expected to increase as more and more transactions shift from paper checks to ACH. This is being driven by potentially significant cost savings. NACHA estimates that a typical large company switching from paper paychecks to ACH direct deposit of payroll could realize per-transaction savings of $0.187. With a payroll of 100,000 transactions per month, annual cost savings would total $224,400. Naturally, along with cost savings come new fraud risks...

• External ACH Fraud—Your organization allows a few trusted, longtime vendors to debit your checking account to get paid for outstanding invoices. You arrange with your bank to put an ACH debit filter in place, which ensures that only your authorized vendors can execute debits. But a dishonest employee at one of the vendor companies obtains your bank account routing and account numbers and, posing as a legitimate payee, initiates a fraudulent ACH debit that is credited to his or her own fraudulent vendor account.

The latest form of ACH fraud is a high-tech version. Cyber-fraudsters plant malicious software such as a Trojan horse on a targeted organization’s payments computer system. The software relays back to the fraudster the keystrokes of authorized employees using the system to generate ACH payments. With the recorded bank account access information, the fraudster illegally accesses the organization’s system and originates fraudulent ACH transfers to third-party accounts.

• Internal ACH fraud. Instead of providing a creditor such as a credit card company or utility company his or her own bank account information, one of your own employees gives the creditor your payroll checking account numbers, representing to the creditors that they are from the employee’s personal account.

Management Level Fraud

If you refer back to Exhibit 3 you’ll recall that there is some overlap between employee-level and management-level fraud types. For example, many forms of check fraud, billing/shell company schemes, and collusion can be perpetrated at all levels of the organization. Embezzlement is generally seen by fraud investigators to be the one fraud type shared most commonly by both employees and their bosses. The key difference is that because of their greater decision-making authority, executives are likely to steal substantially more than their subordinates.

However, there are several potentially damaging AP frauds that only managers can commit. Many of them involve falsifying or manipulating AP-related financial records to make it appear as though the organization’s financial performance is better than it actually is. Following are management-level AP frauds that can be especially costly to victim organizations:

Self-Approval of Fraudulent Invoices

This is a common billing-related fraud that occurs primarily at the management level, unless an organization allows lower-level staff to approve invoices. It is usually tied to a shell company the manager has set up to receive the checks after he or she has approved the very invoices he or she is submitting. The risk of being caught is usually lower for dishonest managers than it is for lower-level fraudsters since they have comparatively fewer approval hurdles to surmount. However, with invoice self-approval schemes, the risk is especially low if the executive is in a procurement or payments position where adding a new shell company is just as unlikely to be scrutinized as the bogus invoice. And if purchase orders are required by the organization, they can either be signed by the manager as well, or be “approved” by the manager’s forging of the necessary approval signature.

AP Book-Cooking

Financial statement fraud has been at the center of more recent corporate frauds than any other form of white-collar crime. In virtually every major corporate scandal, “cooking the books” has been a key element of the criminal charges against the company. Most often, falsifying financial records is used to embellish the company’s financial statements to portray a rosier picture of the company’s financial performance than is actually the case. Sometimes AP records are manipulated to perpetrate these accounting schemes.

Example: Sometimes the amount of accounts payable is falsely inflated for a specific accounting period to support similarly falsified increases in sales. That’s because inflating revenues is among the most common forms of book-cooking, and when AP levels remain “normal” while sales are increasing, this can raise a red flag for astute auditors. Similarly, recording purchases in an accounting period other than the one in which the purchase was actually made can make the liability side of the balance sheet appear healthier than it really is.

Another common form of AP-related financial statement fraud involves failing to record expenses altogether. By simply neglecting to record expenses and “burying” vendor invoices, management can make it appear as though expenses for a particular reporting period are lower than they actually are, thereby making earnings appear greater than they are. A related ploy involves classifying expenses as capital expenditures. This is a bookkeeping trick that essentially results in converting liabilities into assets.

Basic AP Fraud Detection

It is widely agreed within the audit and accounting professions that internal and external auditors are not expected to be the organization’s primary fraud detectives. However, in light of exploding fraud in both the operational and financial reporting areas across corporate, nonprofit, and government sectors, there is growing pressure for auditors—as well as internal financial managers, including senior AP staff members—to develop and apply effective fraud detection and screening skills and practices.

The place to start is in the area of basic fraud detection in operational activities, such as embezzlement, collusion, cash disbursements, inventory theft, check fraud, and information theft. Here are the important general AP fraud-related detection measures that management should have in place at all times:

Confidential Fraud Hot Line

A confidential and anonymous fraud hot line gives employees at all levels a way to report the red flags of operational frauds to management without fear of retribution or retaliation. As such, it is one of the most important general fraud detection tools an organization can have. Research has proved that employees who have a confidential hot line at their disposal and who are trained in the red flags of fraud are very likely to report such red flags when they identify them.

Implementing a hot line is relatively inexpensive. Even if you use a third-party independent hot line service, the price is insignificant compared with the cost of fraud that otherwise would go unreported. However, a hot line is only as effective as the people who run it. The most fruitful hot line systems are those operated by outside vendors whose employees are trained in fielding calls from employees, vendors, customers, and others. They know how to filter out the inevitable frivolous calls and how to converse with legitimate whistle-blowers in a way that makes them comfortable divulging as much evidence of fraud as possible to enable management to decide how to pursue each case.

Here are some specific guidelines for handling whistle-blower calls:

• Assure the caller that the conversation is confidential and advise him or her there is no obligation to be identified at any time unless the caller specifically asks to be identified.
• Record the time and date of the call.
• As the operator, record your name, identification number, and location.
• Assign a caller ID code or number.
• Ask if the caller is an employee, vendor, contractor, customer, or other.
• Ask for as many details as the caller can provide regarding the specific fraud incident. Try to find out how the caller became aware of the incident.
• Ask which individuals are involved in the incident, including names, titles, addresses, and any other contact information the caller may have.
• Find out when the incident occurred—or if it is still ongoing.
• Ask for any physical or electronic evidence the caller may be able to provide that is directly related to the incident.
• Inform the caller that while he or she may have the opportunity to provide additional information at a later date, it is advisable to share as much detail as possible now to enable the organization to effectively follow up on the call.

Surprise Audits

When dishonest employees are aware of scheduled audits, it’s easy for them to conceal their fraudulent activities before the auditors arrive. For example, unscrupulous employees can have workplace, warehouse, or plant tours pre-arranged to guide external auditors to areas where inventory theft or manipulation is not evident. Or they can conceal documentation that might lead the auditors to suspect fraud.

Solution: Unannounced audits by external auditors or fraud examiners. Organizations that conduct these exercises once or twice a year and tell employees only that they can expect such an audit at any time not only are likely to detect fraud that is unconcealed when employees are caught off balance, but they also put a powerful anti-fraud deterrent into place. At least some employees who, though dishonest, are smart enough to avoid getting caught will be less likely to perpetrate financial crimes if they know they may be investigated at any time.

Manual Review of All Vendors

Detecting crimes can be challenging when your organization could be vulnerable to so many varieties of vendor or billing schemes. Later in this chapter you’ll learn about special anti-fraud audit techniques that can often do the trick, but there are important basic detection techniques you can apply on a regular basis. Some examples:

• Look for situations where payments to a vendor substantially exceed the budgeted amount—especially when the disbursed amount is exactly double. This is a sign of possible double-billing by either a phony vendor or by a dishonest legitimate vendor who receives the first check while a dishonest conspirator in the accounts payable department takes the second.
• Periodically (at least twice a year) examine details and patterns in the organization’s largest accounts. Those are typically where fraudsters attempt to hide their billing schemes, hoping the stolen amounts won’t raise any red flags in large-dollar accounts.
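
The budget comparison in the first bullet can be run over an export of the disbursement ledger. The following is an added example, not part of the original presentation; the vendor names, amounts, the 1.25 "substantially over budget" threshold and the invoice-number normalization are assumptions, and it goes slightly beyond the text by also matching repeat payments of the same invoice.

```python
from collections import defaultdict
from decimal import Decimal
import re

# Constructed sample data (not from the presentation): per-vendor budgets and
# disbursements for one period. All names and invoice numbers are invented.
BUDGETS = {"Acme Paper": Decimal("12000"), "Delta Freight": Decimal("30000"),
           "Nova Cleaning": Decimal("5000")}
PAYMENTS = [  # (vendor, invoice number, amount, payment date)
    ("Acme Paper", "INV-0042", Decimal("6000.00"), "2010-03-02"),
    ("Acme Paper", "inv 42", Decimal("6000.00"), "2010-03-19"),
    ("Acme Paper", "INV-0051", Decimal("6000.00"), "2010-05-04"),
    ("Acme Paper", "INV-0051", Decimal("6000.00"), "2010-05-06"),
    ("Delta Freight", "D-9001", Decimal("14500.00"), "2010-02-11"),
    ("Delta Freight", "D-9002", Decimal("15000.00"), "2010-04-20"),
    ("Nova Cleaning", "77", Decimal("2600.00"), "2010-01-15"),
    ("Nova Cleaning", "78", Decimal("3900.00"), "2010-03-15"),
]

def normalize_invoice(number):
    """Fold case, drop punctuation and leading zeros so 'INV-0042' == 'inv 42'."""
    compact = re.sub(r"[^0-9a-z]", "", number.lower())
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)

def duplicate_payments(payments):
    """Group by vendor, normalized invoice and amount; keep groups paid twice or more."""
    seen = defaultdict(list)
    for vendor, invoice, amount, paid_on in payments:
        seen[(vendor, normalize_invoice(invoice), amount)].append(paid_on)
    return {key: dates for key, dates in seen.items() if len(dates) > 1}

def budget_exceptions(payments, budgets, threshold=Decimal("1.25")):
    """Flag vendors paid well over budget, calling out totals of exactly 2x."""
    totals = defaultdict(Decimal)
    for vendor, _invoice, amount, _paid_on in payments:
        totals[vendor] += amount
    flags = []
    for vendor, total in sorted(totals.items()):
        budget = budgets.get(vendor)
        if budget is None:
            flags.append((vendor, total, "no budget on file"))
        elif total == 2 * budget:
            flags.append((vendor, total, "exactly double budget"))
        elif total >= threshold * budget:
            flags.append((vendor, total, "over budget"))
    return flags
```

Each flag is a lead for manual review of the underlying invoices and checks, not proof of fraud.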

Preventing AP Fraud

The number and variety of specific anti-fraud controls that an organization requires to minimize its vulnerability to AP fraud depend on the size of the organization, volume of invoices, and unique processes and procedures in place to manage the AP function. Importantly, the nature of anti-AP fraud controls must be flexible and dynamic, since fraudsters are continuously devising new ways to penetrate or circumvent existing controls. However, as AP management and other financial managers work to fine-tune these specific AP fraud prevention measures, there are two basic categories of fraud control that must be in place at all times: segregation of duties and delegation of authority.

Segregation of Duties

As it applies to reducing the organization’s external fraud risk, segregation of duties involves separating job functions in a way so that no single employee is in a position to be deceived by an external fraudster, or so no single employee has sufficient authority to collude with a vendor, client, or ex-employee. Segregation of duties is undoubtedly one of the most important internal controls for many key process-level operations. Its necessity will inevitably be clearly evidenced by your fraud risk assessment.

Never have the same person approving invoices and generating or signing checks to vendors. If you do, a dishonest vendor could submit fraudulent invoices that deceive the AP employee in charge of approving invoices and then get paid by the same individual. Instead, make one employee responsible for reviewing and approving invoices and another responsible for disbursements. That way, at least one person should catch any fraudulent billing a dishonest vendor may attempt. Similarly, expenditures exceeding a set maximum should require authorization from two managers instead of one.

Never allow a single purchasing staff member to approve the addition of a new vendor to the vendor master file. Ideally, this should be done by a special committee representing different business functions and applying an agreed-upon set of standards or criteria for approving new vendors. Such standards should include, for example, length of time in business, a record of customer/client complaints against the vendor, legal or regulatory actions against the vendor, and person-to-person reference checking with the vendor’s existing clients or customers. If approval by committee is not practical in your organization, at least institute a control requiring two independent management reviews and approvals of new vendors. That eliminates the possibility of corruption and increases the chances that if there are suspicious factors in the vendor’s background, one of the managers will catch them.

Here are some additional recommendations:

Segregate the duties of purchase order issuance and AP disbursements.

Separate the duties of invoice approval and approval/signing of delivery documentation.

Segregate any AP duties from the job of bank reconciliation. If a single employee is permitted to handle these two functions, you have provided him or her with a proverbial license to steal, as it is easy for that person to issue fraudulent disbursements and then conceal them by manipulating the bank statements before anyone else, such as your outside auditors, has a chance to scrutinize them.
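
The separations listed in this section can be checked against the duty assignments and payment records in the AP system. The following is an added example, not part of the original presentation; the duty names, user names, record layout and the 10,000 dual-approval limit are assumptions (the text says only "a set maximum"), and the check confirms two distinct approvers without verifying that they are managers.

```python
from itertools import combinations

# Duty pairs the text says one person must never hold together (names assumed).
CONFLICTS = {
    frozenset({"approve_invoice", "issue_payment"}),
    frozenset({"issue_purchase_order", "issue_payment"}),
    frozenset({"approve_invoice", "sign_delivery_docs"}),
    frozenset({"bank_reconciliation", "issue_payment"}),
    frozenset({"bank_reconciliation", "approve_invoice"}),
}
DUAL_APPROVAL_LIMIT = 10_000  # assumed threshold for two-person authorization

# Constructed sample data: duty assignments and a few disbursement records.
ASSIGNMENTS = {
    "alice": {"approve_invoice"},
    "bob": {"issue_payment", "bank_reconciliation"},
    "carol": {"issue_purchase_order", "sign_delivery_docs"},
}
DISBURSEMENTS = [
    {"id": "P-1", "amount": 4_200, "approvers": ["alice"], "paid_by": "bob"},
    {"id": "P-2", "amount": 18_000, "approvers": ["alice"], "paid_by": "bob"},
    {"id": "P-3", "amount": 950, "approvers": ["dave"], "paid_by": "dave"},
    {"id": "P-4", "amount": 25_000, "approvers": ["alice", "alice"], "paid_by": "bob"},
]

def role_conflicts(assignments):
    """Return (user, duty_a, duty_b) for every conflicting pair one user holds."""
    found = []
    for user, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((user, a, b))
    return found

def disbursement_violations(disbursements, limit=DUAL_APPROVAL_LIMIT):
    """Check each payment for self-approval and a missing second authorization."""
    found = []
    for d in disbursements:
        approvers = set(d["approvers"])  # the same name entered twice counts once
        if d["paid_by"] in approvers:
            found.append((d["id"], "approver also issued payment"))
        # The person issuing the payment does not count as an independent approver.
        if d["amount"] > limit and len(approvers - {d["paid_by"]}) < 2:
            found.append((d["id"], "needs two independent approvers"))
    return found
```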

Delegation of Authority

In the context of external AP fraud, delegation of authority applies primarily to determining who at what level of the organization should have the authority for specified spending limits within certain categories of expenditure. The employees or managers who delegate this authority “downward,” however, should be required to retain accountability for all spending decisions within their sphere of authority. With regard to preventing external fraud, this may require being directly involved in due diligence on prospective new vendors and review of disbursements that are unusual compared with existing patterns.

Here are some additional recommendations:

Provide detailed anti-fraud training to employees who have direct contact with vendors. If you make them aware of the common scams and schemes vendors use to steal from organizations, employees in the procurement, accounts payable, accounting, and contracting functions will be better able to prevent vendor fraud from occurring. It is often best to retain an outside fraud prevention trainer to conduct this instruction. If gathering everyone who requires training into a single room at a specific time is impractical, consider implementing the training via an online, or “e-learning,” program available from outside anti-fraud training vendors.

Train employees throughout the accounts payable and procurement departments. As with anti-fraud training involving vendors, employee awareness of the numerous non-vendor schemes that threaten the organization is also key. Demonstrate to all sales personnel and point of sale (POS) staff the telltale signs of bogus credit cards, fake or falsified receipts, and stolen merchandise. Educate line employees about common accounts payable schemes involving check forgery, fraudulent endorsements, and theft of blank check stock, as well as the varieties of kickback schemes, vendor master file manipulation, and other forms of fraud discussed above. When employees are familiar with the red flags of accounts payable fraud, they are better equipped—and often more willing—to report suspicious activity to management. This of course requires implementation of a confidential hotline and continuous encouragement to use it.

Regularly review your approved vendor list(s). If a dishonest vendor has somehow managed to slip through the new-vendor approval process and is committing fraud by submitting phony or duplicate invoices or overcharging your organization, a semi-annual review of the approved vendor list will flag this and prevent further abuse.