Molly, the assistant treasurer at XYZ Corp. in Miami, opened an e-mail from a former colleague who no longer worked for the organization. The e-mail read: "Hi Molly, there should be a refund of $716 on my old corporate Visa card from the IP Conference. I paid for, but did not attend, the conference and did not turn in the charge to XYZ for reimbursement. Can you have Visa issue a refund check to me? Thanks very much for your help."

The e-mail was from Jerry, a former XYZ executive who had been Molly's boss at one time. The message seemed innocuous enough. Jerry had legitimately charged a business conference to his corporate credit card, but he had canceled his registration because he left the company. Therefore, he was due a refund.

It would have been very easy for Molly to trust her former boss and get him the refund. Instead, because something didn't seem quite right, she chose to check on whether XYZ had already reimbursed Jerry for the conference.

To make this determination, Molly accessed Jerry's corporate credit card records online and retrieved his expense reports from the accounts payable file room. The expense reports confirmed that Jerry had not expensed the conference fee, but when Molly looked at his credit card statement, she saw a couple of odd items.

First, the most recent statement indicated that the former XYZ executive had made four payments to his credit card in one month. Second, the statement was two pages long, and Molly knew that Jerry rarely traveled for business. She scanned the charges and noted that most of them were from local vendors. In addition, none of the items looked like business charges. The charges included dinners at local restaurants, department and grocery store charges, and airline tickets for Jerry and his wife that Molly knew were for their recent vacation.

Out of curiosity, Molly queried the company's checks online to see if any of the payments made on Jerry's Visa account matched the dollar amounts of checks written by XYZ. Sure enough, she found that all four payments made to Jerry's credit card that month equaled amounts on checks that the company had written to Visa. Molly increased the scope of her search and observed that every payment posted to Jerry's corporate credit card over the previous 12 months was from a check written by the company. She also noticed that of the $88,000 in charges on Jerry's card over that time frame, none was for business expenses.

Molly printed copies of all of the checks and noted that, although Visa was listed as the payee on all of them, Jerry's corporate credit card account number was handwritten on each check. Molly approached the director of internal auditing as well as Jerry's former manager and requested an investigation into the matter.

While working for XYZ, Jerry was in charge of making sure that the organization paid delinquent balances on the corporate credit cards of people who had left the company. XYZ had an arrangement with the credit card company that it would guarantee payment for certain employees if those employees did not pay the balances on their accounts. Once a month, Jerry would provide accounts payable with a list of delinquent accounts on guaranteed cards, and accounts payable would cut the check to the credit card company.

However, on the bottom of every check request in Jerry's last year of employment, he had written, "Please deliver the check to me." Typically, accounts payable would mail the check directly to the credit card company, but because accounts payable knew that Jerry maintained a relationship with the credit card company, they adhered to his request and delivered the checks to him. When Jerry received a check, he would write his own account number on the check, and the bank would apply the payment to Jerry's credit card.

Jerry did not need to make sure that the delinquent credit card owners listed on his spreadsheet paid their balances, because he had fabricated the delinquency list that he provided to accounts payable. In many cases, the employees with the so-called delinquent balances had left the organization long before, and they had paid their balances in full before departing.

So, where were the control breakdowns? First, Jerry had sole authority over the credit card function. He managed the corporate credit cards, reviewed the delinquent accounts, had access to the employee statements, and dealt with the bank's account managers. No one reviewed his work. As soon as accounts payable walked the checks down to his office, he had all he needed to perpetrate the fraud.

The second breakdown was that the accounts payable clerk walked the checks over to Jerry. Although not necessarily right, it is understandable that accounts payable would not have the time to audit Jerry's delinquency list. After all, accounts payable was processing more than 1,000 checks per week with a staff of six. However, it was unacceptable for the clerk to deliver the check directly to Jerry. The check should have gone from accounts payable to the vendor. The vendor invoice--or delinquency data in this case--should have contained all of the pertinent information to allow accounts payable to appropriately route the check.

XYZ decided to report Jerry to law enforcement. Although $88,000 is not a significant amount of money for a $1 billion company, and the legal fees and other costs might be high, the company wanted to demonstrate to its employees that it would not tolerate fraud and would hold perpetrators accountable. Decisive and timely action such as this is critical to maintaining a sound control environment.

Not everyone is as diligent as Molly. The lesson she applied is an important one to teach operations personnel: Take the time to check anything that doesn't seem right. Because she spent a few minutes performing due diligence, Molly uncovered an $88,000 fraud.

Several symptoms may have flagged the fraud. If internal auditing had been testing the employee credit card charges, simply identifying the top 25 corporate card users and reviewing their charges would have flagged Jerry. Travel reimbursements of $88,000 in one year covers a lot of travel. Testing the accounts of the people with the most posted credits would have similarly flagged Jerry. Also, Jerry averaged three payments a month on his credit card over the course of a year, an unusual pattern that, if identified, should have been investigated.

Testing the top 25 corporate credit card users and searching for unusual patterns are the staples of any audit program that contains tests designed to uncover fraud.

LESSONS LEARNED

* Employees should take the extra step. If employees are presented with a transaction that they do not completely understand, they should do what it takes to understand the transaction. Molly was one of the custodians of the organization's cash, so when someone asked for money from the company, even a trusted former boss, it was important for her to understand the nature of the transaction.

* Segregate duties. This is a concept that is drilled into the brains of internal auditors ad nauseam, but it is not necessarily communicated as often to operational management. The organization's head treasurer, to whom Jerry reported, was an ex-auditor and ex-controller, and therefore should have been aware of this control concept. However, during the course of business, when times are good and everyone is busy, it is easy to overlook the fundamentals. Jerry had too much control, and because accounts payable trusted him, the clerks did not adhere to their own processes and send the check directly to the third party.

* Act quickly and decisively. Jerry was a long-time employee of XYZ, and he was well-liked in the organization. It would have been easy for the company to ask Jerry to pay the money back and call it even. However, management and the board called for a full investigation, led by the internal audit group that included outside consultants, legal counsel, and the district attorney. Management also decided to not keep it quiet; they let the finance and accounting organizations know what was going on so that it became clear to everyone that XYZ would not treat fraud lightly.

* Thieves can get greedy. In this case, Jerry had already left the company. His fraud might have gone undetected if he had not returned for one last $716!
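
The audit tests described above (accounts with the most posted credits, unusually frequent payments, and card payments that equal company check amounts), written as an added example that is not part of the original article. The record layouts, the two-payments-per-month threshold, and the account names are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample data; amounts are in cents.
CHECKS = [("C1001", 412050), ("C1002", 98000), ("C1003", 250075),
          ("C1004", 130000), ("C1005", 75025)]  # (check_no, amount) paid to issuer
PAYMENTS = [  # (card_account, "YYYY-MM", amount) credits posted by the issuer
    ("acct-A", "2024-03", 412050), ("acct-A", "2024-03", 98000),
    ("acct-A", "2024-03", 250075), ("acct-A", "2024-03", 130000),
    ("acct-B", "2024-03", 56010),
    ("acct-C", "2024-03", 75025), ("acct-C", "2024-04", 20000),
]

def top_by_credits(payments, n=25):
    """Accounts with the most posted credits, largest first (review queue)."""
    totals = defaultdict(int)
    for account, _, amount in payments:
        totals[account] += amount
    return sorted(totals, key=totals.get, reverse=True)[:n]

def audit_card_payments(payments, checks, max_per_month=2):
    """Return {account: [reasons]} for accounts that fail either pattern test."""
    unused = Counter(amount for _, amount in checks)  # each check matches once
    per_month = defaultdict(Counter)
    matched = Counter()
    for account, month, amount in payments:
        per_month[account][month] += 1
        if unused[amount] > 0:       # amount-only match (assumption)
            unused[amount] -= 1
            matched[account] += 1
    findings = {}
    for account, months in per_month.items():
        reasons = []
        total, busiest = sum(months.values()), max(months.values())
        if busiest > max_per_month:
            reasons.append(f"{busiest} payments in one month")
        if total > 1 and matched[account] == total:
            reasons.append(f"all {total} payments equal company check amounts")
        if reasons:
            findings[account] = reasons
    return findings

if __name__ == "__main__":
    print(top_by_credits(PAYMENTS, n=1))
    print(audit_card_payments(PAYMENTS, CHECKS))
```

An account such as acct-C, where one guaranteed-card payment legitimately came from a company check, is not flagged; only an account funded entirely by company checks or paid unusually often is.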