Molly, the assistant treasurer at XYZ Corp. in Miami, opened an e-mail from a former colleague who no longer worked for the organization. The e-mail read: "Hi Molly, there should be a refund of $716 on my old corporate Visa card from the IP Conference. I paid for, but did not attend, the conference and did not turn in the charge to XYZ for reimbursement. Can you have Visa issue a refund check to me? Thanks very much for your help."

The e-mail was from Jerry, a former XYZ executive who had been Molly's boss at one time. The message seemed innocuous enough. Jerry had legitimately charged a business conference to his corporate credit card, but he had canceled his registration because he left the company. Therefore, he was due a refund.

It would have been very easy for Molly to trust her former boss and get him the refund. Instead, because something didn't seem quite right, she chose to check on whether XYZ had already reimbursed Jerry for the conference.

To make this determination, Molly accessed Jerry's corporate credit card records online and retrieved his expense reports from the accounts payable file room. The expense reports confirmed that Jerry had not expensed the conference fee, but when Molly looked at his credit card statement, she saw a couple of odd items.

First, the most recent statement indicated that the former XYZ executive had made four payments to his credit card in one month. Second, the statement was two pages long, and Molly knew that Jerry rarely traveled for business. She scanned the charges and noted that most of them were from local vendors. In addition, none of the items looked like business charges. The charges included dinners at local restaurants, department and grocery store charges, and airline tickets for Jerry and his wife that Molly knew were for their recent vacation.

Out of curiosity, Molly queried the company's checks online to see if any of the payments made on Jerry's Visa account matched the dollar amounts of checks written by XYZ. Sure enough, she found that all four payments made to Jerry's credit card that month equaled amounts on checks that the company had written to Visa. Molly increased the scope of her search and observed that every payment posted to Jerry's corporate credit card over the previous 12 months was from a check written by the company. She also noticed that of the $88,000 in charges on Jerry's card over that time frame, none was for business expenses.

Molly printed copies of all of the checks and noted that, although Visa was listed as the payee on all of them, Jerry's corporate credit card account number was handwritten on each check. Molly approached the director of internal auditing as well as Jerry's former manager and requested an investigation into the matter.

While working for XYZ, Jerry was in charge of making sure that the organization paid delinquent balances on the corporate credit cards of people who had left the company. XYZ had an arrangement with the credit card company that it would guarantee payment for certain employees if those employees did not pay the balances on their accounts. Once a month, Jerry would provide accounts payable with a list of delinquent accounts on guaranteed cards, and accounts payable would cut the check to the credit card company.

However, on the bottom of every check request in Jerry's last year of employment, he had written, "Please deliver the check to me." Typically, accounts payable would mail the check directly to the credit card company, but because accounts payable knew that Jerry maintained a relationship with the credit card company, they adhered to his request and delivered the checks to him. When Jerry received a check, he would write his own account number on the check, and the bank would apply the payment to Jerry's credit card.

Jerry did not need to make sure that the delinquent credit card owners listed on his spreadsheet paid their balances, because he had fabricated the delinquency list that he provided to accounts payable. In many cases, the employees with the so-called delinquent balances had left the organization long before, and they had paid their balances in full before departing.

So, where were the control breakdowns?

First, Jerry had sole authority over the credit card function. He managed the corporate credit cards, reviewed the delinquent accounts, had access to the employee statements, and dealt with the bank's account managers. No one reviewed his work. As soon as accounts payable walked the checks down to his office, he had all he needed to perpetrate the fraud.

The second breakdown was that the accounts payable clerk walked the checks over to Jerry. Although not necessarily right, it is understandable that accounts payable would not have the time to audit Jerry's delinquency list. After all, accounts payable was processing more than 1,000 checks per week with a staff of six. However, it was unacceptable for the clerk to deliver the check directly to Jerry. The check should have gone from accounts payable to the vendor. The vendor invoice--or delinquency data in this case--should have contained all of the pertinent information to allow accounts payable to appropriately route the check.

XYZ decided to report Jerry to law enforcement. Although $88,000 is not a significant amount of money for a $1 billion company, and the legal fees and other costs might be high, the company wanted to demonstrate to its employees that it would not tolerate fraud and would hold perpetrators accountable. Decisive and timely action such as this is critical to maintaining a sound control environment.

Not everyone is as diligent as Molly. The lesson she applied is an important one to teach operations personnel: Take the time to check anything that doesn't seem right. Because she spent a few minutes performing due diligence, Molly uncovered an $88,000 fraud.

Several symptoms may have flagged the fraud. If internal auditing had been testing the employee credit card charges, simply identifying the top 25 corporate card users and reviewing their charges would have flagged Jerry. Travel reimbursements of $88,000 in one year cover a lot of travel. Testing the accounts of the people with the most posted credits would have similarly flagged Jerry. Also, Jerry averaged three payments a month on his credit card over the course of a year, an unusual pattern that, if identified, should have been investigated.

Testing the top 25 corporate credit card users and searching for unusual patterns are the staples of any audit program that contains tests designed to uncover fraud.

LESSONS LEARNED

* Employees should take the extra step. If employees are presented with a transaction that they do not completely understand, they should do what it takes to understand the transaction. Molly was one of the custodians of the organization's cash, so when someone asked for money from the company, even a trusted former boss, it was important for her to understand the nature of the transaction.

* Segregate duties. This is a concept that is drilled into the brains of internal auditors ad nauseam, but it is not necessarily communicated as often to operational management. The organization's head treasurer, to whom Jerry reported, was an ex-auditor and ex-controller, and therefore should have been aware of this control concept. However, during the course of business, when times are good and everyone is busy, it is easy to overlook the fundamentals. Jerry had too much control, and because accounts payable trusted him, the clerks did not adhere to their own processes and send the check directly to the third party.

* Act quickly and decisively. Jerry was a long-time employee of XYZ, and he was well-liked in the organization. It would have been easy for the company to ask Jerry to pay the money back and call it even. However, management and the board called for a full investigation, led by the internal audit group that included outside consultants, legal counsel, and the district attorney. Management also decided to not keep it quiet; they let the finance and accounting organizations know what was going on so that it became clear to everyone that XYZ would not treat fraud lightly.

* Thieves can get greedy. In this case, Jerry had already left the company. His fraud might have gone undetected if he had not returned for one last $716!
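The two tests the article describes, counting payments per card per month and tracing card payments back to company checks as Molly did by hand, can be run as a routine audit query. The sketch below is an added example, not part of the original article; the account names, check numbers, amounts and the 10-day matching window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# Constructed sample data (not from the article).
# Payments posted to corporate card accounts: (account, posted, amount)
PAYMENTS = [
    ("card-1001", date(2023, 5, 4), Decimal("2150.00")),
    ("card-1001", date(2023, 5, 11), Decimal("1834.27")),
    ("card-1001", date(2023, 5, 19), Decimal("990.10")),
    ("card-1001", date(2023, 5, 26), Decimal("2675.48")),
    ("card-2002", date(2023, 5, 15), Decimal("412.00")),
    ("card-3003", date(2023, 5, 20), Decimal("990.10")),
]
# Company checks payable to the card issuer: (check_no, issued, amount)
CHECKS = [
    ("chk-501", date(2023, 5, 1), Decimal("2150.00")),
    ("chk-502", date(2023, 5, 8), Decimal("1834.27")),
    ("chk-503", date(2023, 5, 16), Decimal("990.10")),
    ("chk-504", date(2023, 5, 23), Decimal("2675.48")),
]

def frequent_payers(payments, threshold=3):
    """Accounts with at least `threshold` payments in any calendar month."""
    counts = defaultdict(int)
    for account, posted, _ in payments:
        counts[(account, posted.year, posted.month)] += 1
    return sorted({k[0] for k, n in counts.items() if n >= threshold})

def match_to_checks(payments, checks, window=timedelta(days=10)):
    """Pair each payment with an unused company check of equal amount that
    was issued no more than `window` before the payment posted."""
    unused = sorted(checks, key=lambda c: c[1])
    hits = defaultdict(list)
    for account, posted, amount in sorted(payments, key=lambda p: p[1]):
        for chk in unused:
            if chk[2] == amount and timedelta(0) <= posted - chk[1] <= window:
                hits[account].append((posted, chk[0]))
                unused.remove(chk)  # a check can fund only one payment
                break
    return dict(hits)

def check_funded_share(payments, checks):
    """Fraction of each account's payments that trace to a company check."""
    hits = match_to_checks(payments, checks)
    totals = defaultdict(int)
    for account, _, _ in payments:
        totals[account] += 1
    return {a: len(hits.get(a, [])) / n for a, n in totals.items()}
```

An individual card whose payments are funded entirely by company checks, as card-1001 is here, is the pattern Molly found on Jerry's account; card-3003 shares an amount with a check but is not matched because that check is already accounted for.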