A Novel Credit Card

Exercising a little due diligence, an internal auditor uncovers an attempt by a former employee to defraud the company.

Scott Langlinais, CPA
 
Jennifer, the assistant treasurer at ABC Corp. in New Orleans, opened an e-mail from a former colleague who no longer worked for the organization. The e-mail read: “Hi Jennifer, there should be a refund of $716 on my old corporate Visa card from the IP Conference. I paid for, but did not attend, the conference and did not turn in the charge to ABC for reimbursement. Can you have Visa issue a refund check to me? Thanks very much for your help.”
 
The e-mail was from Larry, a former ABC executive who had been Jennifer’s boss at one time. The message seemed innocuous enough. Larry had legitimately charged a business conference to his corporate credit card, but he had canceled his registration because he left the company. Therefore, he was due a refund.
 
It would have been very easy for Jennifer to trust her former boss and get him the refund. Instead, because something didn’t seem quite right, she chose to check on whether ABC had already reimbursed Larry for the conference.
 
To make this determination, Jennifer accessed Larry’s corporate credit card records online and retrieved his expense reports from the accounts payable file room. The expense reports confirmed that Larry had not expensed the conference fee, but when Jennifer looked at his credit card statement, she saw a couple of odd items.
 
First, the most recent statement indicated that the former ABC executive had made four payments to his credit card in one month. Second, the statement was two pages long, and Jennifer knew that Larry rarely traveled for business. She scanned the charges and noted that most of them were from local vendors. In addition, none of the items looked like business charges. The charges included dinners at local restaurants, department and grocery store charges, and airline tickets for Larry and his wife that Jennifer knew were for their recent vacation.
 
Out of curiosity, Jennifer queried the company’s checks online to see if any of the payments made on Larry’s Visa account matched the dollar amounts of checks written by ABC. Sure enough, she found that all four payments made to Larry’s credit card that month equaled amounts on checks that the company had written to Visa. Jennifer increased the scope of her search and observed that every payment posted to Larry’s corporate credit card over the previous 12 months was from a check written by the company. She also noticed that of the $88,000 in charges on Larry’s card over that time frame, none was for business expenses.
 
Jennifer printed copies of all of the checks and noted that, although Visa was listed as the payee on all of them, Larry’s corporate credit card account number was handwritten on each check. Jennifer approached the director of internal auditing as well as Larry’s former manager and requested an investigation into the matter.
 
While working for ABC, Larry was in charge of making sure that the organization paid delinquent balances on the corporate credit cards of people who had left the company. ABC had an arrangement with the credit card company that it would guarantee payment for certain employees if those employees did not pay the balances on their accounts. Once a month, Larry would provide accounts payable with a list of delinquent accounts on guaranteed cards, and accounts payable would cut the check to the credit card company.
 
However, on the bottom of every check request in Larry’s last year of employment, he had written, “Please deliver the check to me.” Typically, accounts payable would mail the check directly to the credit card company, but because accounts payable knew that Larry maintained a relationship with the credit card company, they adhered to his request and delivered the checks to him. When Larry received a check, he would write his own account number on the check, and the bank would apply the payment to Larry’s credit card.
 
Larry did not need to make sure that the delinquent credit card owners listed on his spreadsheet paid their balances, because he had fabricated the delinquency list that he provided to accounts payable. In many cases, the employees with the so-called delinquent balances had left the organization long before, and they had paid their balances in full before departing.
 
So, where were the control breakdowns? First, Larry had sole authority over the credit card function. He managed the corporate credit cards, reviewed the delinquent accounts, had access to the employee statements, and dealt with the bank’s account managers. No one reviewed his work. As soon as accounts payable walked the checks down to his office, he had all he needed to perpetrate the fraud.
 
The second breakdown was that the accounts payable clerk walked the checks over to Larry. Although not necessarily right, it is understandable that accounts payable would not have the time to audit Larry’s delinquency list. After all, accounts payable was processing more than 1,000 checks per week with a staff of six. However, it was unacceptable for the clerk to deliver the check directly to Larry. The check should have gone from accounts payable to the vendor. The vendor invoice — or delinquency data in this case — should have contained all of the pertinent information to allow accounts payable to appropriately route the check.
 
ABC decided to report Larry to law enforcement. Although $88,000 is not a significant amount of money for a $1 billion company, and the legal fees and other costs might be high, the company wanted to demonstrate to its employees that it would not tolerate fraud and would hold perpetrators accountable. Decisive and timely action such as this is critical to maintaining a sound control environment.
 
Not everyone is as diligent as Jennifer. The lesson she applied is an important one to teach operations personnel: Take the time to check anything that doesn’t seem right. Because she spent a few minutes performing due diligence, Jennifer uncovered an $88,000 fraud.
 
Several symptoms may have flagged the fraud. If internal auditing had been testing the employee credit card charges, simply identifying the top 25 corporate card users and reviewing their charges would have flagged Larry. Travel reimbursements of $88,000 in one year covers a lot of travel. Testing the accounts of the people with the most posted credits would have similarly flagged Larry. Also, Larry averaged three payments a month on his credit card over the course of a year, an unusual pattern that, if identified, should have been investigated.
 
Testing the top 25 corporate credit card users and searching for unusual patterns are the staples of any audit program that contains tests designed to uncover fraud.
 
LESSONS LEARNED
  • Employees should take the extra step. If employees are presented with a transaction that they do not completely understand, they should do what it takes to understand the transaction. Jennifer was one of the custodians of the organization’s cash, so when someone asked for money from the company, even a trusted former boss, it was important for her to understand the nature of the transaction.
  • Segregate duties. This is a concept that is drilled into the brains of internal auditors ad nauseam, but it is not necessarily communicated as often to operational management. The organization’s head treasurer, to whom Larry reported, was an ex-auditor and ex-controller, and therefore should have been aware of this control concept. However, during the course of business, when times are good and everyone is busy, it is easy to overlook the fundamentals. Larry had too much control, and because accounts payable trusted him, the clerks did not adhere to their own processes and send the check directly to the third party.
  • Act quickly and decisively. Larry was a long-time employee of ABC, and he was well-liked in the organization. It would have been easy for the company to ask Larry to pay the money back and call it even. However, management and the board called for a full investigation, led by the internal audit group that included outside consultants, legal counsel, and the district attorney. Management also decided to not keep it quiet; they let the finance and accounting organizations know what was going on so that it became clear to everyone that ABC would not treat fraud lightly.
  • Thieves can get greedy. In this case, Larry had already left the company. His fraud might have gone undetected if he had not returned for one last $716!

To comment on this article, e-mail the author at slanglinais@theiia.org.

 

April 2014IaCover

  IPPF_Ap42014 

IIA SmartBrief

Bookstore Digital

 IIA Academic_Nov 2013

 

 

 Twitter

 facebook IAO 

IA APP