control, and governance
SMALL FRAUDS EQUAL BIG LOSSES
The Boston Herald reports that a former Massachusetts bookkeeper has been convicted of embezzling US $140,000 from her former employer of 22 years, the Woods Hole, Martha’s Vineyard, and Nantucket Steamship Authority. The woman created fictitious Steamship Authority customer names and assigned credit card refunds to them but then sent the money to credit or debit card accounts she controlled. The scheme involved about 308 fraudulent refund transactions during an eight-year period.
One of the interesting things about this fraud is that the perpetrator did not get overly greedy, as evidenced by her average of about three fraudulent transactions per month (for eight years) at approximately US $471 per transaction. Although this small amount made the frauds difficult to detect, the internal auditors should have noticed the red flags: refunds were being issued to customers who had never made a purchase, and separation of duties were insufficient. For example, the bookkeeper was authorized to create customers and assign credit card refunds without additional approvals, and she was able to redirect refunds to other accounts, which she controlled.
The IIA’s International Standards for the Professional Practice of Internal Auditing require that auditors consider the risk of fraud at the start of every audit, which should include assessing the business process for possible separation of duties issues. When there are a large number of transactions and only a small percentage is fraudulent, a carefully planned fraud risk assessment can identify key controls and symptoms of potential fraud (e.g., refunds with no prior purchase) and help focus the auditors on the “needle in the haystack.”
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.