Interested in this topic? Visit the links below for more resources:
Visit The IIA's website or YouTube channel for related topics and more.
00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit. In this episode, Jamie Schein joins Colin May to expose the hidden risks behind payroll and overtime fraud, one of the most underestimated threats to organizational integrity. From toxic workplace cultures to impossible days and data-driven red flags, they uncover how emotional intelligence, analytics,
00:00:25 The IIA
and collaboration among internal audit, HR, and leadership can keep timekeeping honest and controls effective.
00:00:35 Jami Shine
Colin, welcome to the show. We're so excited to have you.
00:00:38 Colin May
Thanks, Jimmy. It's great to be here. I'm super excited to talk about what would otherwise be, I think, pretty run-of-the-mill type of financial discussion, but I think we're going to make it fun.
00:00:49 Jami Shine
Why was this something that you were passionate about? Did you personally have an experience with overtime fraud?
00:00:54 Colin May
I didn't. But what I did is I noticed that this was becoming more and more of an issue. I've been an investigator my whole life, but I've never had to deal with this type of fraud directly. But what I do is I look and see what
00:01:14 Colin May
is going on in courts. It just, it popped out to me. A couple of years ago, back in 2021, I'd written an article for the Association for Certified Fraud Examiners about no-show or low-show jobs. So these are schemes where an individual is basically given a position with very little responsibility and very little actual authority.
00:01:41 Colin May
no expectations of actually doing any work. And so over the last couple of years, I've been following this and the idea of what is happening out there is really interesting to me. So the whole payroll, it's a very complex issue for all of our organizations. It's the number one expense, right? We are organizations of people and we
00:02:06 Colin May
pay them. So, naturally, one would think that there could be some potential fraud there.
00:02:13 Jami Shine
Absolutely. That's a really great point, that it is often our number one expense for our organizations. And yet auditors often aren't spending a lot of time looking at things like overtime fraud or payroll fraud. Now, you mentioned something that I thought was really interesting. You mentioned that overtime fraud and just payroll fraud in general seem to be occurring more frequently. What do you think is contributing to that?
00:02:35 Colin May
I think there are a lot of issues. So I think number one, the economic outlook is uncertain. As we're recording this, there's a lot of uncertainty. There are industries that are under tremendous financial pressure and margins are down. Employees are feeling that pressure too. Managers are feeling that pressure to perform. And so there are those kind of macro factors.
00:03:01 Colin May
But let's also not discount the fact that there could be very personal or corporate specific issues that need to be addressed. So for example, one of the rationalizations that we often hear about in these cases is I'm owed that money. You know, there's a very personal belief that they've been left out or left behind or cheated basically. And so they then
00:03:30 Colin May
essentially see that as an opportunity to turn the tables and cheat the company as well. There's just a lot of stuff going on right now and it's happening so fast. And so I think if people are feeling left behind, if they're very unsure of their financial situation, if they're feeling that they need like a nest egg type of deal, it's just all over the map. But the motives fundamentally are driven by that economic concern.
00:03:59 Jami Shine
it's really sad to think of that, our economic situation could be causing fraud to grow, but certainly it makes sense. I really liked that you're addressing kind of the human element of fraud, right? That rationalization, the justification, even the motivation. I think sometimes as auditors, we really get trapped in just talking about the opportunity and what controls do we have in place to address the opportunity. But what types of controls could organizations implement to prevent or reduce fraud? Kind of focusing on that human
00:04:29 Jami Shine
element.
00:04:30 Colin May
So Jamie, I think you hit on like one of my favorite things for auditors. And last year I did a session for the IIA chapter in Albany, New York, specifically about emotional intelligence and how can we harness as auditors, right? We're not necessarily a group that's known for
00:04:54 Colin May
being warm and fuzzy, and that's okay. What we need to do is be able to utilize our emotional intelligence to help guide our interactions. And that gives us influence, and that gives us leverage in both the audit space, and then as we move up into audit executives and leadership in the companies or in the organizations. So we can have the best controls. We could have all the data.
00:05:20 Colin May
At the end of the day, it's people. People are organizations. Organizations are groups of people. And so to the extent that we can understand what's going on and what are the motivations, what are the concerns, those things really make a big difference. And so as auditors, we can really focus in on that piece.
00:05:48 Colin May
One of the things, and I was thinking about this morning, is a key audit that we would use is interviews, right? We go in there and interview people and ask them these questions. I really wonder if we can rethink how we do those interviews. Even the order of questions that we ask someone could really
00:06:15 Colin May
be telling. What's a typical audit type question that we would ask, right? Like, are you aware of any instances of an employee forging a supervisor's signature on a time card? How many people are really going to say yes to that, right?
00:06:30 Jami Shine
Absolutely. I always wondered that, right?
00:06:32 Colin May
Yeah, like we're kind of setting it up so that they say, well, of course not. You know, I don't know.
00:06:38 Jami Shine
It becomes a check the box exercise.
00:06:41 Colin May
Absolutely. Totally 100%. And that's what we want to avoid because
00:06:45 Colin May
We're not only doing internal audit as a verification, right, of the information that's being put into the financials, but it's that internal control environment. It's that risk management. It's fraud prevention. It's all of these things that we have an opportunity
00:07:04 Colin May
to really capture. And so I'm hopeful that, especially as we move from more of a kind of paper-based to more data-driven audits, that hopefully we spend less time on the check the box exercises, quote unquote, and more on the understanding the people, understanding the process, using that emotional intelligence so that we can really understand
00:07:33 Colin May
So much of this is driven by internal culture. It's, have we ever audited the culture of this department, of this, you know, whatever we're looking at? Because it's the culture that enables this type of behavior to exist, to persist, and then to flourish.
00:07:53 Jami Shine
Absolutely.
00:07:53 Colin May
And we can talk about some of those cases where that's happened.
00:07:58 Jami Shine
let's jump into that. I would love to hear, give this one of your best fraud stories where you've seen a cultural influence where maybe a toxic culture directly led to fraud.
00:08:10 Colin May
I'm going to give you some really interesting cases. And I should say at the outset that my background is in the public sector. And so a lot of my examples come from the public sector because, you know, those are kind of some of the easiest ones. That is,
00:08:28 Colin May
there's transparency. Public records are key. And certainly there's a lot of issues with private companies not wanting to air dirty laundry and having different ways of handling things. But so I'll give you an example, Boston Police Department, right? There's an evidence warehouse that needs to be, has 24-7 type of access. Well, and unfortunately, there was just a myriad of issues with that where supervisors
00:08:58 Colin May
and officers were just raking in overtime at an exorbitant amount of money. It's really sad when you've got public servants that are feeling like they could do that, right? That's a huge problem.
00:09:15 Jami Shine
Absolutely. What were some of the cultural factors that you think were leading to that?
00:09:19 Colin May
So what's interesting about this case particularly is that there seem to be a number of different issues. I would highly recommend people go out and go and read these court documents because they're really interesting. And I think that, again, from an auditor education perspective, like if we can look at these cases and see what's happening, then
00:09:41 Colin May
that might be helpful for us to really understand what it is that some of these things are happening and why. And then apply that to whatever our context is. Another really interesting case out of the New York City, the Metropolitan Transit Authority, they run the subway system in New York. So this longtime employee racked up 3,864 hours
00:10:11 Colin May
of overtime. That's on top of their 1,682 regular hours. So basically that equates to for the calendar year 2018, every single day, 365 days, including weekends and holidays. It's absolutely insane, right, that they have done this. And again, it's different motivations. Just yesterday, I was actually looking at some state data
00:10:41 Colin May
And I was looking at an individual who made $77,000 more than the top commissioner of that agency. So think about, like, you're making almost $75,000 more in overtime than the top head of the agency.
00:11:01 Jami Shine
That's mind-blowing.
00:11:02 Colin May
It really is. It's crazy.
00:11:05 Jami Shine
I'm curious, did the internal auditors detect the fraud in this situation, or did somebody else identify it?
00:11:13 Colin May
It's not clear in these cases kind of how this originated. But here's the thing. Internal audit is really well positioned to be able to detect these types of things. Now, in an ideal world, we are
00:11:30 Colin May
kind of on top of it, right? We're monitoring this. We know it's a risk area. And internal auditors have a great leadership role in identifying, hey, we see some trends in this area. We need to figure this out. And communicating that to leadership. That's a great opportunity. If we're not doing that, then we have a great opportunity to focus on that. And again, everything is different. Every case, every organization,
00:12:00 Colin May
and auditors really need to pay attention to that context. I always, I think, so is there a written policy or directive or some form of guidance for this over time, whether it's requesting it, whether it's approving it, then is the policy consistently followed? Is it actually working the way it's written or intended to be done? We all know that there are deviations and issues that come up.
00:12:29 Colin May
that need to be addressed, how are those addressed, right? Are they handled appropriately? Are they justified? Is it a fair system? One of the challenges I can see is, you know, like, let's say, for example, that you have an issue, and I'll give you an example from a real case. So California Highway Patrol officer was basically indicted for exaggerating their time, their overtime, and basically
00:12:59 Colin May
was dismissed because what the argument was that, well, this is kind of the way things are done, right? This is essentially A long-standing practice that became de facto policy. There's your issue, right? As soon as you don't have a written directive policy or guidance and it's not followed consistently,
00:13:20 Colin May
You're kind of toast, right? So, from an internal audit perspective, not only are we looking at the financial ramifications of that potential overtime, now we have an opportunity to address the culture and this other issue, the performance piece that is...
00:13:38 Colin May
really critical, right? So they go hand in hand.
00:13:40 Jami Shine
kind of a cultural root cause, it sounds like.
00:13:43 Colin May
Absolutely.
00:13:44 Jami Shine
As you were speaking, I was thinking to myself about all the things that had to go wrong for these frauds to be committed, right? Because first of all,
00:13:52 Jami Shine
how was management not reviewing the time cards? How did management not see these time cards and say, wow, this looks like a crazy amount of hours, but then is management not looking at some kind of dashboard? Is management not running data analytics themselves to monitor? And then somehow it must have potentially theoretically gotten through internal audit as well. And so to me, it seems like it went through multiple levels unchecked. So I'm curious, what types of monitoring or dashboards do you think that management should
00:14:22 Jami Shine
be looking at as well as internal audit.
00:14:25 Colin May
Yeah, and I think that's a great point. And here's one of the challenges that I think we really need to look at and examine, because let's be clear, like most overtime is approved by your first line supervisor. When you have an existing team, let's say that has been in place for quite a long time, and let's say that you promote from within that team,
00:14:49 Colin May
that cohesion still exists, right? It's not like suddenly the new supervisor's like not friends with you, the team anymore. Although that could happen, and I have seen that in some cases where then there's some hurt feelings about not, maybe not getting selected. But the concern that I have is, so, you know, hey, I'm getting promoted, you know, maybe you didn't,
00:15:14 Colin May
we're friends, I'm going to take care of you, right? Like that's the implicit message. And so maybe, every two weeks I throw you an extra hour in overtime. Well, then, maybe let's say you have a child who's getting married or you're going on a vacation, you know, you're planning a vacation. Okay, well, now I can do a little bit more. And then it just kind of compounds.
00:15:38 Colin May
So whether it's kind of implicit, whether it's formal or not, or there's a kickback situation, the potential for supervisors to really exploit this is really challenging. And so, I think that one of our issues is, what kind of education are we giving our supervisors?
00:15:58 Colin May
To your point, how are we monitoring this both in the aggregate, but also in terms of the drill down? And this is, again, where internal audit really can come in and hit the ground running. If you guys do, whoever's listening today, if you do nothing else,
00:16:14 Colin May
Just do an experiment. Run the numbers. Just see. It could be really illuminating. So think about like, what's your overtime expense by your department? Where's the department that has the most overtime expense? Is it what you expect? I mean, we think about, I was looking at things like, okay, what goes into overtime? Well, shift work. So where is your shift work? So those are places that you would expect overtime. But where are the places that are doing overtime that you don't expect?
00:16:42 Colin May
Right? Where are the office workers that are doing supposedly overtime? A, are they even eligible for it under the law? But then B, what is the explanation?
00:16:53 Colin May
Again, going back, what is that process? What is the policy? How is it being followed? Again, our favorite word in audit, documentation, right? Are you keeping good documentation? Here's the thing. We have to have a baseline, right? We have to know where is the shift work? Who's working weekends? Who's working holidays? What are the expectations? Where are there independent workers, you know, people who are working with little or no supervision?
00:17:21 Colin May
Just last night, I was actually talking to my neighbor about being on this podcast. His family, they run a commercial cleaning service, right? A commercial cleaning business. Well, they have people that work all over. You know, they have like 200 some odd sites across three different states. And so, you know, there's no way that
00:17:43 Colin May
They're not tied to a computer. They're not tied to a desk. They're all over in the building. So, you know, that creates some challenges. But he said to me, he's like, he said, you know, I need somebody who will show up and somebody that I can trust. And we all know trust is not an internal control, but we have to be able to know kind of
00:18:05 Colin May
where those risk areas are. and I think about what are the different industries or what are the different types of sectors that are more likely to have these. Healthcare, manufacturing, transportation, retail, public safety, some of the trades. Anybody that's on call, anybody that's, you know, kind of an emergency or, you know, urgent response.
00:18:28 Jami Shine
That makes sense. That's a great point.
00:18:30 Colin May
Those create higher risk. It goes back to
00:18:35 Colin May
that process piece. And if we preach nothing else as internal auditors, right, we preach process.
00:18:43 Jami Shine
Absolutely. Like even as you were talking about all of these different checks that internal audit should be doing, I keep thinking in my mind, should management also be doing these checks? Shouldn't management have dashboards? Shouldn't they be looking at data? And of course, I think that's going to differ based on industry, based on the size of the organization. But I was thinking about just some of the controls that a lot of
00:19:05 Jami Shine
my clients have had in place that would theoretically, hopefully, knock on all the wood, detect fraud in a more timely manner or prevent it to begin with. Even just controls that can be built into payroll systems.
00:19:17 Jami Shine
And that's something I wanted to ask you about. I'm wondering how really just the landscape of what overtime fraud looks like is changing based on technology. Like as an example, at my organization, there's a lot of controls and a lot of checks that are built into our payroll system where, for example, if somebody's hours fit outside of certain parameters, it would flag the supervisor and say, hey, are you sure about this? Are you sure you want to approve this and override it? Because this looks kind of fishy. Are we sure they didn't take a lunch break? Or would they really have worked 2 shifts back?
00:19:47 Jami Shine
And I don't know exactly what they are, but there's a lot of things like that built in. I'm curious, as we become more automated and as we just have more technology in place, how are you seeing the landscape changing?
00:20:00 Colin May
Yeah, I think that's a great point. So there are two pieces to this, right? So the one is the technology that, like you said, can really streamline, it can automate, it can, we can build in rules and flags and things to really, you know, just make sure that we're
00:20:17 Colin May
we're actually getting the right information that we need to. The second piece is the people piece. Are we collaborating with our payroll and HR functions, right? Have we talked to them about this? What is their take on it, right? What do they see?
00:20:35 Colin May
What do they have that they don't use or what do they use, but would be really nice for us to sit down on a, even a quarterly basis, right? And just say, hey, let's run some numbers, kind of see where we're at. It's not a huge deal, but we want to just kind of, again, create that baseline, that expectation, you know, that we're kind of monitoring this.
00:21:01 Colin May
It all comes down to communication, right? Everything we do is communication. Absolutely. And so, again, what are the expectations? Internally within our team, as internal auditors, internally within our other components, including leadership, are the policies clear? Are they effective? How do we make sure that those conversations are happening on a regular basis? Because if they're not, they need to be.
00:21:30 Colin May
There's diminished potential value. If we come in as audit and say, you're doing this wrong, without having created the foundation for that communication, for that collaboration to say, hey, payroll, when you start to see a pattern of weirdness, like who are you calling?
00:21:51 Colin May
right? Or are you keeping that to yourselves? Because we can work together on that, right? That's good for us. That's good intelligence for us to know. But it's also a great opportunity for us to build in those. We can help consult with you and build in those controls on the front end. Because once we uncover an issue and once we figure out that it's a problem,
00:22:14 Colin May
Is the horse out of the barn?
00:22:16 Jami Shine
Yep, absolutely.
00:22:19 Colin May
Are we too little too late? So we really, I just, I think it from a fundamental perspective is communication. We bring certain skill sets that other people may not have or may not be able to understand. We can ask the questions.
00:22:37 Colin May
We can present the scenarios like in the article and show the cases and say, Hey, this happened at XYZ company or this agency. This is what happened. Could this be happening here? I mean, we have a duty because we're also concerned from an external risk management perspective about things like reputation. If any of these organizations that I've named or
00:23:06 Colin May
we've talked about with cases like that takes a hit, right? It may not be a big hit, it may not, it may not be, catastrophic, it may not sink the agency, but these are careers, right? These are people's livelihoods in some respect. I'm looking at a 2024 Nebraska auditor of public accounts report on an individual, right, as a village clerk,
00:23:30 Colin May
was there for two years. And the amount of questionable overtime this person had, it was in the range of, say, 18,000. Well, that's not a lot of money if you just think about it. But I bet for that village it is.
00:23:45 Jami Shine
Absolutely. And when you think about that money that it's coming from taxpayers.
00:23:50 Colin May
Exactly.
00:23:51 Jami Shine
And that erodes trust in public servants.
00:23:54 Colin May
Yes. And again, the same can be said for private, right, for private companies.
00:23:59 Colin May
Trust is an essential commodity in the marketplace. Goodwill is actually a real thing, even though it's pretend on the balance sheet.
00:24:10 Jami Shine
Well, I think you've shared some great insights about the importance of partnering with management, the importance of partnering with your HR and payroll functions as well, building those collaborative relationships. And something that you mentioned that I think is so key that I kind of wanted to ask you more about is
00:24:26 Jami Shine
being involved in the initial consulting on control design. Because as auditors, of course, every time we perform an assurance engagement, we're usually evaluating control design and then operating effectiveness. But to your point, if the controls have already been put in place and they're weak and they're not designed effectively, it's not my favorite thing to tell them that after they've been performing these expensive controls for years, right? So it's obviously better if they're putting well-designed controls in place on the front end.
00:24:55 Jami Shine
So I would love to know from your experience, what are a few controls you would expect to see in place that would help prevent or detect overtime fraud specifically?
00:25:05 Colin May
Okay, so the controls that I would be really interested in is what is the policy, what are the forms or the documentation that is required?
00:25:16 Colin May
So there's this really neat piece called a behavioral insights, or sometimes called behavioral economics. So basically, these really smart people won Nobel prizes and stuff by basically looking at how do we make, how we as humans make choices. And so, you know, there's a field of study that is really examining how
00:25:39 Colin May
we can leverage that decision-making process in ways that protect integrity and minimize friction and things. A book called Nudge, if you have a phone, you see the pop-ups and the alerts, all of that stuff is kind of baked into these because that's just how our minds operate. And so if we can build in controls that utilize more of those behavioral insights,
00:26:07 Colin May
then I think that that's a really good way to do it. So one just example off the top is like if you have an automated timesheet, it could be really useful to put the warning on the front end instead of just the back end. So you could have a pop-up that says with your timesheet, I agree that the information I'm about to enter into this timesheet
00:26:34 Colin May
I was actually working, I have not added or subtracted hours or anything like that. basically some nice way of saying, I'm not lying, right, about what I'm doing. It forces us in our mind to think, oh yeah, you know, I really, if I was tempted to kind of fudge some numbers, that I wouldn't. And then on the back end, you know, there's a certification that says, you know, everything I submitted is true and correct and accurate.
00:27:04 Colin May
I know that it's subject to verification and I consent to, that, blah, blah, blah. So it's hitting you on both ends. And again, the more you do that, the more people get into that mindset of, oh, well, they really are looking.
00:27:20 Colin May
Now, one control that I think we do need to talk about, and it's a double-edged sword, is some of the technology. And I think, we really need to be careful and really think about the ethical implications of things like digital surveillance, RFID, and just all of these new technologies that are coming about. It's a legal and an ethical issue that organizations
00:27:47 Colin May
really need to kind of understand before they roll out. And again, it's the, yes, we need to trust but verify, but we also live in a free society. And so there's these competing values that just need to be, we just need to be cognizant of, and we need to address them, like you said, from the front end so that they don't become a liability on the back end.
00:28:13 Jami Shine
That's a great point. Absolutely. I hear so many auditors say that they record every conversation they have with their clients now. I hear a lot of things like that, a lot of organizations using the video surveillance. And my response when people say it is always, first of all, have you checked with legal? Second of all, do the employees know? Do they know they're being recorded? Are you disclosing it? But what are your thoughts on that? And what control should we be looking for as auditors?
00:28:39 Colin May
Let's give a shout out to our legal counsel, especially in some of these technology issues. We really need to make sure that we're hand in glove with legal, especially for large organizations that operate in multiple states or multiple locations. There's just a myriad of different legal issues that need to be identified and navigated through. So definitely,
00:29:03 Colin May
shout out to them and thanks for all their hard work and the research. And just because the technology is there doesn't mean that it's necessarily good or effective. I think the key controls that we really need to think about are, what are the opportunities for people to do this? How can that happen? And then a lot of it's just education, right? Again, are we talking to our management about making sure that these issues are addressed?
00:29:33 Jami Shine
I love that you tied in technology and even just how this threat landscape is changing because of technology. Now, do you think that there's actually going to be maybe opportunities to have better controls in place because of things like technology, artificial intelligence, even surveillance that can automatically detect if someone is where they say they are and then correlate that to their timesheet? Is that an opportunity or is it a risk or is it both?
00:30:00 Colin May
I think it's both, right? And I think it's an opportunity if it's done well and the risk is mitigated. Like you said, I mean, do employees understand that this is happening, right? Hey, we're rolling out this new software and it will do X, Y, and Z. You know, if they don't know, that's a, that could be a huge liability. Absolutely. But if they, if they know, right, if they have informed consent and
00:30:30 Colin May
all of a sudden, like they're still doing their old thing, then that's a problem, right? And that's going to create major issues for them personally. So I do think that, again, it's how, what is the plan for the tech? How is it being used? How are we as audit brought in to think about this issue? And then how are people using it, right? How are even auditing, you know, the use of it,
00:30:59 Colin May
right? who's actually using the dashboard, like the payroll dashboard, the overtime dashboard? Well, if Unit A and Unit B both have access to it, and Unit A is using it, but Unit B isn't, isn't that an opportunity to talk to Unit B and say,
00:31:18 Colin May
We noticed you're not using it. Tell us what you think. Like, is it not helpful? Is it not easy? Do you need the link again? It could be as simple as that. They just don't, you know, they don't really know.
00:31:30 Jami Shine
Well, I've so enjoyed talking to you. I feel like we could have this conversation all day, but I do want to ask you just one more question before we say goodbye to everyone. If the people who listen to your podcast, if they could remember just one thing from it, what would it be?
00:31:46 Colin May
My takeaway is this.
00:31:48 Colin May
Do an experiment, look at your own data. If you don't have access to the data for whatever reason, write it up as a proposed audit program, right? Just A one-page memo. Doesn't have to be super, super detailed, but explain why you think this is important and present it and just see where it goes and start having those conversations.
00:32:14 Colin May
Build those partnerships and look at that process, because ultimately that's it's people, process, and partnerships.
00:32:25 Jami Shine
People, process, partnerships. I love it. Well, everyone, if you remember nothing else, I hope you remember people, process, and partnerships today. And we hope you got some great takeaways for how you can, first of all, help management implement strong controls, maybe provide some advice, or evaluate the controls that are in place to prevent and detect overtime fraud. And again, thank you so much, Colin. I just really enjoyed listening to you, hearing your stories, all the insights that you shared. Thanks, everyone, for tuning in. We look forward to seeing you next time.
00:32:55 Colin May
Thanks, Jamie.
00:32:58 The IIA
Ready to lead with confidence? Join the IIA's 2025 RISE Virtual Conference on December 5th, all online. Earn up to 7.2 CPEs while diving into resilience, innovation, strategy, and ethics with today's top audit leaders. Save your spot now at theiia.org.
00:33:20 The IIA
If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at the iia.org. That's T-H-E-I-I-A dot O-R-G.
