We serve privately held and family businesses, angel and venture-backed companies, public companies, foundations, not-for-profit and public sector organizations, and high net worth individuals and their families.
We all read recounts of fraud schemes from time to time; some of them fairly short and others rather long and detailed. At our firm, we gather and share cases in the news on what we call “Fraud Friday.” The latest story shared on Fraud Friday is the source of this particular post. The thing that is typically missing from fraud tales is the point of view of the perpetrator. How did they do it? What was their motivation? Did they ever get nervous and think about stopping? Did anyone get close to catching them along the way? These human interest details are often missing from the facts of the case, and it’s left to our imaginations to fill in these blanks, including the big question of “how.” How did they pull it off?
Click on graphic for a larger image
This article featured in the Journal of Accountancy is a rare glimpse into a significant and fairly noteworthy fraud from 10 years ago. The perpetrator is given the opportunity to tell the story from his point of view. So, how did it really happen? There were warning signs that went unnoticed, breakdowns in process, and flaws in the system, and the article details the preventive tools that could have helped. Here are some highlights of the article and my commentary as well (note: if you haven’t read the article yet, the fraud was perpetrated through a check scam using a fake vendor):
The organization’s conversion to a new ERP system was a big trigger point in this story. Major changes to an organization, whether related to accounting and finance, operations, or any other aspect, need to be followed by an assessment of new risks created by the change. The risk assessment process undertaken by a company needs to be a living and breathing process. Change happens and you need to keep up with it
Bad execution beats great design every time. They had separated the duties of initiation and review of checks to be issued, but since passwords were shared (and apparently never required to be updated) the good design didn’t matter. It’s just like hanging the key to the file cabinet on a hook right next to the file cabinet. Is the file cabinet really locked?
Hindsight is a handy tool, but in this case you wonder why they didn’t revisit the authorized check amounts throughout this time. Authorized users to systems, permissions within those systems, and authorization thresholds like this need to be reviewed and re-approved on a needs basis.
The fraudster was clearly living beyond his means, and that was a big warning sign that went unnoticed. To go from a mountain of bills, a new baby, and financial struggles, to lavish trips, fancy cars, and luxury must have had outward signs in the workplace. Those kinds of signs merit some exploration. The steps that were ultimately performed by a coworker are the ones that should have been performed as these signs started to bubble up. There needs to be a balance of healthy skepticism and trust amongst your employees, but in this case he earned the skepticism.
The end of the article does a great job of pointing out several preventive and detective controls that would be valuable to nearly every organization. I encourage you to read through that section carefully and think of ways you can enhance your control program. The two that jump out at me are (1) the overall ERP controls and (2) data analytics.
ERP controls. I alluded to this earlier, but being very intentional with how you set up the permissions in your accounting and/or other computer systems is essential. Employees should have access only to systems that are necessary for them to fulfill their duties. As their duties change or as new people are brought on board, those permissions should be reviewed and updated.
Data analytics. A regular regimen of analytics on accounting data is a great tool! With larger organizations, it is nearly impossible to have robust controls around every transaction at the point of attack. That being the case, it is that much more important to conduct a rigorous review of the data after the fact. The article mentions this, but gathering statistical data on your top vendors is critical. If new vendors all of a sudden make their way into the Top 10 list, or have explosive growth as the fraudster’s fake company did, the finance executives should know about it and be able to verify that activity. Aside from that, reviewing round dollar checks (i.e., for even thousand dollar amounts) or reviewing vendors who receive more than one check a month and/or checks written on the weekends, can really help identify oddities like this.
The article shares a common refrain that I often use: “An Ounce of Prevention is Worth a Pound of Cure.” These words have been proven true over and over again. Spending the time to brainstorm about how your control and monitoring program can be enhanced will not only help you fight fraud, it will also very likely provide new and meaningful information to help you run your business. And that’s definitely worth your while.
This article or blog contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.