
Aire: once again, travel and expense report audits foil a fraudster. This time, spelling and repetition are the perpetrator's downfall.
J. Mike Jacka
An auditor performing an audit of travel and expense reports noticed that the word airport was misspelled on a receipt attached to one of the expense reports. Thinking that this was odd for an automatically generated receipt, the auditor contacted the vendor to get a copy of a blank receipt. Although the blank copy was similar in appearance to the one attached to the expense report, there were several differences. Most notably, airport was spelled correctly on the blank receipt. Consequently, a formal investigation was launched and the employee who turned in the expense report admitted to forging the receipt and was fired.
Unfortunately, the employee convinced the company to rehire him. Several years passed and another audit of travel and expense reports was conducted. The auditor downloaded all receipt information and sorted it by mileage reported to identify large requests for mileage reimbursement.
The auditor found one employee had many different amounts listed for mileage from his home to the airport--in some instances the distance was as much as 50 miles. Of course, the employee was the same one who couldn't spell airport. Using an online mapping service and information obtained from the employee's personnel file, the auditor determined the distances claimed were up to triple the actual distance from the employee's home to the airport. Because the employee traveled extensively, the amount of excess reimbursement was several thousand dollars.
A formal investigation was launched, and the employee admitted he had inflated his mileage to compensate himself for the amount of time he spent in traffic. He told the investigator that if he were caught in traffic, he would add a mile to the reimbursement for every minute he was delayed. The employee told the investigator that he would willingly reimburse the company if there were something wrong with this practice. Unfortunately for the employee, the company did not endorse the mile-a-minute program and the employee was re-fired.
AK-SAR-BEN CHAPTER
INACTIVE + GENERIC = ACCESS
By reviewing the identification (ID) storage system and verifying "inactive" IDs, the auditors could test controls over transferred and terminated employees' computer user IDs. However, because the environment being reviewed involved a computer system with at least three systems communicating back and forth, the auditors began to question if "inactive" meant the user IDs were truly denied access.
Prior audits of the same department showed that the information technology (IT) department issued a generic or default password with each new user ID. In addition, there were no mechanical controls requiring the employee to immediately change the generic password to a unique one. Armed with that information, the auditors decided to conduct an additional test to ensure that the different systems were communicating with each other and revoking access to the back-end financial systems when user IDs were deactivated in the front-end system. The auditors attempted to log on with known terminated user IDs, using the default passwords issued by IT.
To no one's great surprise, a portion of the "terminated" user IDs allowed access to the financial system when the generic passwords were used. Although the system vendor had assured the company that its programming recognized deactivated user IDs from the front-end system, the financial system was ultimately accessed through otherwise "inactive" IDs.
This was an important finding for the auditors because it helped remind them of the various ways they could add value to the company. Testing an area that the vendors had assured was working as intended--but apparently was never tested for verification--helped ensure the overall security of a high-risk computer system.
KANSAS CITY CHAPTER
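The same control can be checked from account exports, without attempting any logons. The following is an added example, not part of the original article: the CSV column names and sample rows are constructed assumptions, and it goes slightly beyond the story by also flagging enabled back-end accounts that have no front-end record.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not a real product's schema.
FRONT_END_CSV = """user_id,status,deactivated_on
jdoe,inactive,2004-03-01
asmith,active,
BLEE,inactive,2004-06-15
mkhan,inactive,2004-09-30
"""

BACK_END_CSV = """user_id,enabled,created_on,password_last_changed
JDOE,Y,2001-05-10,2001-05-10
asmith,Y,2002-01-07,2004-11-02
blee,N,2003-02-20,2003-02-20
mkhan ,Y,2003-08-12,2004-01-05
svc_old,Y,1999-04-01,1999-04-01
"""

def _rows(text):
    # Normalise IDs: the two systems may differ in case and padding.
    return {r["user_id"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(front_csv, back_csv):
    """Return (user_id, reason, password_never_changed) for risky back-end accounts."""
    front, back = _rows(front_csv), _rows(back_csv)
    findings = []
    for uid, acct in sorted(back.items()):
        if acct["enabled"].strip().upper() != "Y":
            continue  # back-end access already revoked
        # Password unchanged since creation: likely still the issued default.
        default_pw = acct["password_last_changed"] == acct["created_on"]
        fe = front.get(uid)
        if fe is None:
            findings.append((uid, "no front-end record", default_pw))
        elif fe["status"].strip().lower() == "inactive":
            findings.append((uid, "inactive in front end, enabled in back end", default_pw))
    return findings

if __name__ == "__main__":
    for uid, reason, default_pw in reconcile(FRONT_END_CSV, BACK_END_CSV):
        risk = "HIGH (password never changed)" if default_pw else "MEDIUM"
        print(f"{uid:8} {reason:45} {risk}")
```

Accounts reported with an unchanged password correspond to the condition the auditors found: a deactivated ID that the back-end system still accepts with its issued default.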
WHEN A DOLLAR IS NOT A DOLLAR
One of the services provided by a manufacturing company was a team of individuals to assist its customers in the installation of the company's products. Because products were sold internationally, these individuals were required to travel extensively. Unfortunately, the company paid a flat per diem rate, even if the employee traveled to a high-cost area.
During a routine audit, the auditor noticed an expense report with several charges made in Canada. Hotel and meal charges were expected; however, there were also charges for airline tickets and rental cars, which were normally purchased prior to departure. The attached credit card statement clearly showed a conversion rate was applied and the employee was actually charged less than the amount on the receipt. The auditor further verified that the employee was charged in Canadian dollars by calling some of the establishments listed on the receipts.
Based on this information, the auditor pulled the individual's expense reports for the year and noticed that any time the individual traveled to Canada, he charged almost all of his expenses in Canada. This information was brought to the attention of senior management. Surprisingly, senior management told the auditor that they were aware of the practice and did nothing about it because the employee was not receiving adequate per diem when he traveled to high-cost areas. The response to a recommendation to change the per diem policy was that it would be too difficult to implement and the company was actually benefiting from the practice. The tax implications of this practice were discussed and dismissed as being immaterial. The auditor eventually left the company to work elsewhere.
At the new company, the auditor was once again involved in an audit of travel and expense reports. The company had automated its expense reporting system so that information was filled out online, stored electronically, and retrievable using various report formats. The auditor downloaded all of the expense report information for the year and, based on his previous experience, sorted out travel to foreign countries. The auditor then identified those reports in which travel to Canada was reimbursed.
A close review of those reports revealed that an employee had made charges in Canadian dollars and requested reimbursement in U.S. dollars. Further investigation could not demonstrate that the employee did this fraudulently; however, the employee was required to reimburse the company for the difference. Additionally, foreign travel was included as a criterion in a system developed to flag expense reports for further investigation.
Technology helped the auditor quickly weed through all of the expense reports and identify those with foreign travel entries. Although the amount recovered was less than US $250, word quickly spread throughout the company that travel and expense reports were being closely scrutinized, and during the next audit there were far fewer findings.
In one company, the lax attitude regarding expenses bred an atmosphere where fraud began to take root. In the other company, there was a reinforced understanding that, even for an amount as "immaterial" as US $250, the company cared about the ethical practices of its employees.
AK-SAR-BEN CHAPTER
THE PAIN OF GROWTH
Although the company had grown over the last few years, most of management's practices and policies were the same as those in place when the company was small. In particular, a lot of the staff in the Purchasing Department were not trained or experienced in their jobs.
During a purchasing audit, the auditors concluded that quotation requirements were not being complied with because most miscellaneous-item purchases were made using only one quote. Employees in the Purchasing Department responded that the user departments were unable to provide adequate details of the purchase, so it was difficult for them to provide enough specifications for vendor quotations. In addition, the user departments usually suggested vendors for the Purchasing Department to contact to shorten the vendor search time.
Though the proportion of miscellaneous-items purchases was insignificant compared to the direct-materials purchases, the audit manager decided to dig deeper to get a better picture of the purchase patterns. The purchase data for four major vendors was compiled and analyzed, and, not surprisingly, some of the items were purchased frequently and in large quantities. What was surprising was that the purchase requisition forms estimated the unit cost for one item at 20 cents, but the purchase price was actually US $1.
Company policy stated that the Purchasing Department would approve purchase requisitions if the total purchase amount was within the department's budget. However, there was no requirement to notify the end user if the purchase price was different than the estimated price.
The issue was brought up with the purchasing director. Because there was no evidence of fraud, the director requested damage recovery from the vendor, the quotation policy was revised, and training was given to all buyers regarding their role--including their role in risk management.
HONG KONG CHAPTER
OF MICE AND MONEY
The company had contracted out computer software and hardware maintenance for several years. Numerous contracts totaling hundreds of millions of dollars had been initiated and monitored by the responsible contracting officer.
The audit plan included an audit of contracted software and hardware maintenance. A review of a sample of invoices revealed a US $390 charge for the replacement of a computer mouse. The contracting officer, who had signed the invoice for payment, explained that hardware maintenance could involve many hours of travel for remote offices or just minutes for headquarters. As a result, he said, a standard cost was used and that--on average--the organization benefited from this arrangement. However, reviews of the contractor records led the auditors to ask more questions about internal monitoring and control of the maintenance contracts. One test they performed involved the calculation of labor and material costs for each work order. A number of work orders for hardware maintenance had labor costs without materials. Another group had significant material costs and no labor costs. The audit entered a different phase--a preliminary investigation into possible wrongdoing.
The auditors reviewed the contracts for software and hardware maintenance and noted that the prime contractor, from whom they received all invoices, was a reputable firm. However, they noted many contracts where subcontractors and sub-subcontractors were involved. The detailed review of the invoices approved by the hardware and software maintenance contracting officer showed numerous discrepancies, including the payment of invoices without evidence of goods or services having been received and higher-than-expected charges for standard pieces of hardware.
Working through a complex billing scheme, the auditors discovered the contracting officer had established a company through which millions of dollars in software and hardware maintenance contracts were being funneled. This company would subcontract with other companies who performed the necessary services. The subcontractors added their own markup when they billed for the work performed and sent their invoices to the prime contractor, who sent an invoice to the contracting officer. In some cases, there were three and four levels of markup, with final charges often exceeding 100 percent of the original cost of the work.
The audit also found that the contracting officer, through a company he had created, was submitting invoices for work that was never performed and billing for equipment used for contracts with other companies. These fake invoices were duly processed by a subcontractor and sent to the prime contractor, each adding their own markup without questioning if the work had been performed. The prime contractor then sent them to the contracting officer for certification and payment. The subsequent forensic audit and criminal proceedings determined that the organization had been overcharged at least US $145 million over the last 10 years. During that time, the contracting officer had taken numerous holiday trips and purchased several houses and vintage cars.
After the results were analyzed and criminal prosecution initiated, the auditors reviewed the control weaknesses and the red flags that could be used to highlight high-risk contracts in other areas. A series of computer analysis techniques were used to select high-risk contracts for review by audit. The work on these contracts continues.
OTTAWA CHAPTER
Please send Roundtable submissions to:
J. MIKE JACKA, Farmers Insurance Group
18444 N. 25th Ave.
Phoenix, AZ 85023-1296 USA
Fax: +1-602-863-8588
E-mail: mike_jacka@farmersinsurance.com
EDITED BY J. MIKE JACKA
CONGRATULATIONS TO THE SAN ANTONIO CHAPTER for submitting the December 2004 winning "Roundtable" story. In "An Off-key Tone," an investigation into top management revealed that the chief executive officer, along with the vice president of strategic planning, had directed manipulations of both delinquencies and charge-offs.
Internal Auditor awards a gift certificate to the affiliate, chapter, or individual submitting the best "Roundtable" story in each issue. Individuals interested in claiming the certificate should contact their affiliate president. Each submission is worth five chapter achievement program (CAP) points and furthers The IIA's motto of "Progress Through Sharing."
COPYRIGHT 2005 Institute of Internal Auditors, Inc.