Who is Responsible for Vendor Fraud?


Emma Zhang, CFE, CPA

When I was working as an internal auditor at an oil and gas company (the Company) in California, one of my colleagues and I conducted a routine vendor audit. The vendor provided services to one of the oil rigs of the Company and the Company had used the vendor for two years. Basically, the audit was to ensure that the vendor performed jobs as contracted.

In this audit, I was responsible for the vendor payment review. The vendor assigned 35 employees to perform jobs at the rig during the two-year period. Five employees covered 24-hour shifts daily. The working-hour review and billing process was that the employees submitted their timesheets to their supervisor for review and authorization. Then, the supervisor submitted the timesheets to the project manager for review and approval. The project manager was the Company’s employee and oversaw the vendor services and the project progress. The vendor presented the invoice each month to the project manager for review and approval before billing the Company. The project manager should ensure that the invoice was correct and accurate before approving it.

I requested all approved timesheets and pulled all vendor invoices from the Company’s accounting system to ensure that they were properly authorized. No exception was noted. Then, I created a spreadsheet to include the 35 employees’ names and their working dates and hours. Once the spreadsheet was built and all data were input, I found some employees’ working hours were suspect. For example, some employees were consistently working 15 hours a day; or some employees worked a night shift and continued to work another 8-hour shift on the following day; or some employees never took any days off and worked on holidays.

To confirm whether the timesheets were fraudulent, I requested all payrolls of the two years. The vendor denied my request, claiming that the payrolls included confidential information and it would not be secure to send them. I then requested an on-site review of payrolls. The vendor found excuses to reject the visit but eventually agreed to a two-day visit. Soon my colleague and I flew to California to visit the vendor’s office. Unsurprisingly, we experienced a cold welcome and we were seated just outside the restroom. No one in the vendor office hid their unpleasant feeling towards us. In the two days, my colleague and I input payroll information into the spreadsheet and then compared the payroll hours with the working hours from the timesheets. Through the comparison, we found that the working hours on the timesheets did not match the paid hours on payrolls. We even noted that two employees were not on the payroll. This was a fraud scheme to alter employee timesheets and create ghost employees to obtain payments. Consequently, the fraud cost the Company around $250,000 in overpayments.

So, you may be wondering, “Who is responsible for the fraud?” After coming back from California, I completed a report that was distributed to my manager and the California office management. Soon, my manager and I had a phone meeting with the CFO and his team, including the project manager in the California office, to discuss the fraud. During the meeting, the CFO and his team were laughing about the fraud and took this as a joke until we mentioned the ownership of the fraud. Who should be responsible for this fraud and loss? Quickly, we felt the intense silence from the other side of the phone.

The project manager could hardly absolve himself of the blame. The CFO and the accounting team in the California office, as the payment gatekeeper, held responsibility as well. Two weeks later, we had another meeting with the CFO and his team. This time, we had a serious discussion about responsibilities and actions to recover the loss. Several months later, the Company requested the full amount of the overpayment from the vendor and stopped working with the vendor when the contract expired. The project manager was demoted to a project supervisor. Also, the corporate management made a decision to let the internal audit department review the billing process and vendor bidding process across the organization to determine if any gaps or poor controls existed and required improvement or redesign.

Emma Zhang is an experienced audit professional at Carrtegra, with more than seven years of internal audit and Sarbanes-Oxley (SOX) compliance experience focusing on operations, accounting, internal controls and process improvement.

Fraud Examiner: 'Interviewing is Not a Simple Yes or No Answer'


Kenneth Springer, CFE, Founder and President
Corporate Resolutions Inc. 

Author Kenneth Springer, CFE, is the founder and president of Corporate Resolutions Inc., a specialized firm that gathers intelligence and offers a variety of investigative services that help its clients make informed business decisions. When conducting an investigation, “use your investigative skills to follow the evidence,” Springer said. “Interviewing is not a simple yes or no conversation; there are skills required to make sure the person feels comfortable in order to elicit the most honest and complete information.”

How did you become passionate about fighting fraud? 
While in college, I spoke with a family friend who was in the FBI. I became very interested and pursued it.

What steps led you from the FBI to starting your own company?
Although I enjoyed the FBI and the people I worked with, I had an opportunity to leave and get involved in managing a small investigations firm that conducted background checks and investigations for private firms. Four years later, I was running the company and decided I wanted to start my own business. I put together a business plan, got a Small Business Administration (SBA) loan and started Corporate Resolutions Inc. in August 1991.

What is one of the biggest lessons you have learned since becoming a CFE?
When investigating a fraud, you cannot necessarily rely on all of the facts as initially presented by the client since they may have their own agenda. You need to be open-minded and not have a preconceived notion as to how the fraud may have happened and by whom. Use your investigative skills to follow the evidence.

I know this because a long time ago a client led me to believe that a certain employee had committed the fraud we were investigating. It turned out that the client was actually responsible. The client was eventually arrested by the FBI.

What is a memorable case or project that you have worked on — one that made you feel especially proud?
In one instance, investors backed a company that sold hardware (desktops) and during a surprise audit, found $5 million missing. After two months of having forensic accountants try to figure out the fraud, we were brought in to conduct interviews and gather facts. We quickly learned that while the auditors were there, the CFO abruptly resigned and left town (in our business we call that a clue).

We immediately began fact gathering on the previous CFO and learned he had formed a similar-sounding entity within the company, yet the CEO was unaware of it or why it was formed. He also changed company procedure so that he was the one who opened all of the company mail.

To perpetrate his scheme, he would buy 100 computers, pay for them and then return 50. When the computer company sent a refund check, he was able to take the check and deposit it into the account he had fraudulently formed — which was located at the same branch where the company did their banking. Thus, it did not raise any red flags within the company. The FBI is still looking for him.

While putting together the fidelity bond claim for the insurance company, we did a background check on the previous CFO. He was not a CPA as he had claimed and the three references he provided did not check out.

What activities or hobbies do you like to do outside of work?
Spending time with family and golfing.
