Who is Responsible for Vendor Fraud?


Emma Zhang, CFE, CPA

When I was working as an internal auditor at an oil and gas company (the Company) in California, one of my colleagues and I conducted a routine vendor audit. The vendor provided services to one of the oil rigs of the Company and the Company had used the vendor for two years. Basically, the audit was to ensure that the vendor performed jobs as contracted.

In this audit, I was responsible for the vendor payment review. The vendor assigned 35 employees to perform jobs at the rig during the two-year period. Five employees covered 24-hour shifts daily. The working-hour review and billing process was that the employees submitted their timesheets to their supervisor for review and authorization. Then, the supervisor submitted the timesheets to the project manager for review and approval. The project manager was the Company’s employee and oversaw the vendor services and the project progress. The vendor presented the invoice each month to the project manager for review and approval before billing the Company. The project manager should ensure that the invoice was correct and accurate before approving it.

I requested all approved timesheets and pulled all vendor invoices from the Company’s accounting system to ensure that they were properly authorized. No exception was noted. Then, I created a spreadsheet to include the 35 employees’ names and their working dates and hours. Once the spreadsheet was built and all data were input, I found some employees’ working hours were suspect. For example, some employees were consistently working 15 hours a day; or some employees worked a night shift and continued to work another 8-hour shift in the following day; or some employees never took any days off and worked on holidays.

To confirm whether the timesheets were fraudulent, I requested all payrolls of the two years. The vendor denied my request, claiming that the payrolls included confidential information and it would not be secure to send them. I then requested an on-site review of payrolls. The vendor found excuses to reject the visit but eventually agreed to a two-day visit. Soon my colleague and I flew to California to visit the vendor’s office. Unsurprisingly, we experienced a cold welcome and we were arranged to sit just outside of the restroom. No one in the vendor office hid their unpleasant feeling towards us. In the two days, my colleague and I input payroll information into the spreadsheet and then compared the payroll hours with the working hours from the timesheets. Through the comparison, we found that the working hours on the timesheets did not match the paid hours on payrolls. We even noted that two employees were not on the payroll. This was a fraud scheme to alter employee timesheets and create ghost employees to obtain payments. Consequently, the fraud cost the Company around $250,000 overpay.

So, you may be wondering, “Who is responsible for the fraud?” After coming back from California, I completed a report that was distributed to my manager and the California office management. Soon, my manager and I had a phone meeting with the CFO and his team, including the project manager in California office, to discuss the fraud. During the meeting, the CFO and his team were laughing about the fraud and took this as a joke until we mentioned the ownership of the fraud. Who should be responsible for this fraud and loss? Quickly, we felt the intense silence from the other side of the phone.

The project manager could hardly absolve himself of the blame. The CFO and the accounting team in the California office, as the payment gatekeeper, held responsibility as well. Two weeks later, we had another meeting with the CFO and his team. This time, we had a serious discussion about responsibilities and actions to recover the loss. Several months later, the Company requested the full amount of overpay from the vendor and stopped working with the vendor when the contract expired. The project manager was demoted to a project supervisor. Also, the corporate management made a decision to let the internal audit department review the billing process and vendor bidding process across the organization to determine if any gaps or poor controls existed and required improvement or redesign.

Emma Zhang is an experienced audit professional at Carrtegra, with more than seven years of internal audit and Sarbanes Oxley (SOX) compliance focusing on operations, accounting, internal controls and process improvement. 

What to Do When the Authorities Just Aren’t Interested


Mary Breslin, CFE, CIA
President, Empower Audit

Sometimes stopping a fraud and terminating an employee are all you can do. Even though those are two accomplishments in themselves, they can leave you wondering, “What do I do when the authorities are not interested in criminally prosecuting an internal fraud?”

One of the easiest fraud cases I ever worked was also one of the most frustrating. My team and I did solid work and had iron-clad evidence, but we couldn’t convince the local authorities to do anything with the information. Unfortunately, it was one of those scenarios where the executives really wanted to prosecute and make a clear example of the situation.

As the chief audit executive, I reported to the general counsel for my organization. It was a great arrangement in my opinion, and I enjoyed working for him. We were a large international organization with operations in many developing nations. My team was routinely involved in fraud investigations, often on multiple continents simultaneously. But this fraud — this fraud was close to home. Literally in the office next door. The general counsel’s paralegal had been committing expense reimbursement fraud for two years, and the general counsel took it personally. Wouldn’t you?

A perceptive accounts payable clerk noticed some issues with the paralegal’s expenses and informed us of the inconsistencies. After a little research and some data analytics, we quickly found tens of thousands of dollars in purchase card (pcard) and expense reimbursement fraud. She had two major schemes. First, she paid for things with her pcard and then listed the items for cash reimbursement on her personal expenses. She always had a receipt! The opportunity had presented itself to her when she realized the general counsel did not closely review her expenses. Second, she charged a considerable amount of personal items to her company pcard. I won’t get into details, but I do believe she had everything ever made by Victoria's Secret.

Understandably, the general counsel felt a lot of things —anger, frustration, betrayal and a little foolishness for trusting her and not reviewing her expenses in detail. As a result, he wanted her charged criminally. She was not getting special treatment — we wanted to follow our normal process to prosecute for internal fraud. However, while there was approximately $30,000 in fraud, the local authorities were not interested in prosecuting. Why? Like most things in life, it was mostly about timing. At that particular moment in time, the local authorities had bigger cases they were concerned with and did not believe they could spare the resources to deal with our fraudster.

The final outcomes of even successfully executed investigations can be very frustrating and less than satisfactory. So how can this be prevented? It is always a potential problem, but if you do the following you are less likely to run into this issue:

  • Make sure your case is ready to hand over to the authorities, including ensuring that you have solid evidence that was properly handled.
  • Use experts. Bring in external assistance if you do not have fraud investigation and examination experts in-house.
  •  If the authorities feel they are too busy, remember you have time. Understand what the statute of limitations is for the crime. Ask the authorities if it would be acceptable to check in periodically to see if their schedules allow your case to be addressed at a later time.
  • You can initiate a civil suit to recover losses.

Remember: Catching the fraudster and ending the fraud is a deterrent to other fraudsters, so do not allow yourself to get too frustrated. Stop fraud and carry on!

Auditor Earns CFE Credential While Stationed in Baghdad


Scott A. Cohen, CFE, CIA, CISA
Director of Internal Audit
NATO Airlift Management Agency
In 2004, Scott Cohen, CFE, CIA, CISA, Director of Internal Audit for NATO Airlift Management Agency, was three years away from retiring from the U.S. Navy when a friend suggested he begin to think about his post-retirement career. Like many professionals making a career transition, Cohen ruminated over his experience, his credentials and, more importantly, what it was going to take to for him to enter the job market as a competitive candidate. It didn't take him long to discover that ACFE resources and the CFE credential were the vital tools he needed to make a smooth transition. "It's a case of not really knowing what you're missing until you learn about it and then wondering how you ever did your job effectively without it," Cohen said.

What made you decide to become a Certified Fraud Examiner (CFE)?
I was having lunch with an IRS agent in Saddam Hussein''s former palace in Baghdad. The idea of being an accountant in law enforcement was intriguing. He explained that part of his job was to seize records and computers, and sometimes, people were not willing to part with them. I asked how I could get involved doing that sort of work, only to learn that at the age of 40, I was too old to apply for a federal law enforcement position. But he said that I could be trained as a forensic accountant or fraud investigator, and I would be the person to whom he would turn over the records for analysis.

I looked into several options and decided that while no one qualification would provide all the training I would need, the CFE credential would provide a solid basis for any further study. The approach is interdisciplinary, drawing on ideas from criminal justice and the law, sociology, accounting and economics. Fraud issues are never one dimensional, and understanding the fundamentals in different disciplines is important to understanding how a problem occurred or can occur and what can be done to detect or prevent fraud.

How did you prepare for the CFE Exam? Where were you in your career when you studied and passed the Exam?
I attended the ACFE Fraud Conference and sat through several lectures, not really knowing from the outset what being a CFE meant. Although I am sure that I missed a lot of details, I was excited by what I saw.

I ordered the CFE Exam Prep Course offered by the ACFE. It took about two and a half months to feel that I was ready to take the exam. At the time, I was stationed in Baghdad as the Chief of Logistics for the NATO Training Mission – Iraq. The program allowed me to study when I was able and I used the Fraud Examiners Manual as a reference when I needed something explained in more depth.

When I was ready to take the exam, I planned to take each part on successive Saturdays. While this seemed a bit drawn out, I figured this would give me the best chance at success. And it was a strategy recommended in the lecture at the ACFE Fraud Conference. I did the first part and felt good about how I'd done. Then the bombing started and mortars were falling close enough to the headquarters that it was not safe to go anywhere. So I did the second part. And the bombs were still falling. Before long, I'd completed all parts.

Read the full profile here.

Where were you in your career when you took the CFE Exam?

Worried? Who’s Worried? What Board Directors Need To Know


Sheila Keefe, CFE
Principal, BDR Advisors, LLC
Lake Geneva, WI

As reported in Monday's Chicago Tribune, the SEC charged three ex-directors who served on DHB Industries Inc.'s audit committee for being "willfully blind to numerous red flags" of fraud. Just last year, the SEC accepted a settlement that included a $50,000 fine and a restriction against serving as a director or officer for five years from an audit committee chairperson, stating that the director failed to adequately investigate allegations on inappropriate related-party transactions. The SEC has made it clear that it will hold directors accountable for fraud deterrence. So, what can board directors do?

  1. Leverage internal audit or hire a consultant. Be sure your advisors remain outside the reporting lines of CEOs and CFOs.
  2. Implement a fraud risk management program to proactively address emergent threats to your organization. Sadly, only half of organizations have formal board risk oversight of fraud deterrence (2010 COSO Report).
  3. Know the business. Look for complex transactions that are more form than substance.
  4. Support fraud deterrence by continuous monitoring, surprise audits, segregation of duties, hotlines and ethics training. 
  5. Address the Audit Report Expectation Gap. Revenue recognition, estimates, disclosures, related party transactions are areas most vulnerable to manipulation.
  6. Ensure auditor independence. Let your auditors know that you want the unvarnished truth.
  7. Watch out for management influence over financial reporting and their ability to override controls.

Fraud deterrence is a game of endurance. By following the steps listed above, directors will be well on their way to addressing their fiduciary responsibilities effectively and efficiently.

To read more about Sheila or to follow her blog, Business Done Right, go here.