Who is Responsible for Vendor Fraud?


Emma Zhang, CFE, CPA

When I was working as an internal auditor at an oil and gas company (the Company) in California, one of my colleagues and I conducted a routine vendor audit. The vendor provided services to one of the oil rigs of the Company and the Company had used the vendor for two years. Basically, the audit was to ensure that the vendor performed jobs as contracted.

In this audit, I was responsible for the vendor payment review. The vendor assigned 35 employees to perform jobs at the rig during the two-year period. Five employees covered 24-hour shifts daily. The working-hour review and billing process was that the employees submitted their timesheets to their supervisor for review and authorization. Then, the supervisor submitted the timesheets to the project manager for review and approval. The project manager was the Company’s employee and oversaw the vendor services and the project progress. The vendor presented the invoice each month to the project manager for review and approval before billing the Company. The project manager should ensure that the invoice was correct and accurate before approving it.

I requested all approved timesheets and pulled all vendor invoices from the Company’s accounting system to ensure that they were properly authorized. No exception was noted. Then, I created a spreadsheet to include the 35 employees’ names and their working dates and hours. Once the spreadsheet was built and all data were input, I found some employees’ working hours were suspect. For example, some employees were consistently working 15 hours a day; or some employees worked a night shift and continued to work another 8-hour shift in the following day; or some employees never took any days off and worked on holidays.

To confirm whether the timesheets were fraudulent, I requested all payrolls of the two years. The vendor denied my request, claiming that the payrolls included confidential information and it would not be secure to send them. I then requested an on-site review of payrolls. The vendor found excuses to reject the visit but eventually agreed to a two-day visit. Soon my colleague and I flew to California to visit the vendor’s office. Unsurprisingly, we experienced a cold welcome and we were arranged to sit just outside of the restroom. No one in the vendor office hid their unpleasant feeling towards us. In the two days, my colleague and I input payroll information into the spreadsheet and then compared the payroll hours with the working hours from the timesheets. Through the comparison, we found that the working hours on the timesheets did not match the paid hours on payrolls. We even noted that two employees were not on the payroll. This was a fraud scheme to alter employee timesheets and create ghost employees to obtain payments. Consequently, the fraud cost the Company around $250,000 overpay.

So, you may be wondering, “Who is responsible for the fraud?” After coming back from California, I completed a report that was distributed to my manager and the California office management. Soon, my manager and I had a phone meeting with the CFO and his team, including the project manager in California office, to discuss the fraud. During the meeting, the CFO and his team were laughing about the fraud and took this as a joke until we mentioned the ownership of the fraud. Who should be responsible for this fraud and loss? Quickly, we felt the intense silence from the other side of the phone.

The project manager could hardly absolve himself of the blame. The CFO and the accounting team in the California office, as the payment gatekeeper, held responsibility as well. Two weeks later, we had another meeting with the CFO and his team. This time, we had a serious discussion about responsibilities and actions to recover the loss. Several months later, the Company requested the full amount of overpay from the vendor and stopped working with the vendor when the contract expired. The project manager was demoted to a project supervisor. Also, the corporate management made a decision to let the internal audit department review the billing process and vendor bidding process across the organization to determine if any gaps or poor controls existed and required improvement or redesign.

Emma Zhang is an experienced audit professional at Carrtegra, with more than seven years of internal audit and Sarbanes Oxley (SOX) compliance focusing on operations, accounting, internal controls and process improvement. 

How a Clerk’s $250,000 Fraud Went Unnoticed for 4 Years


Courtney Babin
ACFE Communications Coordinator

Between August 2010 and March 2014 an employee within the City of Ithaca’s Tompkins Consolidated Area Transit (TCAT) diverted cash out of TCAT accounts using a fraudulent check scheme. In total, the fraud cost the not-for-profit organization nearly $250,000 over a span of four years. The fraud kept growing in the years that it remained undetected: in 2010 they lost $1,600; in 2011, $43,000; in 2012, $69,000; and in 2013, a staggering $113,000.

In last month’s Fraud Talk podcast, John E. “Jack” Little, CFE, CPA, Senior Lecturer of Accounting at Cornell University, examines this fraudulent check scheme and discusses a three-part process that every anti-fraud program should implement.

The perpetrator was Pamela Johnson, an accounts assistant clerk, who managed the bills and the accounts payable system. According to The Ithaca Voice, she created a fictitious vendor, “JTD Enterprises,” which happened to reflect her husband’s company: Johnson Tool Design. Johnson then created fictitious invoices which she paid through the accounts payable system. She cut the checks, signed them with a signature stamp and then deposited them into a business account to which she had access.

The fraud was discovered March 2014, during the audit process of the 2013 year, by a staff accountant. The accountant asked Johnson to pull an invoice and when Johnson was uncooperative, the staff accountant went to the purchasing manager and asked them to look into the issue. “The purchasing manager, of course, had never heard of the vendor,” says Little. Ultimately, Johnson was interviewed, suspended and indicted for grand larceny in the second degree.

The fraud went unnoticed mostly because of the volume of TCAT’s $13 million budget. “When you have a $1,600 fraud amongst $13 million, it’s not apt to be discovered,” says Little. “Even in the next couple of years when it’s $40-$60,000, in the grand scheme, it’s perhaps not ‘material.’” By 2013, she had gotten a little bolder and was taking larger sums and more often. And at the same time the fraud became material, it was discovered.”

According to Little, it’s essential for all entities to have an anti-fraud program and it needs to be a 3-part process: deterrence, detection and response.

  • Deterrence: How companies set their top at the top. There need to be written policies that outline fraud prevention, internal controls and some sort of prevention program that is educational in nature. Organizations need to educate their board, management and staff.
  • Detection: Organizations need to know how to investigate fraud. Fraud can be prevented by simply having better controls. With detection, monitoring and auditing all of the procedures on how we deal with misconduct should be written down and summarized. There has to be a response policy implemented.
  • Response: What happens when an organization finds something? How do they investigate and report to when there is an alleged fraud. “It’s so important that these things get laid out and considered long before you have a problem,” says Little, “It shouldn’t be a reaction, it should be preventative in nature.”

Little’s advice to staff auditors is to be diligent in your work and follow through. Watch for unusual behaviors in your coworkers. Is there unusual behavior by coworkers at your organization that is going unnoticed; what about behavior that is evident? It’s easy to look the other way and press forward with the rest of your work but follow through with the rest of your items in question. But above all, says Little, “Be diligent.” 

Hear Little's full interview with the Fraud Talk at ACFE.com/podcast.

Are You Being Swindled and Don’t Even Know It? 


Misty Carter, CFE, CIA
ACFE Research Specialist

If you were to ask business owners how many times they thought one of their vendors ”got one over” on them, the majority would probably say something like, “I trust my vendors. They would never steal from me. I have used them for years and never had any problems.” In a perfect world, that might be true, but unfortunately, we live in the real world and that is just not realistic. I mean, let’s face it — even with the best controls in place, you cannot eliminate vendor fraud. Consider the vendor fraud that occurred against one of the nation’s largest consumer electronics companies, Best Buy. This company, duped by several vendors, lost close to $42 million with the help of a company employee. This employee colluded with several vendors to defraud the company by approving fraudulent online bids. The vendors would bid low and then charge high after being awarded the contract. In fact, over the course of three years, one vendor submitted bids for $24 million in parts, but ended up charging the company $66 million. In exchange for his help in this scheme, the company employee was treated to lavish vacations, given envelopes full of money weekly or bi-weekly, and was even extended a $300,000 “loan” to help his father start a business. Sounds like the good life, right? Well, maybe until you are caught. And yes, this scheme finally caught up with them. 

Many might ask how these vendors were able to steal so much money from this large, publicly traded company for so long before getting caught. According to the defendants (the vendors), it was the company’s fault. They blamed company executives for “turning a blind eye” and having weak internal controls. In other words, it was the company’s fault that they were defrauded. What do you think? Could this fraud have been detected earlier or even prevented if anti-fraud measures had been in place? Based on the outcome, it certainly appears that something was lacking. It’s too late to prevent this fraud, but fortunately for other business owners, the ACFE has a new self-study course to help management in its fraud prevention and detection efforts related to vendor fraud.

The new online self-study course, Auditing for Vendor Fraud, is a great “go-to” guide for anyone interested in learning about vendor fraud and how to conduct effective vendor audits. This course walks you through the process of preparing for and conducting vendor audits, both internally and externally. It offers guidance on what to include in right-to-audit clauses for vendor contracts and is designed to help you learn about various types of vendor fraud schemes and red flags to identify these schemes as you perform vendor audits. 

Read more about the new course at ACFE.com.

A Contract Bid that Just Didn’t Feel Right


Peter Parillo, CFE, CPA, Director of Internal Audit
Folsom, N.J.

Within the past 10 years, the word “fraud” has been used many times to describe the unfortunate actions of individuals and companies. Afterwards, a debate usually begins, and people ask questions such as, “How did this happen?” and “How didn’t anyone see this happening?” in disbelief and anger.

Most people are shocked to learn that more than 7 percent of fraud discovered is done so by accident. In my experience, everything seems obvious only after a fraud is discovered. Increasing one’s knowledge regarding the possibility that fraud may occur and identifying situations where fraud can happen is imperative to the success of any fraud examiner. Knowing this, I motivate all members of my team to become Certified Fraud Examiners (CFEs).

Maria, a member of the team, was reluctant to become a CFE, but was quickly intrigued by some of the topics presented at the ACFE Global Fraud Conference I attended in Las Vegas. Within a few days, Maria began studying for the CFE Exam, and within a few months the ACFE notified her that she had passed the Exam and should be proud to hold the title of CFE.

With this newly obtained knowledge, Maria began looking at audit projects a little differently. Her first project after earning her CFE was a construction project at a nearby facility. After identifying contract specifics, she noticed a vendor named All Right Construction. Maria started her work by asking how the facility chose All Right as a vendor. The response she received was not what she expected. No one she asked knew how the vendor was selected or who was responsible for monitoring the progress of the construction. Maria identified the person who signed the contract on behalf of the vendor, Tony Rizzo, and called him directly. After exchanging pleasantries, Maria asked Tony who told him to perform the work. Tony replied, “John from Facilities.”

The following day Maria met with John who introduced himself and stated, “Tony informed me that you have some questions regarding the construction work?” Maria, shocked that Tony called John, told him that she did and asked him how he typically selects vendors. Looking annoyed, John responded, “The company has a process that requires all proposals be received, and after all bids are received a determination is made regarding which vendor gets the job.” Maria understood the response she received, but felt that John was holding back information. Maria then asked John who was responsible for gathering the bids. John replied, “Well, I do.”

Maria immediately notified me of the issue and continued to investigate. She identified that of the last 12 projects initiated by the facility, All Right was awarded 10. In addition, for each of the 10 projects awarded, All Right was paid for additional work to be performed outside of the initial proposal.

John was asked to explain why All Right was awarded the majority of the contracts, but could not explain. Management was made aware of the issue and John was terminated. John’s replacement was made aware of the issue and within two weeks of starting, was contacted by Tony from All Right, asking if he was interested in going on a big game fishing trip. The new person politely declined.

Afterwards, Maria credited studying for the CFE Exam as why she did not feel comfortable with the initial response. Maria informed me, “It just didn’t feel right, knowing now about fraud scenarios that can happen and the potential for it happening.” Maria added, “It makes me wonder all the things I potentially missed in the past.”

Fraud Week News and Resources You May Have Missed


Mandy Moody
ACFE Social Media Specialist

The ACFE would like to say “thank you” to all of the International Fraud Awareness Week Official Supporters, supporting media, bloggers, tweeters and posters for your efforts this week. The activity on social media, blogs and in the press has been tremendous and something we can only hope to top next year.

Even with the many articles and resources shared, you may not have seen all that was done to spread the word about fraud detection and prevention. Here are some Fraud Week highlights you may have missed:

• Designing an Effective Anti-Fraud Program: PDF resource specifically designed to assist you in honing your fraud awareness messaging and ensuring the efficient use of anti-fraud training resources.
• Fraud of the Day: A daily commentary from LexisNexis on how fraud is perpetrated against government programs.
• Thomson Reuters White Papers: Download free white papers covering subjects like health care fraud, government fraud and money laundering. Read more at their blog, The Knowledge Effect.
• Cynthia Hetherington’s Four Tips on Minimizing the Impact of Fraud: The Hetherington Group reviews five steps businesses can take today to prevent fraud in the workplace. Bonus: Check out the five employee-monitoring controls. 
• Top 10 Reasons to Authenticate Your Suppliers: Your employees are not the only people who could steal from you. Learn why it is imperative to check out your vendors and suppliers.
• Six Ways to Reduce the Risk of Fraud and Errors While Managing Spreadsheet Content: With more data comes more risk for error. Heed these tips so you don’t end up on the wrong side of a spreadsheet fraud.

Did we miss any resources or highlights? Let us know! Email us at spatterson@acfe.com.

Until next year...