Emma Zhang, CFE, CPA
When I was working as an internal auditor at an oil and gas company (the Company) in California, one of my colleagues and I conducted a routine vendor audit. The vendor provided services to one of the oil rigs of the Company and the Company had used the vendor for two years. Basically, the audit was to ensure that the vendor performed jobs as contracted.
In this audit, I was responsible for the vendor payment review. The vendor assigned 35 employees to perform jobs at the rig during the two-year period. Five employees covered 24-hour shifts daily. The working-hour review and billing process was that the employees submitted their timesheets to their supervisor for review and authorization. Then, the supervisor submitted the timesheets to the project manager for review and approval. The project manager was the Company’s employee and oversaw the vendor services and the project progress. The vendor presented the invoice each month to the project manager for review and approval before billing the Company. The project manager should ensure that the invoice was correct and accurate before approving it.
I requested all approved timesheets and pulled all vendor invoices from the Company’s accounting system to ensure that they were properly authorized. No exception was noted. Then, I created a spreadsheet to include the 35 employees’ names and their working dates and hours. Once the spreadsheet was built and all data were input, I found some employees’ working hours were suspect. For example, some employees were consistently working 15 hours a day; or some employees worked a night shift and continued to work another 8-hour shift in the following day; or some employees never took any days off and worked on holidays.
To confirm whether the timesheets were fraudulent, I requested all payrolls of the two years. The vendor denied my request, claiming that the payrolls included confidential information and it would not be secure to send them. I then requested an on-site review of payrolls. The vendor found excuses to reject the visit but eventually agreed to a two-day visit. Soon my colleague and I flew to California to visit the vendor’s office. Unsurprisingly, we experienced a cold welcome and we were arranged to sit just outside of the restroom. No one in the vendor office hid their unpleasant feeling towards us. In the two days, my colleague and I input payroll information into the spreadsheet and then compared the payroll hours with the working hours from the timesheets. Through the comparison, we found that the working hours on the timesheets did not match the paid hours on payrolls. We even noted that two employees were not on the payroll. This was a fraud scheme to alter employee timesheets and create ghost employees to obtain payments. Consequently, the fraud cost the Company around $250,000 overpay.
So, you may be wondering, “Who is responsible for the fraud?” After coming back from California, I completed a report that was distributed to my manager and the California office management. Soon, my manager and I had a phone meeting with the CFO and his team, including the project manager in California office, to discuss the fraud. During the meeting, the CFO and his team were laughing about the fraud and took this as a joke until we mentioned the ownership of the fraud. Who should be responsible for this fraud and loss? Quickly, we felt the intense silence from the other side of the phone.
The project manager could hardly absolve himself of the blame. The CFO and the accounting team in the California office, as the payment gatekeeper, held responsibility as well. Two weeks later, we had another meeting with the CFO and his team. This time, we had a serious discussion about responsibilities and actions to recover the loss. Several months later, the Company requested the full amount of overpay from the vendor and stopped working with the vendor when the contract expired. The project manager was demoted to a project supervisor. Also, the corporate management made a decision to let the internal audit department review the billing process and vendor bidding process across the organization to determine if any gaps or poor controls existed and required improvement or redesign.
Emma Zhang is an experienced audit professional at Carrtegra, with more than seven years of internal audit and Sarbanes Oxley (SOX) compliance focusing on operations, accounting, internal controls and process improvement.