Curious Employee Foils Corporate Credit Card Fraud Scam
Scott Burke looks at how to avoid and deal with Corporate Credit Card Fraud
by: Scott Burke
Molly, treasurer at BusyCo Corp. in Miami, opened an e-mail from a former colleague who no longer worked for the organization. The e-mail read: "Hi Molly, there should be a refund of $824 on my old corporate Visa card from the IP Conference. I paid for, but did not attend, the conference and did not turn in the charge to BusyCo for reimbursement. Can you have Visa issue a refund check to me? Thanks very much for your help."
The e-mail was from Jerry, a former BusyCo executive who had been Molly's boss at one time. The message seemed innocuous enough. Jerry had legitimately charged a business conference to his corporate credit card, but he had canceled his registration because he left the company. Therefore, he was due a refund.
It would have been very easy for Molly to trust her former boss and get him the refund. Instead, because something didn't seem quite right, she chose to check on whether BusyCo had already reimbursed Jerry for the conference.
To make this determination, Molly accessed Jerry's corporate credit card records online and retrieved his expense reports from the accounts payable file room. The expense reports confirmed that Jerry had not expensed the conference fee, but when Molly looked at his credit card statement, she saw a couple of odd items.
First, the most recent statement indicated that the former BusyCo executive had made four payments to his credit card in one month. Second, the statement was two pages long, and Molly knew that Jerry rarely traveled for business. She scanned the charges and noted that most of them were from local vendors. In addition, none of the items looked like business charges. The charges included dinners at local restaurants, department and grocery store charges, and airline tickets for Jerry and his wife that Molly knew were for their recent vacation.
Out of curiosity, Molly queried the company's checks online to see if any of the payments made on Jerry's Visa account matched the dollar amounts of checks written by BusyCo. Sure enough, she found that all four payments made to Jerry's credit card that month equaled amounts on checks that the company had written to Visa. Molly increased the scope of her search and observed that every payment posted to Jerry's corporate credit card over the previous 12 months was from a check written by the company. She also noticed that of the $88,000 in charges on Jerry's card over that time frame, none was for business expenses.
Molly printed copies of all of the checks and noted that, although Visa was listed as the payee on all of them, Jerry's corporate credit card account number was handwritten on each check. Molly approached the director of internal auditing as well as Jerry's former manager and requested an investigation into the matter.
While working for BusyCo, Jerry was in charge of making sure that the organization paid delinquent balances on the corporate credit cards of people who had left the company. BusyCo had an arrangement with the credit card company that it would guarantee payment for certain employees if those employees did not pay the balances on their accounts. Once a month, Jerry would provide accounts payable with a list of delinquent accounts on guaranteed cards, and accounts payable would cut the check to the credit card company.
However, on the bottom of every check request in Jerry's last year of employment, he had written, "Please deliver the check to me." Typically, accounts payable would mail the check directly to the credit card company, but because accounts payable knew that Jerry maintained a relationship with the credit card company, they adhered to his request and delivered the checks to him. When Jerry received a check, he would write his own account number on the check, and the bank would apply the payment to Jerry's credit card.
Jerry did not need to make sure that the delinquent credit card owners listed on his spreadsheet paid their balances, because he had fabricated the delinquency list that he provided to accounts payable. In many cases, the employees with the so-called delinquent balances had left the organization long before, and they had paid their balances in full before departing.
So, where were the control breakdowns? First, Jerry had sole authority over the credit card function. He managed the corporate credit cards, reviewed the delinquent accounts, had access to the employee statements, and dealt with the bank's account managers. No one reviewed his work. As soon as accounts payable walked the checks down to his office, he had all he needed to perpetrate the fraud.
The second breakdown was that the accounts payable clerk walked the checks over to Jerry. Although not necessarily right, it is understandable that accounts payable would not have the time to audit Jerry's delinquency list. After all, accounts payable was processing more than 1,000 checks per week with a staff of six. However, it was unacceptable for the clerk to deliver the check directly to Jerry. The check should have gone from accounts payable to the vendor. The vendor invoice--or delinquency data in this case--should have contained all of the pertinent information to allow accounts payable to appropriately route the check.
BusyCo decided to report Jerry to law enforcement. Although $88,000 is not a significant amount of money for a $1 billion company, and the legal fees and other costs might be high, the company wanted to demonstrate to its employees that it would not tolerate fraud and would hold perpetrators accountable. Decisive and timely action such as this is critical to maintaining a sound control environment.
Not everyone is as diligent as Molly. The lesson she applied is an important one to teach operations personnel: Take the time to check anything that doesn't seem right. Because she spent a few minutes performing due diligence, Molly uncovered an $88,000 fraud.
Several symptoms may have flagged the fraud. If internal auditing had been testing the employee credit card charges, simply identifying the top 25 corporate card users and reviewing their charges would have flagged Jerry. Travel reimbursements of $88,000 in one year covers a lot of travel. Testing the accounts of the people with the most posted credits would have similarly flagged Jerry. Also, Jerry averaged three payments a month on his credit card over the course of a year, an unusual pattern that, if identified, should have been investigated.
Testing the top 25 corporate credit card users and searching for unusual patterns are the staples of any audit program that contains tests designed to uncover fraud.