Posted by Steve Wilcox on Tue, Feb 10, 2009 @ 03:17 PM
In my last blog entry, I explored the importance of segregating AP duties.
Today, I will present a fascinating case study of AP Fraud that highlights the risks of poor AP internal controls.
This is a true story.

Our tale concerns a husband-wife team who colluded with an outside vendor to fleece their company of at least $2 million over a seven-year period. The target of this sustained fraud was the well-respected newspaper, The Charlotte Observer, where poor internal controls contributed mightily to the scandal they were, to their considerable embarrassment, obliged to report in their own pages.
The Profile of an AP Fraudster
The mastermind of the scheme was a Mr. Johnson, a white male and 22-year employee of the newspaper with an unblemished record. Believe it or not, this is the typical profile of an AP Fraudster.
It was Mr. Johnson's good fortune to serve as a purchasing manager who also had authority to both receive goods and services and approve invoices for the same. The invoices would naturally flow through the AP department, where Mr. Johnson's wife happened to work. All the Johnsons needed to complete a seamless scam was a cooperative and unscrupulous vendor. Mr. Johnson cultivated a friendship with a favorite supplier until they became close enough that he could propose his ploy: for every two shipments you send me, invoice The Observer for three, and we'll split the payment for the phantom shipment!
Too Many Hats for One Head
The breakdowns in internal controls that allowed this arrangement to prosper over a 7-year period are manifold. Consolidating so many responsibilities in the hands of even the most trusted of employees is the first bright-red flag. A married couple with entangled duties connected with AP is another red flare. Significant budget variances, on the order of $50,000 of bogus charges per month per department, were overlooked as boom times created a lax atmosphere that tolerated such large discrepancies. Poor inventory controls allowed non-existent shipments to be processed and paid for. To top it all off, nobody involved was bonded and the company wasn't insured against such a loss.
NASCAR Insider?!? Where was the Common Sense?
While there is no question that better systems and procedures might have excised this cancerous scheme, simply bringing common sense to bear would have at least curtailed the loss. During the seven years that the Johnsons were siphoning off a substantial chunk of The Observer's revenue, their lifestyle took a dramatic turn for the better. They sold their old home, moved into a new lakefront mansion in an exclusive neighborhood, added a swanky boat, traveled like pashas and stockpiled fancy automobiles. Indeed, not only did Johnson flaunt his new-found wealth, he abandoned discretion entirely by incessantly insinuating himself into the picture - literally - in the very high-profile world of NASCAR. Every week, it seemed, he would be photographed bear-hugging the winner at the victory celebration, an awesome display of insider status in the region's most revered sport.
Meanwhile, his demeanor around the office was quite the opposite. Formerly outgoing and hands-on, Johnson retreated into his office where he spent most of each day behind a closed door and drawn blinds.
How could anyone, indeed everyone, have failed to notice? The answer is that of course people noticed, but they didn't trust their intuition enough to call Johnson's bluff. All Johnson had to do to deflect curiosity over the course of the better part of a decade was claim an aunt died and left him an inheritance. Naturally, once the fraud was unmasked, the aunt was discovered to be as imaginary as the stream of phantom shipments Johnson authorized and his wife paid for.
AP Internal Control Breakdowns
Clearly, a woeful failure to segregate duties was at the heart of this calamity. Had Johnson not had the power to approve his own actions, this fraud might have been prevented altogether. Improved transparency and a more disciplined approval framework would also, at the very least, make a fraud such as Johnson's more difficult to launch and impossible to sustain.
While Mr. and Mrs. Johnson eventually received their comeuppance - curiously, The Observer did not take immediate legal action upon their exposure - the newspaper nonetheless took a substantial hit, both in terms of financial loss and tarnished reputation. Nor were the perps the only people to suffer: managers who presided over the slipshod operations were sacked, steering lives and careers off track. The real tragedy of this tale is that if today's AP automation software and associated best business practices had been in place at The Observer, this entire fraud, and all the damage that ensued, would never have happened in the first place.
-Rakesh Shukla
@rakesh170
Posted by Steve Wilcox on Fri, Feb 06, 2009 @ 03:27 PM
Question: What do the following situations all have in common?
- A policeman ticketing a Dunkin' Donuts truck driver ...
- A doctor prescribing medicine from a pharmaceutical company in which he owns stock ...
- A politician accepting contributions from a special interest group ...
- A procurement manager being wined and dined by vendors ...
- A hungry wolf guarding the chicken coop ...
- A judge sentencing a family member ...
- Coaching your own son or daughter on a travel team ...
Answer: In each situation, there is a conflict of interest.
A conflict of interest is a situation where someone (such as a doctor, politician, procurement specialist, police officer, judge, coach, wolf, etc.) has a personal interest or motivation that might compromise the reliability and integrity of bigger obligations.
In many cases - especially where money is involved - a conflict of interest may tempt someone to break the law. Nowhere is this truer than in Accounts Payable.
In AP, there are a lot of conflicting duties which should always be segregated. Segregating AP duties is one of the most important internal controls in finance. For example, the person entering the invoice should not approve the invoice, for obvious reasons. Similarly, the person who sets up a vendor should not enter the invoice into the ERP system. There are many examples in AP where duties should be segregated. The problem is that most finance departments are under constant pressure to do more with less. But to follow segregation of duties to the letter, you need enough staff, a luxury that isn't always available - especially in these economic conditions.
But wait!
Haven't ERP systems addressed segregated duties through a security framework which governs the acceptable use for each authorized user?
Aren't roles and responsibilities managed so that, for example, an entry-level accounts payable clerk can access modules only related to her specific job function while the CFO can access any module in the system?
Well ... yes ... but the problem with trying to maintain segregated duties using this classification approach is that these configurations are expensive to design and deploy. As employees are promoted, reassigned, or terminated, organizations must continually update their ERP systems with everyone's correct authorization level, including consultants, contractors and business partners. Supporting and maintaining the classifications and configurations is a resource-intensive job.
Furthermore, most organizations struggle with their initial ERP setup -- millions are spent in projects that can take 3 or more years. Unfortunately, the setup of these segregated classifications is often the last phase of the project and does not receive the attention it requires, especially if the project is over budget or behind schedule - which is more common than not.
With AP automation that includes a robust workflow engine, you should have complete end-to-end AP process visibility as the invoice transitions from one step to the next ... the AP system should track all changes, maintaining a comprehensive audit trail of what was performed and by whom for all prior steps, so potential conflicts can automatically be caught at the transaction level.
Using this approach, limited headcount can still allow for segregated duties since segregation can be enforced at the transaction level instead of the job role level. Employees can still be cross-trained and allowed to perform multiple functions as long as they don't perform conflicting duties on the same transaction. For example, an AP Specialist could both enter invoices and also set up suppliers as long as there is no conflict on each and every transaction.
This transaction-level segregation can be enforced by the workflow software which allows you to move away from restrictive job role controls ... rather than limiting what functions employees can carry out as part of their jobs, this approach allows enterprises to boost productivity while mitigating the business risks.
One last point here ... this approach requires less overhead since segregation rules are defined once at the process level as opposed to the constant overhead of ERP administration.
-Rakesh Shukla
@rakesh170
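The transaction-level check described above, sketched as an added example (not code from the post or from any AP product). The duty names, the tuple layout of the audit trail, and all users, vendors and invoice ids are constructed assumptions; the third conflict pair is the receive-and-approve combination from the Charlotte Observer case.

```python
from collections import defaultdict

# Duty pairs one person must not perform on the same transaction. The first
# two are the post's examples; the third is the receive-and-approve
# combination from the Charlotte Observer case.
CONFLICTS = [
    {"enter_invoice", "approve_invoice"},
    {"setup_vendor", "enter_invoice"},
    {"receive_goods", "approve_invoice"},
]

# Constructed audit trail: (invoice, vendor, duty, user). Vendor setup has no invoice.
AUDIT_TRAIL = [
    (None, "V-1", "setup_vendor", "alice"),
    ("INV-1", "V-1", "enter_invoice", "bob"),
    ("INV-1", "V-1", "approve_invoice", "carol"),
    ("INV-2", "V-1", "enter_invoice", "alice"),    # alice also set up V-1
    ("INV-2", "V-1", "approve_invoice", "carol"),
    ("INV-3", "V-2", "enter_invoice", "alice"),    # fine: alice did not set up V-2
    ("INV-3", "V-2", "receive_goods", "dave"),
    ("INV-3", "V-2", "approve_invoice", "dave"),   # dave received and approved
]

def find_conflicts(trail):
    """Return sorted (invoice, user, duty_a, duty_b) for every violated pair."""
    setup_by = defaultdict(set)                      # vendor -> users who set it up
    duties = defaultdict(lambda: defaultdict(set))   # invoice -> user -> duties
    vendor_of = {}
    for invoice, vendor, duty, user in trail:
        if duty == "setup_vendor":
            setup_by[vendor].add(user)
        else:
            duties[invoice][user].add(duty)
            vendor_of[invoice] = vendor
    findings = []
    for invoice, by_user in duties.items():
        for user, done in by_user.items():
            if user in setup_by[vendor_of[invoice]]:
                done = done | {"setup_vendor"}
            findings += [(invoice, user, *sorted(p)) for p in CONFLICTS if p <= done]
    return sorted(findings)

def may_perform(trail, invoice, vendor, duty, user):
    """Workflow gate: permit the step only if it creates no new conflict."""
    step = (invoice, vendor, duty, user)
    return set(find_conflicts(trail + [step])) <= set(find_conflicts(trail))

if __name__ == "__main__":
    for finding in find_conflicts(AUDIT_TRAIL):
        print(finding)
```

Here alice performs both vendor setup and invoice entry, but is flagged only on INV-2, where the two duties meet on the same vendor's invoice; her entry on INV-3 passes.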