Can You Spot the Five Accounting Weak Points?
By Ed Mendlowitz
77 Ways to Wow!
In this fraud, ING, an extremely large and well-known financial services company, had approximately $8.5 million stolen from it by a single employee over a little more than four years.
Here’s how it worked:
- Nathan (the fraudster) was an accounting manager in ING’s reinsurance division with three people working under him. Nathan reported to the assistant controller and the controller.
- Nathan, another coworker and one of his subordinates had the ability to request checks in amounts up to $250,000.
- Nathan and the coworker were also given the ability to approve checks.
- The members of Nathan’s group and the coworker all knew each other’s passwords.
- Nathan was having trouble making ends meet on his $80,000 annual salary and had run up about $88,000 in credit card debt.
- The initial fraud started with Nathan signing on as his coworker and requesting an $1,800 check to a company called Universal – which happened to be both the name of his credit card company and a vendor ING conducted substantial business with. After requesting the check, he logged on as himself, approved the check and mailed it to his credit card company. After the success of the first theft, Nathan kept requesting and approving checks until, over time, his $88,000 credit card debt was paid off.
- One of his early checks, for $4,500, never cleared his credit card statement. He had forgotten to write his account number on the check before mailing it, and the credit card company did not know where to apply the payment. It returned the check to the corporate office, which rerouted it to the original requester!
- Later, Nathan expanded his fraud by creating a fictitious company with a name similar to that of another vendor ING had substantial business with. He would log on as one of his subordinates in the evening after the subordinate had left work and when the subordinate was off the following day. He would then log on as himself and approve the check. After picking the check up the next day (when the subordinate was off), he deposited it into the bank account of the fictitious company he had created. This continued for several years, resulting in a loss of $8.5 million.
- A check request requires the requester to indicate the account to which the check is to be posted. Nathan always chose accounts with significant reconciliation activity, such as insurance claims or commissions.
- Another account Nathan used to hide his payments was the foreign currency exchange gain/loss account. He was the only one who reconciled this account for seven straight years and, therefore, could fudge exchange rates by a small amount to mask the posting of his checks.
- The fraud was uncovered when Nathan’s ex-wife had lunch one day with one of his coworkers and talked about not believing his stories about gambling winnings. The coworker became suspicious, began investigating and uncovered the fraud.
As frauds go, this was nothing novel. The fraudster was enabled by poorly designed and poorly implemented internal controls.
The following were all significant factors in the fraudster being able to perpetrate and hide the fraud for a considerable length of time:
- Lack of segregation of duties – those requesting checks should not be allowed to approve checks.
- Insecure password policies. Employees should understand the importance of changing passwords often and keeping them private. Public passwords are virtually worthless.
- Insufficient oversight and lack of rotation of duties. Having the same employee perform the same reconciliation operation for several years without oversight or rotation of duties enables that person to fudge the reconciliation at will.
- Inadequate check mailing policies. Signed checks should not be returned to the check requester for mailing. Furthermore, checks returned by the recipient should not be sent for investigation to the original parties involved in their request and authorization.
- Inadequate procedures on how a new vendor can be added to the system.
There are other preventive measures, but the above sequence indicates many steps that could have been taken that would have avoided, minimized, or uncovered the fraud sooner. As it was, none of ING’s procedures caught the fraud – it was uncovered through an unrelated lunch discussion.
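As an added illustration (not part of the original article), three of the weak points above can be expressed as automated checks over a check-request log: accounts holding both request and approve rights, payees that closely resemble an approved vendor without being in the vendor master, and requests filed under an account whose owner was off duty. All account names, vendors, records and the `requester_on_duty` field (assumed to come from a join with HR scheduling data) are constructed for the example.

```python
from difflib import SequenceMatcher

# Constructed sample data (assumptions, not from the article).
ROLES = {
    "mgr_a": {"request", "approve"},
    "coworker_b": {"request", "approve"},
    "sub_c": {"request"},
    "clerk_d": {"approve"},
}
VENDOR_MASTER = {"Universal Reinsurance Brokers", "Harbor Claims Services"}
CHECKS = [
    {"id": 1, "requester": "sub_c", "approver": "clerk_d",
     "payee": "Harbor Claims Services", "requester_on_duty": True},
    {"id": 2, "requester": "coworker_b", "approver": "mgr_a",
     "payee": "Universal Reinsurance Broker", "requester_on_duty": True},
    {"id": 3, "requester": "sub_c", "approver": "mgr_a",
     "payee": "Harbor Claim Services", "requester_on_duty": False},
]

def sod_conflicts(roles):
    """Accounts that can both request and approve checks."""
    return sorted(u for u, r in roles.items() if {"request", "approve"} <= r)

def lookalike_vendor(payee, master, threshold=0.9):
    """Return the approved vendor that a non-master payee closely resembles, else None."""
    if payee in master:
        return None
    for vendor in sorted(master):
        if SequenceMatcher(None, payee.lower(), vendor.lower()).ratio() >= threshold:
            return vendor
    return None

def review(checks, roles, master):
    """Map check id -> list of reasons the check deserves independent review."""
    conflicted = set(sod_conflicts(roles))
    findings = {}
    for c in checks:
        reasons = []
        if c["approver"] in conflicted:
            reasons.append("approver can also request checks")
        if not c["requester_on_duty"]:
            reasons.append("requester account used while owner off duty")
        twin = lookalike_vendor(c["payee"], master)
        if twin:
            reasons.append(f"payee resembles approved vendor '{twin}'")
        if reasons:
            findings[c["id"]] = reasons
    return findings
```

Because passwords were shared in this case, a simple "requester equals approver" test would have found nothing; the checks above rely on entitlements, attendance and the vendor master instead.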