Common internal control lapses made worse by manipulation
This example shows how employee fraud was committed and how stronger internal controls could have prevented it.
Fraudulent billing schemes perpetrated through sophisticated social manipulation can fool anyone. An invoice that appears legitimate, a fund-transfer email supposedly from a manager, a trusted staff member recommending a fake vendor — all are examples of fraud that happens regularly and can be costly.
The following case study shows how a billing scheme was perpetrated for over a year by an employee and led the company to lose $250,000. The names and some company details have been changed.
A billing scheme at PharmaCo
Dorinne started defrauding PharmaCo shortly after Jack took over as CEO. Jack planned to expand the company aggressively through organic growth and mergers and acquisitions (M&A).
Dorinne was the head of the legal department and supported the CEO in the M&A process. She portrayed herself as a successful and trusted employee to the CEO. The CEO publicly recognised Dorinne for her pivotal role in the M&A success, but she was not awarded a higher salary or bonus.
Jen, the CEO's assistant, was not surprised when Dorinne secretively told her that Jack requested Dorinne to engage the law firm LawCo to perform early due diligence assessments on potential acquisition targets in Asia Pacific (APAC).
Dorinne also explained to Jen that the reason behind the CEO's imminent travel to APAC was a preliminary talk with a potential target. In reality, Dorinne overheard Jack's travel plans and decided to use the information to her advantage.
The story was credible to Jen, and Dorinne recommended she not tell anyone and avoid talking about it even with Jack himself, as he supposedly wanted the M&A plans kept confidential.
Jen was very reserved and aware that part of her job was not to divulge any confidential information. Furthermore, Jen knew very well that Jack disliked what he called the "bureaucratic task" of approving invoices, as he shared system access with her and explicitly told her that her job was to "sort this out" for him — all good reasons not to talk with Jack about the topic.
Dorinne, together with an accomplice, set up a bogus law firm and submitted all the required documentation (eg, bank account confirmation, company registration) to the master data team in charge of setting up new vendors. No questions were asked, and the bogus vendor was successfully set up in the company's system.
Dorinne then asked an assistant on the legal team to set up a purchase order (PO) in the system for just below $50,000 for "legal consultancy in APAC". The assistant should have asked for supporting documentation, such as a contract, but most employees often skipped this step. Then Jen approved the PO, as all POs for M&A costs required the CEO's approval, in line with the company process.
Finally, Dorinne submitted a false invoice, which was booked against the PO and approved by Jen. The invoice was paid with no questions asked, as, on paper, it was approved and processed in full compliance with the internal process.
The fraudulent expense went unnoticed, as the M&A expense account was usually not scrutinised by the financial planning and analysis (FP&A) team due to the "sensitivity" of the expenses booked and the fact that the team knew that the CEO approved these expenses.
A few months later, Dorinne repeated the scheme using a supposed M&A target in West Africa for $97,000, and then another one in Eastern Europe for $103,000.
During the annual audit, PharmaCo's external auditors selected this last invoice as part of their audit sample. They questioned the nature of the invoice with the CFO, who then checked with the CEO. This is when the fraud became apparent.
When confronted, Dorinne confessed the wrongdoing. She told the investigators that, while she knew other executives had been rewarded financially for the M&A success, she had not been. She rationalised the fraud by believing she deserved a similar increase in compensation.
How could PharmaCo have prevented the billing fraud?
On paper, PharmaCo's purchase-to-pay process included several key controls (such as obtaining vendor bank documentation, segregation of duties between the PO creator and the PO approver, and invoice approval). However, several employees failed to understand the rationale for having such internal controls in place. This led to the control overrides that made the fraud possible.
Conduct regular, substantive vendor checks
Neither the vendor master data team nor Jen searched for any information on the vendor. They relied entirely on the documents submitted by Dorinne and performed little more than a pro forma check. A simple online search would have raised a red flag, as the bogus law firm had no online presence.
Make supporting documents one condition for creating POs
Dorinne was able to request the creation of a PO without submitting any documents, because this was a common practice amongst PharmaCo's employees. They failed to understand the importance of verifying the existence of a contractual agreement before creating POs in the system. They did not see the potential consequences of the control override, which was made possible by the creation of a PO upon another employee's request.
Question the legitimacy of all expenses
Jen was known in the company for questioning invoices and costs booked in the CEO's cost centres. This time, as she related once the fraud was uncovered, she did not check the validity of the expense with anyone other than Dorinne. Jen felt that, given Dorinne's position and the trust the CEO was supposedly giving her, it was acceptable not to question the expense.
The objective of social manipulation is to lead the victim into thinking that the request is legitimate and, therefore, OK to execute. It is essential to make everyone in the organisation aware of common social manipulation tactics that make bogus requests appear legitimate.
Make sure executives understand the importance of internal controls
The CEO's practice of sharing his system access with his assistant so that she could approve invoices instead of him might seem practical. However, from an internal control perspective, it makes the approval process weaker.
Internal controls are in place to protect the company and company management, and disregarding them as "bureaucratic" instead of understanding their added value makes both more vulnerable. Because of his knowledge and position, the CEO would have been more likely to question the invoice and thus prevent the fraud. In theory, Jen could have challenged the expense and the vendor, but because of Dorinne's clever social manipulation, she never questioned it.
Make questioning of costs part of FP&A's role
The FP&A function's review of M&A legal costs was ineffective: the invoices booked for M&A legal fees significantly exceeded their budget allocation, which should have prompted questions, yet FP&A was unwilling to question invoices that had already been approved by the CEO. This dynamic is a typical result of authority bias, the tendency to attribute higher weight and accuracy to the opinion of an authoritative figure. This bias leads to an unwillingness to question the authority's decisions. The best thing that leaders can do to prevent this dynamic is to show that they are OK being challenged. This attitude tends to create an environment where decisions are discussed openly, regardless of whether they are taken by an authority or by someone else in the company.
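As an added illustration that is not part of the original article, the four control lapses above (unverified vendor, PO without a contract, approval made with the CEO's shared login, and an M&A expense exceeding budget with no FP&A challenge) can be expressed as automated checks over PO and vendor master records. The record fields, the 90-day new-vendor window, the dates and the budget figures are assumptions; the amounts follow the case study.

```python
from dataclasses import dataclass
from datetime import date

NEW_VENDOR_DAYS = 90   # assumption: flag vendors set up less than 90 days before their first PO

@dataclass
class Vendor:
    created: date
    web_presence_found: bool   # result of an independent online search
    registry_confirmed: bool   # registration checked at source, not just documents received

@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    amount: float
    created: date
    contract_attached: bool
    approver_login: str        # system account used to approve
    approver_person: str       # person who actually approved
    budget_remaining: float    # cost-centre budget left before this PO

def review_po(po: PurchaseOrder, vendors: dict) -> list:
    # Returns the control red flags raised by one PO; an empty list means clean.
    v, flags = vendors[po.vendor], []
    if not (v.web_presence_found and v.registry_confirmed):
        flags.append("vendor not independently verified")
    if (po.created - v.created).days < NEW_VENDOR_DAYS:
        flags.append("vendor set up shortly before first PO")
    if not po.contract_attached:
        flags.append("no contract attached to PO")
    if po.approver_login != po.approver_person:
        flags.append("approved with a shared or delegated login")
    if po.amount > po.budget_remaining:
        flags.append("exceeds cost-centre budget; FP&A should question")
    return flags

# Constructed sample records that mirror the case study (dates and budgets are invented).
VENDORS = {
    "LawCo": Vendor(date(2019, 1, 10), False, False),
    "RealLaw LLP": Vendor(date(2012, 6, 1), True, True),
}
POS = [
    PurchaseOrder("PO-1", "LawCo", 49_500, date(2019, 2, 1), False, "jack", "jen", 60_000),
    PurchaseOrder("PO-2", "LawCo", 97_000, date(2019, 6, 1), False, "jack", "jen", 10_500),
    PurchaseOrder("PO-3", "RealLaw LLP", 30_000, date(2019, 3, 1), True, "jack", "jack", 60_000),
]

def review_all(pos=POS, vendors=VENDORS) -> dict:
    return {po.po_id: review_po(po, vendors) for po in pos}
```

Run as a periodic batch over the PO ledger, each non-empty result is a PO that should not be paid until someone other than the requester has cleared the flags.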
Cecilia Locati, FCMA, CGMA, is the founder of Internal Control Toolbox and vice-president of risk, compliance, and internal audit for RHI Magnesita. To comment on this article or to suggest an idea for another article, contact Neil Amato, an FM magazine senior editor, at Neil.Amato@aicpa-cima.com.