Business Fraud Cases and Their Lessons for Auditors & Managers
Unpacking and analyzing business fraud cases provides a great opportunity. We can learn a lot by taking a deep dive into past incidences of fraud, including how to adjust anti-fraud efforts.
- How did the fraud occur?
- Who was involved?
- How did they avoid controls and management oversight behaviors?
- Why wasn’t it found right away?
- How can we prevent this from happening again?
These are all valid questions. And the answers are found in the study of past fraud cases.
3 Examples of Business Fraud Cases to Study
Here are three examples of business fraud cases worth studying…
A procurement employee used their authority to purchase printer toner cartridges and charge the cost to their city employer. They then offered these cartridges for sale at a discount online.
Not a bad business model when your product cost is zero…
In this incredibly basic scheme, the employee stole $1.3 million. Let me do the math for you: At about $100 per toner cartridge, that’s 13,000 cartridges bought, received, and then resold and shipped. It’s pretty much a full-time job.
How did supervisors miss this? How about budget analysts and the accounting department? How did this thief get all of this done and still perform their primary job in a satisfactory manner?
(By the way, there’s nothing new here. I’ve been hearing about the good old toner cartridge resale scheme since the early 1990s.)
In a similar scheme, a university employee stole in much the same way. But she used $1,000 Apple iPads and Microsoft Tablets instead of $100 toner cartridges. Her illegal take? Over $43 million. Again, here’s the math: That’s over 40,000 units bought by her employer and resold.
A railroad track safety employee recorded an average of 114 hours per week, every week, for a year. Coworkers performing the same important safety tasks also had overtime but at a fairly normal rate.
It’s fair to say that 114 hours a week, every week, for a year is pretty much physically impossible. Yet the supervisor signed off on the time sheets. The payroll department paid these ridiculously inflated wages. Budget analysts and senior leaders were apparently asleep or willfully blind.
Here’s the thing…
On and on we could go with tales of theft, manipulation of financial and operating results, corruption, and the ever-present and growing cyber fraud cases.
But that’s not news to you. It’s the background chatter that should prompt a step-back look that asks, “What are the common action lessons we should be learning?”
5 Lessons from Business Fraud Case Analysis for Auditors
So, what lessons can auditors take away from studying business fraud cases like the ones above?
1. Beg for expectations clarity.
Beg is a very strong word. I use it here because I couldn’t think of anything stronger. Auditors who do not operate with crystal clarity about what’s expected of them regarding fraud prevention and detection may be fumbling in the dark. “Be aware of fraud risks” and similar statements found in professional standards are interesting but not especially useful.
How about this instead? On every single audit project, every auditor asks and gets solid answers to three questions:
- “Hey, Boss. Are we supposed to look for wrongdoing and fraud on this project?”
- If yes, “What kind? Theft? Overcharges? Results manipulation? Corruption? Technology schemes? Something else?”
- Finally, “How hard do you want us to look? Random sample? 100% testing? Data analytics? Inquiry? All of the above?”
Audit team members should ask with every project. Audit leaders should tell their team even if no one asks.
- Do meaningful brainstorming.
Meaningful fraud risk brainstorming drills hard into what can go wrong and what it looks like. Brainstorming involves taking potential business fraud cases and putting ourselves in the position of the thief or fraudster. Then, start throwing out ideas about how to do it (commit), how to benefit (convert), and how to hide it (conceal).
The best approach I’ve seen involves small teams of 3 to 5, including the project team members, project leadership, and technical specialists in relevant areas (e.g., loss prevention, payments, payroll, contracting, cyber, data analytics, and other areas).
Then we take off the fraudster hat and think from the perspective of an auditor. “If I knew this was happening, where would I look to prove it? What files would I pull? What questions would I ask?”
- Use data analytics.
Data analytics is the secret sauce for auditors. It’s all the rage right now. And I agree 100% it should be. I’ve been tracking trends in data analytics by auditors since 1990. And the time has never been better to jump into these tools to examine mountains of data looking for the needles in the haystack. The current audit-focused DA tools are more powerful yet easier to use than ever before.
- Ask honest people.
Auditor literally means “one who listens.” Inquiry has always been one of our most comprehensive and inexpensive tools for gathering information. Fortunately, the vast majority of those we interview believe in telling the truth. These are honest, dedicated people trying their best every day to do the best job possible. So, they hate it when one of their own—whether in a management or staff position—breaks the rules for their own personal gain.
These honest employees want to speak up. They know they should or must speak up. But more often than not, they won’t do so.
It could be fear of repercussions, fear of not fitting in, conflict avoidance—possibly a dozen other reasons. However, all of these can be undone by simply asking, “Have you seen anything that has made you uncomfortable?” “Have you been asked to sign or approve anything that you were not sure was correct?” or even “Is anyone here breaking the rules?” Follow up with, “Can you tell me what happened?” and “How could we prove that?”
Asking is free. Being consistent with your organization’s culture and your department’s protocols, consider just asking the honest people who are there every day.
- Drive the bus.
Someone has to drive fraud risk management efforts forward. Unfortunately, management efforts over the last 20+ years tend to be inconsistent or nonexistent. Maybe it’s time for auditors to offer to step in and sponsor meaningful fraud risk management initiatives.
- To ask senior managers to become much more visible and vocal about fraud risks
- To recruit every employee every day as part of the organization’s anti-fraud efforts
- To lead or facilitate operating and financial department fraud risk brainstorming
- To stress-test controls, including the human components
- To teach anyone who will listen about how they can be part of the solution
Yes, I know about the restrictions on auditors due to standards covering “independence and objectivity.” But when we see a macro-level recurring risk go uncorrected over several years, maybe it’s finally time to find a way to lead the solution. Maybe it’s long past that time.
5 Lessons from Business Fraud Case Analysis for Managers
And what about managers? What lessons should management take away from business fraud cases?
- Accept responsibility.
In your areas, accept responsibility for managing fraud risks and exposures. Acknowledge that it’s up to you to know what can go wrong. Do your best to prevent wrongdoing from occurring on your watch. Assume that despite your team’s best efforts, someone may still get away with it. Find it as fast as possible, and immediately turn over suspicions to those with the authority, skills, and willingness to handle suspected theft, wrongdoing, and outright fraud incidents.
- Understand the limits of controls.
Never buy into the philosophy that strong controls will prevent fraud. Replace it with, “Strong controls will make it more difficult. They make the fraudster work harder. They limit their opportunities. But they don’t stop them.”
- Preach to your team.
Tell your team that you need their help. Preach attention to details. Explain what they can do to assist through daily vigilance—by looking for red flags in transaction documentation they see every day and speaking up when something does not look or feel right.
- Teach your team.
Teach yourself and your team exactly what theft, wrongdoing, and fraud look like. Brainstorm lists of red flags in an open discussion with them. Give examples of business fraud cases. Encourage them to pay attention and to look for errors, mistakes, and wrongdoing—because they often look the same. Be open to their questions and patient in bringing them up to speed as part of your fraud prevention team. And when you need help in any of these tasks, ask for that help from your audit, loss prevention, IT, HR, or other department.
- Look, ask, doubt, and resolve.
In your own behavior when reviewing transactions, adopt the simple mantra Look-Ask-Doubt Resolve. Look at the details. Ask yourself, “How do I know what’s in front of me right now in this moment is correct?” If you aren’t sure, doubt—don’t believe. And resolve or refer it elsewhere before you put your good name in the space for your approval signature. Look, ask, doubt, and resolve (LADR) before approving. It can’t get much more simple than that.
Auditors and managers can learn a lot from studying business fraud cases. Along with giving greater insight into what could happen, they can help us strengthen our controls. Don’t underestimate the value of using case examples to educate yourself and your team.