Cover Article

Built-In Glitches: Controls in Accounts Payable Software not Fraudproof

Date: November 1, 1999

Jack had prepared everything. Now he was ready for a little embezzlement. 

An accounts payable clerk at a property management firm, Jack had found a way to worm around the internal controls of his company's accounts payable (A/P) software and write checks to himself. Now he'd be able to take care of that pesky gambling debt. Jack told himself he'd pay it back when he'd hit the big win. "I'm due," he thought. "I'm due."

A/P software packages with "built-in controls" promise to streamline financial operations and help prevent fraud within an organization. But like the old Gershwin tune, it ain't necessarily so.

For instance, the check-writing systems of some common business applications allow a clerk to add and delete temporary vendors without leaving an audit trail in the system. And these systems have options that can be turned off so that check numbers aren't monitored and invoices from vendors aren't rejected if the invoice number already has been paid.

These and other accounts payable software weaknesses helped one fraudster steal $14,000 in a recent embezzlement case we investigated. We discovered that the internal control functions in these A/P software packages are far from dependable.

Telltale Canceled Check

I'm an auditor and fraud examiner for the California Public Employees Retirement System (CalPERS), the largest public pension system in the nation with nearly $160 billion in assets. CalPERS provides retirement and health benefits to more than 1 million state and local public employees, retirees, and their families from more than 2,400 employers.

One of CalPERS's investment properties is operated by a separate management company retained by CalPERS (I'll call it Davis Properties), which collects rent and maintains the building. Davis Properties, the fraudster's employer, used faulty A/P software that permitted the crime.

One Friday morning at Davis Properties, the controller opened a company bank statement and found a canceled check made out to Jack (not his real name), the A/P clerk, who was in charge of the accounting of the property. That weekend, the controller and two other A/P clerks reviewed the bank statements for the year and found more evidence of fraudulent disbursements to Jack.

On Monday, the controller confronted Jack, who confessed that he had been writing checks to himself. The controller talked to the owner of Davis Properties, who then notified CalPERS. CalPERS reviewed the management contract and we – members of CalPERS's Office of Audit Services – made an appointment to begin examining the records.

The bank statements and check registers showed that the checks Jack wrote to himself cleared the bank. He had carried the amounts as "deposits in transit" (or unpaid items) when he performed the bank reconciliation. We also found out that Davis Properties had few internal controls; each clerk not only reconciled the bank accounts for his properties, but also balanced the monthly general ledgers and printed the financial statements. Jack worked with three other A/P clerks, each of whom also had a full work load.

The company's A/P software printed and wrote the checks, and encoded a magnetic ink character reader number on blank unnumbered check stock. Of course, Jack had access to the blank check stock and the owner's signature stamp that was required to be on all checks under $10,000.

This software allowed the printing of unrecorded checks. One of the A/P clerks normally would print a test check to ensure alignment and spacing, discard the printed check, clear it from the computer, and begin printing the real checks. Only at that point would the real checks be recorded, so the fraudster could use the dummy checks for his own use.

Also, the A/P software didn't control the use of check numbers; we found several instances in which two checks had the same number. In some cases the second check was made out to Jack, but in other cases, the same number was just given to another vendor.

In the days before personal computers, these problems were controlled by using two- or three-part, pre-numbered check stock. The checks printed to ensure proper alignment were marked void and included in the numerical sequence of all numbered checks, usually as the second or third copy.

The software system also didn't reject invoices from a vendor when payment had been made on a previous invoice with the same number from the same vendor. A control option may have existed in the software but it was either turned off or not selected when the software was loaded. If it had been activated, the computer would have rejected the second invoice and would have prevented payment on a duplicate invoice.

Because everyone in the office knew the general password to log into the software, every A/P clerk had access to all the property files. This type of loose design could have allowed other clerks to dip into the CalPERS building accounts. The password did have a secondary level of identification but it was turned off when the software was installed to make it easier for the harried clerks to cover each other's jobs.

Also to ease the work load, the software allowed A/P clerks to add or delete vendors. Even though Jack didn't try to manipulate this feature, he could have added himself to the list as a dummy vendor and paid himself. However, we discovered his name appearing occasionally in the check register by tracing every item on the bank statements back to each month's register. The bank provided microfiche copies that we could use as evidence that the checks were made out to the clerk.

Wide Use of Flawed Software 

Our audit department discovered that the same brand of flawed A/P software was being used widely throughout the real estate industry. CalPERS has numerous real estate holdings in its investment portfolio, so we sent a memo to our real estate division and properties expressing our concerns about control weaknesses in the software.

Following are the questions we advised them to ask when inspecting the check-writing systems on their A/P software:

  • Can two or more checks be written with the same number? If the system doesn't control the use of check numbers, checks can be written with the same number and cashed, and only one of them will show when the numerical listing of checks is printed.  
  • Can a check be printed, voided, and zeroed in the check register without leaving an audit trail? If it can, then another check with the same number could then be written to any payee for any amount.
  • Can a check be written that does not appear in the check register? If this is possible, then unrecorded checks can be written.
  • Do checks have to be written sequentially? Writing checks non-sequentially facilitates writing unrecorded checks.
  • Does the system allow unnumbered checks to be printed? Printing unnumbered checks can lead to writing unrecorded checks.
  • Does the system allow payments to vendors using the same invoice number? If the system doesn't reject invoices from a vendor because the same invoice number previously was entered into the system, then duplicate payments and kiting could occur.
  • Does the system allow the A/P clerk, or anyone with access, to add and delete temporary vendors (such as himself or associates) without leaving an audit trail in the system? If the system does this, embezzlement could happen.
  • Does every clerk have access to the check-writing system for all clients? If so, any of the several accounts payable clerks might have access to a CalPERS-related checking account and could write unrecorded checks for personal gain.
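
Several of these questions can also be tested against data exported from the check register and the bank statement, in the same way we traced cleared items back to the register. The following Python sketch is an added example, not part of the original article or of any A/P product; the record layouts, names, and sample rows are constructed for illustration.

```python
from collections import Counter

# Constructed sample data (not from the case). Amounts are in cents.
# Register rows: (check_no, payee, vendor_invoice, amount_cents)
REGISTER = [
    (1001, "Acme Plumbing", "INV-77", 45000),
    (1002, "City Water", "W-0412", 12000),
    (1002, "Bright Electric", "BE-19", 30000),  # check number reused
    (1004, "Acme Plumbing", "INV-77", 45000),   # same vendor invoice paid twice
    (1005, "Lobby Florist", "LF-3", 8000),      # still outstanding at the bank
]
# Bank rows: (check_no, payee, amount_cents)
BANK_CLEARED = [
    (1001, "Acme Plumbing", 45000),
    (1002, "City Water", 12000),
    (1002, "Bright Electric", 30000),
    (1003, "J. Clerk", 90000),                  # cleared but never recorded
    (1004, "Acme Plumbing", 45000),
]
EMPLOYEES = {"J. Clerk"}  # hypothetical staff list


def audit(register, cleared, employees):
    """Return exceptions for the checklist questions that data can answer."""
    numbers = Counter(no for no, *_ in register)
    findings = {}
    # Two or more checks written with the same number.
    findings["duplicate_check_numbers"] = sorted(
        n for n, count in numbers.items() if count > 1)
    # Gaps in the recorded sequence: voided, skipped, or unrecorded checks.
    findings["sequence_gaps"] = [
        n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]
    # Trace every cleared item back to the register.
    recorded = {(no, payee, amt) for no, payee, _, amt in register}
    findings["unrecorded_cleared"] = [c for c in cleared if c not in recorded]
    # The same invoice number paid more than once to the same vendor.
    invoices = Counter((payee, inv) for _, payee, inv, _ in register)
    findings["duplicate_invoices"] = sorted(
        key for key, count in invoices.items() if count > 1)
    # Checks payable to staff, whether recorded in the register or not.
    payees = {(no, p) for no, p, *_ in register} | {(no, p) for no, p, _ in cleared}
    findings["employee_payees"] = sorted(x for x in payees if x[1] in employees)
    return findings


if __name__ == "__main__":
    for name, items in audit(REGISTER, BANK_CLEARED, EMPLOYEES).items():
        print(f"{name}: {items}")
```
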

We also asked the company that managed Davis Properties to work with the A/P software firm to put better controls in place and install any upgrades.

This embezzlement case reminded my audit services department that no business software can safeguard against fraud, especially when internal controls can be disabled and the program can be made available to anyone. None of us should be lured by the promises of built-in controls. The best fraud examiner is still of the human persuasion.

Rosemary Wilke, CFE, CIA, is staff management auditor for the California Public Employees Retirement System.  
