Using an Organization's Credit to Commit Fraud, Part 1

Fraud by using an organization's credit is a type of fictitious expense scheme. In the ACFE's fraud tree, the crime is a subset of fraudulent disbursements, which is a subset of cash schemes.

There are many types of fraud involving an employee's use of the organization's credit to purchase assets (i.e., goods and services) for personal benefit. Unauthorized use of the organization's general credit cards, purchasing credit cards, travel credit cards or business charge accounts are some of the most common fraud schemes I have encountered during my career. Unscrupulous employees cause victim organizations to order and pay for assets they do not really need. Obviously, the damage to a victim organization is the money lost in purchasing these unnecessary items.

The individuals who commit these crimes are usually responsible for approving and processing transactions for payment. They may rely on the inexperience of their supervisors (or their organizations' governing bodies) to unknowingly process their fraudulent transactions in the disbursement cycle. Victimized organizations then issue checks for unauthorized business purposes, and the wayward employees receive personal benefits.

We begin this three-part series with employee abuses of general organization credit cards.

GENERAL ORGANIZATION CREDIT CARDS

Commercial banks issue credit cards to organizations (and individuals) to aid them in conducting official business. Banks and organizations enter into agreements specifying the terms of use for the credit cards. Some banks charge an annual fee; others do not. Banks make their money for processing your transactions by charging a fee to vendors who accept the cards and by charging you an interest rate on the unpaid account balance when the full amount due is not paid each month. The primary responsibility for charges on these credit cards rests with the organizations.

THE BUSINESS OF CREDIT CARDS

An organization that authorizes company credit cards for its employees' use should maintain formal logs of all cards issued and require all employees to sign agreements stating that they have received a copy of the organization's usage policies and have been trained on the proper procedures for using the cards. These agreements provide the foundation that employees understand that they can use the cards for official business only.

Written company policies should require employee training, prohibit cash advances, restrict purchases of unauthorized items (such as alcohol), require receipts for all charge transactions and specify disciplinary actions for any unauthorized or personal use of the cards. Organizations never should pay for employee charges shown on the bank's monthly statement without accompanying receipts. It is the descriptions of the items shown on the receipts that determine if the expenses are for official business purposes.

UNAUTHORIZED CARDS

Employees who have stolen company credit cards or who have obtained unauthorized company credit cards through other means (such as ordering them directly from banks without approval) will circumvent organizations' incoming mail to snag the monthly credit card statements. They usually make personal payments on the credit card account balances to conceal their unauthorized purchases.

However, if employees submit unauthorized expenses for payment by their companies, management and auditors will have at least some documents they can review to detect fraud. While the supporting documents for credit card payments should include the statement and all purchase receipts, fraudsters who choose this latter process usually only submit statements for payment purposes. In many cases, their supervisors or the governing bodies of the organizations may unknowingly approve these fraudulent payments.

Employees may periodically use an organization's credit card for unauthorized purposes or personal benefit, but managers who are assigned to monitor the credit card program can resolve these minor infractions promptly according to policies and procedures.

Companies should publicize employee disciplinary actions in their internal publications to deter future problems. Unfortunately, even this method is not fraud-proof because often the very managers who are charged with monitoring the system are the ones who abuse it. These individuals may be able to hide their unauthorized activities from other employees and their supervisors, but most of the time they should not be able to conceal their actions from organizations' governing bodies and their internal or external auditors. However, when their misdeeds are detected, the fraudsters usually attempt to get organizations to pay from monthly credit card statements by indicating that receipts for individual transactions were not available or were inadvertently misplaced or lost.

Case No. 1 — Personal use of an authorized general organization credit card

In the November/December 2009 Fraud's Finer Points, I discussed a credit card case that involved missing supporting documents. This concept emphasized why organizations should never pay the balance due on monthly credit card statements without seeing the supporting receipts for the purchases first.

Sarah was the clerk-treasurer responsible for processing all of the city's disbursement transactions, including all purchases on its credit card. The city first detected irregularities in accounts receivable and contacted its external auditor to investigate the case.

The subsequent audit detected multiple fraud schemes, which totaled $49,894.88 in losses over 2½ years. These schemes included payroll fraud, accounts receivable fraud, municipal court revenue fraud, unauthorized use of the city's business charge account and overpayments to a cleaning contractor. The clerk-treasurer performed many tasks in a variety of functions at the city, and no one monitored her work to ensure the city's expectations were being met.

The clerk-treasurer purchased $5,319.16 in assets for personal benefit using the city's credit card. I detected this scheme by scanning the city's disbursement files to determine other risks. I quickly noted that the city was making its monthly credit card payments using only the statements. There were very few purchase receipts available for review and audit. For example, credit card purchases from a local computer store were almost always missing from the files. I contacted the city's computer consultant who was responsible for all information technology issues. However, he wasn't aware of any official purchases from the computer store.

A computer store representative faxed documents to me that showed Sarah had signed for a computer, monitor, software and games on many occasions through the period of this loss. City staff members conducted a search of city hall but were unable to locate any of these assets.

Sarah had made all credit card payments on time, but she had destroyed all the supporting documents that listed the details of the purchases from the computer store. She hoped that retaining only the monthly credit card statements on file for the city's governing body and its external auditors would be sufficient to conceal her irregular activities. She was wrong. The governing body did not notice this irregularity, but her fraud did not escape the watchful eye of the external auditors. In my experience dealing with fraud cases in state agencies and local governments in the state of Washington, governing bodies rarely detect fraud in the transactions they are reviewing and approving, primarily because no one took the time to properly train them for this task.

The clerk-treasurer demanded a trial to resolve the issues in this case. She hired a prominent regional lawyer for her defense and agreed to a bench trial. (There was no jury.) After all the evidence was heard during a week of testimony, the judge rendered a guilty verdict in the case and ordered Sarah to make restitution of the loss amount, plus audit costs. He also sentenced her to three months in a work-release program.

Case No. 2 — Personal use of an unauthorized general organization credit card

A small water district in the state of Washington had three employees, operated on an annual budget of $466,000 and served approximately 1,000 customers. Jackson, the office manager, was responsible for practically all financial operations; his supervisor, the district superintendent, did not monitor his work. These are the two most common internal control weaknesses I have found in small organizations.

While Jackson had no prior criminal history, he apparently came to work for the district with ill intentions. He sent a memorandum on official letterhead to the district's bank shortly after being hired requesting that the bank issue a credit card in the district's name and assign it to him. The credit limit on the card was initially set at $5,000, but Jackson subsequently sent a facsimile to the bank one month later requesting an increase to $20,000. Of course, the district's governing body did not authorize either of these requests. Later, when the case was under investigation, the district stated that someone had forged the authorizing signatures on the documents.

As the office manager, Jackson was responsible for opening the mail and processing invoices for payment. Thus, he was able to remove the monthly bank credit card statements from the incoming mail before anyone else saw them. One of the interesting facts of this case is that Jackson did not submit any of the credit card statements to the district superintendent or the governing body for approval or payment. Perhaps Jackson was not quite bold enough. While it would have been prudent to do so, Jackson did not make any personal payments to the bank on the card balance either. Because neither the organization nor Jackson made any payments on the credit card balance, the monthly expenses and interest charges continually increased until the balance became delinquent and approached the credit limit on the card.

Jackson misappropriated $19,454.84 from the district in 3½ months, with $18,284.03 of this amount representing his unauthorized use of the district's credit card for personal benefit. Personal charges included the purchase of a used pickup truck, frequent stays at a motel while traveling to his favorite casino, thousands of dollars in cash advances at the casino, Internet and telephone use and other miscellaneous purchases. Jackson also misappropriated $1,170.81 in utility revenue from the district.

The district first detected irregularities in its checking account and petty cash fund and requested an external audit. Jackson was placed on administrative leave and subsequently terminated for a wide variety of managerial shortcomings. Shortly thereafter, the district received a monthly statement for the unauthorized credit card. In a plea-bargaining agreement, the court ordered Jackson to make restitution for the loss amount plus audit costs. It also sentenced him to less than one year in county jail for this crime.

Case No. 3 — More personal use via an unauthorized credit card

James, the chief of a small fire district in the state of Washington, obtained an unauthorized credit card in the district's name. He circumvented the district's internal controls by intercepting the mail, removing the monthly credit card statement and making personal payments on the account to conceal his unauthorized purchases. He basically used the district's credit card as his own by charging $7,797 in personal purchases for more than a year. He used the card to make unauthorized cash advances and also incurred finance charges when he did not make monthly payments on time.

When the district finally discovered the unauthorized card, there was a $1,599 unpaid balance on the account. The district found out about the card while making a change in signatories on all of its bank accounts after the fire chief resigned for unrelated personal reasons. The chief reimbursed the district for this amount when questioned about the unauthorized purchases on the credit card. The district paid the balance due on the account and canceled the credit card. The county prosecutor declined to criminally prosecute the case because the district had been made whole.

LESSONS LEARNED

Let us review some of the finer points of fraud detection from these general organization credit card fraud schemes.

Organizations should: 

• Establish written policies and procedures for credit card use and train their employees to ensure they use the cards only for official business purposes. 
• Always obtain purchase receipts from employees and never pay bills using only the monthly credit card statements. 
• Properly train employees and governing bodies on the authorization and approval procedures for all disbursements. 
• Appropriately segregate employee duties and periodically monitor the work of key employees to ensure its expectations are being met. 

Once fraud examiners detect fraud, they should assess what else is at risk of loss within an organization.

MORE CREDIT CARD MISUSE

In part two of this series, we will discuss the use of purchasing credit cards and travel credit cards. Stay tuned.

Regent Emeritus Joseph R. Dervaes, CFE, CIA, ACFE Fellow, is retired after more than 42 years of government service. He is the president of the ACFE's Pacific Northwest Chapter.  

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.