Phoning it in: Employee phone fraud and abuse

Using the organization's phone for personal benefit is a simple asset misappropriation and a type of fictitious expense scheme. In the ACFE's Fraud Tree, the crime is a subset of fraudulent disbursements, which is a subset of cash schemes. At the end of the month, an entity's phone statement may include both official business charges and personal charges. If managers don't detect the personal charges, obviously the entity unknowingly will pay them and sustain a loss. Phone fraud and abuse occurs when an entity hasn't established appropriate policies and procedures to deter it, to detect it in a timely manner and to stop it before paying phone bills.

INTERNAL CONTROLS FOR PHONES

The entity should establish formal written policies and procedures for phone use and conduct training to advise employees about its expectations. Here are some key elements of these policies and procedures:

1. In Washington state agencies, employees may not use their official business phones or their state-owned cellular phones to make personal long-distance phone calls even if they subsequently reimburse their agencies for such use. Entities that use zero tolerance procedures should understand that invariably some employees will use phones for personal use, such as emergency family matters. So, entities must regularly monitor monthly phone statements for any inappropriate employee long-distance charges when they receive them. 
2. Once an entity identifies personal phone calls, it should seek reimbursement from the individual. It should also take appropriate personnel actions for this abuse, possibly ranging from a simple reprimand to termination of employment and/or prosecution for continuing or serious abuses. 
3. Employees normally do their best to refrain from using official business phones for personal purposes to avoid the possible negative effects from these strict phone control systems. Also, they almost always purchase personal cellphones that they may use for both personal and official business purposes.
4. Under these procedures, employees submit their personal cellphone statements to their supervisors at the end of each month to obtain reimbursement for any official business phone use.

Entities usually don't maintain records for local calls made on business landline phone systems, so it's not possible for them to identify employee's local calls. Entities should expect some employee use of local phone calls for personal purposes, such as child-care inquiries, doctor's appointments, repair status on automobiles, etc. However, some employees abuse this privilege and even try to manage personal businesses using the office landline phone system.

Employees usually report their fellow employees' call abuses to supervisors. The minimal cost of the local phone calls doesn't normally annoy honest employees. Rather, it's the amount of work-related time these individuals lose from constant incoming and outgoing calls and interruptions. In serious cases, the offending employees' actions may negatively affect their job performances and result in the entities taking adverse personnel actions against them.

Entity policies and procedures should prohibit employees making personal phone calls and accepting collect phone calls in any official business long-distance phone system. The entity should also take appropriate actions to block employee access to out-of-state and international calling applications except when this would be expected for the individual, such as those in key executive positions.

All employees don't need this type of access to perform their work. Leaving this option active and accessible to everyone on the phone system is simply an open invitation for employee abuse.

Case No. 1: Over-the-border collect long-distance phone calls
An unidentified employee accepted collect long-distance phone calls from Mexico to the state of Washington totaling $1,828 for two years. The agency didn't adequately monitor its monthly phone statements to promptly detect this irregular condition. There was no fixed responsibility for these losses.

Employees should appropriately safeguard their access codes to any agency-controlled long-distance phone system to preclude unauthorized use by others (either inside or outside the entity).

Cases No. 2, 3 and 4: 
Safeguarding phone access codes
Entity policies and procedures should ensure only one individual is allowed to use each specific phone access code. Otherwise, it may not be possible to know who's responsible for any unauthorized phone calls. The following three cases illustrate this:

• All 16 employees in one department of a state university used a single access code on the state-controlled long-distance phone system. The university didn't adequately monitor monthly phone statements. Thus, one or more unknown employees made unauthorized personal long-distance phone calls totaling $40,510 for six months. There was no fixed responsibility for these losses.
• A former employee of a state university used a fellow worker's access code to make personal phone calls with charges totaling $40,000 for three years on the state-controlled long-distance phone system. The university didn't adequately monitor monthly phone statements. The suspect individual left the state and couldn't be located. The university didn't prosecute. 
• A temporary security guard at a community college used a fellow worker's access code to make personal phone calls for one year for charges totaling $14,621 on the state-controlled, long-distance phone system. The college didn't adequately monitor monthly phone statements. The unauthorized phone calls originated in Florida, New York and Canada. The employee was terminated for sharing their phone access code with family and friends. The college didn't prosecute.

Case No. 5: Governing body abuses phones
During a routine two-year audit of a very small fire district, the external auditor determined that members of the governing body purchased a total of five cellphones for their relatives and friends. The district had no paid employees, only volunteers. The governing body obviously didn't understand that phones were to be used only for official public business.

The unauthorized charges for these five cellphones amounted to $3,147 in two years. The governing body discontinued all of these cellphones and required the individuals to reimburse the district. This case wasn't prosecuted because the individuals had reimbursed the district for all unauthorized cellphone charges.

The entity, after receiving long-distance cellphone statements, should distribute them to employees for verification.

Employees should:

• Review all monthly cellphone statements promptly.
• Certify that all cellphone charges shown on statements were for official business purposes or identify any personal charges for reimbursement.
• Return the statements to their supervisors for verification. 

Managers should also review cellphone statements to identify any unusual activity such as calls made before or after normal duty hours when the calls wouldn't be part of employees' jobs.

Case No. 6: Employee phone monitoring
An employee who was monitoring cellphone use in a state agency noticed that an employee's charges for a three-month period far exceeded the entity's expectations for both duration and amount. The employee's supervisor called the three cellphone numbers most frequently listed on the employee's monthly statement and verified they weren't for official business purposes. The supervisor also determined that all calls made during weekends and before and after the employee's normal working hours were for personal purposes.

As required by state law, the agency reported this abuse to its external auditor. A subsequent audit determined that one employee made personal calls totaling $1,035 for seven months. The employee wasn't totally cooperative when asked to identify the called personal phone numbers, refused to make restitution to the agency and was disciplined. The county prosecutor declined to prosecute this case citing other more serious and priority cases.

At the end of each monthly billing cycle, the entity's phone statement should be properly supported by all of the certified employee statements.

What happens when phone fraud and abuse occurs?

In my experience, governing bodies and key leaders of government entities have been reluctant to take strong disciplinary actions against employees when they detect unauthorized employee local and long-distance phone abuse.

Perhaps they somehow feel guilty about the situation because they didn't make this area a priority by establishing formal written policies and procedures to protect employees and their resources.

Rather than make an example of an employee for serious phone abuse — such as by disciplining them and publicizing the case facts in an entity newsletter or other internal publication — they simply require restitution from the employee and then add a clause in the formal written policies and procedures to help them deal with future similar situations. Entities don't usually refer such cases for prosecution unless the loss is significant.

In the above cases, you see what happens when an entity hasn't deterred phone fraud and abuse cases. A far better remedy is to ensure your entity has established formal written policies and procedures for employee phone use and a strong monitoring system to deal with any unauthorized use. The old cliché works: an ounce of prevention is worth a pound of cure.

LESSONS LEARNED

Let's review some of the finer points of fraud detection that we've learned 𠊏rom this discussion of employee phone fraud and abuse:

• Entities should establish formal written policies and procedures for phone use and conduct employee training to advise employees about their expectations. 
• Personal phone calls and accepting collect phone calls should be prohibited in the long-distance phone system of any entity.
• Entities should block employees' access to out-of-state and international calling applications, except when this use would be expected for the individual, such as those in key executive positions.
• Employees should safeguard their access codes to any agency-controlled, long-distance phone system to preclude any unauthorized use by others.
• Governing bodies should approve use of all cellphones within entities and monitor them for appropriate use.
• Entities should distribute monthly long-distance phone statements to employees for verification purposes.

EDUCATIONAL FRAUD AND ABUSE

The next series will cover fraud and abuse in educational classes designed to teach trade skills to students in high schools, colleges and universities. When things go wrong, no one is monitoring the operations to determine if the entity's expectations were being met. We'll explore what goes wrong and why.

Regent Emeritus Joseph R. Dervaes, CFE, CIA, ACFE Fellow, is retired after more than 42 years of government service. He's president emeritus of the ACFE's Pacific Northwest Chapter. 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.