Minding your own business: Preventing payroll fraud with internal controls

Small businesses are particularly susceptible to payroll fraud, and they can go under as a result. Here’s a story about a controller who used many tricks in the books to rob a medical practice and some lessons on how to detect and avoid such scams.

How would you like to double your salary? No, this isn’t about some “get-rich-quick” scheme, but it’s a case of how a controller at a medical practice took to heart this dubious route to riches and used her position to perpetrate a payroll fraud scheme against her employer. Her attempts to garner a bigger paycheck ultimately failed, but her story provides important lessons for fraud examiners investigating these types of scams.

Medical practices are often susceptible to fraud because their owners — usually physicians — are focused on patient care instead of the day-to-day operations of running a business. Often, they designate someone else to manage the practice with little oversight.

In this case, a medical practice based in the U.S. state of Georgia, found itself the victim of occupational fraud when the owners learned that their controller had been embezzling funds via a payroll scheme. The controller had worked at the practice for more than three years and was earning a salary of $85,000 after having received two raises over that period. But despite those advances in her career, she’d decided to defraud the practice and had been conducting her scheme over 20 months before she was caught. The medical practice’s external CPA found discrepancies in the payroll registers compared to the total funds deducted from the bank account for payroll expenses. The practice’s outside legal counsel retained my team to investigate the controller’s theft and quantify the misappropriated funds.

Through our investigation, we discovered that the controller had misappropriated approximately $80,000. And while that might be a relatively insignificant sum to a large business, that kind of loss can devastate a small company.

Indeed, it’s those small businesses that are particularly susceptible to this type of fraud. According to the ACFE’s 2020 Report to the Nations, small organizations are twice as likely to fall victim to

payroll schemes as large businesses. (See ACFE.com/RTTN.)

A typical case of payroll fraud

In many ways, our case closely matched the results of the 2020 Report to the Nations, which analyzed 2,504 occupational fraud cases across the globe. Here are some of its findings: (1) A typical payroll fraud scheme lasts approximately 24 months and has a velocity, or median loss per month, of approximately $2,600. (2) Fraud schemes with one perpetrator result in a median loss of $90,000 over a median duration of 14 months. (3) Fraudsters who had worked at companies for five years or less caused a median loss of $50,000. (4) The accounting department is a favorite spot for an employee to carry out a scheme. It ranked second among departments most at risk for fraud. (5) Female fraudsters caused a median loss of $85,000.

Our case also resembled some of the report’s findings in the way the controller carried out her crime by altering the electronic payroll reports she generated and sent to the external accountant. According to the Report to the Nations, the top four methods that fraudsters use to conceal their crimes are: (1) creating fraudulent physical documents, (2) altering physical documents, (3) modifying electronic documents or files and (4) generating fraudulent electronic documents or files.

Creative but sloppy

Yet to a certain extent, the controller veered from the methods typically used by fraudsters to perpetrate payroll schemes, which, according to the Report to the Nations, are the creation of ghost employees, the falsification of wages and the fabrication of sales to create unearned commissions. Even so, her creativity — and her carelessness— proved to be her downfall.

Her scam worked like this: She regularly wrote herself extra paychecks, which she backed out with an “adjustment check” to net the transaction as zero on the company’s books. But this was purely an adjustment on paper. While an initial review of the payroll register would show the two transactions canceling each other out, the practice was actually disbursing the additional funds into the controller’s bank account. Over the course of the payroll cycle, the controller was paying herself two to three times her salary.

The controller compounded the loss from her scheme with an extra element. She entered negative amounts on her paycheck for her usual deductions, such as employee-paid health care premiums and state withholding, thus increasing her net pay. But she posted positive amounts in the adjustment checks, forcing the company to ultimately pay her portion of health insurance premiums and withholding amounts. By reviewing the controller’s paychecks and cross-checking those numbers with the correct deduction amounts provided by human resources, we discovered the practice had unknowingly paid more than half of her insurance premiums and several thousand dollars’ worth of withholding deductions.

And payroll fraud wasn’t the controller’s only scheme. With no oversight or controls, she was also able to submit other employees’ expense reports as her own, forcing the practice to reimburse the same set of expenses twice.

A typical expense reimbursement fraud scheme lasts approximately 24 months and has a velocity of approximately $1,400. (See ACFE.com/RTTN.) And the amount lost accelerates over time as the perpetrator gains confidence that they can evade detection. The controller exhibited the same behavior, beginning with stealing a couple of hundred dollars and ending with more than $5,000 per fraudulent reimbursement.

She only evaded detection for so long and was able to perpetrate the fraud because the practice failed to segregate duties properly. The controller had sole authority over the payroll. No one else was reconciling the payroll register to see if items such as deductions and expenses balanced with the amounts going into employees’ bank accounts and corresponded to expense reports.

In the end, it was the company’s external accountant who alerted the owners to the fraud when he discovered irregularities in the payroll reports. The controller had taken steps to conceal the fraudulent activity by manipulating the data on the exported report before she sent it to the accountant. But like many fraudsters who become comfortable with the continued success of their schemes, the controller grew sloppy. She was inconsistent in her creation of the adjustment checks, and some weeks the payroll register even showed the actual inflated amount. That in turn escalated the cost of the fraud for the practice, which had to pay higher payroll taxes for the excess pay.

The importance of interviews

Analyzing payroll reports and transaction testing were instrumental to our investigation, but interviews were also essential to cracking the case. Aside from the HR manager who gave us the correct deduction amounts for the controller, we also talked to the owners of the medical practice, employees in the accounting department, account managers of the payroll provider and the perpetrator herself. It’s important to interview as many people as possible even if you know the fraudster’s identity. We advise interviewing the suspected or known perpetrator, if possible. After two requests to interview the controller, she finally agreed to speak to us on the phone. During our interview, she lied about the extent of the fraud, contradicted the known timeline of events, underestimated the amount she’d misappropriated and withheld other information.

But in the end, she admitted to committing the fraud. By interviewing an assortment of parties, our team was better able to understand the internal controls in place at the organization and how to recommend preventive measures to help the practice avoid falling victim again to occupational fraud schemes.

Internal controls post COVID

As the case of the medical-practice controller demonstrates, lack of oversight can be just the encouragement an employee needs to commit fraud. She was, after all, solely responsible for entering the bimonthly payroll data into a third-party payroll company’s system. There were no checks on her work or any third-party reconciliation.

Fortifying internal controls is even more important now as employees continue to work from home and company leaders consider a permanent shift to remote work. The pandemic has given rise to opportunities and rationalizations for fraudulent behavior, especially for people feeling financial pressure.

Business owners must evaluate their company’s internal controls and the vulnerabilities that might exist in their systems. The absence of such internal controls — such as segregation of duties, authorizations and approvals, and verifications and reconciliations — can make a company a breeding ground for fraud as the case of the controller shows.

The importance of internal controls for small businesses

Internal controls are imperative for small businesses. As the ACFE’s 2020 Report to the Nations shows, companies with less than 100 employees are more likely to lack internal controls. (See ACFE.com/RTTN.) And individual perpetrators are more likely to take advantage of situations where no one is looking over their shoulders.

Internal controls don’t have to be a burdensome expense or a daunting task for a small business. Businesses of all sizes can reasonably implement basic accounting internal controls. Small enterprises can set up these guardrails to prevent fraud with relative ease and minimal cost:

Segregate duties so there are checks and balances in the accounting process. Limit access to accounting and information systems to those employees and management with the relevant job roles.

Regularly carry out an independent reconciliation of financial numbers. An external CPA should review and reconcile bank and credit card statements, payroll registers and expense reports.

Set up a fraud hotline. Having a fraud hotline for employees, customers, vendors and others to anonymously report fraud can be one of the most valuable anti-fraud controls a small business can have. After all, it was the external accountant who tipped off the medical-practice owners that something was amiss with their controller. As the 2020 Report to the Nations demonstrates, tips led to the detection of fraud in 43% of the cases in the survey. A small business can implement a fraud hotline through a third party, such as Fraud Hotline (fraudhl.com) for a nominal fee of $500 per year.

Natalie S. Lewis, CFE, ACFE Regent Emeritus, is a senior vice president at consulting firm J.S. Held, LLC, where she specializes in forensic accounting and the analysis of economic damages.