The finance department at a Midwest university issued 28 purchasing cards (P-cards) to the university’s IT department so it could more easily purchase electronics and technology items and deliver them to the departments IT supported. P-card use at the university was decentralized, and all supporting purchase documents were maintained in each department. Every month, the university required the cardholder to provide supporting invoices and receipts for purchases, as well as the P-card statement, to his or her direct supervisor for review and approval before submitting.
Within IT, Lisa Moore recently was promoted from supply technician to operations support manager. Soon after her promotion, Michael Graham was hired as a supply technician within the department, reporting directly to Moore. The two were friends before they became co-workers in the same office.
Campus internal audit conducted regular reviews of departmental P-card transactions, which looked for risk factors such as high-dollar and high-volume purchases. In one such audit, the auditor in charge, Heath Crocker, noted that departmental cards’ activity as stated in the monthly bill did not match the supporting receipts in several instances. When Crocker questioned the IT department about the discrepancy, it insisted that the information on the bill was not accurate. Crocker then queried the university’s P-card coordinator, who confirmed that the information on the monthly bill is sometimes not accurate. The auditor accepted this explanation and did not take additional action — nor was this information provided to the auditor’s supervisor. As a result, internal audit missed the opportunity to uncover a fraud that lasted 15 months and cost the university $292,371.
Six months after the audit, an employee noticed a transaction on his P-card that he did not make and notified his manager of the discrepancy. Management conducted an internal review, and the university hired an accounting firm to review the P-card program and evaluate the internal control environment. Information about the theft was then handed over to the State Attorney General’s Office for further investigation and action.
- Internal audit risks losing credibility when fraud activities go unnoticed. As a result, management will look to cosourced and outsourced relationships to ensure it has the resources necessary to protect the organization from fraud.
- Simply accepting that the monthly P-card statements may contain merchant errors on an ongoing basis led to a lack of detailed review and a breakdown of the approval process. Control improvements could have minimized or prevented the fraud.
- Functional oversight can identify suspicious activities. Without additional reviews from individuals not directly connected to employees, red flags may not be identified and the fraud may be allowed to continue in plain sight. In this case, the director’s “review” was not an effective internal control in detecting discrepancies.
- Standardized budget analyses of purchases coded to categories of consumable inventories can identify increases in purchases that do not have an apparent business need. This type of review was not conducted in this case.
- The use of electronic software and appropriate system access set-up could have ensured effective segregation of duties — in this case, for the initiation, approval, and reconciliation of purchases.
The investigation found that Moore and Graham were colluding to manipulate the system. They created fictitious purchase requests for merchandise in the office’s electronic purchasing tracking system. The items were generally office consumables that would not be tracked by the department’s inventory control system. Moore and Graham created false documents, including receipts and invoices for monthly P-card statement approval. They manipulated the receipts to retain the vendor’s main information while adjusting the merchandise itemizations. In addition, they created false receiving documents and logged into the software to update the false purchases as received in the tracking system.
Actual items purchased consisted of electronic/IT merchandise sourced from various vendors. Moore and Graham collected the items and resold them online. The falsified receipts sometimes listed items that were no longer available from the vendor listed on the P-card statement.
Moore’s P-card statements were reviewed by a director who provided oversight for several university departments. The director, Emily Darrough, noticed that the merchant information on the monthly P-card statements often did not reconcile with the receipts provided for support. However, Darrough was under the impression that the statements’ vendor information was often inaccurate and did not further question those discrepancies. Because Moore reviewed and approved Graham’s P-card statements, they went unquestioned.
By circumventing multiple internal controls, the employees were able to conceal the fraud for many months. Because the university had single transaction limits and monthly purchasing limits on P-cards in place, the fraudsters had to get creative. Once the monthly purchase amount on Moore’s and Graham’s cards had been reached, Moore used her influence to coerce her subordinates into giving her their P-cards to make additional, supposedly legitimate, purchases for the university. Moore also had access to the P-card numbers issued to all employees within the department. She and Graham used these numbers, without the physical P-card, to make additional purchases in their scam.
A combination of the decentralized nature of the business culture and the manual nature of the purchase review process led to the standard practice of reviewing the monthly card statements and supporting receipts/invoices just once, with document retention left to the cardholder. This placed responsibility on the single supervisory review of the card’s monthly statements. In addition, random undisclosed reviews by internal audit and other oversight functions cannot occur with this type of document retention methodology, as the documents cannot be viewed without the cardholder’s knowledge.
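The manual, single-review process described above can be backed by an automated reconciliation that treats every statement-to-receipt difference as an exception instead of a presumed merchant error. The sketch below is an added example, not a tool from the case or the university; the record layouts, names and sample values are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: names, fields and values are illustrative assumptions.
STATEMENT = [  # issuer's monthly bill: (txn_id, cardholder, merchant, amount)
    ("T1", "cardholder_a", "ELECTRONICS DEPOT", 1499.00),
    ("T2", "cardholder_a", "ELECTRONICS DEPOT", 899.50),
    ("T3", "cardholder_b", "OFFICE SUPPLY CO", 120.00),
    ("T4", "cardholder_b", "TECH WAREHOUSE", 640.00),
]
RECEIPTS = {  # cardholder-submitted support: txn_id -> (merchant, amount)
    "T1": ("OFFICE SUPPLY CO", 1499.00),
    "T2": ("Electronics  Depot", 899.50),
    "T3": ("OFFICE SUPPLY CO", 120.00),
}
WORKFLOW = {  # tracking system: txn_id -> (requested_by, received_by, approved_by)
    "T1": ("cardholder_a", "cardholder_a", "manager_m"),
    "T2": ("cardholder_a", "clerk_c", "manager_m"),
    "T3": ("cardholder_b", "clerk_c", "manager_m"),
    "T4": ("manager_m", "cardholder_b", "manager_m"),
}

def norm(name):
    """Normalize merchant names so case and spacing differences are not flagged."""
    return " ".join(name.upper().split())

def reconcile(statement, receipts):
    """Return (txn_id, cardholder, reason) for each line its receipt does not support."""
    flags = []
    for txn_id, holder, merchant, amount in statement:
        receipt = receipts.get(txn_id)
        if receipt is None:
            flags.append((txn_id, holder, "missing_receipt"))
            continue
        r_merchant, r_amount = receipt
        if norm(r_merchant) != norm(merchant):
            flags.append((txn_id, holder, "merchant_mismatch"))
        if round(r_amount * 100) != round(amount * 100):  # compare in cents
            flags.append((txn_id, holder, "amount_mismatch"))
    return flags

def sod_violations(workflow):
    """Transactions where one person holds more than one of request/receive/approve."""
    return sorted(t for t, roles in workflow.items() if len(set(roles)) < len(roles))

def exceptions_by_cardholder(flags):
    """Count exceptions per cardholder so repeat mismatches are escalated."""
    return Counter(holder for _, holder, _ in flags)

if __name__ == "__main__":
    found = reconcile(STATEMENT, RECEIPTS)
    print(found, sod_violations(WORKFLOW), exceptions_by_cardholder(found))
```

Running the checks centrally against the issuer's data feed, rather than against copies held by the cardholder, also allows the unannounced reviews that department-held paper files prevent.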
After an investigation that lasted almost two years, Moore was sentenced to 24 months to 60 months in state prison. A separate case was filed for Graham for a lesser dollar value of fraud, but, to date, he has not been sentenced. In addition, Moore was ordered to pay $292,371 in restitution to the university.