Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​The Slice and Dice Fraud

A routine tax audit uncovers a $1 million theft by a former employee with a criminal past.

Comments Views

​Hanzo Enterprises was a global operation that produced fine cutlery for sophisticated consumers. While assisting government authorities during a routine tax audit, the Asia-Pacific controller, Jane O'Ren, discovered that company policies on the retention of support documentation for invoices was not being followed and details behind these invoices were raising red flags. O'Ren soon determined that the exceptions were related to invoices processed by the Okinawa location controller, Bill Tripp. However, Tripp had left the company during a downsizing process more than a year earlier.

O'Ren reached out to Tripp via email to ask about the invoices in question. Tripp responded almost immediately, apologized, and indicated he would take care of it. He later sent a payment of $10,000. During the intervening time, O'Ren felt a knot forming in the pit of her stomach and reached out to Hanzo's chief financial officer, Brad Gates, about what she'd found. Gates listened and determined legal and internal audit needed to be contacted. Beatrix Hales, Hanzo's new chief audit executive (CAE), was subsequently asked to meet with corporate counsel to discuss the situation.

​Lessons Learned
  • Hanzo Enterprises didn’t perform a fraud risk assessment, relying instead on its enterprise risk assessment, which allowed potential red-flag situations to go unaddressed.
  • Internal audit was structured to focus on Sarbanes-Oxley compliance, allowing attention to nonmaterial operations to slip. In essence, the third line of defense had governance failures.
  • Budget analyses were not performed at an appropriate level of detail to note excessive spending around renovations that were taking place at the subsidiary during Tripp’s tenure, and to question such.
  • Tripp’s fraudulent activity could have been detected earlier, or even prevented, if the review controls, such as invoice reviews, in place were executed appropriately.
  • Controls that were missing at the Okinawa location, including secondary review, segregation of duties, and exception reporting, were validated or implemented at all locations that were previously included within the scope of Sarbanes-Oxley controls testing.
  • Hanzo’s detective controls over third-party service providers, such as its third-party payroll provider, did not include validation of transmitted files by an individual independent of the process, so Tripp was able to easily manipulate the system.
  • Detective controls also were not in place to ensure the approved payment register tied — in vendor name and payment amount — to the actual bank payment register, allowing Tripp to alter payment amounts and create vendors.
  • Due diligence efforts during the hiring process were insufficient given the importance of the controller position and its breadth of responsibility. Because Hanzo Enterprises did not conduct due diligence during the new-hire process, it didn’t know that Tripp was a career criminal. Japan had strict privacy guidelines, but there were ways to ask the right questions to validate a candidate’s responses with governing agencies and that was not done. Had Hanzo followed through and confirmed the candidate’s background, it would have learned of Tripp’s past.

After the meeting, a course of action was determined. The invoices at the Okinawa office needed to be reviewed for anomalies, discrepancies, support, and payment trails. Okinawa was a small operation and had not been included within the scope of U.S. Sarbanes-Oxley Act of 2002 controls testing. In fact, internal audit's focus had been primarily Sarbanes-Oxley testing at larger, in-scope locations, so it had not covered small operations globally.

The chief financial officer, internal audit, and corporate counsel selected a third-party firm based on language skills necessary to review and translate documents. Hales made sure the external auditors were kept informed of the progress of the review as the discovery was close to the completion of the company's quarterly financials.

The review started with invoices from the Okinawa operation to ensure issues weren't prevalent in other locations. The invoice review soon spread to human resources (HR) and payroll once it revealed that Tripp had wide control on that side of the operation, as well. The scope of the issues grew exponentially as the review proceeded, but internal audit and the third-party team were able to determine the issues were confined to the Okinawa operation.

The fraud review identified numerous control deficiencies that allowed Tripp to carry out different methods of theft. In the small operation, Tripp was the only person in charge of financial operations and HR. As such, he took advantage of his position in several ways.

As the Okinawa controller, Tripp was the only approver of invoices. The biweekly check run was sent as a file with supporting invoices to O'Ren for approval. Invoice review was not done at a level of precision to detect anomalies or even glaring fraudulent activity. Some paid invoices were for items Tripp purchased for his personal property or services provided.

Once the check run was approved, Tripp would log into the online bank account and change payment recipients. In many cases, payments were being sent to Tripp's credit card companies. He also easily created false vendors by editing the vendor master list. He was able to do both of these things without a requirement of secondary review.

Tripp also was in charge of the third-party payroll service interface and added extra funding to the file to get additional pay or expenses reimbursed without the requirement of secondary review. Lastly, he manipulated the funds sent to the company's pension administrator by convincing her to not only return erroneous overpayments, but to return them to an account different than the source — his own personal account.

The fraud review determined that over two years, Tripp stole more than $1 million. The efforts made by Hales to keep the audit committee and external auditors informed via status calls and check-ins kept worries at a minimum during the six-week investigation, and the interaction between legal and external audit helped build cooperation and coordination. Legal found that Hanzo's insurance policy had provisions for loss due to fraud, so the company was able to file a claim for most of the losses.

Oddly, Tripp cooperated during the fraud review, answering questions and admitting guilt whenever presented with proof. Authorities arrested Tripp and his wife, who also had a criminal past, and confiscated cash, property, and vehicles.

Michael McShea
Jeffrey Sardelli
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Authors

 

 

Michael McSheaMichael McShea<p>Michael McShea, CIA, is director of internal audit and enterprise risk at KPMG in Boston.​</p>https://iaonline.theiia.org/authors/Pages/Michael-McShea.aspx

 

 

 

Comment on this article

comments powered by Disqus
  • Gleim_Oct2018_Premium 1
  • IIA CERT CIA_Oct2018_PRemium 2
  • IIA CIALS_Oct2018_Premium 3