Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​Municipal Misappropriation

By exploiting legacy system knowledge, a key finance employee siphons county funds to his personal account.

Comments Views

X​avier County billed its residents monthly for their utility use through its finance division using in-house legacy software, which was not up to the rigors of modern billing and reconciliation processes. Unfortunately, the county had a “We have always done it this way” mindset, so there were no plans to upgrade the system. The county was collecting an average of $1.3 million each month in accounts receivables for the utility, cranking out manual receipts upon request and patching the system as needed to limp along to the next billing cycle.

The IT employee who set up the legacy platform and managed it for decades had retired, and back-of-the-house adjustments were much more difficult to achieve without his institutional knowledge. When new executive management at the county requested additional reporting from the system and management personnel asked to supplement controls, they were told that the software could not produce the reports they were asking for nor could they implement the additional controls requested. At this point, the internal audit department became aware of the software’s reporting constraints and initiated a soft-monitoring project regarding the internal controls of the billing and payment process. 

Because the software was incompatible with modern online processes, certain account activities could not be completed online. Instead, customers were encouraged to call the division with account concerns and other matters. The customer service line was shared by several employees in the finance division who were involved in the billing and payment process. The employees would take customer calls and process payments and adjustments within the system, as needed. Financial and county management accepted this diversity of personnel providing customer contact as a satisfactory level of segregation of duties. A few functions, however, were handled by Jeff Neeley, the most senior staff member in the division, who was familiar with the legacy software and the most effective at resolving those requests. 

The division needed institutional knowledge so much that many weekends, when customer needs were high, he would come into the office and process those payments needing adjustment. It was during this time, without supervisory oversight, that Neeley conducted inappropriate transactions, feeling empowered by the lack of physical management review. 

The fraud, itself, included a few adjustments to the financial software and a bit of manual tracking. When a customer paid using a credit card over the phone with Neeley, he would tally the payment amount in a workbook on his desktop computer. During month-end close-out procedures, he would take the running tally amount in the workbook, create a journal entry, and move that amount from accounts receivable revenues to accounts payable. This entry was processed within the financial system without additional review as Neeley had both a staff-level login and a supervisory-level login, presumably to perform different roles for different duties, as assigned. A phony invoice was then created for a fictitious vendor and included in the backup documentation for that journal entry. The fictitious services amounted to the total of all individual accounts that were manipulated during the month. The vendor was paid via the standard accounts payable process within the county. The vendor verification process had been completed by Neeley many years before.

Through multiple inquiries during performance audits throughout the organization, internal audit identified a weakened internal control structure due to the level of trust within the county. Internal audit discussed the risks multiple times with executive management, with no change. In fact, when internal auditors cautioned against this untested trust, they were told it was important not to upset employees because they were still skeptical of the county after layoffs during the Great Recession. Those who remained were territorial regarding their responsibilities and did not see the value of cross-training. 

The utility’s legacy system led to the practice of a few key employees handling adjustments every time one was needed. The work became so specialized that certain customer account adjustments were put on hold until Neeley returned to work. It wasn’t until he was out on unscheduled medical leave that another person within the department had to handle his transactions for waiting customers. That’s when personnel noticed unusual adjustments within the system. 

Adjustments within the monthly journal were paid via the accounts payable process to a fictitious service vendor account Neeley set up many years before that appeared to be a legitimate cost of service as payment lockbox service fees. This service fee was one of two that the county paid — because the fee amounts were consistent, without material variances, and of a nominal amount, no one thought to ask why there were two separate payments for the lockbox service fee. 

Once the fraud was identified, internal audit asked the employees who reviewed Neeley’s summary reports why the fictitious vendor account wasn’t flagged or reviewed further. They explained that it did not receive any attention because the fee was nominal considering the large amounts that were being processed monthly. The fraud investigation determined that those nominal fees siphoned to Neeley’s personal account added up to nearly $91,000 and, because the system did not retain records more than 10 years back, the true dollar amount lost by the county was estimated to be greater.

The department was informed of the suspected fraud, and a vendor service company conducted a financial investigation. Still out on medical leave, Neeley hastily completed retirement paperwork with human resources and did not return to work. The investigation resulted in multiple recommendations that brought the division back up to an appropriate level of internal control. The county later submitted the case to the local district attorney’s office for prosecution, which is currently in process.

The impact to the county was perhaps greater than the monetary loss of the fraud. It became a local media topic, drawing many concerned citizens to the county’s public meetings to voice their disproval of the situation and the county. The level of trust in the community has been eroded and it will take time to mend. 

Lessons Learned

  • Internal controls should be respected in all organizational cultures. Creating a baseline for oversight and applying management reviews consistently for all employees is recommended. 
  • Key employees are great additions to organizations and are often the most trusted employees. They can provide institutional knowledge that can compel fact-driven decision-making. However, trust is not an internal control and all employees require oversight. 
  • Succession planning and work-task rotations could have been key in preventing the fraud from occurring at the level it did. 
  • By not requiring Neeley to attend staff training and enabling special working conditions, management created an environment where the employee felt outside of the system and its authority.  
  • Physical security of a work area is important to instill a sense of oversight and supervisory review for employees. Working outside of normal business hours is not recommended.
  • Segregation of duties within the financial system is key to ensuring appropriate reviews. If one employee has two separate logins for staff transactions and supervisory/review transactions, this built-in internal control is no longer effective.

Emily E. Kidd
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author

 

 

Emily E. KiddEmily E. Kidd<p>​Emily E. Kidd, CIA, CGAP, is director of internal audit at the City of Reno, Nev.</p>https://iaonline.theiia.org/authors/Pages/Emily-E.-Kidd.aspx

 

Comment on this article

comments powered by Disqus
  • AuditBoard_Dec 2091_Premium 1
  • IIA CIA_Dec 2019_Premium 2
  • IIA AEC_Dec 2019_Premium 3