​The Cover-up

One fraudster is bad, but multiple people carrying out separate schemes can be particularly costly without appropriate controls.

Comments Views

​Detectives in New South Wales, Australia allege that a senior manager at Commonwealth Bank covered up an employee's theft so that his own fraud wouldn't be detected, The Sydney Morning Herald reports. Police say Lee Zaragoza discovered that the employee had made 107 fraudulent transactions totaling AU $64,000 ($43,980) from the bank's internal accounts in 2015 and 2016.

Rather than reporting the fraud, Zaragoza encouraged the employee to repay the money. That was because an investigation might have discovered that Zaragoza had redirected AU $463,240 ($318,327) into his own personal account over a five-year period in a separate fraud, police allege. An internal investigation by Commonwealth Bank uncovered both frauds in December, and the bank reported Zaragoza to the police.

Lessons Learned

This story highlights the negative impact when fraudsters in the same organization can coexist and multiply the financial harm caused. It also demonstrates the need for organizations to regularly audit their internal controls over cash disbursements as well as human resource controls.

Cash disbursement schemes can be difficult to detect, even when the organization has traditional segregation of duties controls in place in the cash disbursement process and performs monthly reconciliations. A recurring theme in many of these schemes is inappropriate payments to fictitious or disguised recipients. 

In some cases, all fraudsters need to do is create a duplicate name in the listing of regular recipients of legitimate disbursements that is similar to a legitimate one. For example, the name may be misspelled with extra letters or add "Inc." or "Co." to the name. Other methods to perpetrate this kind of fraud include altering payment processing data such as account and wire routing numbers. 

Here are some of the basic strategies organizations need in place:

  • Regularly review and verify the listing of disbursements. When was the last time someone not directly involved in the cash disbursements process reviewed the listing of transactions to look for unusual items? If the organization is not conducting this review at least semi-annually, it may be leaving the door open for fraud or errors to occur. 

    This review may be time-consuming at first. However, subsequent reviews should be shorter once the initial clean-up has occurred and the reviewer has become familiar with the names and types of legitimate recipients. 

    Internal auditors should examine the listing with names, addresses, and any other identifying information as well as the history of invoices and payment amounts made to each over a specified period. Auditors should look for multiple recipients with similar names but with slight variations, multiple payments of the same invoice number or same dollar amount, and unfamiliar recipient names that cannot be found in an internet search.

    In addition, auditors should seek out addresses that appear to be personal home addresses and employees with significant payment activity outside the usual approved expense reimbursements. Reviewers should contact suspicious recipients — or at least a sample of them — to confirm their validity.
  • Review the transaction approval limit controls. In the story, the bank manager allegedly stole almost AU$500,000 in 90 transactions between 2013 and 2018, averaging about AU $5,000 per theft. If he was doing this on his own authority, that kind of delegation of power should be reviewed. A second level of required approval, coupled with a lower dollar authority limit, even if temporary, might help to deter and detect this kind of fraud.
  • Review listing controls over disbursements. Who has access to make changes in the vendor listing? Is there an approval process for making changes to the system? 

    The person updating the listing should be different from the person who inputs the payments to be made. Before adding new recipients to the listing, particularly recurring ones, someone outside of the payments area, such as management, should review them. If the accounting system has reporting capability, the report of monthly additions and edits to the list should be reviewed.
  • Review the electronic payments process. Although this story does not detail how the two Commonwealth Bank employees allegedly stole funds, the electronic payments process would be a likely target for them to exploit. That is why appropriate segregation of duties in the electronic payments process is essential to restrict last-minute or unusual changes to redirect disbursement funds. 

    Internal auditors should walk through the electronic payment process and examine whether the person who enters the data is different from the person who approves it before submission. Additionally, the organization should implement a feature that automatically generates an email after each payment showing the amount and recipient. The email should go to someone in management, central accounting, or internal audit who is not involved in generating electronic payments.
  • Review and strengthen human resource controls over employee background checks and job transfers. Regular background checks and updates can help uncover lifestyle changes due to fraudulent activity. Requiring employees to routinely transfer out of areas that handle large financial transactions after a minimum number of years also can help prevent temptation, if not motivation, for fraud.
Art Stewart
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Art StewartArt Stewart<p>​Art Stewart is an independent management consultant with more than 35 years of experience in internal audit, financial management, performance measurement, governance, and strategic policy planning.​​​</p>https://iaonline.theiia.org/authors/Pages/Art-Stewart.aspx


Comment on this article

comments powered by Disqus
  • AuditBoard-February-2021-Premium-1
  • GAM-February-2021-Premium-2
  • ACGI-February-2021-Premium-3



Thanks, We Already Know Thathttps://iaonline.theiia.org/blogs/jacka/2020/Pages/Thanks-We-Already-Know-That.aspxThanks, We Already Know That
Six Data Privacy Predictions for 2020https://iaonline.theiia.org/blogs/Jim-Pelletier/2020/Pages/Six-Data-Privacy-Predictions-for-2020.aspxSix Data Privacy Predictions for 2020
Public Servants Are Vital to Defeating COVID-19https://iaonline.theiia.org/blogs/chambers/2020/Pages/Public-Servants-Are-Vital-to-Defeating-COVID-19.aspxPublic Servants Are Vital to Defeating COVID-19
Are We Ready to Move Beyond COVID-19 Risks?https://iaonline.theiia.org/blogs/chambers/2020/Pages/Are-We-Ready-to-Move-Beyond-COVID-19-Risks.aspxAre We Ready to Move Beyond COVID-19 Risks?