In early 2020, Lauren George was promoted to director of internal audit at the Pier Ten Group, a management company for a hotel chain in Southern California. George was interested in innovation and had training in robotic process automation, which she was eager to bring to her new role to increase productivity and expand risk coverage.
Before her promotion, Pier Ten’s internal audit department typically performed smaller audits using manual processes. George’s first goal as director was to improve coverage without increasing staffing. She started by adapting a pre-built reconciliation bot to compare expenses to receipts and reperform all bank reconciliations starting with the company’s San Diego property.
The expense reimbursement bot was simple. Receipts were already stored in a shared folder by date and titled by date and dollar amount. The bot downloaded expenses for the year into one Excel file. It then went into the receipts folder and copied the date, description, and amount for the expense into the same file. Finally, the bot sorted the expenses by date and amount and flagged any unsupported expenses and receipts not matching an expense.
Before she reviewed the flagged items, George manually checked a sample of matched items to confirm the bot was working correctly. In the first pass, it identified 22 mismatches where expenses matched but the date on the receipt was off by a day. To be certain, she reviewed some of the receipts to make sure they matched the descriptions. The bot also flagged 12 expenses for $500 without receipts totaling $6,000. George thought the bot wasn’t picking up the receipts until she saw there were no receipts in the folders, just a blank sheet titled by day and dollar amount.
When George pulled the expense reports filed for each of these, she identified three commonalities: The receipts were missing, the description on the expense report was labeled “business expense reimbursement,” and the reimbursements were made to Skip Townes, the hotel controller.
The reconciliation bot was deployed next. It was pre-built, but required some modifications to make certain it was accessing the bank systems to retrieve bank account and credit card information. It also downloaded information into Excel and compared dates and amounts and flagged items that did not match. The results were messier than the expense reimbursement bot. Although many items matched, several items remained unreconciled.
George pulled the monthly reconciliations and started comparing line items with the bot’s reconciliation. She identified better rules that would help the bot perform more effectively next time, including pulling different reports to help reconcile some items. After her review, she was left with 12 credit card overpayments totaling $87,321.53.
Satisfied with a successful first pass, George documented her results and met with Walter Banning, the property manager, and Townes. To her surprise, Banning and Townes did not share her enthusiasm about the bot’s performance. George’s questions about the undocumented receipts and credit card payments were met with challenges about the technology. When she showed the source documents supporting the outstanding questions, both men expressed concern and insisted they would investigate and get back to her.
George suspected she was being stalled after weeks passed with no answers. The questions she asked could easily be answered with a little digging, so she contacted Wilson Kon, the audit committee chair, for guidance. George explained to Kon how the bots reperformed manual repetitive tasks, just like having an audit staff member who did exactly what he or she was told over and over. The work still needs to be reviewed and source documents pulled to investigate, but the observations are validated just like any other audit. Convinced by George’s explanation, Kon encouraged her to expand her review of the property’s financial processes, and assured her that Banning and Townes would provide her answers.
The next day, George met with Banning and Townes to discuss the observations. Both men were on edge and kept changing their answers. According to Banning, it was an IT issue that they were exploring. When George asked them to explain, they could not. Townes suggested it was a performance issue with the employee performing the reimbursements and reconciliation. George pointed out that Townes approved the reconciliation and Banning approved the expense reimbursement. She followed by asking why they did not flag these issues in their review. Banning went back to blaming the issues on the bot. George again left the meeting with no answers.
George first called Kon with an update and then the district manager and human resources (HR). With their support, she expanded her review to all financials for a month and went directly to the staff member performing the reconciliations. Several flagged items appeared, which were validated. The hotel accountant quickly identified the flagged items as bonus checks, reimbursements for Banning’s credit card, and car allowances for Townes. Surprised and curious, George dug in deeper.
She discovered that shortly after Banning was promoted to property manager, the corporate office cut the bonus program. He felt this was unfair and that he should be compensated for the success of his property, so he instituted his own bonus program. With the help of Townes, Banning found various ways to issue the bonuses, including a $500 monthly reimbursement to the controller to keep quiet about the bonuses. An expanded review found that the expenses for $87,321.53 were payments to Banning’s personal credit card company, and that extra manual payroll checks were issued to the controller, front desk manager, and housekeeping manager. In total, George identified nearly $485,000 in unsupported and suspicious payments, payroll checks, and reimbursements spanning three years.
George turned over her results to HR and local authorities. Pier Ten terminated Banning and Townes and brought charges against them. They claimed that the bonus program was sanctioned by the corporate office through a handshake deal.
- Robotic process automation (RPA) is a useful tool for enhancing internal audit capabilities. Simple and quick bots can immediately enhance department productivity when applied to repetitive processes relying on digitized data and tasks.
- Fraud risk always exists, but internal audit must balance risk and resources. Deploying RPA can significantly lower the cost of certain fraud detection procedures. These procedures would mitigate many difficult-to-close internal control gaps in small- and medium-size companies. Initially, this could lead to fraud detection, but over time, these inexpensive procedures would become preventative.
- When developing bots for audit work, internal audit should consider passing them off to the business units. Reconciliation bots make useful audit tools, but once hardened, they are capable of performing the regular control function, providing additional value and capacity to the business departments. Just like analytics, later reviews can include regularly testing the bot’s performance and, when convinced, relying on the bot’s results.