Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

The Double Dipper

​An employee tip uncovers a multimillion-dollar travel and expense scam.

Comments Views

​Robert Shull and Alysa Cayden, the forensic audit team at Midnight Sun Inc. (MSI), sat with Justin Planter, a regional sales manager at the solar power company, as he rolled his eyes and made condescending faces. MSI’s procurement department forwarded Planter’s travel and expense (T&E) reports to Cathy Francis, the human resources manager, after an employee noted that spending was not consistent with the company’s T&E policy. Francis reviewed the reports and was concerned that there was a greater pattern of abuse, so she requested that Shull and Cayden examine his T&E reports.

Sitting next to Planter was his boss, Thomas Cooper, a veteran regional manager with more than 25 years of experience with MSI. During the interview, Planter admitted to purchasing a personal cell phone using his company credit card. In addition, he frequently used the card for alleged business meetings at establishments that bordered on adult entertainment. Much to his surprise, Planter’s employment was subsequently terminated.

After the interview, Shull and Cayden felt something was amiss. Cooper approved all of Planter’s T&E reports but was not suspicious of any of his spending. Also, they noticed that Cooper’s statements were inconsistent, requiring him to revise them on several occasions.

After his firing, Planter contacted MSI’s CEO, James Spicolli, and explained how Cooper allowed his management team members to use their corporate credit cards to dine out, make personal purchases, and charge mileage for business travel despite being reimbursed through another program. Planter also claimed that Cooper attended many of the dinners and instructed him to pay the bill so that he could approve the expenditure, thus avoiding the scrutiny of Cooper’s manager. He also alleged that Cooper coached him before the interview on what to say and promised that there would be no significant disciplinary action.

To review Planter’s allegations, Shull and Cayden obtained all T&E reports for Cooper and his management team. Data analytics compared the company policy against spending. One area of focus was cash reimbursements for expenses below $25, the minimum amount requiring receipts to be submitted.

The results were shocking. Cooper’s team members used their corporate credit cards for expenses well outside the T&E policy. Furthermore, Cooper approved every expense report submitted to him. They found numerous abuses of travel expenses:

  • Managers split expenses to stay below the $25 internal control threshold. In one instance, two managers split unknown expenses at a liquor store.
  • One manager submitted for cash reimbursement for client meetings over lunch or dinner for $24.99 every other day for more than two years.
  • Multiple holiday parties and team meetings were reimbursed, including a substantial liquor bill at each.
  • Team members expensed mileage reimbursement twice.

Shull and Cayden put together detailed profiles on Cooper and each manager, including their expense reports, supporting invoices, and the section of the T&E policy they violated. Additional evidence gathered during interviews resulted in the termination of Cooper and several other managers. Cooper justified the expenditures by explaining he was under budget for T&E expenses on his annual profit and loss statement.

Shull and Cayden then embarked on a companywide T&E audit. They obtained six months of data from MSI’s online T&E reporting program. The program allowed employees to book transportation and lodging, code expenditures by spending category, and submit expense reports for approval. Deviations from policy were flagged for the employee’s manager to review before approving the expense report.

Shull and Cayden organized and ranked all spending by employee and spending category. Their team selected T&E reports for detailed testing for the most egregious spending by category based on total spending and frequency of policy violation. Text analysis on words such as “gift card,” “baby shower,” and “party” identified miscoded or out-of-policy expenditures. They selected samples, reviewed receipts attached to the expense reports, and documented all policy violations. Finally, the investigation team interviewed the employees who submitted the expense reports. Policy violations included:

  • A lack of review by managers of exceptions identified by the T&E program, which flagged millions of dollars of expenditures that were outside policy.
  • Abuse of cellphone reimbursement.
  • Abuse of meal reimbursement, first-class travel, and hotel lodgings.
  • Cash reimbursement where no invoice was submitted to support the expense.
  • Personal spending at online retailers.
  • Spending and funds transfers through money service providers, such as PayPal and Venmo, which have limited audit trails.
  • Purchases of gift cards.
  • Numerous spending violations in Las Vegas, including front row seats to shows and $1,000 dinners at four-star restaurants.

Individual violations included:

  • An employee transfered $7,000 from his corporate credit card to his personal business through a money service provider.
  • Employees shared their credit cards with one another when they reached their card limits.
  • A manager sponsored a “kids” event at a local bar.
  • A manager purchased gifts for his secretary at a popular women’s lingerie company.

After the investigation, MSI invested in T&E audit software to review all reports in real time. When the software identifies T&E reports with excessive policy violations, the procurement department rejects them. In extreme cases, procurement forwards them to the forensic audit team. In addition, MSI started blocking spending on company credit cards by merchant category codes, which classify businesses by the products or services they provide. The T&E policy was updated to eliminate the use of money service providers.

In most cases of fraud, the employee was terminated. Employees who violated the T&E policy were reprimanded, and demand notices for repayment were sent to employees whose misdeeds were discovered after they left MSI. After one year, T&E spending was reduced by more than $5 million. 


​Lessons Learned

  • Periodically conduct a T&E audit to ensure employees are in compliance with the T&E policy. Review and update the T&E policy and educate employees as part of annual code of conduct training. Low-cost software can review all T&E reports in real time.
  • Management should review subordinates’ T&E assumptions during its annual budgeting period. In MSI’s investigation, a management team used the T&E budget as a slush fund for personal spending and out-of-policy entertainment.
  • T&E policies should not allow for the use of money service providers (e.g., PayPal). These providers allow for the purchase of goods and services or the transfer of funds for personal use. They also have limited audit trails, which enhances the risk of fraud.
  • The organization should block merchant category codes on corporate T&E cards for goods and services that would not be appropriate for its business or allowable under its T&E policy.

Grant Wahlstrom
Anisa Chowdhury
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Authors

 

 

Grant WahlstromGrant Wahlstrom<p><span><span>Grant Wahlstrom, CIA, CPA, CFE, is the forensic audit manager at a privately held company in Hollywood, Fla. </span></span>​</p>https://iaonline.theiia.org/authors/Pages/Grant-Wahlstrom.aspx

 

 

Anisa ChowdhuryAnisa Chowdhury<p>Anisa Chowdhury, CPA, CA, is a senior forensic auditor at a security company in South Florida.​</p>https://iaonline.theiia.org/authors/Pages/Anisa-Chowdhury.aspx

 

Comment on this article

comments powered by Disqus
  • Galvanize-September-2020-Premium-1
  • Auditboard-September-2020-Premium-3