Home > Articles

  • Print
  • + Share This
This chapter is from the book

1.4. Employee Fraud Schemes

The Association of Certified Fraud Examiners conducted a substantial study to classify occupational fraud cases. The recent edition published in 2010 presented updated descriptive statistics on the occurrence, damages, and so on of occupational fraud. The schemes discussed in this section are the common schemes reported in that study. Further details on the schemes and methods of prevention and detection are available on ACFE’s publication.6 The following sections present a brief description of the common fraud schemes and ways to detect and deter them.


Organizations that engage in cash transactions are vulnerable to skimming by their employees. Skimming involves theft of cash, generated usually from sales, prior to its entry into the accounting records. Skimming is a relatively common occurrence in professional practices where fees are collected in cash. The cashier responsible for collection might pocket the cash and not enter the transaction into the accounting records or subsequently delete those records after being entered into the system. Medical practices are particularly vulnerable to this type of fraud, as small amounts of copayments are collected in cash, and the patients are not that particular about obtaining receipts as there isn’t an opportunity for a refund. Instituting proper internal control systems that mandate giving receipts to the customers or installing surveillance equipment can mitigate the risk of fraud caused by skimming.

Even for retailers that sell merchandise for cash, theft through skimming is quite prevalent. In some cases, the employees keep the store open beyond regular business hours and pocket the sales made at those times instead of properly recording the sales in the accounting records. For merchandising companies, because a sale involves the exchange of goods, skimming results in inventory shrinkage. That is, there is reduction in inventory totals without corresponding sales. In these instances, a pattern of inventory shrinkage is generated.

Another type of business that is vulnerable to skimming is off-location rental services, in which the on-site manager usually has much autonomy. The manager may rent out property for cash without making the necessary accounting entry or without reporting the rental revenue to the organization. Random on-site inspections and correlating maintenance expenses with rental revenue are two approaches to ensure early detection of such schemes. The statistical technique of correlation, developed in a subsequent chapter, can be applied to identify the pattern between rental revenue and maintenance costs. The application of this procedure enables the identification of locations that are anomalous and perhaps need to be visited.

Lapping or Fraudulent Write-offs

Another common form of skimming is undertaken by mail room employees who are responsible for receiving payments and can therefore skim the checks received. That is, instead of depositing the checks in the company account and logging the payment into the accounting system, the employees would deposit checks into their accounts and steal the funds. This kind of scheme requires a cover-up or falsification of records. Without a cover-up the scheme is unraveled quickly when the company sends a second bill and the customer furnishes a cancelled check as proof of payment. Hence perpetrators of such crimes also need to conceal the theft of the checks. Two common ways to conceal the theft are lapping and fraudulent write-offs. In a lapping scheme, one customer’s payment is posted on another customer’s account.7 For example, assume the perpetrator stole Mr. Smith’s payment; next, when Mr. Jones makes his payment, it is applied to Mr. Smith’s account, and later when Mr. Wells makes a payment, it is applied to Mr. Jones’s account, and so on. Thus, when the perpetrator laps customers’ accounts, he repeatedly alters accounting records, even though the theft of funds occurred only at the outset.

The fraudulent write-off of a customer’s account is another way to bring the account up-to-date without the organization receiving the payment. As noted earlier, the customer is going to complain after receiving a second bill for the amount he or she has already paid. This can provoke internal investigation of the missing funds. To prevent customers’ complaints, the perpetrator of the crime has to keep the second bill from being sent to the customer. The customer will not be billed by the organization if the account is written off. The perpetrator would therefore try to write-off the customer account and steal the funds that the customer sent as payment. This way the funds are stolen, the customer isn’t billed repeatedly, and the accounting records balance. Because most large organizations segregate the duties of receiving cash, maintaining accounts receivables records, and authorizing write-offs, collusion between employees has to occur for this scheme to be successful. Chapter 5, “Data Mining,” shows how such collusion can be unraveled through the use of association mining.

With the increased popularity of online payments, skimming of receivables is a diminishing threat in most modern organizations. However, for organizations still employing traditional methods of receiving payment by checks or cash, institution of proper internal controls can prevent or lead to early detection of such schemes. In subsequent audits, identifying unusual patterns on customer accounts could also unravel such schemes.

Use of a Shell Company

High-level employees within an organization with authority over disbursements may create shell companies that they control. These shell companies then bill the organization for fictitious goods and services. The perpetrator usually is in a position to approve charges or has authority over personnel who approve payments on behalf of the organization. As the payment is made to the shell company, the perpetrator has effectively stolen funds from the organization.

Fraudulent shell companies often will use a P.O. box or residential address as a business address. Sometimes the owner of the shell company could be the spouse or other close relative of the perpetrator, and their names or addresses could be used to set up the shell company. Often the billing documents from these shell companies lack the authenticity of legitimate companies. For example, use of a shell company was discovered when a secretary noticed that the street address of a vendor was the home address of her supervisor. In another instance, fraud was revealed when it was observed that invoices from a vendor that were months apart were sequentially numbered. The implication therefore was that the victim organization was the only customer for this vendor. On further investigation, the fictitious vendor was revealed.

Shell companies can at times sell legitimate goods to the company but at an inflated price. The shell company purchases the goods needed by the organization from legitimate vendors and then resells to the organization at an inflated price. The individual(s) who own the shell company pocket the difference. Such schemes are known as pass-through schemes.

Verifying the list of vendors and ascertaining their legitimacy is an effective way of uncovering the use of a shell company. Data analytic techniques could be effectively employed to analyze large amounts of vendor data to identify anomalies and suspicious activities.

The Enron financial scandal increased the public’s awareness of the use of shell companies to commit fraud. Even though shell companies were used by Enron for fraudulent purposes, they were not used to embezzle from the company, but rather to falsify their financial statements. Enron’s use of shell companies is an example of management fraud where the victim was not the organization but the investors and other third parties.

Ghost Employees

A common fraudulent scheme involving payroll is for Human Resource managers or Payroll managers to create ghost employees. The ghost employee, while on the payroll of the company, collects wages periodically but does not actually work for the company. This could be a fictitious person or a family member of the perpetrator. By means of falsifying personnel and payroll records, a ghost employee is added to the payroll and hence collects monthly wages. The potential loss to the victim organization of a ghost employee scheme could be enormous due to the recurring nature of the theft. After the perpetrator has successfully created a ghost employee in the payroll system, the regular process of issuing paychecks ensures a steady stream of funds to the perpetrator. When successfully instituted, unlike the schemes of a shell company or skimming, the perpetrator of a ghost employee scheme does not have to engage in any further maintenance of the fraudulent scheme. As there are no recurring actions on the part of the perpetrator, the data shows no unusual patterns.

The existence of ghost employees is difficult to detect by performing trend analysis or investigating unusual patterns; instead, they can be identified by comparing different databases. The perpetrator could have access to a couple of databases and thus might be able to alter them. However, she will not be able to include the ghost employee in other essential databases to which she has no access. Because the ghost employee doesn’t really work at the company, there is no documentation of work performed by this employee, no vacation days taken, no performance evaluation report, and so on. Reconciling employee data across various functions of the organization can help to detect ghost employees. Data mining and statistical techniques are helpful in identifying the handful of employees who are outliers across various organizational functions so the investigation can focus on them.

Inventory Shrinkage

When inventory is sold and the corresponding sale is not recorded (as in skimming discussed earlier) or when inventory is stolen, the perpetrator has to amend the unaccounted decrease in inventory balance. Inventory shrinkage is the reduction in the inventory balance due to theft or waste. Investigating the causes of inventory shrinkage can help unravel fraud schemes. Although some amount of inventory shrinkage is routine and expected in the normal course of business, abnormal shrinkage or a pattern of shrinkage are red flags. Normal inventory shrinkage, a random event, should affect all items of the inventory and not just a particular item. Moreover, there should not be any detectable pattern or trend of inventory shrinkage. Such patterns and trends, if identified through statistical procedures, require further investigation.

Documenting inventory shrinkage can be difficult for many organizations due to their accounting systems for inventory. There are two common methods to account for inventory: the perpetual system and the periodic system. In the perpetual method, every transfer-in and sale of inventory is recorded. On the other hand, in the periodic method, the inventory balance is estimated or computed at periodic intervals. Usually only one of the two inventory systems is used in an organization. To effectively detect inventory shrinkage, a perpetual system has to be implemented to maintain running totals of the inventory that can be verified periodically through physical observation. Discrepancies between the two balances indicate the amount of inventory shrinkage.

Perpetrators have been known to conceal inventory shrinkage by altering either the perpetual inventory records or managing the physical count. A critical internal control procedure, segregation of duties, prevents the perpetrator from altering records to conceal the theft of inventory. For example, an item could be reported as broken or perished prior to its theft by the perpetrator, thus the records are adjusted prior to the actual theft of the inventory item. In the most egregious cases, the inventory items are replaced by empty boxes, giving the illusion of inventory. The fraud case of Crazy Eddie, an electronics superstore in the New York metro area, was an infamous occurrence of inventory padding (see Exhibit 1.1).

Inventory shrinkage, even when carefully concealed, can be detected by comparing gross margin percentages across various stores. The location that is stealing inventory and reporting it as either sold or spoiled would have an unusually lower gross margin percentage relative to other stores. Furthermore, conducting a trend analysis over multiple periods would lead to early detection of changes in patterns due to inventory theft. Statistical methods, discussed later in the book, can be used to conduct such analysis.

Embezzlement by Management

Three senior officers at Tyco International were convicted of embezzling millions of dollars from the company. The CEO and two other top officials manipulated two corporate loan programs to obtain funds to sponsor their lavish lifestyles and to give themselves unauthorized bonuses. Subsequently, in order to conceal their theft, they would forgive each other’s loans and thereby steal the funds from the company.

The formal charges filed against the officers by prosecutors were for stealing $170 million in company loans and other funds and obtaining more than $430 million through the fraudulent sales of securities. The SEC filed a separate but related charge for their failing to disclose the multi-million dollar low interest or interest-free loans they took from the company and in some cases never repaid. It charged the officers with “treating Tyco as their private bank, taking out hundreds of millions of dollars of loans and compensation without ever telling investors.”

  • + Share This
  • 🔖 Save To Your Account