Home > Articles

  • Print
  • + Share This
This chapter is from the book

1.4. Employee Fraud Schemes

The Association of Certified Fraud Examiners conducted a substantial study to classify occupational fraud cases. The recent edition published in 2010 presented updated descriptive statistics on the occurrence, damages, and so on of occupational fraud. The schemes discussed in this section are the common schemes reported in that study. Further details on the schemes and methods of prevention and detection are available on ACFE’s publication.6 The following sections present a brief description of the common fraud schemes and ways to detect and deter them.


Organizations that engage in cash transactions are vulnerable to skimming by their employees. Skimming involves theft of cash, generated usually from sales, prior to its entry into the accounting records. Skimming is a relatively common occurrence in professional practices where fees are collected in cash. The cashier responsible for collection might pocket the cash and not enter the transaction into the accounting records or subsequently delete those records after being entered into the system. Medical practices are particularly vulnerable to this type of fraud, as small amounts of copayments are collected in cash, and the patients are not that particular about obtaining receipts as there isn’t an opportunity for a refund. Instituting proper internal control systems that mandate giving receipts to the customers or installing surveillance equipment can mitigate the risk of fraud caused by skimming.

Even for retailers that sell merchandise for cash, theft through skimming is quite prevalent. In some cases, the employees keep the store open beyond regular business hours and pocket the sales made at those times instead of properly recording the sales in the accounting records. For merchandising companies, because a sale involves the exchange of goods, skimming results in inventory shrinkage. That is, there is reduction in inventory totals without corresponding sales. In these instances, a pattern of inventory shrinkage is generated.

Another type of business that is vulnerable to skimming is off-location rental services, in which the on-site manager usually has much autonomy. The manager may rent out property for cash without making the necessary accounting entry or without reporting the rental revenue to the organization. Random on-site inspections and correlating maintenance expenses with rental revenue are two approaches to ensure early detection of such schemes. The statistical technique of correlation, developed in a subsequent chapter, can be applied to identify the pattern between rental revenue and maintenance costs. The application of this procedure enables the identification of locations that are anomalous and perhaps need to be visited.

Lapping or Fraudulent Write-offs

Another common form of skimming is undertaken by mail room employees who are responsible for receiving payments and can therefore skim the checks received. That is, instead of depositing the checks in the company account and logging the payment into the accounting system, the employees would deposit checks into their accounts and steal the funds. This kind of scheme requires a cover-up or falsification of records. Without a cover-up the scheme is unraveled quickly when the company sends a second bill and the customer furnishes a cancelled check as proof of payment. Hence perpetrators of such crimes also need to conceal the theft of the checks. Two common ways to conceal the theft are lapping and fraudulent write-offs. In a lapping scheme, one customer’s payment is posted on another customer’s account.7 For example, assume the perpetrator stole Mr. Smith’s payment; next, when Mr. Jones makes his payment, it is applied to Mr. Smith’s account, and later when Mr. Wells makes a payment, it is applied to Mr. Jones’s account, and so on. Thus, when the perpetrator laps customers’ accounts, he repeatedly alters accounting records, even though the theft of funds occurred only at the outset.

The fraudulent write-off of a customer’s account is another way to bring the account up-to-date without the organization receiving the payment. As noted earlier, the customer is going to complain after receiving a second bill for the amount he or she has already paid. This can provoke internal investigation of the missing funds. To prevent customers’ complaints, the perpetrator of the crime has to keep the second bill from being sent to the customer. The customer will not be billed by the organization if the account is written off. The perpetrator would therefore try to write-off the customer account and steal the funds that the customer sent as payment. This way the funds are stolen, the customer isn’t billed repeatedly, and the accounting records balance. Because most large organizations segregate the duties of receiving cash, maintaining accounts receivables records, and authorizing write-offs, collusion between employees has to occur for this scheme to be successful. Chapter 5, “Data Mining,” shows how such collusion can be unraveled through the use of association mining.

With the increased popularity of online payments, skimming of receivables is a diminishing threat in most modern organizations. However, for organizations still employing traditional methods of receiving payment by checks or cash, institution of proper internal controls can prevent or lead to early detection of such schemes. In subsequent audits, identifying unusual patterns on customer accounts could also unravel such schemes.

Use of a Shell Company

High-level employees within an organization with authority over disbursements may create shell companies that they control. These shell companies then bill the organization for fictitious goods and services. The perpetrator usually is in a position to approve charges or has authority over personnel who approve payments on behalf of the organization. As the payment is made to the shell company, the perpetrator has effectively stolen funds from the organization.

Fraudulent shell companies often will use a P.O. box or residential address as a business address. Sometimes the owner of the shell company could be the spouse or other close relative of the perpetrator, and their names or addresses could be used to set up the shell company. Often the billing documents from these shell companies lack the authenticity of legitimate companies. For example, use of a shell company was discovered when a secretary noticed that the street address of a vendor was the home address of her supervisor. In another instance, fraud was revealed when it was observed that invoices from a vendor that were months apart were sequentially numbered. The implication therefore was that the victim organization was the only customer for this vendor. On further investigation, the fictitious vendor was revealed.

Shell companies can at times sell legitimate goods to the company but at an inflated price. The shell company purchases the goods needed by the organization from legitimate vendors and then resells to the organization at an inflated price. The individual(s) who own the shell company pocket the difference. Such schemes are known as pass-through schemes.

Verifying the list of vendors and ascertaining their legitimacy is an effective way of uncovering the use of a shell company. Data analytic techniques could be effectively employed to analyze large amounts of vendor data to identify anomalies and suspicious activities.

The Enron financial scandal increased the public’s awareness of the use of shell companies to commit fraud. Even though shell companies were used by Enron for fraudulent purposes, they were not used to embezzle from the company, but rather to falsify their financial statements. Enron’s use of shell companies is an example of management fraud where the victim was not the organization but the investors and other third parties.

Ghost Employees

A common fraudulent scheme involving payroll is for Human Resource managers or Payroll managers to create ghost employees. The ghost employee, while on the payroll of the company, collects wages periodically but does not actually work for the company. This could be a fictitious person or a family member of the perpetrator. By means of falsifying personnel and payroll records, a ghost employee is added to the payroll and hence collects monthly wages. The potential loss to the victim organization of a ghost employee scheme could be enormous due to the recurring nature of the theft. After the perpetrator has successfully created a ghost employee in the payroll system, the regular process of issuing paychecks ensures a steady stream of funds to the perpetrator. When successfully instituted, unlike the schemes of a shell company or skimming, the perpetrator of a ghost employee scheme does not have to engage in any further maintenance of the fraudulent scheme. As there are no recurring actions on the part of the perpetrator, the data shows no unusual patterns.

The existence of ghost employees is difficult to detect by performing trend analysis or investigating unusual patterns; instead, they can be identified by comparing different databases. The perpetrator could have access to a couple of databases and thus might be able to alter them. However, she will not be able to include the ghost employee in other essential databases to which she has no access. Because the ghost employee doesn’t really work at the company, there is no documentation of work performed by this employee, no vacation days taken, no performance evaluation report, and so on. Reconciling employee data across various functions of the organization can help to detect ghost employees. Data mining and statistical techniques are helpful in identifying the handful of employees who are outliers across various organizational functions so the investigation can focus on them.

Inventory Shrinkage

When inventory is sold and the corresponding sale is not recorded (as in skimming discussed earlier) or when inventory is stolen, the perpetrator has to amend the unaccounted decrease in inventory balance. Inventory shrinkage is the reduction in the inventory balance due to theft or waste. Investigating the causes of inventory shrinkage can help unravel fraud schemes. Although some amount of inventory shrinkage is routine and expected in the normal course of business, abnormal shrinkage or a pattern of shrinkage are red flags. Normal inventory shrinkage, a random event, should affect all items of the inventory and not just a particular item. Moreover, there should not be any detectable pattern or trend of inventory shrinkage. Such patterns and trends, if identified through statistical procedures, require further investigation.

Documenting inventory shrinkage can be difficult for many organizations due to their accounting systems for inventory. There are two common methods to account for inventory: the perpetual system and the periodic system. In the perpetual method, every transfer-in and sale of inventory is recorded. On the other hand, in the periodic method, the inventory balance is estimated or computed at periodic intervals. Usually only one of the two inventory systems is used in an organization. To effectively detect inventory shrinkage, a perpetual system has to be implemented to maintain running totals of the inventory that can be verified periodically through physical observation. Discrepancies between the two balances indicate the amount of inventory shrinkage.

Perpetrators have been known to conceal inventory shrinkage by altering either the perpetual inventory records or managing the physical count. A critical internal control procedure, segregation of duties, prevents the perpetrator from altering records to conceal the theft of inventory. For example, an item could be reported as broken or perished prior to its theft by the perpetrator, thus the records are adjusted prior to the actual theft of the inventory item. In the most egregious cases, the inventory items are replaced by empty boxes, giving the illusion of inventory. The fraud case of Crazy Eddie, an electronics superstore in the New York metro area, was an infamous occurrence of inventory padding (see Exhibit 1.1).

Inventory shrinkage, even when carefully concealed, can be detected by comparing gross margin percentages across various stores. The location that is stealing inventory and reporting it as either sold or spoiled would have an unusually lower gross margin percentage relative to other stores. Furthermore, conducting a trend analysis over multiple periods would lead to early detection of changes in patterns due to inventory theft. Statistical methods, discussed later in the book, can be used to conduct such analysis.

Embezzlement by Management

Three senior officers at Tyco International were convicted of embezzling millions of dollars from the company. The CEO and two other top officials manipulated two corporate loan programs to obtain funds to sponsor their lavish lifestyles and to give themselves unauthorized bonuses. Subsequently, in order to conceal their theft, they would forgive each other’s loans and thereby steal the funds from the company.

The formal charges filed against the officers by prosecutors were for stealing $170 million in company loans and other funds and obtaining more than $430 million through the fraudulent sales of securities. The SEC filed a separate but related charge for their failing to disclose the multi-million dollar low interest or interest-free loans they took from the company and in some cases never repaid. It charged the officers with “treating Tyco as their private bank, taking out hundreds of millions of dollars of loans and compensation without ever telling investors.”

  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020