Turner, a payroll specialist for a large Florida nonprofit organization, was a sick man. Most employees who steal do so out of greed, but Turner had a different motive—he was HIV-positive and needed expensive drugs to control the disease. Complicating matters, he hid his illness from his employer and health insurer. Over the course of two years, he embezzled $112,000 to cover his medical costs. Although Turner needed the extra cash, there were alternatives to stealing. But he couldn’t bring himself to reveal his sickness and ask for help.
It took a bit of doing to circumvent the internal control system and steal cash from the nonprofit, but Turner was up to the task. First, when the co-worker who added and deleted master records logged onto the system, Turner peeked over her shoulder and noted her user ID and password.
This enabled him to add fake master records—for “ghost” employees—to the system. Because tax deductions were programmed to fall within a given range of employee numbers, each time Turner added the name of a phony worker to the system, he assigned to it an employee number higher than the range. Thus, the payroll summary report—which was printed each week in ascending order by employee number—displayed fake workers at the end of the printout where they wouldn’t be selected for deductions.
Next, Turner entered false wage information for the ghost workers. At the same time, he arranged for their paychecks to be direct-deposited into his own bank account. Based on past dealings with his own financial institution, Turner knew the bank did not match the employee name to the one on the depositor’s account.
Finally, to get over the last internal control hurdle—approval of the payroll disbursements by a superior—Turner prepared his own fake payroll summary for the supervisor’s signature. Because Turner was seen as an exemplary employee, the supervisor didn’t check his work carefully and failed to notice the fraudulent documentation was printed in a typeface different from the one used in the real reports.
WHITE AS A GHOST
But someone did notice: An observant accountant got lucky and discovered Turner’s ghost-employee scheme. During routine transaction-testing of the payroll account by the CPA firm Cuthill & Eddy LLP (www.cuthilleddy.com), an auditor immediately singled out a white copy of a paycheck. He brought it to Carson L. Eddy, the partner in charge of the audit.
Eddy, a CPA for more than 30 years, had encountered payroll frauds before and considered this suspicious. “Let’s trace this disbursement through the system and see what we come up with,” he instructed the staffer. The additional testing revealed the employee in question was not in the payroll register.
After more digging, Eddy and his staff uncovered three more names that weren’t in the register. Their paychecks were all being direct-deposited to the same bank account—Turner’s. “Looks like we’ve got a ghost-employee scheme,” Eddy told his auditors. Realizing it was important to determine whether Turner was in collusion with another staff member, Eddy used textbook fraud-examination techniques to document the defalcation. First, the auditors obtained original copies of payroll registers, payroll check summaries, direct-deposit records, personnel files, time sheets and bank documents. In addition, they carefully interviewed accounting department employees and the executives in charge of oversight. Noting that Turner was the only employee who profited from the scheme, Eddy and his team concluded Turner had acted alone. Their report, which detailed his embezzlements, convinced Turner to plead guilty when the nonprofit filed charges. Under a plea bargain agreement, he served no jail time but was sentenced to 15 years’ probation and ordered to make restitution.
Besides noting with concern that the payroll system administrator infrequently changed passwords, Eddy and his team looked into the following clues.
Each ghost-employee record contained a dead person’s Social Security number, which Turner had lifted from local death records open to the public. He arbitrarily made up their names.
Ghosts’ employee identification numbers were much higher than those of legitimate employees, and a gap in the series separated the two groups.
None of the fake employees had a personnel file or withholdings for taxes and Social Security.
The net payroll expense was lower than the funds actually issued because it didn’t include amounts paid to ghost employees.
The paycheck summaries prepared for management approval—which contained the ghost employees—were not in the same typeface as those the system printed.
Multiple direct deposits were made to the same bank account but under different employee names.
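Several of these clues can be tested mechanically against payroll data. The following is an added example, not part of the original article: it checks constructed paycheck rows for shared deposit accounts, missing withholdings, missing personnel files and employee numbers above a gap in the series, and reconciles funds issued against the register total. The record layout, names and the min_gap threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample rows (not from the article); layout is an assumption.
PAYCHECKS = [
    # (employee_id, name, gross, withheld, bank_account, has_personnel_file)
    (1001, "A. Lopez", 1200.0, 260.0, "ACCT-111", True),
    (1002, "B. Chen",  1500.0, 330.0, "ACCT-222", True),
    (1003, "C. Reyes", 1100.0, 240.0, "ACCT-333", True),
    (9001, "D. Smith",  900.0,   0.0, "ACCT-333", False),
    (9002, "E. Jones",  950.0,   0.0, "ACCT-333", False),
]

def id_gap_outliers(ids, min_gap=1000):
    """IDs at or above the widest gap in the sorted series, if it is wide enough."""
    ids = sorted(set(ids))
    gaps = [(b - a, b) for a, b in zip(ids, ids[1:])]
    width, start = max(gaps, default=(0, 0))
    return {i for i in ids if i >= start} if width >= min_gap else set()

def ghost_indicators(paychecks, min_gap=1000):
    """Return {employee_id: sorted list of clue names} for every flagged record."""
    by_account = defaultdict(set)
    for _, name, _, _, account, _ in paychecks:
        by_account[account].add(name)
    high_ids = id_gap_outliers([p[0] for p in paychecks], min_gap)
    flags = {}
    for emp_id, name, gross, withheld, account, has_file in paychecks:
        clues = []
        if len(by_account[account]) > 1:      # several names, one bank account
            clues.append("shared_deposit_account")
        if gross > 0 and withheld == 0:       # paid, but nothing withheld
            clues.append("no_withholding")
        if not has_file:                      # no matching personnel file
            clues.append("no_personnel_file")
        if emp_id in high_ids:                # number sits above the gap
            clues.append("id_above_gap")
        if clues:
            flags[emp_id] = sorted(clues)
    return flags

def unreconciled_amount(paychecks, register_net_total):
    """Funds actually issued minus the net payroll the register reports."""
    issued = sum(gross - withheld for _, _, gross, withheld, _, _ in paychecks)
    return round(issued - register_net_total, 2)

if __name__ == "__main__":
    print(ghost_indicators(PAYCHECKS))
```

The shared-account check also flags the legitimate employee whose account receives the extra deposits, which is the record that identifies the beneficiary.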
WHO SAYS AUDITORS CAN’T FIND FRAUD?
Applying routine auditing techniques can uncover fraud clues. But most important is what the auditor does with them, says Eddy, who is also a certified fraud examiner. “It would’ve been easy for our auditor to think the white copy of the paycheck was simply an anomaly. But we train our auditors to look proactively for fraud,” he said.
Eddy believes it’s essential for auditors to be skeptical. “Business fraud is more common than most auditors realize,” Eddy observed. “The things people tell you or the documentation they give you isn’t necessarily true or authentic. If you accept everything at face value, you’re not doing your job as an auditor.” He added that it’s equally important for the auditor to react to the kinds of clues present in many fraud cases. “If something—such as a document that’s the wrong color—doesn’t look right, check it out. Perhaps it’s just an error. But it could be more; it was in the Turner case.”
JOSEPH T. WELLS, CPA, CFE, is founder and chairman of the Association of Certified Fraud Examiners in Austin, Texas, and professor of fraud examination at the University of Texas. Mr. Wells is the author of “So That’s Why It’s Called a Pyramid Scheme” (JofA, Oct.00, page 91), which won the Lawler Award for the best JofA article in 2000, and he was inducted into the AICPA Business and Industry Hall of Fame in 2002. His e-mail address is email@example.com.