Keep Ghosts Off the Payroll

Strong internal controls and well-trained, attentive auditors can prevent phony-employee schemes.


urner, a payroll specialist for a large Florida nonprofit organization, was a sick man. Most employees who steal do so out of greed, but Turner had a different motive—he was HIV-positive and needed expensive drugs to control the disease. Complicating matters, he hid his illness from his employer and health insurer. Over the course of two years, he embezzled $112,000 to cover his medical costs. Although Turner needed the extra cash, there were alternatives to stealing. But he couldn’t bring himself to reveal his sickness and ask for help.

Turner’s duties included posting time and attendance information to the computer system and preparing payroll disbursement summaries. Adding and deleting employee master records were separate tasks, performed by another staff member. As an additional safeguard, a supervisor approved all payroll disbursements, and the company deposited them directly into employees’ personal bank accounts.

It took a bit of doing to circumvent the internal control system and steal cash from the nonprofit, but Turner was up to the task. First, when the co-worker who added and deleted master records logged onto the system, Turner peeked over her shoulder and noted her user ID and password.

This enabled him to add fake master records—for “ghost” employees—to the system. Because tax deductions were programmed to fall within a given range of employee numbers, each time Turner added the name of a phony worker to the system, he assigned to it an employee number higher than the range. Thus, the payroll summary report—which was printed each week in ascending order by employee number—displayed fake workers at the end of the printout where they wouldn’t be selected for deductions.

Next, Turner entered false wage information for the ghost workers. At the same time, he arranged for their paychecks to be direct-deposited into his own bank account. Based on past dealings with his own financial institution, Turner knew the bank did not match the employee name to the one on the depositor’s account.

Finally, to get over the last internal control hurdle—approval of the payroll disbursements by a superior—Turner prepared his own fake payroll summary for the supervisor’s signature. Because Turner was seen as an exemplary employee, the supervisor didn’t check his work carefully and failed to notice the fraudulent documentation was printed in a typeface different from the one used in the real reports.

Paying a Nonexistent Employee Can Be Expensive

Source: Occupational Fraud and Abuse, by Joseph T. Wells, Obsidian Publishing Co. Inc., 1997

Turner also had to create phony file copies of the ghosts’ paychecks. He hoped no one would notice that the office’s hard copies of legitimate employees’ checks—printed in the accounting department—were yellow, while the ghosts’—printed by Turner—were white.

But someone did notice: An observant accountant got lucky and discovered Turner’s ghost-employee scheme. During routine transaction-testing of the payroll account by the CPA firm Cuthill & Eddy LLP ( ), an auditor immediately singled out a white copy of a paycheck. He brought it to Carson L. Eddy, the partner in charge of the audit.

Eddy, a CPA for more than 30 years, had encountered payroll frauds before and considered this suspicious. “Let’s trace this disbursement through the system and see what we come up with,” he instructed the staffer. The additional testing revealed the employee in question was not in the payroll register.

After more digging, Eddy and his staff uncovered three more names that weren’t in the register. Their paychecks were all being direct-deposited to the same bank account—Turner’s. “Looks like we’ve got a ghost-employee scheme,” Eddy told his auditors. Realizing it was important to determine whether Turner was in collusion with another staff member, Eddy used textbook fraud-examination techniques to document the defalcation. First, the auditors obtained original copies of payroll registers, payroll check summaries, direct-deposit records, personnel files, time sheets and bank documents. In addition, they carefully interviewed accounting department employees and the executives in charge of oversight. Noting that Turner was the only employee who profited from the scheme, Eddy and his team concluded Turner had acted alone. Their report, which detailed his embezzlements, convinced Turner to plead guilty when the nonprofit filed charges. Under a plea bargain agreement, he served no jail time but was sentenced to 15 years’ probation and ordered to make restitution.

Afterward, Eddy said: “As payroll frauds go, this one wasn’t very sophisticated. As it happened, we conducted our transaction testing first but a number of routine auditing procedures would have uncovered it later.”

Besides noting with concern that the payroll system administrator infrequently changed passwords, Eddy and his team looked into the following clues.

Each ghost-employee record contained a dead person’s Social Security number, which Turner had lifted from local death records open to the public. He arbitrarily made up their names.

Ghosts’ employee identification numbers were much higher than those of legitimate employees, and a gap in the series separated the two groups.

None of the fake employees had a personnel file or withholdings for taxes and Social Security.

The net payroll expense was lower than the funds actually issued because it didn’t include amounts paid to ghost employees.

The paycheck summaries prepared for management approval—which contained the ghost employees—were not in the same typeface as those the system printed.

Multiple direct deposits were made to the same bank account but under different employee names.

Types of Payroll Frauds
Ghost employees. This term refers to someone on the payroll who doesn’t actually work for the victim company. The ghost frequently is a recently departed employee, a made-up person or a friend or relative of the fraudster, who can cash the paycheck by forging the endorsement or by having an accomplice deposit the proceeds into his or her bank account.

Falsified hours and salary. Dishonest employees commonly exaggerate the time they work in order to increase their compensation. Moreover, some crooked payroll clerks look for internal control deficiencies that will permit them to adjust their own salaries. For a share of the extra money, supervisors sometimes approve an employee’s falsified hours.

Commission schemes. Salespeople and other similar workers can sometimes falsely increase their pay. These schemes depend on the employee’s finding a way to either falsify the amount of sales or to increase the commission rate. Adequate oversight is crucial in preventing these frauds.

False workers’ compensation claims. Some dishonest employees fake injuries in order to collect disability payments. In extreme cases employees have held other full-time jobs while their employers paid them to stay home and recuperate. Also, some crooked physicians have earned millions of dollars by issuing false diagnoses of illnesses for workers who kick back a portion of their benefits to the doctors.

Carson Eddy has uncovered a number of frauds during his career. “Luckily, most of them have not been material to the financial statements,” he said, “but the frauds I’ve seen tend to start small and grow to the point where they can become material. Even though auditors have no responsibility to detect immaterial frauds, you’re providing your client a valuable service by discovering these schemes early.” According to Statements on Auditing Standards no. 82, Fraud, and no. 99, Consideration of Fraud in a Financial Statement Audit, the new, revised fraud standard, auditors are responsible only for frauds that could have a material impact on the financial statements.

Applying routine auditing techniques can uncover fraud clues. But most important is what the auditor does with them, says Eddy, who is also a certified fraud examiner. “It would’ve been easy for our auditor to think the white copy of the paycheck was simply an anomaly. But we train our auditors to look proactively for fraud,” he said.

Seeing Ghosts
Most ghost-employee frauds originate with payroll personnel. With simple but effective measures, you can prevent or detect many of these schemes.

Ensure the payroll preparation, disbursement and distribution functions are segregated.

Look for paychecks without deductions for taxes or Social Security. Completely fictitious employees frequently don’t have any.

Examine payroll checks that have dual endorsements. Although most of them are legitimate, two signatures could signal the forgery of a departed employee’s endorsement, which the thief also endorses and deposits into his or her own account.

Use direct deposits. This method, although not foolproof, can cut down on payroll chicanery by eliminating paper paychecks and the possibility of alteration, forgery and most theft, although it doesn’t prevent misdirection of deposits into unauthorized accounts.

Check payroll records for the presence of duplicate names, addresses and Social Security numbers.

On occasion, hand-deliver paychecks to employees and require positive identification. If you have leftover paychecks, make sure they belong to actual employees, not ghosts.

Be wary of budget variations in payroll expense. Higher-than-budgeted labor costs can indicate ghost employees.

Eddy believes it’s essential for auditors to be skeptical. “Business fraud is more common than most auditors realize,” Eddy observed. “The things people tell you or the documentation they give you isn’t necessarily true or authentic. If you accept everything at face value, you’re not doing your job as an auditor.” He added that it’s equally important for the auditor to react to the kinds of clues present in many fraud cases. “If something—such as a document that’s the wrong color—doesn’t look right, check it out. Perhaps it’s just an error. But it could be more; it was in the Turner case.”

JOSEPH T. WELLS, CPA, CFE, is founder and chairman of the Association of Certified Fraud Examiners in Austin, Texas, and professor of fraud examination at the University of Texas. Mr. Wells is the author of “ So That’s Why It's Called a Pyramid Scheme ” ( JofA, Oct.00, page 91), which won the Lawler Award for the best JofA article in 2000, and he was inducted into the AICPA Business and Industry Hall of Fame in 2002. His e-mail address is .

Where to find May’s flipbook issue

The Journal of Accountancy is now completely digital. 





Leases standard: Tackling implementation — and beyond

The new accounting standard provides greater transparency but requires wide-ranging data gathering. Learn more by downloading this comprehensive report.