Don't Argue Your Limitations
2 comment(s)
"Argue for your limitations and sure enough, they're yours." Richard Bach
Approximately 10 years ago, while working in professional services, I was assigned to an accounts payable fraud investigation. The scheme involved the payment of fictitious vendors with a total loss rapidly approaching $500,000. Before engaging my firm, the client had conducted an investigation that had failed to uncover the fraudster.
Unfortunately the client had almost no way of reviewing AP employee activity. The company had over 7,000 vendors with approximately 3,500 to 5,000 vendors receiving payment in any given month. We knew which payments were fraudulent only after the checks were returned by the bank and then reviewed by the accounts payable manager (note: client's bank did not offer "positive pay" etc).
Twenty five employees had access to the AP system. We reviewed each employee's work schedule and began matching the date the checks cleared against the date we believed that they were issued by the company. From this analysis, we ruled out thirteen of the twenty five employees. Next, we suggested that the client send each of the remaining twelve employees (one at a time) to a two day offsite computer training class.
We successfully narrowed our list of suspects to 0. Yes, you read correctly. 0. Fraudulent accounts were still being created even when we had systematically removed every AP employee from the operation. We could not figure out why we had not uncovered the fraudster. Where did we go wrong?
Ironically, one of the AP clerks approached the partner on the engagement to let him know that one of the company's programmers had access to the AP system. Neither the client, nor our team realized that a member of the technical staff had access to the AP system. Not surprisingly, he had an admin login and password that allowed him unfettered access. In order to perpetrate the fraud, he would come in to the office on weekends to create fictitious vendor accounts and print checks (note: he also had access to the check register so he could erase the issued checks). Since the employee had responsibility for server maintenance, everyone within the company viewed the weekend work as normal.
The moral of the story is that instead of accepting the limitations of the data and the system used to house it, we viewed the situation
a challenge, not a dead end. Shortly after we began the investigation, you will note that the law of unintended consequences came in to play and we received information from an AP clerk that lead to the programmer.
Fraudsters view banks as a target rich environment. They adapt and overcome. Rarely does a determined fraudster abandon all hope of ill gotten gains. Fraud practitioners should always view their job as a challenge that can, and will be overcome. We can all become a little jaded and overwhelmed with the volume of alerts and cases, but remember, you are only limited by your imagination. Don't give in to the temptation to "argue for your limitations", it's only a short term crutch.
Share your creative approaches to fraud investigation and detection. Did you develop an interesting forensic technique that you are particularly proud of and would like to share?