A P2P fraud case: What went wrong?
If you look, you can find numerous cases of employees finding loopholes in their organization’s Purchase-to-Pay (P2P) and Accounts Payable processes. In this post we’d like to take a look at one and give a few tips on how to prevent it.
The headline: AP Supervisor Embezzles Millions Sentenced to Prison (GASP!)
While overseeing the company’s credit card accounts, the AP Supervisor embezzled approximately $1.9 million for a variety of personal purchases. In addition, false tax returns were filed that failed to report the embezzled money.
The embezzlement was carried out through access to the full range of financial records and accounts. On most occasions, the company’s credit cards were used to make personal purchases. Then, to conceal the fraud, the credit card statements would be intercepted and altered using specialized software. The company’s books and records were then falsified by coding personal expenses as legitimate business expenses.
How could you prevent this from happening?
Let’s start by saying this individual clearly had too much power. They had access to all credit cards, bank accounts and payments, with no checks and balances in place.
- Implement internal controls:
There were obviously few to no user access levels limiting what one individual had power over. Different users should make the purchase, receipt the purchase and pay for the purchase. This can easily be built into a P2P process and digitalized. By automating each step and workflow, you take away the manual opportunity for people to commit fraud, making the process more secure.
- Automate Segregation of Duties and system access controls:
This is probably the most common and the most difficult internal control to implement. Don’t let buyers be the ones to handle other aspects of the process. There needs to be a delegation of authority. That is where automating the process can help. Automation can reduce manipulation and risk by defining controls and keeping them in place.
- Develop a business ethics code of conduct policy and mandatory training program:
This isn’t the end-all, be-all answer to the problem, but it is a piece of the pie. Implementing an ethics code and training on an annual basis makes employees aware of the policies and of the consequences if fraud or anything unethical were to occur, which hinders a fraudster from carrying it out. Tip: We’ve seen policies where there are contracts with employees using credit cards. The employee signs something saying they understand the expectations and responsibilities. This makes it more clear-cut what the card can and can’t be used for.
- Reviews for internal or external audit:
Audit, audit, audit. If you have an automated P2P process, you can use alerts (daily, weekly) and audit reports to help manage the process and detect suspicious activity. It’ll help you detect fraud sooner rather than later, saving your organization from losing millions down the road.
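
To make the segregation-of-duties and audit-alert tips concrete, here is an added example (not from the original post or any particular P2P product) of the kind of check a daily audit report could run. The event layout, step names and user names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample P2P audit events: (document id, step, user).
EVENTS = [
    ("PO-1001", "purchase", "alice"),
    ("PO-1001", "receipt", "bob"),
    ("PO-1001", "payment", "carol"),
    ("PO-1002", "purchase", "dave"),
    ("PO-1002", "receipt", "dave"),    # buyer receipted their own purchase
    ("PO-1002", "payment", "erin"),
    ("PO-1003", "purchase", "frank"),
    ("PO-1003", "payment", "frank"),   # paid with no receipt recorded
    ("PO-1004", "purchase", "alice"),
    ("PO-1004", "receipt", "bob"),
    ("PO-1004", "payment", "carol"),
    ("PO-1004", "payment", "alice"),   # second payment made by the buyer
]

# The three duties the post says must be held by different users.
REQUIRED_STEPS = ("purchase", "receipt", "payment")


def sod_findings(events):
    """Return sorted (doc, finding) tuples for SoD violations and missing steps."""
    steps_by_doc = defaultdict(lambda: defaultdict(set))
    for doc, step, user in events:
        steps_by_doc[doc][step].add(user)

    findings = []
    for doc, steps in steps_by_doc.items():
        for step in REQUIRED_STEPS:
            if step not in steps:
                findings.append((doc, f"missing step: {step}"))
        # Invert to user -> steps so one person holding two duties stands out.
        duties = defaultdict(set)
        for step, users in steps.items():
            for user in users:
                duties[user].add(step)
        for user, held in duties.items():
            if len(held) > 1:
                findings.append((doc, f"{user} performed {'+'.join(sorted(held))}"))
    return sorted(findings)


if __name__ == "__main__":
    for doc, finding in sod_findings(EVENTS):
        print(doc, finding)
```

The check is detective only: the same rule enforced at approval time in the workflow is what prevents the transaction in the first place.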