Anatomy of a Fraud

Anatomy of a Fraud

In this fraud, ING, an extremely large and well-known financial services company had approximately $8.5 million stolen from it by a single employee over a period of a little more than four years. Here’s how it worked:

• Nathan (the fraudster) was an accounting manager in ING’s reinsurance division with three people working under him. Nathan reported to the assistant controller and the controller.
• Nathan, another coworker and one of his subordinates had the ability to request checks in amounts up to $250,000.
• Nathan and the coworker were also given the ability to approve checks.
• Each of the members of Nathan’s group as well as the coworker all knew each other’s password.
• Nathan was having trouble making ends meet on his $80,000 annual salary and had run up about $88,000 in credit card debt.
• The initial fraud started with Nathan signing on as his coworker and requesting an $1,800 check to a company called Universal – which happened to be both the name of his credit card company and a vendor ING conducted substantial business with. After requesting the check he logged on as himself and approved and mailed the check to his credit card company. After the success of the first theft Nathan began requesting and approving checks until, over time, his $88,000 credit card debt was paid off.
• One of his early checks for $4,500 never cleared his credit card statement. He had forgotten to write his account number on the check before mailing it and the credit card company did not know where to apply the payment. It returned the check to the corporate office which re-routed it to the original requester!
• Later Nathan expanded his fraud by creating a fictitious company with a name similar to another vendor ING had substantial business with. He would log on as one of his subordinates in the evening after the subordinate had left work and when the subordinate was off the following day. He would then log on as himself and approve the check. After picking the check up the next day, (when the subordinate was off) he deposited it into the bank account of the fictitious company he had created. This continued for several years resulting in the loss of $8.5 million.
• A check request requires the requester to indicate where the check was to be posted. Nathan always chose accounts that had significant reconciliation activity such as insurance claims or commissions.
• Another account that Nathan used to hide his payments was the foreign currency exchange gain/loss account. He was the only one who reconciled this account for seven straight years and therefore was able to fudge exchange rates a small amount to mask the posting of his checks.
• The fraud was uncovered when Nathan’s ex-wife had lunch one day with one of his coworkers and the ex-wife talked about not believing his stories about gambling winnings. The coworker became suspicious and began investigating and uncovered the fraud.

As frauds go, this was nothing novel. The fraudster was enabled by poorly designed and poorly implemented internal controls.The following all played a significant factor in the fraudster being able to perpetrate and hide the fraud for a considerable length of time:

• Lack of segregation of duties – Those requesting checks should not be allowed to approve checks.
• Insecure password policies. Employees should understand the importance of both changing passwords often and keeping them private. Public passwords are virtually worthless.
• Insufficient oversight and lack of rotation of duties. Having the same employee perform the same reconciliation operation for several years withoutoversight or rotation of duties enables that person to fudge the reconciliation at will.
• Inadequate check mailing policies. Signed checks should not be returned to the check requester for mailing. Furthermore, checks that are returned by the recipient should not be sent to the original parties involved in their request and authorization for investigation.
• Inadequate procedures on how a new vendor can be added into the system.

There are other preventive measures but the above sequence indicates many steps that could have been taken that either would have avoided, minimized or uncovered the fraud sooner. As it was, none of ING’s procedures caught the fraud – it was through an unrelated lunch discussion.

This blog was called to my attention and summarized by two of our quality control partners – Brian Gibney and Dave Dacey and was based on an article by Mark J. Nigrini and Nathan J. Mueller in the August 2014 Journal of Accountancy titled “Lessons from an $8 million fraud.” The entire article can be accessed at https://www.journalofaccountancy.com/issues/2014/aug/fraud-20149862.html