Aire : once again, travel and expense report audits foil a fraudster. This time, spelling and repetition are the perpetrator's downfall

Internal Auditor, April, 2005 by J. Mike Jacka

An auditor performing an audit of travel and expense reports noticed that the word airport was misspelled on a receipt attached to one of the expense reports. Thinking that this was odd for an automatically generated receipt, the auditor contacted the vendor to get a copy of a blank receipt. Although the blank copy was similar in appearance to the one attached to the expense report, there were several differences. Most notably, airport was spelled correctly on the blank receipt. Consequently, a formal investigation was launched and the employee who turned in the expense report admitted to forging the receipt and was fired.

Unfortunately, the employee convinced the company to rehire him. Several years passed and another audit of travel and expense reports was conducted. The auditor downloaded all receipt information and sorted it by mileage reported to identify large requests for mileage reimbursement.

The auditor found one employee had many different amounts listed for mileage from his home to the airport--in some instances the distance was as much as 50 miles. Of course, the employee was the same one who couldn't spell airport. Using an online mapping service and information obtained from the employee's personnel file, the auditor determined the distances claimed were up to triple the actual distance from the employee's home to the airport. Because the employee traveled extensively, the amount of excess reimbursement was several thousand dollars.

A formal investigation was launched, and the employee admitted he had inflated his mileage to compensate himself for the amount of time he spent in traffic. He told the investigator that if he were caught in traffic, he would add a mile to the reimbursement for every minute he was delayed. The employee told the investigator that he would willingly reimburse the company if there were something wrong with this practice. Unfortunately for the employee, the company did not endorse the mile-a-minute program and the employee was re-fired.

AK-SAR-BEN CHAPTER
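The mileage test described above (group each employee's claims for a fixed route, then compare them with a mapped reference distance) can be sketched as follows. This is an added example, not part of the original article; the function name, the 25% tolerance, the employee labels and all sample figures are constructed assumptions, and the reference distances are assumed to have been looked up separately.

```python
from collections import defaultdict


def review_mileage(claims, reference_miles, tolerance=1.25):
    """Flag fixed routes whose claimed mileage exceeds the mapped distance.

    claims: iterable of (employee, route, miles_claimed)
    reference_miles: {(employee, route): miles from a mapping service}
    tolerance: claims up to reference * tolerance are accepted (assumed value)
    """
    by_route = defaultdict(list)
    for employee, route, miles in claims:
        by_route[(employee, route)].append(miles)

    flagged = []
    for key, miles in by_route.items():
        ref = reference_miles.get(key)
        if ref is None:
            continue  # no mapped distance on file: needs manual review instead
        over = [m for m in miles if m > ref * tolerance]
        if not over:
            continue
        flagged.append({
            "employee": key[0],
            "route": key[1],
            # A fixed route should produce one amount, not many.
            "distinct_amounts": len(set(miles)),
            "max_ratio": round(max(miles) / ref, 2),
            "excess_miles": round(sum(m - ref for m in over), 1),
        })
    # Largest over-claim first.
    return sorted(flagged, key=lambda f: -f["excess_miles"])


# Constructed sample data (not from the article).
CLAIMS = [
    ("E1", "home-airport", 17.0), ("E1", "home-airport", 32.0),
    ("E1", "home-airport", 50.0), ("E1", "home-airport", 41.0),
    ("E1", "home-airport", 25.0),
    ("E2", "home-airport", 20.0), ("E2", "home-airport", 21.0),
    ("E2", "home-airport", 20.0),
]
REFERENCE = {("E1", "home-airport"): 17.0, ("E2", "home-airport"): 20.0}

if __name__ == "__main__":
    for row in review_mileage(CLAIMS, REFERENCE):
        print(row)
```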

INACTIVE GENERIC = ACCESS

By reviewing the identification (ID) storage system and verifying "inactive" IDs, the auditors could test controls over transferred and terminated employees' computer user IDs. However, because the environment being reviewed involved a computer system with at least three systems communicating back and forth, the auditors began to question if "inactive" meant the user IDs were truly denied access.

Prior audits over the same department showed that the information technology (IT) department issued a generic or default password with each new user ID. In addition, there were no mechanical controls requiring the employee to immediately change the generic password to a unique one. Armed with that information, the auditors decided to conduct an additional test to ensure that the different systems were communicating with each other and revoking access to the back-end financial systems when deactivated in the front-end system. The auditors attempted logon with known terminated user IDs against the default passwords issued by IT.

To no one's great surprise, a portion of the "terminated" user IDs allowed access to the financial system when the generic passwords were used. Although the system vendor had assured the company that its programming recognized deactivated user IDs from the front-end system, the financial system was ultimately accessed through otherwise "inactive" IDs.

This was an important finding for the auditors because it helped remind them of the various ways they could add value to the company. Testing an area that the vendors had assured was working as intended--but apparently was never tested for verification--helped ensure the overall security of a high-risk computer system.

KANSAS CITY CHAPTER
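The control gap in this finding can also be checked from exported data, without any logon attempts: reconcile the front-end system's inactive IDs against the back-end account list and flag accounts that are still enabled, still on the issued password, or used after deactivation. This is an added example, not part of the original article; the record layout, field names and sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class BackendAccount:
    user_id: str
    enabled: bool
    password_changed: Optional[date]  # None: still on the password issued by IT
    last_login: Optional[date]


def norm(user_id: str) -> str:
    # Systems often disagree on case and padding of the same ID.
    return user_id.strip().lower()


def reconcile(frontend_inactive: dict, backend: list) -> list:
    """Return (user_id, reasons) for back-end accounts that outlived deactivation."""
    inactive = {norm(uid): day for uid, day in frontend_inactive.items()}
    findings = []
    for acct in backend:
        deactivated = inactive.get(norm(acct.user_id))
        if deactivated is None or not acct.enabled:
            continue  # still employed, or correctly revoked downstream
        reasons = ["enabled in back end after front-end deactivation"]
        if acct.password_changed is None:
            reasons.append("issued default password never changed")
        if acct.last_login is not None and acct.last_login > deactivated:
            reasons.append("login after deactivation date")
        findings.append((norm(acct.user_id), reasons))
    # Most reasons first: these are the accounts to disable and investigate first.
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))


# Constructed sample data (not from the article).
FRONTEND_INACTIVE = {"jdoe": date(2005, 1, 14), "MSMITH": date(2005, 2, 1),
                     "rlee": date(2005, 2, 20)}
BACKEND = [
    BackendAccount("JDOE ", True, None, date(2005, 3, 2)),
    BackendAccount("msmith", False, date(2004, 6, 1), date(2005, 1, 30)),
    BackendAccount("rlee", True, date(2004, 9, 9), date(2005, 2, 18)),
    BackendAccount("akhan", True, None, date(2005, 3, 1)),
]

if __name__ == "__main__":
    for user_id, reasons in reconcile(FRONTEND_INACTIVE, BACKEND):
        print(user_id, "->", "; ".join(reasons))
```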

WHEN A DOLLAR IS NOT A DOLLAR

One of the services provided by a manufacturing company was a team of individuals to assist its customers in the installation of the company's products. Because products were sold internationally, these individuals were required to travel extensively. Unfortunately, the company paid a flat per diem rate, even if the employee traveled to a high-cost area.

During a routine audit, the auditor noticed an expense report with several charges made in Canada. Hotel and meal charges were expected; however, there were also charges for airline tickets and rental cars, which were normally purchased prior to departure. The attached credit card statement clearly showed a conversion rate was applied and the employee was actually charged less than the amount on the receipt. The auditor further verified that the employee was charged in Canadian dollars by calling some of the establishments listed on the receipts.

Based on this information, the auditor pulled the individual's expense reports for the year and noticed that any time the individual traveled to Canada, he charged almost all of his expenses in Canada. This information was brought to the attention of senior management. Surprisingly, senior management told the auditor that they were aware of the practice and did nothing about it because the employee was not receiving adequate per diem when he traveled to high-cost areas. The response to a recommendation to change the per diem policy was that it would be too difficult to implement and the company was actually benefiting from the practice. The tax implications of this practice were discussed and dismissed as being immaterial. The auditor eventually left the company to work elsewhere.


Content provided in partnership with Thompson Gale