Check fraud by an AP supervisor.

How likely is it that check fraud could happen to your organization? The following case shines a spotlight on control gaps, as well as drawbacks of checks. Would the same thing have happened with card payments? Keep reading to learn about the crime (the AP perpetrator is currently awaiting sentencing), the control that not enough organizations are using, and what might have occurred if the payment fraud vehicle had been a Commercial Card. 

The Crime

As reported by KSTP-TV, Teresa Garin, former accounts payable supervisor for Hamline University in St. Paul, Minnesota, pleaded guilty last month to felony-level theft by swindle. Between August 2015 and February 2017, she stole nearly $160,000 in approximately 70 university checks, mostly written out to fake vendors that she created. In addition, she had cashed checks made out to legitimate vendors and, when they inquired about late payments, she cut duplicate checks to pay them. 

The university was alerted by their bank, which had noticed checks being deposited into Garin’s personal bank account. A police investigation ensued. Upon getting caught, Garin admitted to the scheme, saying she used the money to pay off bills, help with living expenses, and provide financial assistance to family members. Yes, she was fired. For details, read the article published by KSTP.

Control Gaps

As always when reading about internal fraud, I contemplated what might have allowed the crime to occur, such as:

  • Lack of separation of duties for 1) setting up new vendors and 2) cutting checks, including duplicate checks; it appears she could do everything on her own

  • No usage of the Payee Name Positive Pay service, which would have prevented her from cashing checks to legitimate vendors; see definitions below

Per AP Now’s 2017 Payment Attitudes Survey (www.ap-now.com), approximately 20% of respondents’ organizations are not using Positive Pay and/or Payee Name Positive Pay. Yet, it is one of the best things an organization can do to fight check fraud—besides scaling back on checks altogether.

Definitions  

Per 101 Best Practices for Accounts Payable by Mary Schaeffer:

  • Positive Pay is a service offered by most banks. As part of the service, companies transmit to their banks their check issuance file each time checks are written. The file contains a list of check numbers and dollar amounts. When a check is presented for payment, it is matched against the file. If there is a match, the check is honored and the check number removed from the file. If there is no match, the check is handled according to the preset instructions from the company.

  • Payee Name Positive Pay is an enhanced product that includes the payee’s name along with the check number and dollar amount in the file sent to the bank.

What About Cards?

Let’s imagine if Garin tried to accomplish a similar thing with a card. She was after cash, but, assuming an MCC block on cash/ATMs, this would not have been a good option for her. Further, setting up fake vendors to pay via a card (in order to obtain cash) would have been difficult. Even if she went the Square route to pay herself, she would have to provide personal information as part of the set up process.

If Garin made personal purchases with a Commercial Card, the key control would be manager oversight to spot issues. If her manager missed something, then effective auditing would be next. Another detective control is reports. As a program manager, I found value in the following, which would have quickly put Garin on my radar.

  • “New Vendors” report showing the first time a particular vendor was used

  • Report highlighting vendor spend; for example, when YTD P-Card spend with a vendor reached or exceeded $5,000

Final Thought

Does Hamline University use cards? With 70 checks totaling roughly $160,000, the average amount per transaction is just under $2,300. This is a prime target for P-Cards, which offer notable benefits and stronger fraud protection (e.g., liability waiver insurance). It is time for every organization to actively reduce check payments and expand electronic payments, including Commercial Cards.  

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Subscribe to the Blog

Receive notice of new blog posts.

Danger signs of card misuse.

Another case of Commercial Card misuse has made its way into the news. Once again, the culprit is a person who held a high-ranking position, which created a tricky situation for staff. Keep reading to learn what happened and the unique action that exposed the problem. As for your organization, what mechanisms are in place to protect against abuse by executives? Do you discuss the potential warning signs of card misuse or fraud? See examples below of what your organization should pay attention to.

Card Misuse Case

The situation occurred within a Minneapolis suburb—at the Shakopee Public Schools—but it could happen anywhere. If folks in the public sector are taking chances even with taxpayers’ eyes on them, imagine what could be happening at private organizations.

The following content is based on reporting by Shakopee Valley News.

Rod Thompson, the former superintendent (he recently resigned), began making personal purchases on his P-Card soon after he was hired in 2011, but it was not discovered until this year. In all, he made more than 100 such purchases—many were shipped directly to his home—totaling approximately $15,000. There could be more, as the investigation is still ongoing. Missing or partial receipts, as well as a lack of cooperation by the district, have made the investigative process more difficult.

Thompson reimbursed the district for some personal purchases, claiming he made them accidentally. Based on articles I’ve read, it seems he did not initiate reimbursement unless someone questioned him.

“Dr. Thompson realized the P-card (credit card) had been used as a default card when he made purchases through Amazon and PayPal,” district spokeswoman Ashley McCray said earlier this year.

Gee, how convenient. He never noticed that his personal card was not charged or his P-Card was used. All the more reason for organizations to adopt Amazon Business if Amazon purchases are allowed.

Things began to unravel in March when Thompson announced a $4.5M shortfall within the district due to “human errors made through a series of inaccurate budgeting assumptions, omissions and errors.” In addition, the school district’s cash reserves have been in a downward spiral since 2012. Further, when Thompson left his previous position with a different school district, there was a $700,000 accounting error. Hmmm…

Ultimately, it was a group of concerned Shakopee citizens, not the school board, that began digging into records, which revealed Thompson’s card use and led to police involvement. As a side note, the district is currently revising its P-Card policies and procedures.

More Information 

Shakopee Valley News offers more information on this story.

2018 update: See a follow-up blog post from Recharged Education about the outcome of this internal fraud case.

Credit cards are not dangerous; rather, inaction in response to questionable activity and/or a lack of controls are dangerous.

Credit cards are not dangerous; rather, inaction in response to questionable activity and/or a lack of controls are dangerous.

Possible Warning Signs

Some of the below are demonstrated in the Shakopee story, but I am adding others to round out the list. However, please keep in mind that the presence of a sign does not solidify misuse or fraud. It may simply highlight the need for further review.

  • Cardholder has self-reported (and paid back) more than one or two instances of accidental P-Card use for personal purchases

  • Any “accidental” use that is found by someone other than the cardholder

  • Cardholder fails to provide, or is late in providing, receipts for P-Card purchases; Thompson was guilty of this, even though his executive assistant said she tried repeatedly to get him to turn in late receipts

  • Receipts/supporting documentation do not clearly reflect what was purchased

  • Purported business purchases cannot be located

  • Budget issues within a department

  • A cardholder’s spend is higher than historical averages and/or that of other cardholders with a similar job position

  • Cardholder has personal financial struggles and/or obviously lives beyond their means

Final Thoughts

If an executive has a sense of entitlement, he or she can wreak havoc on an organization by pulling rank on anyone who questions a purchase. While some type of board must provide oversight, they cannot scrutinize everything, as nothing would get done. At some level, a board needs to trust executives. There is a fine line, but controls must prevail. See a related blog post Executive card fraud beyond beliefincluding some tips.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Subscribe to the Blog

Receive notice of new blog posts.

Who audits the program manager?

In the life of a Commercial Card program, cardholders are routinely under a microscope. Yet, an auditor’s radar may fail to pick up the program manager or administrator (PM/PA). Even if the PM/PA is a rock star within the organization, no one should be exempt from an audit process. Following are six PM/PA aspects for your internal audit team to review.

PM/PA Aspects to Audit

1. Separate from the policies and procedures (P&P) cardholders must follow, are there current, documented procedures for tasks executed by the PM/PA? Examples include steps the PM/PA follows to establish a new card account, monthly reporting and analysis performed by the PM/PA, and how to resolve card usage issues like declined transactions.

2. Perhaps most important, does the PM/PA consistently follow documented procedures? For example: 

  • If the PM/PA must ensure a card applicant completes training prior to receiving a card, the auditor should review the timing of the training versus the timing of card issuance/activation.
  • If the PM/PA must notify a cardholder’s manager upon instigating a temporary limit increase, is there documentation (e.g., an email to the manager) to support this?   

3. What type of system access does the PM/PA have? Is there adequate separation of duties? For example, the same person should not be able to:

  • download transaction interface files from the issuer and upload into the finance system
  • upload transaction interface files into the finance system and make coding changes/other corrections to the uploaded information

If a lack of resources makes separation of duties impossible for certain activities, then, at a minimum, there should be sufficient means to monitor the PM/PA’s activity, such as an electronic audit trail and/or management oversight.  

4. Are there effective controls to ensure the PM/PA does not obtain unauthorized cards? In my role as a PM, an auditor asked what prevented me from getting and using a card without anyone knowing. I had to admit that it would be easy for me to obtain a card for myself, but I explained the detective controls that would catch this.

5. Is the PA/PM allowed adequate time to spend on card program management? If they are pulled in too many directions, it increases the risk to the organization and the program will likely flounder. An auditor can help shed light on this problem.

6. Is there sufficient backup for when the PM/PA is out of the office or otherwise unavailable? Select an appropriate employee—someone with the right skills—for this role. Also, if someone is trained as a backup, but does not routinely execute back-up duties, then he or she might get rusty. 

Final Thoughts

The PM/PA is critical to long-term card program success. An organization should design the role thoughtfully, hire wisely, and audit regularly (e.g., annually). 

Related Resources

If your organization would like assistance with developing the PM/PA role and/or audit process for the P-Card program, contact Recharged Education.

About the Author

Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all. Learn more

Subscribe to the Blog

Receive notice of new blog posts.