(Author Vinod Khurana, President, Institute of Forensic Accounting & Investigative Audit)
The management of corporate in the present social and working environments is scaring. The White-Collar Crime Menace is so widespread that I candidly see no company small or big which is not hit by this menace. It is a different matter that they do not come to limelight as often they do not get reported. They not only have serious implications for corporate reputation and profitability but also convert large number of man-hours to unproductive exercise, which finally as you move forward becomes difficult to handle.
We often see that these white-collar crimes are the germination of the working complexities. Working complexity is so strong that in which all directions the pipelines to drawn out the cash flow or choke the inward cash flow are laid could be mindboggling. The senior management may even come to know of the wrong, after the huge damage is done, if at all, the frauds being done do surface. Not only that, the senior management often is not successful in laying the early trap to sniff out the wrong happenings, not that they are not intelligent enough; unfortunately the systems are so complicated and they run short of time to understand and focus on these areas for many-many reasons. Candidly, may be they are not even capable enough to sniff out the wrongs as they do not have sniffers mindset and are not trained how to look for wrongs.
The complexity becomes further complex when the working environments are not simple and transparent. Simplicity and transparency brings in inherited strength to catch the wrongs, and by itself is strong preventive measure. Whereas the complexity and camouflaging makes it that complex and sniffing out becomes difficult and the difficulty aggravates with more complexity. The complexity that we often observe is either by design or by default. The complexity by design is created when the perpetrator does not want any other person to understand as to what wrongs he has done and how he has been doing these wrongs and camouflaging. This complexity is brought in not only at complex scenario but even at the simplest scenario. The modus operandi of such creation would be based on the position of the person trying to create complexity or to exploit the complexity to the best that perpetrator understands the systems, so that the system does not reveal the wrongs and with the passage of time the wrong becomes integrated in the system and gets dissolved. These days these complexities are even easy to create in the present existing computerised environments, which are rarely well understood at the top.
Whereas, the complexity by default is based on various reasons and lack of appreciation and understanding of the complexity, which grow with the time factor and the person living under those conditions gets so intoxicated with the situation that the foul smell becomes sentient and complexities are often not rectified till they start bleeding. These complexities when not rectified on time breed and generate more complexities, vertically as well as horizontally. To understand the consequences of these complexities better, I wish to share one simple rather a simplest live example that we revealed as to how the complexities that are created by default over a period of time are exploited and can be turned into perpetual pipe lines.
A well established and managed company in multidivisional domain used to apply for various tenders in the Govt, Public and Private sector for supply of material and execution of projects on turnkey basis. The task of applying for various tenders was undertaken by the concerned operation team and there were good number of operation team for each vertical. These teams whenever had to apply for tender used to make request to Account department to provide them a draft for applying the tender as earnest money/ security deposits. The practice went on for long but the earnest money so deposited with various Companies, Public Sectors and Govt. Departments, were not reconciled as to how many tenders were filed, how many allotted and earnest money adjusted and how much earnest money has been refunded and how many are outstanding and for how long and who has the receipt of deposit for safe custody, a huge vacuum was created on this account as to reconciliation, so much so that whenever the issue was brought up by auditors , there used be deliberations as to who is responsible for reconciliation; the accounts or the operational division, who is answerable for the funds so deposited. With the passage of time and keeping in mind the financial impact being not very large the matter subdued and reconciliation became defunct by default.
During one of our system evaluation/examination, one of our team members was examining salary accounts reconciliation, and while he was evaluating loan grant procedure and recovery thereof, he found that one of the loans, taken by staff member few months earlier, was refunded in lump sum and the refund was made by submission of Draft and the indication was made on the records. This clearance by Draft raised alarms in his mind for one reason that the bank accounts of the Individual are held in the same bank in which the company holds his bank account, as the salary payment is being made through transfer of funds for all the employees, if that being so , why should a person get the draft made to clear the loan, when the same can be cleared through cheque, as getting the draft made is definitely time consuming and at the same time additional amount for getting the draft made would need to be incurred. Therefore even if the charges for getting the draft making are not very high, but why one would do so, when he can easily clear the loan through cheque. The curiosity to understand , our colleague went into details of the concerned person and he found another anomaly; the person was in habit of raising loans as frequently as possible but also refunds the loans immediately after clearing two odd instalment through his salary deduction and thereafter he often deposits the draft for clearance of his loan. This anomaly was not tenable and immediately drove our team member to the bank, which happened to be in the same building. On request, when the draft so deposited by the company with the bank was taken out to find out its real origin, what was revealed with the help of the bankers that the Draft so deposited by the company, which was received from the staff member was prepared by the bank which was located miles away and this particular branch was catering to one large Public sector, which was revealed through the code number of the branch, by virtue of its geographical position. The matter became suspicious as to how and why the staff person would get the draft made from a bank so remote from the area. The concerned person was called to enquire as to how he has managed the draft and what was revealed during investigation was alarming and astonishing and the followings were revealed:
(i) The concerned staff member was working as lowest positioned clerk in the corporate secretariat, whose responsibility was to open the mail received from various sources, to record them in the register for posterity and place them in appropriate folders for review at appropriate level.
(ii) This person was working earlier as a peon in the Accounts department and was influential. He was aware that the earnest/ security deposit for contract purpose was not being reconciled as he had heard the deliberation and had understood this problem from the concerned dealing staff.
(iii) While working in the Corporate Secretariat registry during his process of opening the mail, he used to receive refund of earnest money, and smartly he would remove this refunds , destroy the covering notes , make no entry in the records and use these drafts for refund of his loan, as he would take these drafts to Accounts department and would make request to refund of loan stating that he has managed the finances from his family members, for which he would hand over the draft and accounts staff taking the draft would not really understand the nitty-gritty . He would even synchronize his loan and outstanding amount with the draft value that he has in his hand, and the variations in the amount of outstanding loan and the draft value would be transacted through his monthly salary.
(iv) As there were limitation on taking his loans, and the flow of earnest money/ security refunds/ other receipts which were unaccounted and could easily be played with were large, and his scheme of operation had successfully capitalised, he wanted to expend the scheme in the same gambit.
(v) He approached his friends in the company, who had sought loans from the company and were paying interest on loan, he would offer on the pretext to those colleagues that his friend has money and is willing to grant loan at lower rate of interest, and convinced them to repay the loan and he would initiate the process for repayment and repayment for all those refund would flow in from all those drafts which were refund of security/ earnest money which always remained un- reconciled and after the refund he would recover the amount from his friends in due course of time.
The reference made above is certainly small with respect to the total financial impact that it would have on the large corporate and one may even say at the corporate that this is part of the business, however I would put it differently saying , what a lesson to be learnt, a person gets idea knowing the vulnerability, irrespective of the position he works and believe you me, if there is a weak link in the system and not exploited till today, does not mean the weak link would not be exploited tomorrow, be rest assured one day it would be exploited, unless we put our house in order and brings transparency and remove complexities .
The Instance that I have mentioned above crept up due to complexity of reconciliation created by default, though the reconciliation of earnest money per se may not be perceived as big issue and most of the companies may be in the same state, but I am sure we can appreciate and understand the gravity of complexity created by design. When one creates complexity by design the exploitation would be much faster and consequences would be based on who has created the complexity and what is his total understanding of the system in which the complexity is created. If the understanding in the system is complete then sniffing out the wrong gone through with the complexity is going to be extremely difficult, but if the understanding of the person creating complexity by design is limited to some aspects in which the complexity is created, the sniffing out the wrong could be easier but would be based on the expertise available in the system who can understand the manoeuvring done and can see the red-flag to sniff out the wrongs. I wish to share an event, but not much in details intentionally, wherein one of our colleague while undertaking forensic Audit in well established corporate with well structured and operated ERP environments, revealed the followings:
(i) The Salary staff person in accounts department, looking after the corporate salary, used to regularly update the salary transaction file and would assure the complete updations, before he closes the monthly salary scroll, prints out the salary, and gets the funds transferred to each account through cumulative transfer to bank. Unfortunately he had wrong access to the salary masters, which otherwise was the responsibility of Computer Cell and the concerned person had assigned him to take access to update the master with respect to salary increase to avoid bringing out lapses and getting highlighted the inaction on his part. But the person passing the password never could visualise as to what all wrongs can go through.
(ii) The Concerned Accounts staff member was a member of modules development team when ERP was being developed through outsource agency, and when the ERP was developed and established this person was deployed in accounts to look after the salary module. As he knew the system well and was able to secure the access to master file , played a smart move wherein; the de-activated salary master of the person who had left the organisation was activated and to reconcile the total number of master, being one of the major control, the active master of the person who was out on to the client base for more than 6 months and was not being paid the salary during their stay with the client, was deactivated, and the salary went through to the person who had left the organisation. The concerned salary staff person had access to the bank account of the person whose master was activated, as while leaving the organization being in hurry he handed over his cheque book to the concerned accounts staff to get the accounts balance transferred to his given account and to close the accounts thereafter. The funds were transferred to the given account but the account was not closed hence he had access to his bank account.
(iii) How was it revealed and sniffed out is little longer statement, but in short, when our colleague found during review of monthly transaction file, the person gone abroad on the client side are not being paid and their ledgers are active but flagged, he wanted to know as to how many such employees are with clients whose ledgers are flagged and why the summery of their movements is not being prepared regularly and reconciled as being done for other employees, so as to know how many of the staff members are with the clients who are not been paid on monthly basis. Sooner our colleague asked this question he found the changing behaviour in the concerned staff person and our colleague instantly opened up, the transaction file of the previous month and tried to compare the flagged ledger the previous month and the current month. During this analysis he found the flagged ledger of one employee in the previous month did not exist in the current month and was not part of the scroll, this was alarming, and as he moved on comparing he found a Pandora box wherein this activation of deactivated ledger was a routine exercise.
I am really concerned, as at large the knowledge at various levels on ERP working operation and the capacity to monitor the audit trail and the logs is very limited. If the masters are played with it may be really difficult to reveal, though one may claim that he has the best ERP and the controls, may that be so, who has the capacity and understanding to monitor the complexities created by design. The factual position is the password of the person who left the organization years back are still alive and being used fearlessly. I do not wish to go much in detail on this aspect at this stage as the same may not be desirable, but I do suggest that appreciate and understand as to what has gone wrong with others may go wrong with you tomorrow and the design of manoeuvring may even be flawless. Most of the frauds that we reveal or are being reported otherwise are so stupidly done, that I often wonder, why one has to do such stupid frauds. Do smart frauds ever surface?
I strongly suggest, that the systems at corporate must be simple and transparent, complex structure should be so divided and partitioned that understanding of each part becomes simple, which can easily and regularly be reconciled. We must not forget that our preventive controls would only function if the instructions are well understood at the levels who are supposed to monitor and the understanding would be much easier if the instructions are simple. Do not bring complexity in the system be it by design or by default, keep them at bay and if we can simplify our systems their managing them would be simple and transparent and that is the need of the day.