The Art of the Steal
A common technique of embezzlers is known as “lapping” or check-kiting. It works like this: An employee with responsibility for recording payments will pocket a payment for an outstanding bill. He then covers the shortfall by applying part of a larger and later payment by a second customer to the incriminating invoice, thus “lapping” the two accounts. A payment from a third customer will then be used to cover the second account, and on and on. A skillfully done lapping scheme can keep the money flowing undetected for years, as long as the employee stays on top of it and doesn’t take time off. I heard about one guy who succeeded in lapping receipts for twenty-nine years, quite possibly a lapping record. He was basically a career lapper. He rarely took a day off, and his scam was only discovered when he no longer came in at all. He had reached retirement age.
A recent study by the Association of Certified Fraud Examiners offers an interesting picture of embezzlers. It found that fraud committed by managers was sixteen times greater than fraud by rank-and-file employees. Fraud losses caused by men were four times those caused by women. People sixty and older committed twenty-eight times the fraud committed by people twenty-five and under. The losses from workers with post-graduate degrees were five times as great as those caused by high school graduates.
When you think about it, this picture starts to make sense. In order to steal a lot of money from a company, you’ve got to be in a position of some power and trust. Otherwise, you don’t have access to the company’s assets. So that’s likely to be someone who’s well-educated and in a
senior position. It’s not often going to be some young person on a low rung.
ERODING ETHICS, GROWING ENTITLEMENT
It’s obvious to me that one of the key reasons that employee theft has gotten so pervasive is that ethical standards have fallen to appalling lows.
Back in the 1960s, if a company found out that an employee had embezzled some money, say ten thousand or twenty thousand dollars, he would be called into the head office and confronted with the crime. Under questioning, he would eventually break down, apologize profusely, and explain that he stole the money because his kid needed a heart operation. He would promise to pay back every cent.
By 1980, a bold new ethic had taken hold. This time, when an employee was caught stealing company funds, he would again be ushered into the head office. But his response would be completely different. He would launch into a diatribe about how he was entitled to take the money. He actually deserved it, he would insist, because the company paid him poorly, offered a vile healthcare plan, and didn’t in any way properly value him. He would practically expect his boss to thank him for taking the money.
By 1990, we reached yet another level of entitlement. When an employee was called in to account for his theft, he wouldn’t even bother with explanations or excuses. He would simply shrug his shoulders and say, “So what?”
It’s a pretty sad state of affairs, but it’s a reality. Another undeniable factor for taking at the office is economic envy. Top executives make so much more than ordinary workers, and there is so much publicity about all the millionaires created from stock options, that some workers rationalize that they deserve their cut. They don’t feel that there’s anything shameful about robbing the company. A cavalier attitude has taken hold.
SIZE DOESN’T MATTER
By now, I’ve seen just about every type of scam imaginable, and to my mind, embezzlement is the most difficult to detect. It’s a crime of stealth and subterfuge.
Here’s a case that typifies so many. There was this small company, doing about $1.7 million in revenues, with just seven employees. The company hired a temporary woman to come in and do some bookkeeping. They liked her well enough that they asked her if she’d like to work full-time. She did and was hired.
Every month, the bank that the company dealt with sent along the company’s statement to the president. He faithfully opened it, looked through the checks, and reconciled the account. Then he would tell the bookkeeper, “Here’s the statement. I’ve already gone through it, go ahead and post it.” In time, he came to trust the woman enough that he asked her to take care of this chore, which he never much cared for anyway. Fairly quickly, the woman realized that she was balancing the books, and the president didn’t even know how much money he had. Each month, she began to write herself a check for one thousand dollars. Sometimes, she wrote one for five thousand dollars, and she made some out for fifteen thousand dollars. She did this for a year and a half. She stole a total of $178,000 from the company.
Finally, she wrote a very large check, and the bank called the company to check on it. For several days in a row, the bookkeeper told the bank that the president wasn’t available. Suspicious, the bank officer called the president at home one night. He told him about the check and explained that he wanted to verify it. At this point, the president went through the books and discovered the losses. He prosecuted the secretary, but the bank said they weren’t responsible for replacing the stolen funds. The president protested that he would sue the bank, because these were forged checks and the bank should have caught the signatures. The bank explained that it didn’t examine checks for as little as $1,000. It would never have seen the signatures of most of the checks. And no one challenged the bank statements sent to the company.
I was asked to testify in the case, and I supported the bank. No bank looks at one-thousand-dollar checks. What’s more, the company president was negligent in not going over the statements himself, as he used to do. It was his mistake that allowed the loss to happen.
It’s very important to reconcile bank accounts promptly, and always within thirty days of when the statement was mailed. So many companies don’t bother to do it. I know there’s nothing interesting or fun about reconciling a bank statement. You’d rather read the Congressional Record. But it’s important to your financial health. If you fail to reconcile accounts, you’ve extended an open invitation to employees to embezzle, because they know their actions won’t be discovered for a long time, usually after they’ve resettled in Bermuda.
Unfortunately, that was a small company. A loss like that would probably be enough to bring it to the brink of bankruptcy. If you’re Delta Airlines and somebody rips you off for $250,000, you contact your insurance company and tell it that the bank refuses to cover your loss. The insurance company says, okay, here’s $150,000, your loss minus your $100,000 deductible. Then Delta takes the loss off of its taxes and ends up being shortchanged $50,000, which it can certainly absorb as part of its operating costs.
But if you own six dry cleaning stores, and an employee embezzles $50,000 and takes off with her boyfriend, the bank’s not going to give it to you and you’re through. The smaller you are, the more you need to worry about these things and be aware that embezzlement is prevalent, and it’s a real threat.
MAILROOM MAYHEM
The mailroom is where stealing frequently starts. For the criminally-inclined, a mailroom is as opportune a place as a bank vault. Much of the company’s money passes through there in the form of incoming and outgoing checks. Criminals frequently seek mailroom jobs for this reason.
A Fortune 500 company in Cleveland hired a twenty-four-year-old woman as an accounts processor in its mailroom. One of her jobs was to go get postage for the meters in the building. So she would walk in and ask to requisition a check. She would say it’s for the post office, two thousand five hundred dollars. Someone would sign out the check, called a Quick Check, and give it to her. It consisted of an original and two copies on a voucher. She would stick the check into an IBM typewriter and make it out to United States Post Office, two thousand five hundred dollars, and take the check in to an assistant controller, who would sign it and give it back to her. Then she would return to her office, pull the check apart, file the two onion-skin copies, and put the original back into the typewriter. Since she had a self-correcting typewriter, she would lift off the words “United States Post Office” and type her name on the check, her real name.
She would deposit these checks, or cash them, at her bank. She did this for about four years. At the end of that time, she had taken $278,000 of the company’s money.
During those four years, no one questioned anything about these instances. Every month when the checks came back from the bank, she would go down the hall to the person who had received the incoming returned checks. She would tell her that she needed to see the checks, she was looking for one that her department wrote. She would take them into her office, remove the originals, and destroy them on a shredder. All the reconciliation for the company was done by the onion skins, not by the original checks, which matched.
Personally, I will not use a bank that won’t give me my canceled checks back. The big thing today is to give images of your checks. But only images of the front. Thus, I don’t see who endorsed the checks. How do I know someone didn’t forge a signature and cash it? How can I notify my bank in thirty days that a check was forged, if I never was allowed to see if it was forged? So I get the actual checks returned to me.
No one wondered why the young accounts processor had a new car almost every year, went to Jamaica three or four times a year on vacation, and always had new jewelry. When she was finally caught and admitted it, there were questions like, didn’t the company notice that it’s postage cost went up 300 percent? Wasn’t anyone the least bit suspicious that every month this woman had to look at the checks? As a matter of fact, when it was all said and done, only two checks were available for the court trial, because all the others had been destroyed in a shredder.
Embezzlers tend to be compulsive, and the money they steal they spend freely. Thus, one of the obvious giveaways that someone is stealing from you is that the employee starts living a suspiciously lavish lifestyle. When the mailroom worker drives up in a new Ferrari, you have to wonder. But it never fails to amaze me how often employers accept lame excuses for unorthodox spending. There was the case of the budget director for a California school district. He earned $76,000 a year. That’s not a bad living. But how could that be enough for the fur coats his wife started wearing? The fancy house they lived in? How did that pay for a Mercedes and a Rolls-Royce? Nobody who works for my school district drives a Rolls-Royce. When anyone wondered, he simply replied with a sly smile that outside investments paid for these frills. The real answer was he had managed to embezzle about $2 million by writing checks to himself out of an old health-insurance account that the other school administrators thought had been closed years before. He diverted money to that account from the district’s building programs, food services, and insurance rebates.
THE BURDEN IS ON YOU
I believe that companies have a moral obligation to their employees to have controls in place. It’s entirely unfair to put an employee in a position where it’s very easy for him or her to steal. People are people, and by not having controls, you’re basically putting up a sign that reads: “Steal from me. I’ll never know.” A study that was done a few years ago concluded that 10 percent of employees would steal all the time, another 10 percent would never steal, and the remaining 80 percent would steal given the right motive. That’s a scary survey. It’s telling a company it has to worry about 90 percent of its workforce.
So I think that if you don’t have temptations in place to begin with, you avoid a lot of problems. It can be simple things. One restaurant chain furnishes its workers with uniforms without pockets. It sounds silly, but it takes away temptation. My experience with embezzlement has led me to come up with a series of steps that I feel represent the best internal controls to deter theft, and I’d like to run through them.
The most important thing is to review your hiring procedures for permanent and temporary positions, so you keep people with dubious backgrounds out of your company. We have to get back to common business practices and good sense. In most of the embezzlement cases I get involved in, the employee who stole from the company also stole from the previous company he worked for. If the company had run a sound background check on that employee, then the loss would probably not have occurred. I believe trust is a good thing. I believe controls are better. I believe a preliminary employment application is best.
And you have to make phone calls, not just look at pieces of paper. I know that if I walked into a New York hospital tomorrow and applied for an internship, as long as I presented credentials, I doubt anyone would make a call. But as I told you in the last chapter, anyone can create credentials. When you check references, you need to pay particular attention to dates and time gaps in a resumé. What was going on then? Had the person been fired and unable to get another job? Was he in jail?
When you’re filling a position in a particularly sensitive area, think about hiring an outside firm to tackle a complete background check. Run a credit bureau report on that employee. Does he have a gambling problem, which would show up on a credit report? Is he deep in debt? Is he about to file for bankruptcy? These are the elementary things you should know about him before you allow him to handle your money. Call up the former employer. He may not be willing to tell you, “Oh yeah, that guy stole us blind and we had to fire him.” But you can ask, “Would you hire this employee again?” If he says, “No, we wouldn’t,” then that tells you there was an incident there.
I’m not saying you need to go to these extremes with everyone. If a guy is going to paint my building, as long as he can paint, I’m not too worried. But it’s got to be done with anyone who puts his fingers on your money and who regularly goes into secure areas. All the time, when I go into a secure room at a company where they keep their checks, I ask them who has access. And all the time, they say, “Oh, only three people, and we’ve checked them out twenty different ways and they have ID cards that have to be swiped.” I say, “What about the janitorial service?” “Oh yeah,” they reply, “they come in and clean.” Well, you’ve got to check out the janitor, too. When using temporary employees in financial areas, have them bonded. And rotate personnel in financially sensitive assignments on a regular basis.
VET YOUR VENDORS
You absolutely must protect the accounts payable and procurement functions by restricting access to the master file records of your vendors. Changing or adding new vendors should require supervisory approval and supporting documentation, because otherwise any employee can set up a company name and have the company start billing and getting paid off of accounts payable work. I was involved in a case in Atlanta, at a billion-dollar company, where a woman who had been there for three or four years set up a vendor file with her own initials. She called the company by those initials, WJK Inc., and then simply started billing the company for services and, of course, they were in the vendor file. And the company paid the bills. After about three years, more than $4 million was stolen.
Someone who’s independent of the buying and payment functions ought to review all new supplier entries. That review should always include a telephone call to the new supplier, and get that number from directory information to make sure it’s the real one. When you make the call, verify the name, address, and Federal tax ID number.
If you want to guard against payments to ghost employees that don’t exist, as well as improper changes in pay rates, you also have to restrict access to the personnel master file records. A supervisor ought to have to approve adding any new employees or changing anyone’s pay rate. Otherwise, you’re going to find yourself paying a dishonest worker five checks a week—or fifty. A fellow in the business office of the German Army regularly paid checks to a battalion that didn’t exist. He was the battalion, and he was just lucky he never got summoned into battle.
Another practice that should be carefully monitored is outsourcing. Businesses outsource so many things today, including accounts payable. How do you know the people you outsource to aren’t cheating you? One company outsourced its security detail; the guard firm assured the firm that it had checked out everyone. Well, they missed one guy. He had an arrest record for stalking. Fortunately, he didn’t stalk anyone
in the company, but he did steal a bunch of laptop computers. So you’ve got to be careful, and I don’t believe in ever outsourcing accounts payable. You’re not saving a lot of money and you’re relinquishing control. You can outsource payroll, but not accounts payable.
YOU NEED MORE THAN BREADCRUMBS
A really basic thing to do is to create audit trails, but businesses have gotten away from this practice. Most companies create no records whatsoever. If you ask them, “Who authorized this change?” their answer is, “Gee, I don’t know.” Thieves aren’t going to suddenly have a moral awakening one day and turn themselves in. You need evidence of wrongdoing. That’s why audit trails were invented.
All access to master file records should be protected by a password and restricted by job function. Computer systems should then automatically create an audit trail of all changes made to those master records, including who made the change. A report of the changes should be printed and reviewed by someone independent of the employee who made the changes. This report is sometimes called an “access matrix.” Checking the access authority of each employee should be part of this review. Determine a standard “access profile” for each employee, and restrict the master file records to these employees. And immediately investigate any unusual or suspicious activity. Most computer systems are designed with audit trail capabilities, but companies rarely use them.
In one recent case, an accounts payable supervisor at a major manufacturer felt his mortgage was a little too large for his comfort. So he did a touch of editing in the master file that contained the company’s suppliers. Since he had no oversight, he could pretty much do as he pleased. He changed one of the vendor names to the name of his mortgage company, and edited in a reference to his loan number. Instead of his company sending a check to the supplier, it sent a sizable principal payment to the employee’s mortgage holder. What tripped him up was that mortgage companies generally won’t accept a large principal payment without specific written instructions. Since the guy wasn’t able to intercept the payment to include a written note, the mortgage company returned the check to the manufacturer and the fraud was uncovered. It would have been caught with an audit trail.