Chapter 8
Fraud Data Analytics for Payroll Fraud

Fraud scenarios occur in payroll for a variety of reasons. First, employees are motivated to increase their net payroll. A supervisor is motivated to increase the net payroll of a good employee or the supervisor is motivated by receiving a kickback from the employee. Human resources payroll grades are unreasonable. Senior management is motivated for personal enrichment or to disguise a bribe, which is an FCPA issue. Whatever the internal person's motivation for committing the fraud scenario, payroll systems are vulnerable to internal employees committing fraud scenarios through the payroll system.

On first appearance, internal controls in most payroll systems seem sound. Separation of duties between the payroll and human resources functions is deemed adequate. The company has a form for every step of the process. Approval controls are abundant throughout the entire system. However, in planning their fraud data analytics plan, fraud auditors should not be fooled by the evidence of an internal form, the appearance of separation of duties, and approval signatures.

The predictability or vulnerability of the payroll system to a specific fraud scenario depends on how the internal control works in the real world. I refer to this as the difference between control theory and control reality.

In the legal system, there is a phrase, “form over substance or substance over form.” Payroll systems definitely have a “form over substance” from an internal control perspective. There is a form for every step. There is a form for new hires, a form to change your profile, and a form for termination. The question is, does our payroll process have “substance over form”? The key to understanding where payroll systems are vulnerable to fraud is by understanding how robust your internal controls are at each key control. The fraud auditor needs to understand the answers to who, what, where, how, and when the internal control is performed. The fraud auditor must understand the substance of the process over the form of the process.

The who question correlates to the trust factor of fraud opportunity. Supervisors and employees develop personal relationships. These relationships may cause a less robust approval process. The who question also relates to who actually causes the employee master file to be updated. Is human resources a true control function or an update function? Is human resources or payroll a “form” control or a “substance” control?

What is the span of internal control? How many employees does a supervisor monitor? Do employees work on staggered shifts? Does this work environment create opportunities for time reporting fraud?

Where does the hiring process occur? In a retail environment, hiring occurs at a store level. The manager interviews the employee and submits the necessary paperwork to human resources. The manager is perfectly situated to place a fictitious employee on the payroll. An employee quits work, but the supervisor continues to submit time sheets for the employee and diverts the employee's payroll check.

How is human resources notified of a change or an addition? Is the employee required to go to human resources, or does a supervisor forward the necessary paperwork?

When is the procedure performed? Is the procedure performed during normal business hours or after hours?

The intent of these questions or statements is not to suggest that internal controls are not operating as intended by management, but rather to understand where your company is vulnerable to fraud.

Inherent Fraud Schemes for Payroll

The inherent fraud scheme structure is the starting point for fraud data analytics in payroll. The inherent scheme structure for entities is similar to vendors, except in payroll the entity structure is an employee. There are three entity structures in payroll fraud scenarios:

  1. Fictitious employee occurs by creating the identity for a person that does not exist in real life. The person committing the scenario in essence creates an identity for the fictitious employee.
  2. Assumed identity employee occurs by taking over the identity of a person either for a temporary time period or on a permanent time period. This entity structure is similar to the assumed identity for shell companies.
  3. Real employee is complicit in the fraud action. In payroll, complicit means that the real employee receives the payroll payment.

The fraud action statements for payroll are:

  1. Payment for services not performed; often called the ghost employee scheme. The entity structure of the inherent scheme for the ghost employee is a false entity (employee), a noncomplicit employee, or a complicit employee.
  2. Overtime fraud is payment for services not performed that are in excess of the standard hours.
  3. False adjustment scheme occurs to the gross pay, deductions, or net payroll. A supervisor, the payroll function, or corporate controller is the typical perpetrator of the fraud scenario. The internal person creates and processes a payroll transaction that inflates gross or net payroll.
  4. Manual payroll disbursements are payroll payments that are initiated, calculated external to the automated system, and the payroll data are manually entered into the automated system. Manual payroll payments occur for many reasons: final payroll payments, bonus payments, to correct an error, and to commit a fraud scenario.
  5. Theft of stale payroll checks occurs when an employee does not receive their final paycheck, for whatever reason, and an internal person diverts and negotiates the check.
  6. Inflated sales commissions or sales bonuses occur by intentionally manipulating performance statistics.
  7. Disguised compensation occurs when management overrides human resource policies and provides an employee with additional compensation. While the employee is not complicit in the scheme, the employee benefits from the fraud scenario.
  8. Payroll‐related expenditures are those expenditures that relate to employee benefits that are not considered wages in the traditional sense. That is, employees working in a foreign country are eligible for allowances such as tuition reimbursement plans. The fraud scenarios in these areas would depend on the nature of the benefit.
  9. Employer fraud involves a company that intentionally is underpaying employees. These schemes require the fraud auditor to understand the labor law, which is beyond the scope of this book. However, with the frequency of these cases reported in the media, I would be remiss in not listing the scheme.

Understanding How Payroll Is Calculated

The good news is that fraud data analytics is easier in payroll than in vendor payments. The payroll system tends to have fewer data integrity issues, so data cleansing routines are less critical. The payroll calculation tends to be accurate, which is different from authorized and consistent with company policies. Therefore, most payroll data interrogation procedures and sample selection criteria are specific identification strategies versus data interpretation strategies. Now the bad news: Because of all the subsystems that are required to calculate net payroll, more time is required to understand all of these systems and gather the data.

In payroll fraud, there are two key numbers: gross payroll and net payroll. Understanding how both numbers are calculated, stored, and reported will become the basis of your fraud data analytics plan. The planning for the fraud data analytics plan requires the fraud auditor to understand the data that resides in the following files:

  • Human resources database.
  • Time and attendance reporting database.
  • Payroll registers record the data used to calculate gross payroll and net payroll.
  • Annual payroll summary table—the annual summary of one year's payroll registers.
  • Change files for human resources, time and attendance, and payroll registers.

Starting with the human resources database, identify what information can be used for fraud data analytics. In human resources, there is the obvious information, name, address, and so on; the other relevant items of information are:

  • Employee hire date
  • Last update
  • Employee classification systems as to job titles
  • Salary grade as to the maximum salary within the grade
  • Employment status: regular full time, contract employee, temporary status
  • Country of residence

The time and attendance system starts the payroll calculation. For hourly employees, the time and attendance system is the basis of their gross payroll; for full‐time employees, it indicates whether the employee is using personal time. The fraud auditor should understand how the information is created, changed, and reported. Other necessary information is the creator ID, the approver ID, the computer ID, job duties if the employee performs different jobs and different rates, and the date and time records for creating and changing the time record.

The table structure for payroll has two primary tables for fraud data analytics, the payroll register table, which has the results of the payroll calculation, and the payroll summary table that is used for tax reporting and various fringe benefit requirements. The fraud data analytics should be based on the payroll register table; however, the payroll summary table is useful because the table size is small in comparison to the size of all the payroll registers for the year.

The net payroll calculation is gross payroll minus deductions equals net payroll. The gross payroll is based on a salary grade, divided by the number of pay periods. Hourly employees are paid based on the number of hours multiplied by an hourly rate. Gross wages are classified based on an internal earnings code; the fraud auditor should obtain a copy of the earnings code as part of the planning.

Within the payroll system, there can be many earnings codes that mirror how the business operates. Some of these earnings codes are for classification of wages, such as vacation time. Other earnings codes are designed to increase gross payroll, such as a one‐time bonus payment. Within fraud data analytics the earnings codes are an integral part of searching for fraud in payroll.

There are two types of deductions from gross wages: those required by the government and those that are voluntary. The fraud auditor should obtain a copy of the deduction codes as part of the planning.

Now that regular gross payroll is calculated, the next step is to understand how adjustments to gross payroll, deductions, and net payroll are reported and where the adjustment transaction is recorded in the database.

Lastly, how is net payroll calculated? Within some companies, employees are reimbursed for expenses through payroll. The company includes the reimbursement as an adjustment to net payroll.

Planning Reports for Payroll Fraud

The first report that should be created is a report of gross payroll and net payroll by employee. The difference between net and gross should be calculated, along with the percentage of employee net payroll to employee gross payroll. The informational items on the report should be the number of payroll payments, the employee number, the employee grade, employee title, and department number.

There should be summary reports on payroll information:

  1. By payment code, the number of employees paid through direct deposit versus manual payroll check.
  2. By earnings code, a summary of gross wages that also includes the frequency of the earnings code occurring in the payroll registers.
  3. By deduction code, a frequency count of employees using the deduction code.
  4. By employee, the total number of automated payroll payments and the total number of manual payroll payments. The start date and termination date are critical to determine if the number of payroll payments is consistent with your expectation (payroll payment frequency report).
  5. By employee, the total number of hours reported for hourly employees.

Each of these reports can be further refined based on what the reports reveal. Summarization and filtering routines are useful in allowing these reports to be user friendly. Using the payroll frequency report:

  • Summarize the total number of automated payments and the total number of manual payments.
  • Filter out all employees when the number of payroll payments is consistent with their employment period.

Remember, the planning reports are intended to assist the auditor in the likelihood analysis versus the sample selection process. Using the payroll frequency report, if no manual payroll payments were issued, then no fraud scenarios could occur through manual payments. Before you start creating fraud data analytics reports, study the planning reports to ensure you understand the data.
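
The payroll payment frequency report and its filter can be built as follows. This is an added example, not from the book; the biweekly pay calendar, the one-cycle allowance for a final payment, the "DD" and "MANUAL" payment codes, and all sample records are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Assumptions (not from the book): biweekly pay dates, a final payment may fall
# up to one pay cycle after the termination date, and payment types are coded
# "DD" (direct deposit) or "MANUAL" (manual payroll check).
PAY_CYCLE = timedelta(days=14)
PAY_DATES = [date(2023, 1, 13) + PAY_CYCLE * i for i in range(6)]

# Constructed sample data: employee_no -> (start_date, termination_date or None)
EMPLOYEES = {
    1001: (date(2020, 5, 4), None),
    1002: (date(2023, 2, 6), None),                # hired mid-period
    1003: (date(2021, 3, 1), date(2023, 1, 31)),   # terminated mid-period
    1004: (date(2022, 1, 10), None),
}

# Constructed payroll register extract: (employee_no, pay_date, payment_type)
PAYMENTS = (
    [(1001, d, "DD") for d in PAY_DATES]
    + [(1002, d, "DD") for d in PAY_DATES[2:]]
    + [(1003, d, "DD") for d in PAY_DATES[:3]]
    + [(1003, d, "MANUAL") for d in PAY_DATES[3:5]]   # paid after termination
    + [(1004, d, "DD") for d in PAY_DATES]
    + [(1004, date(2023, 2, 17), "MANUAL")]           # off-cycle payment
)


def expected_payments(start, term):
    """Count the scheduled pay dates that fall inside the employment period."""
    last = term + PAY_CYCLE if term else PAY_DATES[-1]
    return sum(1 for d in PAY_DATES if start <= d <= last)


def frequency_report(employees, payments):
    """Per employee: automated count, manual count, expected count, variance."""
    counts = Counter((emp, kind) for emp, _, kind in payments)
    report = []
    for emp in sorted({e for e, _, _ in payments} | set(employees)):
        start, term = employees.get(emp, (None, None))
        auto, manual = counts[(emp, "DD")], counts[(emp, "MANUAL")]
        # An employee paid but absent from the master file is expected 0 times.
        expected = expected_payments(start, term) if start else 0
        report.append({"employee_no": emp, "automated": auto, "manual": manual,
                       "expected": expected,
                       "variance": auto + manual - expected})
    return report


def exceptions(report):
    """Filter out employees whose payment count matches their employment period."""
    return [row for row in report if row["variance"] != 0]


def totals(report):
    """Company-wide totals of automated and manual payments."""
    return {"automated": sum(r["automated"] for r in report),
            "manual": sum(r["manual"] for r in report)}


if __name__ == "__main__":
    rpt = frequency_report(EMPLOYEES, PAYMENTS)
    print(totals(rpt))
    for row in exceptions(rpt):
        print(row)
```

A manual total of zero in the summary means the manual payment scenarios can be ruled out in the likelihood analysis before any sample is selected.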

FDA for Ghost Employee Schemes

The term ghost employee is widely used throughout the audit profession. It generally is defined as payroll payments to a person who does not exist in real life. Using the inherent scheme approach, there are 11 ghost entity types. The fraud action statement is the same for each entity type: payment for services not performed.

Fictitious Employee That Does Not Exist

The fictitious employee is added to human resources file by someone with direct access or through indirect access. In many organizations, the hiring process occurs remotely from corporate human resources. For example, in retail, the store manager performs the hiring function and then submits the necessary paperwork to human resources, causing the fictitious employee to be added to the master file.

FDA Plan for Fictitious Employee That Does Not Exist

The plan can focus on the entity data, payroll register, or cross‐match to other data files to ascertain evidence of work performance. The entity data can focus on missing data and specific identification of data. The duplicate test can search for common linkage between two employees. The payroll register may have anomalies in the gross, deductions, or net payroll calculation.

Generally, employees worldwide have a government identification number. The critical question is whether the local government business systems are sophisticated enough to identify an invalid government number for the citizen or foreign national. If yes, then an invalid number would soon be detected by government reporting; if no, then government identification numbers are not problematic for the person committing the fraud scenario.

So, where can we find a government identification number?

  • When a person dies, the government identification number becomes inactive. However, in the year of death, the number will remain active for payroll reporting.
  • If the government does not make a government identification number inactive, then the perpetrator can use a dead person's number.
  • Accounts payable—the person may have started working as a contractor.
  • Foreign nationals who leave the country and return to their home country.
  • In the United States, an employee may also have an ITIN number. These numbers start with the number nine and are also nine digits.

The search of the employee master file may look for employees missing normal employee information or perform a duplicate test to link two individuals together, one real and one fictitious. The first step is the data availability analysis to determine which fields are typically populated by human resources. The missing analysis should be based on information that would normally exist for a real employee. The scoring sheet concept is critical to using the missing data approach in that some information is simply more important than others.

  1. Missing government identification number or an invalid number
  2. Missing address or bank account. (In the missing test, an employee without a street address would be considered missing address.)
  3. Employee is in payroll register but no record in the human resources database
  4. No health insurance code
  5. No retirement code
  6. No emergency contact person
  7. No personal telephone number
  8. No employee personal email address
  9. No last evaluation date, assuming information is recorded in human resources
  10. Creation date
  11. Grade level and job title
  12. Department number
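
A scoring sheet for the missing data test, preceded by the data availability analysis, might look like this. It is an added example, not from the book: the weights, the 60 percent availability threshold, the selection cut-off, the field names, the US-style identification number checks, and the sample records are all assumptions constructed for illustration.

```python
import re

# Assumed weights (the text lists the fields, not the weights): a higher
# weight marks information a real employee is more likely to have on file.
WEIGHTS = {
    "gov_id": 5, "address": 3, "bank_account": 3, "health_code": 2,
    "retirement_code": 2, "emergency_contact": 1, "phone": 1,
    "personal_email": 1, "last_eval_date": 1,
}
MIN_POPULATED_PCT = 60  # assumed: score a field only if HR usually fills it
SELECT_AT = 6           # assumed cut-off score for sample selection

# Constructed master records (hypothetical field names). Records share BASE
# values for brevity; only blank or invalid fields matter to this test.
BASE = {"gov_id": "123-45-6789", "address": "14 Elm Street",
        "bank_account": "0011223344", "health_code": "H1",
        "retirement_code": "R1", "emergency_contact": "J. Doe",
        "phone": "555-0100", "personal_email": "",
        "last_eval_date": "2023-06-30"}
MASTER = [
    {**BASE, "employee_no": 2001},
    {**BASE, "employee_no": 2002, "gov_id": "234-56-7890"},
    {**BASE, "employee_no": 2003, "gov_id": "345-67-8901",
     "personal_email": "a@example.com"},
    {**BASE, "employee_no": 2004, "gov_id": "456-78-9012", "retirement_code": ""},
    {"employee_no": 2005, "gov_id": "000-12-3456", "address": "PO Box 12",
     "bank_account": "9988776655"},
]


def available_fields(master):
    """Data availability analysis: keep fields HR populates for most employees."""
    keep = []
    for field in WEIGHTS:
        populated = sum(1 for r in master if (r.get(field) or "").strip())
        if populated * 100 >= MIN_POPULATED_PCT * len(master):
            keep.append(field)
    return keep


def gov_id_problem(value):
    """Return 'missing', 'invalid' or None for a US-style nine-digit number."""
    digits = re.sub(r"[\s-]", "", value or "")
    if not digits:
        return "missing"
    if not re.fullmatch(r"\d{9}", digits) or len(set(digits)) == 1:
        return "invalid"
    if digits[0] == "9":   # ITIN range per the text: not scored as invalid
        return None
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or group == "00" or serial == "0000":
        return "invalid"
    return None


def address_missing(value):
    """No street address counts as missing (assumed: blank or PO box only)."""
    text = (value or "").strip()
    return not text or re.match(r"(?i)^p\.?\s*o\.?\s*box\b", text) is not None


def score_employee(rec, fields):
    """Return (score, reasons) for one master record over the given fields."""
    reasons = []
    for field in fields:
        value = rec.get(field)
        if field == "gov_id":
            problem = gov_id_problem(value)
        elif field == "address":
            problem = "missing" if address_missing(value) else None
        else:
            problem = None if (value or "").strip() else "missing"
        if problem:
            reasons.append((field, problem, WEIGHTS[field]))
    return sum(w for _, _, w in reasons), reasons


def scoring_sheet(master):
    """Employees at or above the cut-off, highest score first."""
    fields = available_fields(master)
    scored = [(score_employee(r, fields)[0], r["employee_no"]) for r in master]
    ranked = sorted(scored, key=lambda t: (-t[0], t[1]))
    return [(emp, score) for score, emp in ranked if score >= SELECT_AT]


if __name__ == "__main__":
    print(available_fields(MASTER))
    print(scoring_sheet(MASTER))
```

Because the personal email field is populated for only one of the five sample records, the availability step drops it, so its absence does not inflate every employee's score.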

The duplicate test searches for a common linkage between two employees. The test can result in many false positives if the sample selection criteria are based on one criterion. The first test is a duplicate government identification number. System internal controls should not allow a duplicate number, but better safe than sorry. The second duplicate test would focus on duplicate bank account number and duplicate address. Now, depending on the person committing the scenario, the second attribute is a duplicate department number. The reason for duplicate department number is that the payroll charge needs to be recorded to a general ledger account. Assuming the person committing the scheme is a budget owner, then the budget owner's account number is the most likely place to avoid detection. If the person committing is in payroll, then a judgmental identification of departments with ghost employee payroll charges would not be as evident. If the scheme is committed as part of a bribe scheme (an FCPA violation), then the budget number may not provide a logical connection.
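
The duplicate test with more than one criterion can be sketched as below. This is an added example, not from the book; the field names, the normalization rules, the rule that a duplicate government number is selected on its own while other links need a second shared attribute, and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from itertools import combinations

LINK_FIELDS = ("gov_id", "bank_account", "address")

# Constructed employee master extract (hypothetical field names).
MASTER = [
    {"employee_no": 3001, "gov_id": "123-45-6789", "bank_account": "0011223344",
     "address": "14 Elm Street", "department": "410"},
    {"employee_no": 3002, "gov_id": "234-56-7890", "bank_account": "0011-2233-44",
     "address": "9 Oak Ave", "department": "410"},
    {"employee_no": 3003, "gov_id": "345-67-8901", "bank_account": "5566778899",
     "address": "22 Pine Rd.", "department": "200"},
    {"employee_no": 3004, "gov_id": "456-78-9012", "bank_account": "6677889900",
     "address": "22 pine road", "department": "530"},
    {"employee_no": 3005, "gov_id": "345678901", "bank_account": "7788990011",
     "address": "3 Lake Dr", "department": "610"},
]


def normalize(field, value):
    """Reduce a value to a comparison key: upper case, no punctuation."""
    text = (value or "").upper()
    if field == "address":
        for long, short in (("STREET", "ST"), ("AVENUE", "AVE"), ("ROAD", "RD")):
            text = re.sub(rf"\b{long}\b", short, text)
    return re.sub(r"[^A-Z0-9]", "", text)


def linked_pairs(master):
    """Map each pair of employees to the set of attributes they share."""
    pairs = defaultdict(set)
    for field in LINK_FIELDS:
        groups = defaultdict(list)
        for rec in master:
            key = normalize(field, rec.get(field))
            if key:
                groups[key].append(rec["employee_no"])
        for members in groups.values():
            for a, b in combinations(sorted(members), 2):
                pairs[(a, b)].add(field)
    # Department is only a second attribute: it never creates a pair by itself.
    dept = {r["employee_no"]: r.get("department") for r in master}
    for (a, b), shared in pairs.items():
        if dept[a] and dept[a] == dept[b]:
            shared.add("department")
    return dict(pairs)


def select_pairs(pairs):
    """Select a duplicate government number, or any link on two or more attributes."""
    selected = []
    for (a, b), shared in sorted(pairs.items()):
        if "gov_id" in shared or len(shared) >= 2:
            selected.append((a, b, sorted(shared)))
    return selected


if __name__ == "__main__":
    for row in select_pairs(linked_pairs(MASTER)):
        print(row)
```

Employees 3003 and 3004 share only an address, so the pair is recorded but not selected; a single shared attribute of that kind is the false positive the text warns about.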

The payroll register provides the gross payroll, deductions, and net payroll for the fictitious employee. The payroll register anomalies are:

  • No voluntary deductions.
  • No voluntary government tax withholdings.
  • Net payroll is a high percentage of gross payroll.
  • Gross payroll is above the 50 percent tier for the grade level.
  • Employee is not recorded in the human resources database.

The best test to identify a ghost employee is evidence of work performance, the ability to match an employee in the payroll registers to an employee in a security database. Common databases are building access, parking garage access, computer access, or internal telephone system. The first level of the test is to determine if the employee in the payroll register is listed in the security database. The second level of the test is to determine if the listed employee is showing activity in the security database.

While evidence of work performance is the best test for identifying ghost employees, there are challenges with the fraud data analytics test. The first challenge is matching an employee's name between two unrelated databases. If employees are assigned an employee number, the match is relatively simple. If the match occurs on name, then the match will have spelling issues, much like the address field. The second challenge is associated with the diversity of the workforce. Finding one database for a diverse employee workforce may not be possible. The retention of access security records might be limited. Lastly, how robust is the enforcement of the security program? These challenges aside, matching your employee database to a secondary database is the best tool to identify ghost employees.
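
The two levels of the work performance test, including the name matching problem, can be sketched as follows. This is an added example, not from the book; the building access layout, the 0.90 name similarity cut-off, the scope period, and all sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import date
from difflib import SequenceMatcher

NAME_MATCH_MIN = 0.90  # assumed similarity cut-off for a name-only match
PERIOD = (date(2023, 3, 1), date(2023, 3, 31))  # assumed scope period

# Constructed payroll register extract: (employee_no, name)
PAYROLL = [(4001, "Maria Gonzalez"), (4002, "John O'Neil"),
           (4003, "Priya Raman"), (4004, "Sam Carter")]

# Constructed security database: (badge_id, employee_no or None, holder_name)
BADGES = [("B1", 4001, "GONZALEZ, MARIA"),
          ("B2", None, "John ONeill"),        # no employee number, name misspelled
          ("B3", 4003, "Priya Raman")]

# Constructed access log: (badge_id, swipe_date)
SWIPE_LOG = ([("B1", date(2023, 3, d)) for d in (1, 2, 3, 6, 7)]
             + [("B2", date(2023, 3, d)) for d in (1, 2)]
             + [("B3", date(2022, 11, 30))])  # last swipe predates the period


def norm_name(name):
    """Lower-case 'first last' with punctuation removed."""
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def activity_counts(swipe_log, period):
    """Number of swipes per badge inside the scope period."""
    start, end = period
    return Counter(b for b, day in swipe_log if start <= day <= end)


def find_badge(emp_no, name, badges):
    """Return (badge_id, how): how is 'employee_no', 'name', or None if unlisted."""
    for badge_id, badge_emp, _ in badges:
        if badge_emp == emp_no:
            return badge_id, "employee_no"
    best_id, best = None, 0.0
    for badge_id, badge_emp, badge_name in badges:
        if badge_emp is None:   # fall back to the name only when no number exists
            ratio = SequenceMatcher(None, norm_name(name),
                                    norm_name(badge_name)).ratio()
            if ratio > best:
                best_id, best = badge_id, ratio
    return (best_id, "name") if best >= NAME_MATCH_MIN else (None, None)


def work_evidence(payroll, badges, swipes):
    """Classify each paid employee by the two levels of the test."""
    results = {}
    for emp_no, name in payroll:
        badge_id, how = find_badge(emp_no, name, badges)
        if badge_id is None:
            status = "not_listed"           # level 1: not in the security database
        elif swipes.get(badge_id, 0) == 0:
            status = "listed_no_activity"   # level 2: listed but no activity
        else:
            status = "active"
        results[emp_no] = (status, how)
    return results


if __name__ == "__main__":
    swipes = activity_counts(SWIPE_LOG, PERIOD)
    for emp, outcome in work_evidence(PAYROLL, BADGES, swipes).items():
        print(emp, outcome)
```

A result matched on name rather than employee number should be confirmed by hand before the employee is cleared, since a spelling-tolerant match can link the wrong person.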

Real Employee, Not Complicit, Temporary Takeover of Identity

In this scenario, the employee departs the workplace and the supervisor does not notify human resources of the employee's departure until weeks later. The scenario typically occurs in entry‐level positions or positions that have regular turnover. During the employee absence the supervisor submits the necessary time and attendance reports to cause a payroll payment. The person committing the scenario is typically a department manager, and the employee is receiving a manual check. While the supervisor could submit a change to the employee's bank account, the action seems less likely. If the person committing the scenario is a payroll person, the fraud data analytics should search for a change to bank account close to the termination date.

FDA Plan for Real Employee, Not Complicit, Temporary Takeover of Identity

The first criterion is all employees who have a termination code because the scenario is a temporary takeover. We then create two homogeneous databases of terminated employees: employees paid with direct deposit and employees paid with a manual check. If the employee is paid with direct deposit, there needs to be a change to the bank account. If the bank account is changed, then the employee is selected for testing. If the employee is paid with a manual check, then there is no further data analytics. The sample selection is based on judgmental criteria. If the time and attendance records are automated, then examine the record to determine who created the record.
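
The plan above can be expressed as a short routine. This is an added example, not from the book; the 30-day window used for "close to the termination date," the change file and time record layouts, the user IDs, and the sample records are assumptions constructed for illustration.

```python
from datetime import date, timedelta

WINDOW = timedelta(days=30)  # assumed meaning of "close to the termination date"

# Constructed: employee_no -> (termination_date or None, payment_method)
EMPLOYEES = {
    5001: (date(2023, 4, 14), "DD"),
    5002: (date(2023, 2, 28), "DD"),
    5003: (date(2023, 5, 5), "MANUAL"),
    5004: (None, "DD"),                      # active employee, out of scope
    5005: (date(2023, 3, 17), "DD"),
}

# Constructed change file: (employee_no, field, change_date, changed_by)
CHANGES = [
    (5001, "bank_account", date(2023, 4, 3), "PAY07"),
    (5002, "bank_account", date(2022, 6, 10), "HR02"),
    (5004, "bank_account", date(2023, 3, 1), "HR02"),
    (5005, "address", date(2023, 3, 10), "HR02"),
]

# Constructed automated time records: (employee_no, work_date, creator_id)
TIME_RECORDS = (
    [(5001, date(2023, 4, d), "5001") for d in range(3, 8)]
    + [(5001, date(2023, 4, d), "SUP22") for d in range(10, 15)]
    + [(5003, date(2023, 5, d), "SUP31") for d in range(1, 6)]
)


def other_creators(emp, term, time_records):
    """Creator IDs, other than the employee, on time records near termination."""
    return sorted({who for e, day, who in time_records
                   if e == emp and who != str(emp) and abs(day - term) <= WINDOW})


def temporary_takeover_plan(employees, changes, time_records):
    """Split terminated employees into selected (DD) and judgmental (manual)."""
    selected, judgmental = [], []
    for emp, (term, method) in sorted(employees.items()):
        if term is None:
            continue                          # first criterion: termination code
        creators = other_creators(emp, term, time_records)
        if method == "MANUAL":
            judgmental.append((emp, creators))  # no further data analytics
            continue
        for e, field, changed, by in changes:
            if (e == emp and field == "bank_account"
                    and abs(changed - term) <= WINDOW):
                # Days from termination: negative means before the date.
                selected.append((emp, (changed - term).days, by, creators))
    return {"selected": selected, "judgmental": judgmental}


if __name__ == "__main__":
    plan = temporary_takeover_plan(EMPLOYEES, CHANGES, TIME_RECORDS)
    print(plan["selected"])
    print(plan["judgmental"])
```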

Real Employee, Not Complicit, Permanent Takeover of Identity

In this scenario, the employee departs the workplace and the supervisor does not notify human resources of the employee's departure. The supervisor submits time and attendance reports to cause a payroll payment. The scenario can occur either with a manual check or by causing a change to the direct‐deposit bank account. The key with this scenario is to understand the wage and tax reporting within the country. If the terminated employee is not notified of wage and tax withholding, then this scheme could occur forever. If the employee is in a country where wage and tax reporting is reported to the employee, then concealing the scheme is more difficult but not impossible. This is why country code is important. If the employee is a foreign national and the employee leaves the country on a permanent basis, then wage reporting is not a robust detection control.

FDA Plan for Real Employee, Not Complicit, Permanent Takeover of Identity

The fraud data analytics plan should search for a change to either the employee master file or the net payroll calculation. In the employee master file, the fraud data analytics should search for a change to banking information or the address. In the payroll calculation, the change would be a decrease in withholdings or an increase in the net payroll. The employee's country of residence may also help. Nonresident employees would have a higher likelihood of having their identity assumed because government wage reporting for that person is less critical. If the time and attendance records are automated, then examine the record to determine who created the record.

Real Employee, Not Complicit, Employee Who Is Reactivated

In this scenario, the employee departs from the workforce and human resources is notified. However, at a later time, someone causes the employee to be reactivated on the payroll. In essence, someone is taking over the identity of the employee.

FDA Plan for Real Employee, Not Complicit, Employee Who Is Reactivated

The first step is to identify all employees who are reactivated. The second step is to determine if there were any changes to banking information or address information. If the time and attendance records are automated, then examine the record to determine who created the record.

Real Employee, Not Complicit, Pre‐Employment

In this scenario, a supervisor or payroll causes a payroll payment to occur in the employee's name before the employee actually starts working for the company. The first payment is diverted. The payment is usually associated with a manual check.

FDA Plan for Real Employee, Not Complicit, Pre‐Employment

While this scheme sounds unlikely, the scheme has occurred. The likelihood depends on the nature of the workforce. The fraud data analytics for the fraud scenario will most likely not be able to identify those employees where this scheme has occurred. Remember, fraud data analytics is not designed for all fraud scenarios. The fraud data analytics for this scenario is the process of comparing the first payment to the second payment and identifying change—that is, change from manual check to direct deposit, change in voluntary deductions from gross payroll.

Real Employee Who Is Complicit and Performs No Services: Asset Misappropriation

In this scenario, the employee is a real person and typically in collusion with a manager. The employee has a personal relationship with the manager. The employee is often referred to as a no‐show employee. The employee is typically hired with the intent of being a no‐show employee.

FDA Plan for Real Employee Who Is Complicit and Performs No Services: Asset Misappropriation

The previous routines are generally not effective because the person is a real person and there is no change. Matching to a security database is the best opportunity to identify the no‐show ghost.

Real Employee Who Is Complicit and Performs No Services: Corruption

In this scenario, the employee performs no services and the payroll payment is a bribe. This scenario is typically associated with a senior manager who is in a position to override normal internal controls. While the employee is in essence a no‐show employee, the intent of the payroll payment is associated with corruption versus asset misappropriation.

FDA Plan for Real Employee Who Is Complicit and Performs No Services: Corruption

The fraud data analytics will need to search for PEPs (politically exposed persons) as defined by FATF (Financial Action Task Force). There are various government and commercial databases that might be used as the matching database.

Another approach, although more time consuming, is to create a report of all new hires within the scope period, providing start date, gross salary, job title, date job title created or changed, and department code. Create a second report of contracts that link to customers that are considered government customers under the FCPA or other relevant bribery laws. Compare the hire dates to relevant customer contract dates. The sample selection is judgmental based on correlation to start date and customer contract date. The second consideration is job title and department code.

Human Resources Error Resulting in a Real Employee to Continue Receiving Direct Deposit after Departing from the Workforce

Throughout the years, I have heard that an employee who terminates employment notifies human resources; however, through an error the employee is not removed from the active payroll. The employee continues to receive a regular payroll payment and does not notify payroll of the ongoing error. While the scenario is not a true fraud scenario, I would be remiss in not mentioning the scenario.

FDA Plan for Real Employee Who Is Complicit

The previous routines are generally not effective because the person is real and there is no change. Matching to a security database is the best opportunity to identify the no‐show ghost.

Real Person Who Is a Temporary Employee

The temporary scenario can occur through a fictitious person or through a real person. The reason I have listed the permutation is that temporary employees tend not to have the same rigid human resource controls because the person is temporary. Oftentimes, the hiring supervisor has a high degree of control, which is what causes the scenario to occur.

FDA Plan for Real Person Who Is a Temporary Employee

The first step is to identify all employees with the temporary status code. The next step is a summary step as to gross wages and the number of payroll payments. The sample selection will be judgmental. If your company has a large seasonal employment force, the fraud data analytics will need to apply all of the previously described ghost employee schemes to the temporary employee.

Real Person in Payroll Register but Not in the Human Resources Database

This scheme is typically committed by someone in payroll. The person is paid through an override feature, manual check, or poor internal controls.

FDA Plan for Real Person in Payroll Register but Not in the Human Resources Database

Create a list of all employees in the payroll register and match the list of employees to the human resources database. The sample selection is all employees in the payroll register, but not in the human resources database. A second test is a record count of all active employees to the number of employees listed on the payroll register. It is important to know how employees on leave are listed in human resources; otherwise, the reconciliation procedure will result in a false positive discrepancy.

FDA for Overtime Fraud

Overtime fraud is simple; an employee falsifies the number of hours the employee actually works. Most overtime schemes are not complicated; the employee determines that no one is monitoring the hours submitted on a time card. Overtime fraud is a crime of opportunity. To understand the concept of opportunity, the fraud auditor needs to understand the permutations associated with the person committing the fraud scenario:

  • Employee alone overstates her hours worked and the supervisor unknowingly approves overtime. This opportunity can occur in a staggered work‐day or by the supervisor not carefully checking time cards or not being present during the overtime hours or just a general neglect of their duties. Remember, how robust are your internal controls?
  • Employee operates in collusion with another employee to falsify their payroll hours. Once again, this will occur without the knowledge of the supervisor. In a manual card system, the employees enter arrival or departure information for each other. In an automated system, an administrative employee with access to the time reporting system changes the time record after supervisor approval.
  • Employee and supervisor operate in collusion. The supervisor may be receiving a kickback from the employee or, for some motivating reason, providing the employee disguised compensation.
  • Employee and payroll employee operating in collusion. The payroll person may be receiving a kickback from the employee or providing the employee disguised compensation for whatever motivation. The payroll person overrides the properly reported hours. To conceal their actions, the time card is altered, destroyed, or a new version is created.
  • Employee forges the approval of the supervisor. In an automated time card system, this would occur through a weak password control procedure.
  • Employee working in payroll overstates his own hours worked.

FDA Plan for Overtime Fraud

The initial search for overtime abuse is simple; the fraud data analytics searches for all employees reporting overtime. I would encourage the use of the year‐to‐date summary table as a starting point for total hours. Overtime wages can be earned by both full‐time employees and part‐time employees. Using the specific identification strategy, identify all employees reporting overtime wages. For large databases, I would create two summary databases: employees having overtime and employees who do not have overtime.

The created database should contain employee number, employee name, hire date, total hours reported, gross payroll, overtime wages, and department codes. Summarize the two files by department code as total employees by department having overtime and employees in the same department not having overtime. If your company operates multiple shifts, it may be necessary to summarize by department by shift. The purpose is to identify how prevalent overtime wages are within the company and by department in the company, which is an example of understanding the data report.

The second stage of the fraud data analytics is to search for patterns of abuse. To accomplish this step, the fraud data analytics will need to access either the time record system or the payroll registers. The patterns of overtime that are consistent with overtime fraud to search for are as follows:

  • Excessive hours for an employee. There are two approaches: First, judgmentally select a number of overtime hours and then identify all employees exceeding the number of hours. A second approach is to compute the average number of overtime hours reported by employees; exclude all employees who did not report overtime hours from the calculation. Then use the mean or median for excessive hours.
  • Cluster of employees reporting overtime hours in one operating unit. It may be an indicator of employees operating in collusion or employees in collusion with a supervisor. The two preceding databases are useful for this analysis. Summarize by department the employees not receiving overtime and summarize by department employees receiving overtime. The report of employees having overtime should also have total hours of overtime, total dollars of overtime paid. Link the two reports by department number. Review the report for a department which only has a few employees receiving overtime.
  • Pattern of recurring overtime hours reported (i.e., four hours every day). This analysis is a form of number anomaly analysis.
  • High number of overtime hours in one day. Similar to the excessive total hours, the analysis should select a number of hours.
  • Off‐period overtime is hours reported on a nonscheduled workday.
  • Leave and overtime. Search for employees on paid leave, vacation time, or other paid leave who are receiving overtime wages.
  • Changes in the time reporting system would indicate an override by someone, either a department administrative employee responsible for department time reporting or someone in the payroll function.
  • Compare the hours reported in the time and attendance system (assuming the system is automated) to the hours in the payroll register. The purpose of the test is to identify a payroll person changing the hours between those reported and those paid.
  • The use of access security databases might be effective, assuming that the company requires all employees to log in and log out. The fraud data analytics would compute the hours worked from the access security log and then compare them to the hours reported for payroll purposes. It is difficult to find one database for all employees, so many times the analysis may be applicable to only a limited number of employees.

As a caveat, the number of overtime hours a person may work might be attributable to personal behavior traits, family issues, or supervisor rules.
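
The overtime pattern tests listed above can be run directly against daily time records. The following Python sketch is an added example, not taken from the book; the record layout, the day_status field and the three thresholds are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed daily time records: (employee, work_date, overtime_hours, day_status).
# day_status is an assumed field: "scheduled", "off" (nonscheduled day) or "leave".
RECORDS = [
    ("E100", "2024-03-04", 4.0, "scheduled"), ("E100", "2024-03-05", 4.0, "scheduled"),
    ("E100", "2024-03-06", 4.0, "scheduled"), ("E100", "2024-03-07", 4.0, "scheduled"),
    ("E100", "2024-03-08", 4.0, "scheduled"),
    ("E200", "2024-03-04", 1.0, "scheduled"), ("E200", "2024-03-06", 2.5, "scheduled"),
    ("E300", "2024-03-09", 9.0, "off"), ("E300", "2024-03-11", 1.0, "scheduled"),
    ("E400", "2024-03-12", 2.0, "leave"),
    ("E500", "2024-03-04", 0.0, "scheduled"),
]

def overtime_flags(records, daily_limit=8.0, min_days=4, repeat_share=0.8):
    """Return {employee: set of pattern names} for the overtime tests above.
    daily_limit, min_days and repeat_share are judgmental, assumed thresholds."""
    by_emp = defaultdict(list)
    for emp, _, hours, status in records:
        if hours > 0:  # employees with no overtime stay out of the average
            by_emp[emp].append((hours, status))
    if not by_emp:
        return {}
    totals = {emp: sum(h for h, _ in rows) for emp, rows in by_emp.items()}
    threshold = mean(totals.values())  # mean over overtime reporters only
    flags = defaultdict(set)
    for emp, rows in by_emp.items():
        if totals[emp] > threshold:
            flags[emp].add("excessive_total")
        hours = [h for h, _ in rows]
        most_common_count = Counter(hours).most_common(1)[0][1]
        # Same figure on most overtime days, e.g. four hours every day
        if len(hours) >= min_days and most_common_count / len(hours) >= repeat_share:
            flags[emp].add("recurring_pattern")
        for h, status in rows:
            if h > daily_limit:
                flags[emp].add("high_single_day")
            if status == "off":
                flags[emp].add("off_period")
            elif status == "leave":
                flags[emp].add("leave_and_overtime")
    return dict(flags)
```

An employee can carry several flags at once; the combination is what drives sample selection, subject to the caveat above about personal behavior and supervisor rules.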

FDA for Payroll Adjustments Schemes

There are three categories of payroll adjustment schemes: adjustments to gross pay; adjustments to deductions fields; or adjustments to net payroll. The key to understanding false adjustment schemes is to understand how payroll is calculated within your database system. In the database, there are a series of earning codes for gross payroll. The payroll system automatically calculates the “regular earnings” and the system automatically classifies payroll based on time and attendance records—that is, regular earnings or regular earnings classified as vacation wages for purposes of benefits. However, there are other earnings codes to increase an employee's wages (e.g., bonus payments) or to classify a wage as a benefit (e.g., vacation pay).

In the gross pay false adjustment scenario, an employee receives an adjustment to gross payroll. The employee's supervisor may have initiated the adjustment as a form of disguised compensation, or a payroll person may have recorded the adjustment to receive a kickback. Whatever the motivation for the scheme or the internal control deficiency, the adjustment is easy to find.

In the false adjustment deduction scenario, there are two methods. The first is to enter a contra number in the deduction field, which increases net payroll. The second false adjustment scheme is when a deduction does not occur within the payroll calculation but later is added to the employee's year‐to‐date earnings record through a false transaction. To illustrate, at the time of gross pay and net pay calculation, there are no taxes withheld from the employee's net payroll calculation. Later, an income tax adjustment transaction directly updates the employee's year‐to‐date table by increasing the employee's income tax withheld on the annual wage reporting statement to the government.

In the net payroll false adjustment scenario, the employee's net payroll is increased through an adjustment to net payroll. Many companies will reimburse employees for out‐of‐pocket expenses through payroll versus accounts payable. The indicator of this scheme is a journal posting to a non‐wage account or a reclassification entry transferring the payroll charge to a non‐wage account.

In one investigation, the controller's gross payroll was $60,000 and his net payroll was $120,000. The documentation supporting the adjustment to net payroll was to reimburse the controller for out‐of‐pocket expenses ranging from office supplies to purchase of office equipment.

FDA Plan for False Adjustments to Gross Payroll

In the planning stage, the fraud data analytics plan created a report of gross wages by employee by grade. An employee's gross wages exceeding her grade level is the first clue that a false adjustment scheme is occurring.

The first step is to summarize an employee's earnings for the year by the earning codes. The exclusion theory would eliminate all employees with only earning codes of zero or normal earning codes associated with benefits. For the remaining employees, we would summarize by employee by earnings code to provide the gross dollars by earnings code and frequency of occurrence of the earnings code. I would include the employee's grade level in the report. In this way, we could also determine if any of the employees in the test have exceeded their salary range. The sample selection is based on an employee who has a frequency of earnings codes other than normal earnings or a large adjustment to gross payroll.

FDA Plan for Contra Entry Deduction Scenario

The contra entry test is simply the process of searching for a contra entry in the employee's earnings record. The contra entry is a negative number in a field where all the deductions should be positive numbers. By entering a negative number, gross pay less deductions actually increases net payroll. Once the contra entry is identified, summarize the dollar impact and the frequency of occurrence.

FDA Plan for False Transaction Deduction Scenario

The fraud data analytics will require two sets of data. The first data set is the payroll registers for the calendar year. The second data set is the internal database table used for wage reporting to the government. Using the payroll registers, the fraud data analytics would calculate the annual earnings record. Then the recomputed earnings record would be compared to the summary table used for government earnings reporting. The sample selection would be all employees where there is a difference between the recomputed table and the internal table of annual earnings.

The approach could also search for manual adjustments to an employee's year‐to‐date earnings records. If there are only a few employees with manual adjustments, the fraud auditor would review the employee's earnings records through the online system. If the number of manual adjustments is high, then it may be necessary to calculate the net payroll for those employees with manual adjustments.
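
The contra entry test and the recomputation against the government reporting table, as an added Python example that is not part of the original chapter. The register layout, the year‐to‐date table layout and all sample rows are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal as D

# Constructed payroll register rows:
# (employee, pay_period, gross, tax_withheld, other_deduction)
REGISTER = [
    ("E100", "2024-01", D("4000.00"), D("800.00"), D("150.00")),
    ("E100", "2024-02", D("4000.00"), D("800.00"), D("150.00")),
    ("E200", "2024-01", D("5000.00"), D("0.00"), D("200.00")),    # no tax withheld at pay time
    ("E200", "2024-02", D("5000.00"), D("0.00"), D("200.00")),
    ("E300", "2024-01", D("3000.00"), D("600.00"), D("-250.00")),  # contra entry
    ("E300", "2024-02", D("3000.00"), D("600.00"), D("-250.00")),
]
# Constructed year-to-date table used for government wage reporting:
# employee -> (gross, tax_withheld)
YTD_TABLE = {
    "E100": (D("8000.00"), D("1600.00")),
    "E200": (D("10000.00"), D("2000.00")),  # withholding exists only in this table
    "E300": (D("6000.00"), D("1200.00")),
}

def contra_entries(register):
    """Frequency and dollar impact of negative deduction amounts, per employee."""
    found = defaultdict(lambda: [0, D("0")])
    for emp, _, _, tax, other in register:
        for amount in (tax, other):
            if amount < 0:
                found[emp][0] += 1
                found[emp][1] += -amount  # a negative deduction raises net pay by this much
    return {emp: tuple(v) for emp, v in found.items()}

def ytd_differences(register, ytd_table):
    """Recompute annual gross and tax withheld from the registers and
    report every employee whose figures differ from the YTD table."""
    recomputed = defaultdict(lambda: [D("0"), D("0")])
    for emp, _, gross, tax, _ in register:
        recomputed[emp][0] += gross
        recomputed[emp][1] += tax
    diffs = {}
    # Union of keys: an employee present in only one source is also a difference
    for emp in set(recomputed) | set(ytd_table):
        r_gross, r_tax = recomputed.get(emp, (D("0"), D("0")))
        t_gross, t_tax = ytd_table.get(emp, (D("0"), D("0")))
        if (r_gross, r_tax) != (t_gross, t_tax):
            diffs[emp] = {"gross": t_gross - r_gross, "tax_withheld": t_tax - r_tax}
    return diffs
```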

FDA Plan for False Adjustments to Net Payroll

The planning report comparing gross payroll to net payroll is the first report that will flag abuse in this area. A second planning report is to summarize journal entries originating from the payroll system. The predictability factor would be the dollar value of debits to general ledger accounts other than wages. Yes, the initial posting could be a debit to wages with a subsequent reclassification journal entry.

FDA for Manual Payroll Disbursements

There are many reasons why an employee may receive a manual payroll payment versus an automated payroll payment ranging from bonuses to final payment resulting from termination of employment. The planning report that counts the number of payments should highlight this fraud scenario. Care must be taken to ensure the summary report captures all payroll payments. Questions to ask are:

  1. In what data tables are manual payroll payments stored?
  2. Do manual payroll payments have a different sequence of control numbers from the automated payroll payments?
  3. How are manual payroll payments recorded in the general ledger? Is the entry automated, or is the posting a manual entry?
  4. What is the process for final payments to employees after their final workday?
  5. What is the company policy on paying employees for unpaid vacation time, personal time, and sick time?

FDA for Manual Payroll Payments

The fraud data analytics approach will depend on the answers to the previous questions. One approach is the frequency of payroll payments by employee. A second report should search for journal entries originating from a payroll payment to a nonsalary general ledger account. A third report would search for the control number sequence associated with the manual payroll payments. The reports described in the false adjustment section may also highlight the scenario.

Another category is the search for payroll payments after termination date. The scenario would need to identify whether the employee or payroll is complicit in the scheme. If the employee is not complicit and is paid with direct deposit, then we would search for a change to bank accounts. The scenario is easier to commit when the employee receives a paper check.

The fraud data analytics creates a file of all terminated employees through the termination date. The payroll registers would then be searched for all payroll payments to an employee in the terminated employee file. The termination date is compared to the payroll register, for both automated and manual payments; the resulting report should identify the frequency and dollar value of all payments after termination date. The sample selection is based on the answers to the manual payroll payments questions. So, if it is normal for an employee to receive one final payroll payment after termination date, then a frequency of two or more would be the sample selection criterion. A second criterion would be the dollar value of the final payments.
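
The terminated‐employee match described above, including the bank account check for direct deposit payments, as an added Python example that is not from the original chapter. The file layouts, the dollar_limit threshold and the sample rows are assumptions.

```python
from datetime import date
from decimal import Decimal

# Constructed terminated-employee file:
# employee -> (termination date, bank account on file at termination)
TERMINATED = {
    "E100": (date(2024, 3, 15), "ACCT-A"),
    "E200": (date(2024, 4, 30), "ACCT-B"),
    "E300": (date(2024, 5, 10), "ACCT-C"),
}
# Constructed payroll register, automated and manual payments together:
# (employee, pay_date, net_amount, method, deposit_account)
PAYMENTS = [
    ("E100", date(2024, 3, 8), Decimal("1500.00"), "auto", "ACCT-A"),
    ("E100", date(2024, 3, 22), Decimal("1500.00"), "auto", "ACCT-A"),  # one final payment
    ("E200", date(2024, 5, 3), Decimal("1800.00"), "auto", "ACCT-B"),
    ("E200", date(2024, 5, 17), Decimal("1800.00"), "auto", "ACCT-X"),  # account changed
    ("E200", date(2024, 5, 31), Decimal("1800.00"), "manual", None),
    ("E300", date(2024, 5, 24), Decimal("9500.00"), "manual", None),    # single but large
    ("E900", date(2024, 5, 24), Decimal("2000.00"), "auto", "ACCT-Z"),  # not terminated
]

def payments_after_termination(terminated, payments, normal_final=1,
                               dollar_limit=Decimal("5000.00")):
    """Frequency and dollar value of payments dated after termination, then
    sample selection: more than normal_final payments, a total above
    dollar_limit, or a direct deposit to an account not on file."""
    report = {}
    for emp, pay_date, amount, method, account in payments:
        if emp not in terminated:
            continue
        term_date, account_on_file = terminated[emp]
        if pay_date <= term_date:
            continue
        row = report.setdefault(
            emp, {"count": 0, "total": Decimal("0"), "account_changed": False})
        row["count"] += 1
        row["total"] += amount
        if method == "auto" and account != account_on_file:
            row["account_changed"] = True
    return {emp: row for emp, row in report.items()
            if row["count"] > normal_final or row["total"] > dollar_limit
            or row["account_changed"]}
```

Set normal_final from the answers to the manual payroll payment questions; the value of 1 here encodes the case where one final payment after termination is normal.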

FDA for Performance Compensation

Employees paid based on performance can be motivated or can rationalize their behavior to falsely increase their performance. A manager may assist the employee, either as a disguised compensation scheme or to receive a kickback from the employee. The key to building a fraud data analytics plan is to first read and understand the performance criteria plan. The fraud auditor should then identify the methods by which an employee could falsify their performance statistics. The most common techniques are to:

  • Decrease the performance criteria during the year when it becomes evident that the employee cannot achieve the target. The fraud data analysis would create two files: the performance criteria at the beginning of the year and the performance criteria at the end of the year. The sample selection is based on a reduction of the performance criteria where the employee receives a performance bonus.
  • Record false sales transactions at the end of the reporting period to achieve the performance level. There are two approaches: search for false sales recorded in the final quarter, or search for the reversal of false sales in the next quarter. The starting point is to identify all employees who achieved their performance bonus. The report should identify both the performance target and the total sales for the performance period. The analysis should identify the total dollars by which sales exceeded the target and a percentage calculation. The second file is sales returns and adjustments for all customers associated with the sales representatives. I would stratify the report by the week or month that the credit was posted. This can be tricky, because following the logic of the analysis, there will be two types of credits: credits for real sales and credits for false sales. The low‐sophistication approach is to cause the credits to be posted immediately after the year end; the more sophisticated approach is to cause the credits to be posted later in the preceding quarter, but before an aging analysis would identify the false sales.

FDA for Theft of Payroll Payments

Believe it or not, sometimes employees do not pick up their final payroll check. The scenario occurs because the final payroll check is provided to someone, either human resources or an operations manager. At some point, the person holding the check falsely negotiates the check.

Employees are often entitled to a final paycheck for reasons other than hours worked (i.e., unused vacation pay). Believe it or not, employees are not always aware they are entitled to a final payroll payment. How the scenario occurs in your company will depend on your organizational structure. The scenario can occur through a direct deposit, if payroll changes the bank account number on either a temporary or a final basis. The scenario can occur through the theft of a manual check and false negotiation.

Using the speed of payment test, compare the payment date to the bank clearing date. Since payroll checks are usually negotiated quickly, the speed of payment testing is actually searching for checks that are not negotiated quickly.

Summary

Fraud in payroll happens in large companies and small companies. While the traditional ghost employee seems to be the popular fraud scenario to discuss, the ghost scheme involving noncomplicit real persons is a more likely scenario. Overtime fraud most likely occurs in companies that have a base of hourly employees. False adjustment schemes as a form of disguised compensation occur with a greater frequency than fraud statistics would suggest.

In one fraud data analytics project, we identified an employee who was receiving an additional $200 per week in net payroll. When the employee's supervisor was questioned, not only did he admit it was false but he justified his actions as the best way to keep a good employee. Rationalization of events in payroll fraud scenarios by employees and supervisors should be expected by the fraud auditor.

If you have a limited time budget, what are the three fraud data analytics tests the fraud auditor should perform, and why should the fraud auditor perform the analysis?

  1. The gross‐to‐net payroll report will identify anomalies in the relationship of gross‐to‐net payroll. It may not tell the fraud auditor what scenario is occurring, but it will tell the fraud auditor where to look.
  2. Summarize journal entries posting the payroll register to the general ledger searching for debits to nonwage accounts. Also look for reclassification journal entries. The person committing the scheme needs to hide the payroll scheme. Since comparison of wages to budget is a common management control, the perpetrator needs to hide the payroll scheme in a general ledger account that is not as visible as the salary account.
  3. Search for the ghost employee that links to a bribe scheme. My recommendation is not based on the ease of locating but rather the impact that occurs if your company is investigated for violation of the bribery acts around the world (notably, the FCPA and the UK Bribery Act).