"Excerpted from IOMA's "Payroll Managers Report" June 2003 issue.
Large amounts of money flow through your company's payroll account. The potential for fraud is significant, and the consequences can be devastating. Whether it's time sheet manipulation or check fraud, today's technology requires payroll professionals to be diligent in finding the red flags of fraud and instituting internal controls to stamp it out.
"Fraud is primarily a crime of opportunity," Greg Litster, president and CEO of SafeChecks (North Hollywood, CA; 800-755-2265) told attendees at the 21st Annual Congress of the American Payroll Association in Las Vegas. Forgers are not looking for a challenge, so the harder you make it for them to alter your checks, the less vulnerable you are to their manipulations. By implementing preventative measures, you can significantly decrease the number of opportunities employees have to siphon off money from the payroll process.
Equally damaging is the fraud employees commit through time sheet abuse. For example: An employee at a large university in Washington state amassed 49,000 hours of overtime, standby, or callback time, for a total of $264,543.
And the potential for damage is widespread. "All employees have the ability to commit payroll fraud," concluded Joseph R. Dervaes, CFE, audit manager for special investigation for the Washington State Auditor's Office (e-mail: firstname.lastname@example.org .gov), in an analysis of payroll fraud in The White Paper (a publication of the Association of Certified Fraud Examiners; Austin, Texas; 512-478- 9070; www.cfenet.com).
Internal controls are your first line of defense against time sheet fraud. In the case of the university employee, the fraud went on for 19 years, according to Dervaes. The employee was not entitled to overtime pay, even though he was allowed to submit his time sheets without supervisor approval. In addition, "Contrary to the university's policy, the employee's total salary exceeded 25% of his base pay almost every year, but no one knew because the payroll system did not prepare an exception report for review and approval."
His advice: Conduct payroll audits via your computer system and flag everyone that receives certain categories of pay such as overtime and standby time. "We then stratify the identified population of employees from the highest to the lowest dollars. Usually we can identify fraud at the top of the list."
Time sheets are like a blank check. Almost all payroll fraud, observed Dervaes, occurs after the supervisor has approved the time sheets. For example: Unauthorized charges for regular hours, overtime, standby, callback, or compensatory time, or annual or sick leave. How? Employees use the blank lines on the time sheets to alter payroll information after approval by a supervisor.
Tip: Remind line managers that approved time sheets must be sent directly to payroll, not returned to the employee because that is when he or she has the opportunity to falsify them. Also, managers must always remember to eliminate any unused lines on time sheets or highlight the last authorized entry on the document either prior to or during the approval process (see the sidebar, "Tips on Preventing Time Sheet Fraud").
Tips on Preventing Time Sheet Fraud
- Each employee should sign and certify his or her time sheet and then have it approved by a supervisor or designated authority for key managers at the top of the organization.
- Electronic time sheet systems should use passwords or other access controls to prevent employees from accessing supervisor or approval fields.
- No one should approve his or her own time sheet.
- When an employee works in more than one office, management should designate one supervisor at each location to approve the individual's time sheet prior to certifying it for payment.
- Review managers' overtime requests carefully because policies usually prohibit managers from receiving overtime.
- Some entities have policies that prevent overtime in excess of a certain percentage of the employee's base salary, such as 25%, unless specifically approved by the CFO. In these cases, to ensure that employees have obtained the required approvals, the software for the payroll systems should routinely prepare exception reports that list any overtime that exceeds company policy.
(Source: "Payroll Fraud: The Straight-Line Concept," The White Paper, The Association of Certified Fraud Examiners)
In some cases, managers and employees may conspire to commit fraud. For example: With today's tight corporate budgets, raises are small and sometimes nonexistent. A manager who means well and has staff retention in mind may give an employee a raise by allowing fictitious overtime charges, noted Dervaes. Less sympathetic managers may authorize fictitious overtime and then instruct the employee to kickback a large chunk of the money.
Protecting the checks you cut. Litster outlined these physical elements of a check that make it more difficult for individuals to get away with fraud: controlled paper stock, chemical reactive paper, toner anchorage, thermochromatic ink, copy-void pantographs, artificial watermarks, laid lines, chemical wash detection boxes, dual image numbering, micro-printing, high-resolution borders, prismatic printing, warning bands, and holograms. (For more information, call 800-615-2265, and request a copy of Frank Abagnale's Check Fraud and Identify Theft Volume II. It's free.)
SafeChecks uses paper from Boise Cascade Corporation, which, according to Litster, reacts to more than 80 chemical solvents forgers might use to "wash checks."
Litster recommended adding at least eight security features to your checks; just one will not stop today's technology savvy crooks. While there is no such thing as a "fraud-proof check," high- security checks will deter forgers. He also stressed the importance of maintaining control over check stock, saying, "This may be the most important internal control" to minimize check fraud.
Next, look at the security features of your check-writing system. Make sure there is adequate security for controlling printed checks and any associated reports.
- Install your check-writing system on specific workstations involved in the check issuance process, not on the network.
- Require a user name for log-on.
- Create a "security profile" for each user. Ask: Should a user be permitted to print checks for only a specific checking account or for all checking accounts?
Your software should be capable of restricting user access to specific check-writing functions while creating an audit trail showing how each check was created, selected, and printed. Tip: Restrict the capabilities of users to reprint checks damaged during the printing process, and establish procedures to control the reprint of an entire check run. Also, noted Litster, decide whether the user should be allowed to print reports on all accounts or only for specific ones.
What about the occasional manual check? Litster said your system should offer the option to segment the issuance of manual checks. Again, set a policy on whether the same individual should be authorized to create and print manual checks or if it would be better to separate the two functions.
Laser printers: A boon to legitimate companies-and check forgers. Litster observed that many laser checks are cheaply designed and can easily be altered. Toner anchorage, high-quality toner, and a hot laser printer are the essential ingredients for preventing altered checks. If a check is not properly manufactured using toner anchorage and correct ink coverage, the toner will peel off with tape. Still, noted Litster, no laser checks, including those that are properly manufactured, can withstand certain physical devices in the hands of a skilled forger. Positive pay may be the answer here.
Positive pay: Your last line of defense against paycheck fraud. The vast majority of attendees at Litster's session use positive pay- not only on their payroll account but also on all corporate banking accounts. With positive pay, a file containing check numbers, dates, amounts, and payees is transmitted to the bank (for more information, visit www. positivepay.com). The bank then prints checks whose details match the transmission and rejects checks that are not in the positive pay file, exceed a specific dollar amount, or carry stale dates.
Many banks now offer image-based positive pay, which PMR deems a useful improvement. With this service, the bank alerts a company's payroll department when an exception item appears during processing. The company can then download an image of the exception and make a payment decision.
Still, positive pay will not catch added or altered payees or counterfeit checks using legitimate check numbers and dollar amounts with new payees. Litster noted that several banks (including Chase and Mellon) are developing a positive pay system, called Payee Name Verification, that compares the payee name. Matching the payee name, check number, and dollar amount will stop most check fraud attempts. Tip: To minimize the addition of payees to your checks, use an asterisk fill-in above and after the payee name.
Closing thoughts. Because of revisions to the Uniform Commercial Code, the responsibility for losses due to check fraud is shifting to the "person in the best position to have prevented the fraud." For the sake of client relationships, Litster said, banks once absorbed check fraud losses. But due to the soaring rate of fraud,fewer banks are willing to be so generous.
"Excerpted from IOMA's "Payroll Managers Report" June 2003 issue. Reprinted with permission of IOMA (the Institute of Management & Administration). Copyright 2003. For more information about IOMA or to subscribe to Payroll Managers Report or any other IOMA publication, visit our website at http://www.ioma.com or contact 212-244-0360 x 245, or email to email@example.com