Now You See It, Now You Don't

Company Check and Credit Card Fraud

By Robert Tie



check-fraudPaul Rodrigues, CFE, CPA, MST, CFF, closed the manila case folder and pondered its contents. A company had engaged his firm to investigate an apparent — but difficult to identify — embezzlement.

Rodrigues heads the fraud and litigation practice and is a principal at Chortek & Gottschalk, LLP, a CPA and business advisory firm specializing in forensic accounting and government and private sector auditing in Chicago, Milwaukee and Washington, D.C.

Pulling out a legal pad, he briefly recapped the facts of the case: $1.2 million missing, and neither the client nor the external auditors had any idea how, when and who might have committed it. "Clever," Rodrigues thought. "What kind of person would be smart and knowledgeable enough to pull this off?" he asked himself.

With 20 years of experience, it did not take Rodrigues long to come up with an answer: someone who knows the client's books inside out and has close tabs on what the auditors look at. Primary suspect: the CFO, who was a CPA and arranged the company's external audits.

Doodling on the pad, Rodrigues next asked himself what a person with that kind of power and information would do to conceal her embezzlement: Perform the illicit transactions during a period outside the audit scope.

That query led to another: Even if the CFO had succeeded in hiding the evidence from the auditors during the review period, how did she hide it from everyone in the company for the rest of the fiscal year?

Rodrigues thought that a key clue in this fraud just might resemble one in Arthur Conan Doyle's "Silver Blaze," a short story that appeared in The Strand magazine in December 1892.


"The solution to this case depended on a detection technique that's far from new, but that investigators sometimes overlook," Rodrigues said.

He recounted how, in Doyle's intricate tale, Sherlock Holmes is engaged to investigate a case of horse-racing-related fraud. In short order, Holmes noticed that a typical and reasonable occurrence mysteriously had not taken place in this case. It all began in the dead of night when a fraudster abducted Silver Blaze, a champion stallion, from its guarded stable. The horse's groom could not alert anybody because the thief had drugged him. But that was not all.

Here is how Dr. Watson chronicled Holmes's detection of a further clue — one both elusive and informative — that Inspector Gregory of Scotland Yard and everyone else had missed: the stable guard dog had never barked.

" 'Is there any other point to which you wish to draw my attention?' [Gregory asked Holmes].

'To the curious incident of the dog in the night-time.'

'The dog did nothing in the night-time.'

'That was the curious incident,' remarked Sherlock Holmes."


Rodrigues reasoned that the absence of incriminating transactions during the audited period might spur the auditors to review payments made during the rest of the year. However, unless those payments were suspicious, they would be difficult to distinguish from legitimate ones. Was the only alternative a painstaking and expensive review of the documentation for every transaction over the past year? No, there was a better way, Rodrigues decided. He would look for a typical and reasonable occurrence that had not taken place.

In "Silver Blaze," Holmes correctly concluded that if a stranger had approached the stable, especially at night, the dog would have barked loudly. It therefore was clear that the dog had kept silent because the nocturnal visitor was familiar to him. In fact, the trainer had abducted the horse to inflict a hard-to-detect wound that would hobble the champion in an upcoming race and enrich the crooked trainer, who bet against it.

Analogously, Rodrigues looked for apparently legitimate transactions that occurred throughout the year but not during the period under audit.

"That's exactly what was going on," Rodrigues said. "The CFO knew that the auditors typically examined transactions made during the first and fourth quarters."

Rodrigues saw that seemingly normal payments to certain vendors recurred from April through September each year but not during the auditor's testing periods. That subtle red flag led him to examine those remittances.

"Some of them were 'double' payments to a vendor the CFO's employer did business with," Rodrigues said. "She had obtained a personal credit card from the same issuer that served the company. Because all her personal billing statements went to her home, no one at work knew she had her own account. When the CFO's personal credit card bills were due, she paid them by executing fraudulent transactions at work. Unless you had examined the documentation of the company's payments, you wouldn't have suspected that some of them were for the company's debts and others were for the CFO's personal debts, which of course were not documented in the company's records. The hard part was knowing exactly which payments to look for."

But Rodrigues had made the hard part easy by identifying apparently routine payments that were absent during audit periods. That promptly led him to the fraudulent "needles" in a "haystack" of legitimate transactions. Thus, he quickly solved the case at minimal expense to the greatly relieved and appreciative client. The fraudster avoided prosecution by agreeing to an out-of-court structured settlement that confiscated the proceeds of her company retirement account. The company's insurer also covered part of the embezzlement loss.


Armed with specialized knowledge and access to every part of an organization's accounting system, such fraudsters as the CFO above can do great damage quickly while leaving few visible signs of their crimes.

"This type of perpetrator won't leave any evidence of disbursements to themselves," Rodrigues said. "And they'll also keep the books in balance by recording off-setting transactions. So, after you've preserved the accounting system's evidence by creating a forensic image, look for changes in check numbers, payees and amounts."

Accounting systems of all sizes have options for maintaining a transaction history. If this feature is turned on, auditors and investigators can use it to examine transactions and determine who executed them and when, Rodrigues said. Even if the log has been disabled, the system still might contain valuable evidence a CFE can retrieve with the help of the system vendor.

The objective is to identify all modified, deleted or voided transactions. Focus first on any modified checks, Rodrigues said, and request images of them from the client company's bank. Then compare each image to how its related disbursement is recorded in the system. This should reveal any instances in which a fraudster has issued checks to himself or to a shell company and modified the system to falsely reflect disbursements to legitimate payees.

In this manner, a CFE also can determine whether fraudsters have altered check payment amounts or check numbers. Rodrigues recalled a case in which a fraudster forged five checks, all with the same check number. Amazingly, the bank paid them all, he said, demonstrating its inattention to protecting depositor funds.

Likewise, CFEs should compare deleted and voided transactions with checks that actually cleared. Send the bank a list of the numbers of all deletes and voids, and request images of any paid checks bearing those numbers. Any matches are leads to whoever endorsed those checks and to the bank where they deposited them.

Equally dangerous and resourceful are fraudsters who cannot modify transactions but succeed in adding phony vendors to the accounting system.

Most businesses search their records monthly or quarterly for vendors that are unapproved or have a name or address similar to that of an employee, Rodrigues said.

"That process will detect the clumsy fraudster," Rodrigues acknowledged. "But a clever fraudster will add to the system an illegitimate vendor he controls, cut a check to that account and then immediately change its status to 'inactive.' Often that conceals the fraud; many companies review only their active vendors. So CFEs should check for payments to inactive vendors. In one of my cases, whenever the fraudster wanted to steal some money, he re-activated the illegitimate vendor he had created, printed a check payable to it, and then changed the status back to 'inactive.' "


Chortek & Gottschalk partner David Friedman, CFE, CPA, CFF, CICA, also plays a key role in the fraud and litigation practice, investigating a wide range of check and payment frauds. A common factor in such cases, he said, is insufficient or nonexistent segregation of duties.

"One big case I worked on years ago had this problem in spades," Friedman said. The controller of a small accounting department of a manufacturing company had complete autonomy, including the ability to make wire transfers into and out of — for investment purposes — the $50-million profit-sharing plan. Senior management just did not want to get involved; they found monitoring the plan activity too detailed and tedious.

On the Friday before Labor Day, under the guise of investing, the controller fraudulently wired $9 million from the profit-sharing plan to his bank in Baltimore. He subsequently moved the money to a bank in Miami, then to Bermuda and then on to his bank in Brazil. Saturday morning he flew to Rio de Janeiro.

By the time his employer realized what had happened, the controller had escaped. He had planned and executed his fraud perfectly, knowing that the extradition treaty between the U.S. and Brazil does not apply to money-laundering charges. Years later, he returned to the U.S. after agreeing to return what was left of the money in return for not being prosecuted.

"The moral," Friedman said, "is to segregate all duties that might enable an employee to single-handedly commit such frauds without anyone realizing it."

Do not judge the effectiveness of a transaction approval process solely on quantitative criteria, Friedman cautioned. It is also a matter of which — not just how many — employees are involved. For example, no single officer should be capable of unilaterally authorizing large transactions. Obtaining a second officer's OK should be mandatory.


The 2010 Federal Reserve Payments Study observed that although more than three quarters of noncash payments are electronic, paper checks will be with us for some time to come. In 2009 — the most recent period for which data are available — U.S. businesses and individuals wrote 27.5 billion checks.

CFEs therefore must strive to maintain and strengthen their employers' and clients' awareness and mitigation of the risks of paper checks. The ACFE's "Fraud Examiners Manual" and the ACFE website (ACFE Check Fraud Resources) offer extensive technical background and practical guidance on this topic.

Friedman described a client company that devised and then neglected its own unusual plan for protecting its paper check stock.

"A small company converted a gun safe into a storage case for thousands of blank checks," Friedman said. "The storage case was unlocked all day. If a check had disappeared from the bottom of a pile, no one would have noticed for months. Forging a signature was no big deal. Unless the company had additional protection, that check would clear."

Banks offer businesses two versions of additional protection: positive pay and reverse positive pay.

With positive pay, every time a business writes checks, it sends its bank a list of their numbers, amounts, dates and payees, which shows that the checks are valid and that the bank should honor them. The bank will not pay checks that are not on the list. Typically, the system automatically generates the list and sends it to the bank.

With reverse positive pay, the bank notifies the client when someone presents a check for payment. The bank will honor the check unless —within a brief period — the client says not to.

"CFEs should advise their clients never to agree to reverse positive pay," Friedman said. "If you somehow don't timely instruct the bank not to pay a check you don't recognize, the bank has the right to honor it and stick you with the loss if the check turns out to be fraudulent. Positive pay is the safer alternative."

Friedman said he knows of a business that used reverse positive pay because it was cheaper than positive pay. And the company chose an unusual option that Friedman suspects might no longer be available: When a check would come in, the bank would ask the company for permission to honor it. If the company said no or did not answer, the bank would not clear the check.

For a while, the company diligently responded to the bank's requests, and there were no problems. However, when the company closed for the December holidays, the bank did not. Unfortunately, many of the company's checks still had not yet been presented. And when the bank contacted the company no one was there to answer.

"Hundreds of valid checks bounced because the bank never received permission to clear them," Friedman said. "The company had to stop payment on the originals and re-issue them. It reimbursed clients for any losses and changed its procedures, but the damage had been done. It hurt their reputation and cost them $100,000."

Recently, another reason emerged for some companies to consider positive pay.

"Increasingly, businesses that decline positive pay might have to sign a waiver in which they release their bank from liability for any check fraud that would have been discovered if the company had accepted positive pay," Friedman said. "One of the larger banks has implemented this policy, and many smaller ones are following its lead. Positive pay isn't cost-effective for every company. But it's good insurance, and CFEs should recommend it to clients that write numerous checks. Right now it's one of the best ways to protect yourself from counterfeit checks."

Robert Tie is a New York business writer. 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on or ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to