Shooting the messenger: Demeaning or penalizing people who bring risks to management’s attention

Brushing it off: Rationalizing or trivializing bad behavior so that employees continue to exploit the situation and managers do not confront suspicious behavior

Some common examples of fraud

One type of fraud involves employees, who may be unaware of controls in
place to prevent fraud, testing the waters to see if they can get away with
something. For example, say a retail clerk discovers that customers pay for
their catalog merchandise at the customer service desk. The clerk then finds
a customer’s order, gives it to him, receives the payment, and places it in the
cash drawer. Payment comes in the form of check, credit card, or cash. The
customer signs a receipt of merchandise and that record goes in the drawer
with the payment copy. But the clerk is having difficulty making ends meet,
so one day she decides to keep the cash and destroy the merchandise receipt
for a $20 transaction. The clerk waits to see if there are any questions about
the missing money. When no one questions her, she does it again; the next
time, removing payment for two transactions. When the control (which
matches the receipts to a shipment manifest) is eventually performed, it
reveals missing merchandise. The controls that were invisible to the clerk
gave her an opportunity to test the waters.

Another type of fraud involves savvy employees who know exactly how the
controls work and can manipulate them to their own advantage. For example,
a payables clerk who is responsible for managing payments knows that payments
that don’t reach the vendor are almost always questioned, and vendor
reconciliations between payables and payments are done periodically.
However, the payables clerk knows that reconciliations are sometimes four or
five months behind. Every year, the company makes a charitable contribution
in three installments. The amount is significant during good years and is usually
reduced in bad years. The clerk changes the vendor name and address
for one payment cycle to divert a payment to himself and, immediately after
the payment cycle, reverts the name back to the charity. The charity never
complains about not receiving the third installment because they assume the
company has reduced its contribution because of a bad year. In this case,
there was no segregation of duty between vendor changes and payments.
This oversight allowed the clerk to divert the payment by using his own
authorized capabilities for unauthorized purposes. The vendor reconciliation
ignored the insignificant amount, among the millions in payments, and the
clerk was able to pay his aging parents’ healthcare bills: It’s another case of
desperation meeting bad controls.
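The payables case above hinges on two control gaps: the same person could change vendor master data and release payments, and the reconciliation never looked for a remit-to change that was reverted right after a payment run. The following detection check is an added example, not code from the book or from SAP; it runs over a constructed vendor-change log and payment run (all vendor ids, user names, dates and amounts are made up) and flags both patterns.

```python
from datetime import date

# Constructed sample data (not from the book).
# Vendor master change log: (vendor_id, changed_on, field, old_value, new_value, changed_by)
VENDOR_CHANGES = [
    ("V100", date(2024, 3, 1), "address", "1 Charity Way", "9 Clerk St", "u_payables"),
    ("V100", date(2024, 3, 9), "address", "9 Clerk St", "1 Charity Way", "u_payables"),
    ("V200", date(2024, 2, 10), "address", "Old Rd", "New Rd", "u_vendor_master"),
]
# Payment run: (payment_id, vendor_id, paid_on, amount, released_by)
PAYMENTS = [
    ("P1", "V100", date(2024, 3, 5), 15000.0, "u_payables"),
    ("P2", "V200", date(2024, 3, 5), 2000.0, "u_treasury"),
]


def flag_suspicious_payments(changes, payments, window_days=14):
    """Return (payment_id, vendor_id, reasons) for payments where a remit-to
    field was changed shortly before the payment and restored shortly after,
    or where the user who changed the vendor also released the payment.
    Amount is deliberately ignored: a small diversion hidden among millions
    in payments is exactly what a threshold-based reconciliation misses."""
    flags = []
    for pid, vid, paid_on, _amount, released_by in payments:
        before = [c for c in changes
                  if c[0] == vid and 0 <= (paid_on - c[1]).days <= window_days]
        after = [c for c in changes
                 if c[0] == vid and 0 < (c[1] - paid_on).days <= window_days]
        reasons = set()
        # A change after the payment that restores the value replaced before it.
        for b in before:
            for a in after:
                if a[2] == b[2] and a[4] == b[3]:
                    reasons.add("remit-to change reverted after payment")
        # Segregation-of-duties breach: changer of vendor data == releaser of payment.
        if any(c[5] == released_by for c in before):
            reasons.add("same user changed vendor and released payment (no segregation of duties)")
        if reasons:
            flags.append((pid, vid, sorted(reasons)))
    return flags


if __name__ == "__main__":
    for pid, vid, reasons in flag_suspicious_payments(VENDOR_CHANGES, PAYMENTS):
        print(pid, vid, "; ".join(reasons))
```

In a real review the change log would come from the vendor master audit trail and the payment run from the payables system; the window length is an assumption and should be tuned to the payment cycle.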

108 Part II: Diving into GRC
