❘❙ Fraud Prevention ❙❚ Case studies of Fraud in the hospitality industry A retrospective of how real frauds could have been prevented By Anna McFarland , CFE, CHAE, CHTP, CPA and Phil Newman, CPA A t more than 270 pages, the 2012 Report to the Nations on Occupational Fraud and Abuse (the Report) issued by the Association of Certified Fraud Examiners (ACFE) can be difficult to digest. However, as one might expect, the biannual publication provides valuable insight, supported by real world statistics, into the various facets of fraud. Financial professionals in the hospitality industry might wonder how much of this information is pertinent to their organizations and their individual responsibilities in relation to improving fraud prevention and detection. This article offers a review of two cases of fraud — one at a hotel and one at member-owned club — and demonstrates how the findings of the Report could have been used to prevent or detect the frauds earlier. For purposes of this article, the major sections of the Report are focused on: the cost of occupational fraud; how it is committed; how frauds are detected; the profile of the organizations falling victim to fraud, including a discussion of their controls; and details regarding the perpetrators of fraud. While it is interesting to understand the overall impact of controls in these cases of fraud, the most powerful information to help companies develop effective anti-fraud controls relates to how fraudulent schemes were uncovered and how much the amount of damage caused by fraud was reduced when a specific control was instituted. When determining the usefulness of a fraud prevention control for an organization, it is helpful to consider how fraud is typically uncovered from the perspective of the size of the company affected, as well as from the type of fraud occurred. Figures 1 and 2 (page 31) from the Report provide this information. Anna McFarland , CFE, CHAE, CHTP, CPA (annamcfarland36@gmail.com ) is a global hospitality consultant based in Kaufman, Texas. She is also a project leader on the Global Hospitality Accounting Common Practices, HFTP Global Past President and a frequent speaker at HFTP educational events. Phil Newman, CPA (philip.newman@mcgladrey.com) is a partner at McGladrey Pullen, LLP based in Ft. Lauderdale, Fla. He is also a frequent speaker at HFTP educational events. Reprinted with permission from the Fall 2013 Volume 28 Number 4 issue of The Bottomline, the journal of Hospitality Financial and Technology Professionals. Learn more at www.hftp.org. 30 Fall 2013 ❘❙ Fraud Prevention ❙❚ Regardless of the size of victimized organization, a tip proves to be the most common method of detection — 36 percent of the time for small entities (defined as those with less than 100 employees) and nearly 47 percent of the time for those larger organizations. Management review is also shown to be critically important for all companies in detecting fraud. Meanwhile, it is interesting to note that fraud in all classifications of organizations was more likely to be caught by accident than by external audit. This statistic serves as a reminder of the purpose of external financial statement audits as it relates to detection of fraud. The ACFE classifies fraud schemes into three broad categories: Asset Misappropriation Cases, Corruption Cases and Financial Statement Fraud Cases. Again, as depicted in Figure 2, regardless of type of fraud, the most common method of detection is a tip. External audits prove to be more useful detecting financial statement fraud than either of the other two categories of fraud. Internal audits, uncommon in private clubs, are frequently conducted by hotel and casino organizations and appear to be equally effective in detecting all three types of fraud. In another attempt to measure the effectiveness of controls, the Report compares the median loss suffered by those organizations that had each anti-fraud control in place with the median loss in companies that did not have that control (page 32). While all controls were led to a reduced median loss, formal management reviews, employee support programs and hotlines were associated with the largest reductions in financial losses. Entities that did not have any of these three controls in place suffered median losses that were approximately 45 percent larger than organizations with these controls. These findings are interesting in that they suggest that managerial reviews and employee support programs, at least in terms of dollars of fraud prevented, are just as effective as hotlines, with fraud training also proving to be highly effective. 36.1% 46.6% Tip 14% 15.1% Management Review 12.8% 4.1% Internal Audit 9.9% 16.5% By Accident 7% 3.2% Account Reconciliation 5.3% 4.7% Document Examination External Audit 4.8% 2.3% Notified by Police 4.3% 2.3% Surveillance/Montioring 2.4% 1% Confession 1.9% 2% Figure 1. Detection Method by Size of Victim Organization ■ <100 Employees ■ 100+ Employees 1% 1% Other 0.5% 1.4% IT Controls 0 10 20 Tip 7.4% 4.3% 4.8% By Accident Account Reconciliation 4.5% 2.2% 1.9% 0% Detection Method by Scheme Type 2.6% 4.8% 14.3% Notified by Police IT Controls 5.3% 0.9% 3.8% Figure 2. External Audit Other 42.1% 54.1% 41.9% 3.3% 3.3% 5.7% 2% 0.9% 1.9% ■ Asset /Misappropriation Cases ■ Corruption Cases ■ Financial Statement Fraud Cases 1.7% 0.9% 1.9% Confession 1.1% 0.7% 1.9% 50 14% 14.3% 14.3% Internal Audit Surveillance/Montioring 40 15% 12.4% 6.7% Management Review Document Examination 30 1% 1.3% 1% 10% 20% 30% 40% 50% 60% Source: 2012 Report to the Nations on Occupational Fraud and Abuse The Bottomline 31 ❘❙ Fraud Prevention ❙❚ Median Loss Based on Presence of Anti-fraud Controls Control Percent of Cases Implemented Control in Place Control Not in Place Percent Reduction Management Review 60.5% $100,000 $185,000 45.9% Employee Support Programs 57.5% $100,000 $180,000 44.4% Hotline 54.0% $100,000 $180,000 44.4% Fraud Training for Mgrs/Execs 47.4% $100,000 $158,000 36.7% External Audit of ICOFR 67.5% $120,000 $187,000 35.8% Fraud Training for Employees 46.8% $100,000 $155,000 35.5% Anti-fraud policy 46.6% $100,000 $150,000 33.3% Formal Fraud Risk Assessments 35.5% $100,000 $150,000 33.3% Internal Audit/FE Department 68.4% $120,000 $180,000 33.3% Job Rotation/Mandatory Vacation 16.7% $100,000 $150,000 33.3% Surprise Audits 32.2% $100,000 $150,000 33.3% 9.4% $100,000 $145,000 31.0% Code of Conduct 78.0% $120,000 $164,000 26.8% Independent Audit Committee 59.8% $125,000 $150,000 16.7% Management Certification of F/S 68.5% $138,000 $164,000 15.9% External Audit of F/S 80.1% $140,000 $145,000 3.4% Rewards for Whistleblowers Source: 2012 Report to the Nations on Occupational Fraud and Abuse Application to the Hospitality Industry Case Study 1: Private Member-owned Country Club The general manager (GM) of a private club pleaded guilty to stealing almost $2 million from the club through fraudulent payrolls and illegally-written checks. He admitted to mail fraud, wire fraud and money laundering in connection with a scheme to steal from the club. Over a period of five years the GM created fictitious employees, kept former employees on the payroll and placed individuals on the payroll who provided personal services to him. He made electronic payments to these “ghost employees” and deposited them into his personal accounts. The GM also wrote checks drawn on country club accounts to pay his personal expenses, including leasing and buying vehicles for his personal 32 Fall 2013 use. He wrote checks made payable to his personal business. The GM and his colleague, the controller of the club, were indicted in U.S. District Court on numerous counts each of wire and mail fraud. The scheme came to light after the club appointed a new treasurer who questioned duplicate invoices that had been presented to her for approval and payment. This case ostensibly involved asset misappropriation, though some financial statement fraud would have been involved, as well to conceal the fraudulent transaction. Focusing therefore on the detection methods discussed in Figure 2, it is evident that this scheme could have been detected in its infancy with a tip. Given that the scheme lasted for approximately five years, it is necessary to ques- tion how such a large fraud, which involved several functions of the clubs finances (e.g., payroll, cash and fixed assets), was not noticed or reported by someone with the club. Presumably the bogus expenditures were charged to various departments — under the noses of each department head. Questions that emerge include whether the department heads were part of the scheme or simply too scared to report anything for fear of losing their jobs, and whether the club employees had a mechanism for reporting any unusual occurrences. Given that two senior members of the management team were involved, it could have been that the employees would not have known how or to whom they were to report issues. Instances like this make the value of a hotline unquestionable, though staff must be trained as to its appropriate use. ❘❙ Fraud Prevention ❙❚ That leads to the effect anti-fraud training might have had in this case. Had employees been made aware of their responsibilities to prevent and detect fraud and to be attuned to instances of unusual practices, then the fraud may have been detected much earlier. The Report notes that anti-fraud training reduces the duration of fraud by 50 percent — the same reduction in duration attributed to an entity having a hotline in place. In fact, the ACFE study notes that something as simple as job rotation/mandatory vacation, reduces the duration of a fraud scheme by as much as 62.5 percent. In this country club case study, forced vacations for the controller and general manager could have led to a much smaller loss. While managerial review is noted as a common detection method, by size of organization or by type of fraud scheme, in a case like this one, the effectiveness of such activity might be difficult to appreciate given that members of management were complicit in the fraudulent activity. In the private club world, a case like this highlights the importance of board and committee oversight in financial governance matters. While such bodies should not be involved in day-to-day operations, given the limited controls in most clubs, those who are in financial stewardship roles, such as the treasurer, must be diligent in their duties. In this case, ultimately it was the treasurer who exercised her role as a reviewer to uncover the size of the ongoing fraud. Case Study 2: Prestigious Boutique Hotel The owners of a well known boutique hotel in a major metropolitan area announced that an investigation into an alleged fraud scheme at the property had recently been concluded. The vice president (VP) of operations of the management company that operated the hotel had admitted to stealing more than $500,000 from the hotel and similar properties also managed by the management company. The scheme was uncovered during the first financial statement audit of the hotel in many years when unusual items on the bank reconciliation were questioned by the auditors. With the assistance of the hotel’s controller, the VP had used cashiers checks to withdraw funds from the hotel’s bank accounts for personal use. The scheme had been hidden from auditors of other hotels in the group by circulating funds from one hotel to another just before the financial statement audit commenced. The investigation into the fraud had uncovered numerous discrepancies in the hotel’s records, including checks that had been cashed without signatures, as well as notices to auction the hotel, issued by local taxing authorities, for non-payment of real estate taxes. It was also discovered that the VP had stolen payroll tax deposits from his previous employer and was working through a payment plan to repay the amounts stolen. This case also involves financial statement manipulation to disguise the theft of assets, namely cash. Given that the fraud focused on the theft of cash under the control of two individuals, one might question the impact a hotline would have had in this situation. That is until noticing that the fraud was hidden from other audit firms in the group by circulating funds among the various properties. What questions did the controllers at the other hotels ask when transfers were made close to year-end and before the annual external audit might have commenced? If those controllers had a hotline to which they could have reported concerns, the losses could arguably have been reduced by as much as 45 percent. The hotel case highlights an area of the Report that not yet touched upon, but is one that deals with an impor- tant aspect of fraud prevention. In the Report, less than six percent of the fraudsters had prior convictions, while a similar proportion had been charged, but not convicted. These statistics should not diminish the importance of background checks on employees in positions of trust. In this hotel scenario, such a background investigation would arguably have uncovered a prior offence(s) committed by the VP. The hotel case lasted about three years before the auditor uncovered the discrepancy in the bank reconciliation. While the duration of a fraud scheme ranges from 12 to 36 months in the Report, depending on the category of the fraud, the median duration for all cases in the study was 18 months. It would seem that a greater level of financial review by other management company personnel, including but not limited to an effective internal audit department, would have prevented or expedited the discovery of this fraud. Hospitality Clearly, hindsight is always 20/20 and it is easy to look back at cases of fraud to identify what could have been done differently to stop or prevent the fraud in the first place. The reality is that no organization or department is immune to fraud. All members at any organization have roles to play in respective positions and everyone has an inherent responsibility to understand what constitutes fraud as well as how to prevent and detect it. For those who are committed to fraud detection and prevention, a detailed review of the 2012 Report to the Nations on Occupational Fraud and Abuse is highly recommended. ■ Source • Association of Fraud Examiners. 2012 Report to the Nations on Occupational Fraud and Abuse. http:// www.acfe.com/rttn.aspx The Bottomline 33