
CPE for Government Auditors

Abuse, Waste & Other Shenanigans: Reportable Conditions


  • Classify an audit finding as: an internal control weakness; a violation of contract or grant agreement; fraud; or abuse and waste.
  • Differentiate among the elements of a finding.

If the auditee exhibits any of the following three conditions, and these conditions are significant or material, the auditor should describe them in their audit report in the form of a “finding” and recommend corrective action:

  1. Internal control weaknesses
  2. Noncompliance
  3. Fraud

But those aren’t the only less than stellar conditions an auditor may come across; the auditor may also see that the auditee is abusing their power or wasting government resources. In years past, the GAO considered abuse as a reportable condition and did not mention the concept of waste.

In the 2018 version of the Yellow Book, abuse is no longer a reportable condition. Instead, abuse is joined to waste, and together they are described as indicators that the other reportable conditions exist.

In this chapter, we will cover the definitions of the three reportable conditions as well as the definitions of abuse and waste. We will cover our professional responsibilities regarding the reportable conditions and talk about how to describe the reportable conditions in findings using the five elements of a finding.

Our Responsibility Is Limited

The Yellow Book repeatedly points out that we are responsible for the reportable conditions only within the context of our audit objectives. So, we are not responsible for fraud, noncompliance, and internal control weaknesses throughout the client’s operations (thank goodness!). We are only responsible for those three conditions as they relate to our audit objectives.

Definitions of the Reportable Conditions

Let’s define each of the reportable conditions in more detail. First, internal control weaknesses, next noncompliance, and then fraud.

Here is how the GAO defines an internal control weakness:

8.53: … A deficiency in internal control exists when the design, implementation, or operation of a control does not allow management or personnel to achieve control objectives and address related risks. A deficiency in design exists when a necessary control is missing or is not properly designed so that even if the control operates as designed, the control objective would not be met. A deficiency in implementation exists when a control is properly designed but not implemented correctly in the internal control system. A deficiency in operating effectiveness exists when a properly designed control does not operate as designed or the person performing the control does not have the necessary competence or authority to perform the control effectively. 

Here is how the GAO defines non-compliance:

8.68 …   instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements …

Here is how the GAO defines fraud:

8.73     Fraud involves obtaining something of value through willful misrepresentation. 

Each of the Reportable Conditions Has Criteria:

One thing that makes auditors very happy is audit criteria. Without audit criteria, we don’t have anything objective to measure our audit subject against.

Internal controls can be (and per the last chapter, now will be!) evaluated against the COSO model or the Green Book.

Compliance can obviously be evaluated against some of our favorite audit criteria: law, regulations, contracts, or grant agreements.

Fraud must be evaluated against statute. A fraudster cannot be brought to court unless the prosecution can prove that a crime – per statute – was committed.

So, for each reportable condition, an auditor can comfortably bring issues up in a finding because they will have some firm criteria to base their finding on. As we will see later in this chapter, criteria is one of the five elements of a finding.

Abuse and Waste Are Subjective

In the case of the concepts of abuse and waste, the auditor must apply their judgment instead of criteria. This is not a happy spot for auditors to be.

Because abuse does not involve any firm criteria, it has been downgraded from a reportable condition to a ‘concept.’

Here is the definition of abuse:

6.23     Abuse is behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances, but excludes fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate.

Who is this prudent person? You’ve got me! I’ve never met one, so we won’t be able to give them a call or refer to their judgment when we are trying to decide if someone is acting abusively.

We have a similar problem with waste, which is defined for the first time in the 2018 version of the Yellow Book.

6.21     Waste is the act of using or expending resources carelessly, extravagantly, or to no purpose. Importantly, waste can include activities that do not include abuse and does not necessarily involve a violation of law. Rather, waste relates primarily to mismanagement, inappropriate actions, and inadequate oversight. 

This time, this non-existent prudent person is not mentioned, although we still aren’t left with any firm criteria to hang our hats on.

I am sure that you have had unresolvable conflicts with your loved ones over what constitutes waste. What my husband thinks is wasteful, I think is normal or necessary, and vice versa. For instance, I insist on using Orville Redenbacher raw popcorn kernels when I make popcorn. Orville Redenbacher is expensive compared to the cheap bags of generic popcorn. Several times he has snuck cheap popcorn into my Orville Redenbacher jar to make a point… but I busted him! He thinks I am being wasteful. I think Orville Redenbacher is necessary. Who is right? Me, of course!

He insists on Coke Zero and refuses to drink generic diet cola brands. He sees no hypocrisy in this.

This is exactly the kind of silly debate that auditors should not get into! Without firm criteria limiting the amount that should be spent on popcorn or sodas, no one wins.

The GAO recognizes that abuse and waste are difficult for auditors to work with because of the lack of firm criteria, so they downgraded abuse from a reportable condition. They married abuse to the newly defined concept of waste and point out that abuse and waste can be indicators that fraud, non-compliance, or internal control weaknesses have occurred.

6.20     Given the concept of accountability for use of public resources and government authority, evaluating internal control in a government environment may also include considering internal control deficiencies that result in waste or abuse. Because the determination of waste and abuse is subjective, auditors are not required to perform specific procedures to detect waste or abuse in financial audits. However, auditors may consider whether and how to communicate such matters if they become aware of them. Auditors may also discover that waste or abuse are indicative of fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements. 

Thinking through Some Examples May Help Us

Let’s walk through two scenarios involving less-than-stellar behavior and see whether each is one of the three reportable conditions (fraud, noncompliance, internal control weaknesses), abuse and waste, or something else.

Scenario 1: First let’s consider the case of a government employee who works for a retirement system in Massachusetts. Let’s say she wants to visit her daughter in California soon. She sees an opportunity to have the retirement system pay her way when a seminar relevant to her job is offered only a half-hour’s drive from her daughter’s home. This same seminar will be available near her offices in Massachusetts in a few months and the state will not have to pay travel costs for her to attend.

Here is the scale of less-than-stellar behavior in government – from bad… so bad you want to see the person behind bars (fraud) – to just plain silly.

  • Fraud
  • Noncompliance
  • Internal Control Deficiency
  • Abuse
  • Waste
  • Unethical
  • Silly/stupid

Abuse and waste are not reportable conditions; neither are unethical, silly, or stupid behaviors.

Let’s go from the bottom of our list up. Yes, this is pretty stupid and obvious upon examination. Unethical? Yes. Is she wasting government resources? Yes. Abuse… maybe not. An internal control deficiency? Maybe. Someone should be reviewing her choices and making sure that the travel expenditure is worth it. Noncompliance? No, I don’t think so. Fraud? Should she go to jail? No, I think jail time is a little too harsh.

Yes, she is wasting the government’s resources, but we are going to have a hard time writing a finding from that perspective because we don’t have any criteria. The Yellow Book tells us that waste and abuse can indicate that another reportable condition is present.

6.20     Given the concept of accountability for use of public resources and government authority, evaluating internal control in a government environment may also include considering internal control deficiencies that result in waste or abuse… Auditors may also discover that waste or abuse are indicative of fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements.

If this issue is relevant to my audit objective and if I want to bring it up in my audit report, I would frame this issue as an internal control weakness. Someone should have prevented her from traveling unnecessarily by reviewing her travel plans.

Scenario 2: Let’s go through another scenario. Let’s say that we are auditing prisoner accounts at a county jail. And we find that the jail clerk has not been returning funds to inmates after they are released.

Let’s go through this one from the top! Is this fraud? Well, aren’t you eager to throw someone behind bars? I didn’t say the jail clerk took the funds home with her! I only said she just didn’t return the funds to inmates. If she took them home, yes, it would be fraud. If she just left them sitting in the county’s bank account, we are not dealing with fraud but instead noncompliance or an internal control weakness. Is it waste or abuse? No. Unethical? Yes, if it was intentional. Silly or stupid? Maybe she just has too much to do and let this task slip. I don’t think I’d call that stupid.

I’d probably frame the finding as noncompliance in this scenario. Maybe an internal control weakness. Later in this chapter, we will talk about how to write noncompliance and internal control weakness findings.

Now that we understand how to identify reportable conditions, let’s talk about our professional responsibility regarding them.

Our Responsibility to Detect the Reportable Conditions

Do you remember the audit trifecta I introduced during our discussion of independence? When applied to independence, the trifecta is called the ‘conceptual framework.’ The trifecta is a three-step process: 1. understand your subject, 2. assess risk, and 3. respond.

This time, the standards rename the trifecta and refer to it as ‘designing your audit to detect…’
Whenever a standard-setting body pulls the trifecta out of its hat, you know that the standard-setting body wants you to think and wants the thinking documented. The most intense thing the standards can ask you to do is think through the steps of the trifecta, and thus what follows are some of the GAO’s most intense standards.

With a slight variation in language, the GAO is asking auditors to go through all three steps of the trifecta when it comes to each of the reportable conditions. The language is a little more convoluted when it comes to internal controls than the language surrounding the other two reportable conditions. Let me start with the most straightforward presentation of the trifecta among all three reportable conditions – the trifecta applied to noncompliance.

The Trifecta Applied to Noncompliance

Look at this quote from the Yellow Book regarding the auditor’s responsibilities regarding noncompliance and find the steps of the trifecta.

8.68     Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives. 

Step one of the trifecta, “understand the subject,” has been changed to “identify any provisions… that are significant,” the risk assessment step is addressed head-on, and the last step of the trifecta, the response, is now “design procedures to detect.” The whole trifecta as it applies to noncompliance has been addressed in one short paragraph.

The Trifecta Applied to Fraud

The trifecta gets a little trickier when it comes to our responsibility for fraud, but it is still in there! It is just enhanced. And there is a difference between the requirements to apply the trifecta in financial audit standards and in the performance audit standards. Financial auditors must follow the AICPA standards regarding fraud – and these standards are more detailed and specific than the GAO’s standard for performance auditors.

Here is a table outlining both standards:

| Financial audits (AICPA standards) | Performance audits (GAO standards) |
| --- | --- |
| 1. Understand the subject: ask questions of auditee; consider fraud risk factors | 1. Understand the subject: gather and assess information; consider fraud risk factors |
| 2. Assess risk: brainstorm with team; assess magnitude and likelihood of potential frauds | 2. Assess risk: brainstorm with team; assess magnitude and likelihood of potential frauds |
| 3. Respond with procedures | 3. Respond with procedures |

What is the difference? The performance auditor does not have to ask questions of the auditee. Financial auditors following the AICPA standards for fraud occasionally end up insulting the auditee with these questions because they are very direct. The questions stop just shy of accusing the interviewee of committing fraud themselves!

Here is what the Yellow Book directs performance auditors to do regarding fraud. Try again to find the trifecta!

8.71     Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals’ incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions. 

8.72     Assessing the risk of fraud is an ongoing process throughout the audit. When information comes to the auditors’ attention indicating that fraud, significant within the context of the audit objectives, may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings. 

The trifecta is presented out of order in those last two paragraphs, but it is still there; understanding the audit subject is called “gather and assess information,” the risk assessment is addressed head-on, and the response is called “extend the audit steps and procedures.”

The Trifecta Applied to Internal Controls

The application is becoming more complicated as we move through the reportable conditions. Did you notice? The trifecta is clearly laid out in the non-compliance requirements, obscured ever so slightly in the fraud standards and then, as you will see, strangely overcomplicated when it comes to talking about internal controls.

Step 1 of the Trifecta – gathering information

8.40     If it is determined that internal control is significant to the audit objectives, auditors should obtain an understanding of such internal control. 

Step 2 of the Trifecta – assess risk

8.49     If internal control is determined to be significant to the audit objectives, auditors should assess and document their assessment of the design, implementation, and/or operating effectiveness of such internal control to the extent necessary to address the audit objectives. 
In this case, the GAO does not use the term ‘risk assessment’ but instead uses the terminology “if significant.” So, risk is obscured, but an auditor can’t determine what is ‘significant’ without doing a risk assessment!

Step 3 of the Trifecta – respond

8.51     Assessments of internal control involve designing and performing procedures to obtain sufficient, appropriate evidence, as required in paragraphs 8.90 through 8.94, to support and document the auditors’ findings and conclusions on design, implementation, and/or operating effectiveness of controls that are significant to the audit objectives. The controls being assessed are generally the key controls identified during the planning phase of the engagement, which may include controls at both the entity and transaction levels. Changes may be made to the initial determination of key controls based on additional information gathered during the course of fieldwork. 

I told you, overcomplicated! But the three steps of the trifecta are there for internal controls, too.


Now that you know that there are three triggers for a finding, you also need to know how to write a finding. The GAO is very specific about what goes into a finding; findings per Yellow Book standards include five elements:

  • Condition
  • Effect
  • Cause
  • Criteria
  • Recommendation

Where Did These Elements Come From?

The elements of a finding are the standard elements of a persuasive argument outlined centuries ago by Greek philosophers. Legend has it that an audit manager at the GAO earned a master’s in philosophy and was wise enough to include the elements of a persuasive argument in the Yellow Book. At the time, his colleagues thought he was crazy (as is often assumed about philosophy majors), but now we applaud his contribution.

The elements of a finding are where the GAO puts legs on its concepts of accountability and transparency and are central to the way that government auditors think about their work at the micro level (reportable conditions) and the macro level (as questions we must answer with our audit objectives). But I am getting a little off track! Let’s go back to the micro level and talk about how to use the elements to support a finding.

Questions Answered by the Elements

Each element answers a question for the reader that they need answered in order to be persuaded to change. The recommendation describes the change that needs to occur.

CONDITION: What is the problem?
EFFECT: Why does this problem matter? What is the impact?
CAUSE: How did the condition happen?
CRITERIA: Says who?
RECOMMENDATION 1: How do we resolve the condition?
RECOMMENDATION 2: How do we resolve the cause?

Here are the GAO definitions of each of the elements:

6.26     Condition: Condition is a situation that exists. The condition is determined and documented during the audit. 

6.28     Effect or potential effect: The effect or potential effect is the outcome or consequence resulting from the difference between the condition and the criteria. When the audit objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, effect is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks. 

6.27     Cause: The cause is the factor or factors responsible for the difference between the condition and the criteria, and may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor contributing to the difference between the condition and the criteria. 

6.25     Criteria: For inclusion in findings, criteria may include the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations in the report. In a financial audit, the applicable financial reporting framework, such as generally accepted accounting principles, represents one set of criteria. 

6.52     (Recommendations) Along with assisting management or oversight officials of the audited entity in understanding the need for corrective action, clearly developed findings assist auditors in making recommendations for corrective action. If auditors sufficiently develop the elements of a finding, they may provide recommendations for corrective action.

The Hardest Element to Develop Is the Cause

Filling in the blanks on these elements might look easy on paper, but when presented with a real-life scenario, most auditors struggle with coming up with a solid cause. The GAO has formally recognized this struggle by recommending for the first time in its standards that auditors use an internal control weakness as the cause:

6.18     Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings. 

6.29     Regardless of the type of finding identified, the cause of a finding may relate to one or more underlying internal control deficiencies. Depending on the magnitude of impact, likelihood of occurrence, and nature of the deficiency, the deficiency could be a significant deficiency or material weakness in a financial audit. 

6.30     Considering internal control in the context of a comprehensive internal control framework, such as Standards for Internal Control in the Federal Government or Internal Control—Integrated Framework can help auditors to determine whether underlying internal control deficiencies exist as the root cause of findings. Identifying these deficiencies can help provide the basis for developing meaningful recommendations for corrective actions. 

If internal control weaknesses are the cause, they can’t also serve as the condition statement. OK, an auditor CAN start a finding with an internal control weakness as the condition, but that choice often ends up with the auditor saying something rude and personal about the auditee. Let me show you what I mean by using a few examples.

Did I Show Up to Work on Time?

Let’s pretend that you have been tasked with concluding whether I show up on time for my seminars.

I show up at least an hour ahead of start time because I often find the venue and the AV in disarray. I also need a little time to get settled in and accustomed to the environment so that I can adjust any plans I have for eliciting interaction from the audience.

Whether or not I show up on time for my seminars is a question of fact; do I or don’t I show up on time?

Because getting to work an hour ahead of the start is so important for me, I layer on a variety of controls to make sure that I am on time. One thing I do is set at least three alarm clocks: my iPhone alarm, my bedside plug-in alarm, and a battery powered alarm. If I am in a hotel, I ask for a wake-up call. If I am home, I alert my family to the need to get me up in the morning.

Why so many layers of redundant controls? Because all of them have failed me at one time or another. Sometimes two of them fail me.

Whether my alarm clocks go off is a different question than whether I got to work on time. Whether my alarm clocks go off is an internal control question.

Now, is the question of fact or the question of controls the more important question to answer?

  • The question of fact: Did Leita show up to work on time?
  • The control question: Did Leita’s alarm clocks go off?

Yes, whether I showed up to work on time is the most important question to ask.

And is it possible that I showed up at work on time and it had nothing to do with my alarm clocks? Yes. Sometimes I naturally wake up ahead of my alarm clocks.

And is it possible that my alarm clocks worked but I still didn’t make it to work on time? Yes! Maybe I got hung up in traffic or got lost on the way.

Now, let’s imagine that I did not make it to work on time because I only set one alarm and it didn’t go off. Here is the resulting finding:

CONDITION: Leita was late to work

EFFECT: She delayed the start of the seminar by 40 minutes while she adjusted her mike and toyed with the LCD projector.

CAUSE: Her alarm clock did not go off

CRITERIA: Contract clause 20b says that the seminar starts at 8:00 a.m.

RECOMMENDATION 1: Leita is on time for work

RECOMMENDATION 2: Leita, set another alarm clock

Findings are always easier to write if you start with a fact-based statement as the condition and then use a control weakness as a cause.

Now imagine that instead of starting with the fact-based statement as the condition statement, I started with the control weakness as the condition:

CONDITION: Leita’s alarm clock did not go off

EFFECT: Leita was late to work

CAUSE: Operator error – Leita set the clock for 5:00 p.m. instead of 5:00 a.m.

CRITERIA: International time standards clearly state that a.m. represents the term ante meridiem, meaning before midday and post meridiem (p.m.) meaning after midday.

RECOMMENDATION 1: Leita should ensure her alarm clock goes off by setting a new one.

RECOMMENDATION 2: Leita should get a clue what a.m. and p.m. mean.

Yes, that was silly. The criteria were silly. The cause got personal. See how badly things can turn out when you start with the control as the condition statement? Still not convinced? Let’s try a more realistic scenario.

An Audit Example

Here is a more realistic example. Let’s say that you are auditing a school lunch program. And let’s say that you find that kids who are not eligible for government-subsidized lunches are getting free lunches. Here is a simple outline of what a finding might look like:

CONDITION: Ineligible children served free lunch
EFFECT: School spent $XX,XXX in federal funds on the ineligible lunches in 20XX.
CAUSE: No screening for eligibility
CRITERIA: Federal grant terms and conditions, clause XXX says…
RECOMMENDATION 1: Ensure only eligible students enjoy free lunch
RECOMMENDATION 2: Screen for eligibility

See how nicely that works if you start out the finding with a statement of fact as your condition and use a control weakness as a cause. Just like the GAO suggested.

If you choose “not screening children for eligibility” – a control weakness – as your condition, where are you going to go next? What is the cause going to be? Did they not screen for eligibility because they forgot? Didn’t care? Didn’t know they were supposed to? None of these comments are flattering, edifying, or insightful. Try not to go there! Start off with the statement of fact (Leita is not at work, kids are not eligible) and use a control weakness as the cause.

Solid Findings Look Like This

Here is a simple formula for a solid finding:

  • CONDITION: Noncompliance described
  • EFFECT: Quantification of noncompliance
  • CAUSE: Failed or non-existent control
  • CRITERIA: Compliance requirement
  • RECOMMENDATION 1: Ensure compliance
  • RECOMMENDATION 2: Repair or establish control

Or alternatively, a finding might look like this:

  • CONDITION: Did not achieve program goals
  • EFFECT: Quantification of impact
  • CAUSE: Failed control OR noncompliance
  • CRITERIA: Compliance requirement
  • RECOMMENDATION 1: Ensure goals are met
  • RECOMMENDATION 2: Repair control or ensure compliance

Weak Findings Look Like This

Again, if you do not take the GAO’s advice to make internal control weaknesses the cause, you might end up with a disparaging remark about the client’s ability to do their job. The following format is not ideal:

  • CONDITION: Internal control failure described
  • EFFECT: Quantification of impact
  • CAUSE: Another failed control or disparaging remark about the client’s ability
  • CRITERIA: Green Book
  • RECOMMENDATION 1: Repair or establish internal control
  • RECOMMENDATION 2: Repair or establish secondary internal control or do your job!

Special Reporting Requirement for Financial Auditors

Speaking of transparency, the GAO also wants financial auditors to be transparent regarding the auditor’s responsibility for the three reportable conditions. So, the GAO requires that financial auditors add language regarding the reportable conditions to their audit reports that is not required by the AICPA.

A financial auditor following AICPA financial auditing standards always includes an opinion on the financial statements in their audit report. Auditors following GAO standards must add language specifically addressing the auditor’s work regarding internal controls and compliance. If the auditor finds the remaining reportable condition, fraud, they are expected to address the fraud in this additional language also.

Most auditors put this additional language in a separate letter in the audit report.

Here is what the GAO says about this additional language:

6.39     Auditors should report on internal control and compliance with provisions of laws, regulations, contracts, or grant agreements regardless of whether they identify internal control deficiencies or instances of noncompliance. 

6.40     When providing an opinion or a disclaimer on financial statements, auditors should report as findings any significant deficiencies or material weaknesses in internal control over financial reporting that the auditors identified based on the engagement work performed. 

6.41     Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect

  1. noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the financial statements or other financial data significant to the audit objectives or
  2. fraud that is material, either quantitatively or qualitatively, to the financial statements or other financial data significant to the audit objectives.

6.42     Auditors should include either in the same or in separate report(s) a description of the scope of the auditors’ testing of internal control over financial reporting and of compliance with provisions of laws, regulations, contracts, and grant agreements. Auditors should also state in the report(s) whether the tests they performed provided sufficient, appropriate evidence to support opinions on the effectiveness of internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements. 

6.43     If auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements, they should include a reference in the audit report on the financial statements to those additional reports. They should also state in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity’s internal control over financial reporting and compliance. If separate reports are used, the auditors should make the report on internal control and compliance available to users in the same manner as the financial audit report to which it relates. 

The Language Differs Depending on the Financial Audit Objectives

Some financial auditors opine on whether the financial statements are presented in accordance with accounting standards, period. Let’s call those Plain Jane financial audits. Some financial auditors conduct the Single Audit. The Single Audit includes an opinion on the financial statements as well as an opinion on compliance for major programs.

On a Plain Jane financial audit, the auditor does not opine on compliance or internal controls in the additional language.

For the Single Audit, auditors opine on compliance for major programs. Single Auditors also have a heightened responsibility for internal controls over compliance. These additional responsibilities on the Single Audit are reflected in specifically designed additional language regarding compliance and internal control.

The AICPA provides example language for both audits – the Plain Jane financial audit and the Single Audit – on its “Government Audit Quality Center” website. I recommend that you use the wording suggested by the AICPA verbatim! Don’t get creative with this language; just make sure you include it when you report on a Yellow Book financial audit!

Example Language for a Plain Jane Financial Audit

Here is an example of the additional language regarding compliance and internal control for a Plain Jane financial audit. This language does not apply to the Single Audit. Please do not rely on this example for your work as the letters are frequently updated by the AICPA!

Report on Internal Control Over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards (for a Governmental Entity) 

(No Material Weaknesses Identified; No Significant Deficiencies Identified; No Reportable Instances of Noncompliance or Other Matters Identified) 

Independent Auditor’s Report 

[Appropriate Addressee] 

We have audited, in accordance with the auditing standards generally accepted in the United States of America and the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States, the financial statements of the governmental activities, the business-type activities, the aggregate discretely presented component units, each major fund, and the aggregate remaining fund information of Example Entity, as of and for the year ended June 30, 20X1, and the related notes to the financial statements, which collectively comprise Example Entity’s basic financial statements, and have issued our report thereon dated August 15, 20X1. 

Internal Control over Financial Reporting 
In planning and performing our audit of the financial statements, we considered Example Entity’s internal control over financial reporting (internal control) to determine the audit procedures that are appropriate in the circumstances for the purpose of expressing our opinions on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of Example Entity’s internal control. Accordingly, we do not express an opinion on the effectiveness of Example Entity’s internal control. 

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. 

Our consideration of internal control was for the limited purpose described in the first paragraph of this section and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies. Given these limitations, during our audit we did not identify any deficiencies in internal control that we consider to be material weaknesses. However, material weaknesses may exist that have not been identified. 

Compliance and Other Matters 
As part of obtaining reasonable assurance about whether Example Entity’s financial statements are free from material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of financial statement amounts. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed no instances of noncompliance or other matters that are required to be reported under Government Auditing Standards.

Purpose of this Report

The purpose of this report is solely to describe the scope of our testing of internal control and compliance and the results of that testing, and not to provide an opinion on the effectiveness of the entity’s internal control or on compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards in considering the entity’s internal control and compliance. Accordingly, this communication is not suitable for any other purpose. 

[Auditor’s signature] 

Little frauds are a big deal in government.

Please enjoy Chapter 1 of An Auditor’s Responsibilities for Fraud in the Government Environment, available at


  • Differentiate between auditing for fraud in the government environment and auditing for fraud in the commercial environment

Fraud – it’s a costly thing! Whether it is committed in the government environment or the commercial environment, those who practice it leave victims in their wake and rob taxpayers and businesses of their money.

You’ve heard the stories about the small town sheriff who used prisoners to landscape his backyard. Or the court clerk who takes bribes to dismiss traffic tickets. Or the school lunch lady who takes home a portion of the kids’ lunch money every day.  Cities are going bankrupt because their leaders rewarded themselves with huge salaries, perks, and pension benefits.  These stories of fraud crop up every day in the press and make us think badly of our government leaders.

But we also see similar stories in business.  Let’s not fool ourselves into believing that corporations are any better than the government at running things. I have had the privilege of working at a dozen or so Fortune 500 companies and they all have their quirks, and all have suffered from employee fraud.

Maybe it is just the people with whom I hang out, but most dinner conversations eventually include a few criticisms of our government.  And the tacit agreement among most of my friends and family is that corporations operate more effectively and efficiently than government.  But I think they are wrong.  I think both corporations and governments are flawed.  I have never encountered a perfect organization.  Have you?

My husband recently treated me to an Apple laptop – which I love, by the way. I was curious about how Apple had created such great products, so I watched an MSNBC business documentary about Apple. It turns out that Apple folks argue, and fail, and torment each other while creating products. Time is wasted, people get their feelings hurt, and the company loses massive amounts of money. But they create a great product in the end, don’t they?

Governments, with all of their faults, create great products and services for us, too.  They pick up our trash, fix our roads, educate our children, and respond to emergencies.  Even the tiniest cities are responsible for a wide range of services, from police and fire protection to courts, water and sewer, garbage disposal, inter‑government relations, health programs, parks and recreation, bus systems, and airports. No wonder things get out of hand every so often.  The more stuff there is to manage, the more opportunities for fraud to be committed.

Fraud Defined

Unfortunately, leaders and managers of government programs and of businesses engage in bad behaviors such as fraud, illegal acts, violations of contracts, abuse, and unethical behavior. This text focuses on fraud that occurs in government: more specifically, what you should do when you detect fraud in government.

In this text, I hope to give you the ability to discern between fraud and other bad behaviors in government.  I also hope that you will be able to recognize fraud when you see it and know what your professional responsibilities are regarding fraud.

So, first you need to know what fraud is.

According to the dictionary[1], fraud is: “deceit, trickery; specifically: intentional perversion of truth in order to induce another to part with something of value from someone else or to surrender a legal right.”

This is how the Government Accountability Office (GAO) defines fraud in the Yellow Book:

8.73     …Fraud involves obtaining something of value through willful misrepresentation. …

Basically, fraud is a willful act in order to gain something for personal use. In super simple terms, fraud is lying, cheating, and stealing. When it happens in business it is bad. When you have fraud in government it is often much, much worse.

Victims of Fraud in Government

When a bookkeeper steals money from a businessman, it is ugly and wrong.  But how much nastier is it when a bookkeeper takes monies destined to feed impoverished children? The elderly? War veterans?  Take your pick of disadvantaged or deserving groups, and the government probably helps them in some way.  When fraud occurs in the government, there are many helpless victims, and it is a crying shame.  It is one thing for business owners or corporations to lose their resources but another when fraud consumes the resources that are destined to become school lunches, infant formula, military armor, or low-income housing.

When I was in public accounting, auditing a car parts manufacturer in Eagle Pass, Texas, my ultimate customer was the owner of the business or the banker who used the audit report. But when I audit a HUD project, a low-income apartment complex, who is my ultimate customer?

Yes, HUD, the feds, the state, the city, and the management of the housing project are all involved and concerned about the project. But my ultimate customer is a 3-year-old toddler living in the complex with her single mother who works two jobs to keep the family together.

I have had the opportunity to work for a variety of governmental audit organizations including federal, state, and local government audit organizations. The stories I hear about and witness regarding governmental waste, fraud, and abuse are numerous and sad.

A Higher Purpose

When government works well, it is a wonderful thing.  And our job, as government auditors, is to make the government work better.

The 2018 version of the Yellow Book contains an introductory letter from Gene Dodaro, the Comptroller General of the GAO. He said, in part:

Given the current challenges facing governments and their programs, the oversight provided by auditing is more critical than ever. Government auditing provides the objective analysis and information needed to make the decisions necessary to help create a better future.

The Yellow Book itself states:

1.07     Engagements performed in accordance with GAGAS provide information used for oversight, accountability, transparency, and improvements of government programs and operations.

One city auditor has a personal mission that transcends the day-to-day work of auditing.  He believes his ultimate goal is to make sure that the city’s resources are directed to those who don’t have a voice, to those who are disenfranchised and in need of help.  Bravo! I am glad to know he is on the job.

3.08     A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This responsibility is critical when auditing in the government environment. GAGAS embodies the concept of accountability for public resources, which is fundamental to serving the public interest.


Little Misbehaviors can be a Big Deal in Government

If you have not worked in government before, I need to warn you that little things can easily become a big deal.

One of my buddies got a job as a city manager of an east Texas town.  Early in his tenure, a scandal rocked his office.  His executive assistant used the city’s stamp machine to mail her Christmas cards.  The local press went wild over the whopping $60 in postage and painted his office as wasteful and out of control.  He had to let her go to save his job and the jobs of others in his department.

This boils down to for whom we work when we work for the government: the citizens.  Citizens own the government.  They work hard, pay their taxes, and choose lawmakers to create programs to do very specific things – such as build a library, feed low-income children, or clean up the beach.  It really upsets and angers them when their money is misspent or flat out stolen.

Materiality in Government

And that brings us to the topic of materiality.  Materiality is a term used in auditing to indicate the importance of a matter in relationship to other matters.  Risk-based auditing requires auditors to delineate between important or risky matters and insignificant matters. The auditor cannot and should not look under every rock for problems, examine every transaction, or consider every risk because they will never finish the audit project!

You may hear an auditor saying something like, “That is not material.”  And what he is really saying is, “I am not going to look at that because I don’t care as much about that as I do something else.”  For instance, an auditor may not examine a petty cash account of $200 but will examine equipment worth $70,000.

One wise auditor in a class I held in California pointed out that many of his corporate clients are high-flying, incredibly busy executives who couldn’t care less about a small fraud. Small frauds could be managed by front line managers and do not warrant inclusion in the audit report.

In a corporation, access to the stamp machine, the copy machine, goodies, cake, and spa retreats are all perks of the job.  Remember when AIG spent $500K on a spa retreat for executives one week after the feds bailed them out?  The public was outraged, and AIG simply said, “Oh, we always do that. What’s the big deal?”

But in government, expectations for what is acceptable behavior are different. One federal inspector general for whom I work forbids his employees from holding birthday celebrations or eating in the office on government time. He does not want to be perceived as wasting taxpayer dollars.  When I work for a government, I have a hard time finding a cup of coffee, much less a pastry or a massage!

Once I attended the annual picnic at a state audit organization where they gave out awards for the most stupid finding of the year.  A guy named Jesse won the award for writing up a finding for a questioned cost of 52 cents.  Yep.  The federal grantor had told the state auditor they wanted to know about everything they had found. Jesse was just doing his job, literally!

While the AICPA (American Institute of Certified Public Accountants) standards are primarily written for audits of financial statements of commercial entities, the GAO (Government Accountability Office) standards are written for audits of governments.  The GAO counsels us – but doesn’t require us – to set a lower materiality level on government engagements than on engagements following AICPA standards. Here is their reasoning:

6.03     …Additional considerations may apply to GAGAS financial audits of government entities or entities that receive government awards. For example, in audits performed in accordance with GAGAS, auditors may find it appropriate to use lower materiality levels as compared with the materiality levels used in non-GAGAS audits because of the public accountability of government entities and entities receiving government funding, various legal and regulatory requirements, and the visibility and sensitivity of government programs.

Over and over, the GAO’s Government Auditing Standards distinguish between the purpose of their standards and the AICPA’s purpose for their standards.  And here the GAO says that government programs are more visible and sensitive.  In other words, little things matter in government! And what do we know about government? They care about it all!  Little, big, all of it!  So, a broader range of bad behaviors is reportable in this realm.

Do you think the federal grantor who doesn’t want employees eating cake on government time would care about the stamp machine incident? Probably. So while you might not report a small fraud for a business owner, you probably should in government.

The 2018 version of the Yellow Book identifies several methods by which you can report fraud depending on its significance or materiality.

If the fraud is material, then the auditor must write a finding and include it in the audit report. This language is excerpted from the financial audit standard, but the performance audit standards say something similar:

6.41 Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect … 2. fraud that is material, either quantitatively or qualitatively, to the financial statements or other financial data significant to the audit objectives.

And if the fraud is not material, but still warrants the attention of management, the auditor should communicate with management in writing:

6.44 Auditors should communicate in writing to audited entity officials when …b. the auditor has obtained evidence of identified or suspected instances of fraud that have an effect on the financial statements or other financial data significant to the audit objectives that are less than material but warrant the attention of those charged with governance. 

Accountability is an Ideal for Which We Strive

The GAO likes the concept of accountability so much that they changed their name from the General Accounting Office to the Government Accountability Office.  They even refer to auditors in their literature as “accountability professionals.”

Because we citizens are the owners of our government, we have a right to see where our money goes. Good governments seek transparency in their actions and their financial information. And if we know what the government does because they are transparent, we can hold those working for the government accountable for their actions.  That is the theory, anyway.

1.02 The concept of accountability for use of public resources and government authority is key to our nation’s governing processes.

1.03 As reflected in applicable laws, regulations, agreements, and standards, management and officials of government programs are responsible for providing reliable, useful, and timely information for transparency and accountability of these programs and their operations. Legislators, oversight bodies, those charged with governance, and the public need to know whether (1) management and officials manage government resources and use their authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; and (3) government services are provided effectively, efficiently, economically, ethically, and equitably.

But accountability can be hard to attribute to any one person in government. Because of the complexity of government and the vast array of services the government offers to its citizens, losses due to fraud, waste, and abuse in government are often absorbed into the complex bureaucracy, and no one is held accountable.

When my children were small, we visited my aunt in Jefferson County, Alabama. My aunt lives just outside of Birmingham, and she warned my children not to get in or touch the pretty lake on which she lives because it was contaminated. In 1993, Jefferson County, Alabama was prosecuted for contaminating local creeks with raw sewage.

To fix the contamination problem, the county issued bonds to finance water treatment facilities.  The project has been plagued with corruption and the county commissioner was jailed in 2010 for accepting bribes.

And to add insult to injury, an unscrupulous Florida investment banker talked the county into defeasing the bonds using a complicated swap.  Then the county suffered from low tax collections in 2008, and had to lay off 1400 workers.  For a time, it appeared that the county would go bankrupt and default on the bonds.

No one, including the state of Alabama, wants the county to go bankrupt! Birmingham is the state’s most vibrant city. A failure there would make Alabama look less appealing to investors and industry. So the initial $3 billion in bond debt was renegotiated and reduced to less than $1.4 billion.

Is anyone in government in jail for these poor decisions regarding the bonds? Did anyone responsible lose his or her job? And who ate the other $1.6 billion? These mysteries may never be solved because so many were involved in the decisions.[2] But the citizens of Jefferson County deserve better.


Fraud occurs in both corporations and governments. Government auditors have a higher purpose, and that is to protect the recipients of government programs and citizens from fraud, waste, and abuse of their resources.

When auditing for fraud in the government, you need to be aware that:

  • Victims of fraud in government are ultimately the individuals that government intends to help.
  • You should reduce your materiality level when auditing governments.
  • Citizens want and deserve government leaders to be held accountable (and for every penny) for fraudulent activities.

[1]“Fraud.” Online Merriam-Webster Dictionary. April 10, 2012.
[2]Matthew Bigg. “Alabama’s Jefferson county sees hope for debt deal.” Reuters[London]. April 9, 2010.

Expense Reimbursement Fraud Schemes

We are still working through the cash disbursement schemes mentioned in the fraud tree. For a picture of the fraud tree, see this link: Last time we discussed the categories of fraudulent disbursements, we covered payroll schemes and billing schemes. This time we will cover the third of the five schemes that the Certified Fraud Examiners classify as cash disbursement schemes: expense reimbursement schemes.


Go tell that long tongue liar,
Go and tell that midnight rider,
Tell the rambler, the gambler, the back biter,
Tell ’em that God’s gonna cut ’em down.
Run on for a long time
You can run, Lord, for a long time.
You can run, Lord, for a long time
But let me tell you God Almighty’s gonna cut you down.
Traditional folk song


Expense Reimbursement Schemes

Another way to falsely extract money from your employer is to make up fake or inflated business expenses.  Under this section of the tree, the Association of Certified Fraud Examiners lists four components:

  1. Mischaracterized expenses
  2. Overstated expenses
  3. Fictitious expenses
  4. Multiple reimbursements for expenses

Mischaracterized Expenses 

When I was in college, I worked as an accounts payable clerk at a high tech company for a summer.  One of my jobs was to review travel expense reports for compliance with corporate policy.

The company did not pay for movies in the hotel room – especially not adult movies.  Adult movies are more expensive, so I knew that one executive was being – shall we say ‘creative’ – with his entertainment charges.  The phone call was a little tense, “Your film is not allowable, sir…”

Robert Half International, a professional recruiting firm, asked 150 senior executives with some of the nation’s largest companies, “What is the most outrageous thing that an employee has tried to pass off as a work-related expense?”  It turns out creative employees have tried to expense tropical fish, traffic tickets, the cost of transporting a pet gerbil overseas, ‘lodging’ at a storage facility, expensive silk sheets and silverware, excursions to Europe and the Masters, health care coverage for a pet, and my personal favorite, divorce costs.  I can see the reasoning there: employers expect so much nowadays, they probably trigger most divorces in the US.[1]

Overstated Expenses

I enjoyed working with a Medicare audit group in 2008.  They were responsible for finding fraud, waste, and abuse in the Medicaid program.  That is quite an undertaking since so many people and so many systems are involved, and so many folks are in need. Doctors, hospitals, nurses, pharmacies, suppliers, patients, and families can be mighty creative in getting just that little extra from the federal government by overstating expenses.  Here is another executive summary from a GAO audit.

Medicare Fraud, Waste, and Abuse: Challenges and Strategies for Preventing Improper Payments[2]


GAO has designated Medicare as a high-risk program since 1990, in part because the program’s size and complexity make it vulnerable to fraud, waste, and abuse. Fraud represents intentional acts of deception with knowledge that the action or representation could result in an inappropriate gain, while abuse represents actions inconsistent with acceptable business or medical practices. Waste, which includes inaccurate payments for services, also occurs in the Medicare program. Fraud, waste, and abuse all can lead to improper payments, overpayments and underpayments that should not have been made or that were made in an incorrect amount. In 2009, the Centers for Medicare & Medicaid Services (CMS) – the agency that administers Medicare – estimated billions of dollars in improper payments in the Medicare program. This statement will focus on challenges facing CMS and selected key strategies that are particularly important to helping prevent fraud, waste, and abuse, and ultimately to reducing improper payments, including challenges that CMS continues to face. It is based on nine GAO products issued from September 2005 through March 2010 using a variety of methodologies, including analysis of claims, review of relevant policies and procedures, stakeholder interviews, and site visits. GAO received updated information from CMS in June 2010.

GAO has identified challenges and strategies in five key areas important in preventing fraud, waste, and abuse, and ultimately to reducing improper payments. GAO has made recommendations in these areas. CMS has made progress in some of these areas, and recent legislation may provide the agency with enhanced authority. However, CMS faces continuing challenges.

  1. Strengthening provider enrollment process and standards. Checking the background of providers at the time they apply to become Medicare providers is a crucial step to reduce the risk of enrolling providers intent on defrauding or abusing the program. In particular, GAO has recommended stricter scrutiny of providers identified as particularly vulnerable to improper payments to ensure they are legitimate businesses.
  2. Improving pre-payment review of claims. Pre-payment reviews of claims are essential to helping ensure that Medicare pays correctly the first time. GAO has recommended that CMS further enhance its ability to identify improper claims through additional automated pre-payment claim review before they are paid.
  3. Focusing post-payment claims review on most vulnerable areas. Post-payment reviews are critical to identifying payment errors and recouping overpayments. GAO has recommended that CMS better target claims for post payment review on the most vulnerable areas.
  4. Improving oversight of contractors. Because Medicare is administered by contractors, overseeing their activities to address fraud, waste, and abuse is critical. GAO found that CMS’s oversight of prescription drug plan sponsors’ compliance programs has been limited. However, partly in response to GAO’s recommendation, CMS oversight of these programs is expanding.
  5. Developing a robust process for addressing identified vulnerabilities. Having mechanisms in place to resolve vulnerabilities that lead to improper payment is vital to program management, but CMS has not developed a robust process to specifically address these. GAO has recommended that CMS establish an adequate process to ensure prompt resolution of identified improper payment vulnerabilities.

Here in Austin, the directors of an electric co-op, the Pedernales Electric Cooperative (of which I am a member), paid themselves ten times the salary of the nation’s second largest co-op! Board members were reimbursed for about $700,000 in expenses between 2002 and 2006 for everything from first-class airfare to top-tier hotel stays to costly purchases of meals, furniture and concert tickets, according to court records. All of these board members were, thankfully, removed in shame, but not before they lived the high life for a good long while.[3]

Fictitious Expenses

Yes, another Medicaid story!  The plethora of Medicaid stories shouldn’t be too surprising since over 20% of our federal budget is spent on Medicaid.[4]

The number one crime in Miami isn’t drug trafficking; it is Medicare fraud. A 60 Minutes investigation uncovered hundreds of tiny pharmacies and doctors’ offices in South Florida that weren’t staffed or open; some were really just storage facilities!

One fraudster shared with 60 Minutes how easy it is to set up a fake supplier or pharmacy and bill the feds using names and social security numbers of real patients. Hackers steal the names and social security numbers from legitimate doctors’ offices and pharmacies and sell them for up to $10 a name to these illegitimate ‘suppliers.’  One retired judge’s social security number was used to charge for a prosthetic right and left arm.  Only problem is, he still has both arms and they work just fine!

Medicaid auditors are understaffed and overwhelmed. And most scammers are able to operate without any trouble – quietly ripping off $20-40 thousand a day.[5]

An Aversion to IT Cost a New Zealand Company $1.7 Million!

A simple fraud, using Microsoft Excel templates to create the 350 bogus invoices, lasted six years and made Trevor Uialatea Esera richer by $1,758,193.  As the company’s IT manager, he was responsible for signing off expenditures, preparing the IT budget, and ordering equipment and computer software.

He created fake invoices from three companies. Two of the companies – Intergra Images and Software Plus – were bogus, and the third had no idea what he was doing. Court documents described the fake firms as “companies of his own invention.”

Esera’s bosses were oblivious to his fake invoicing because senior staff at Rinnai, a water heater manufacturer, had little or no experience in IT.[6]

Multiple Reimbursements for Expenses

Have you seen the website that lets you create fake receipts?  Just Google ‘fake receipts,’ and Google lists pages and pages of sites.  One of the sites is generic, but for a small fee you can upgrade to get better logos for well-known companies.  Here is an image of what you can create using one of these sites:

Looks pretty good, doesn’t it?

If you think you can get away with it, why not submit the same expense more than once! You’d score extra points for committing two frauds at once – a fake receipt and double payment on the same receipt. You overachiever you!

I receive ridiculous proposals and promises of riches every day via email. “Please let me introduce myself.  I am blah blah from X, Africa seeking to transfer funds to the United States.  I will share the proceeds with you, blah blah.”  A CPA in my class confessed that one of his elderly clients fell for this scam and lost $50,000 because he gave the scammers his bank account number.

I have heard of (but can’t tie down with a news story) scammers creating hundreds of fake invoices and sending them to every corporation they can find.  Even if only 2 out of a hundred pay, they still have something with which to buy that coveted wide-screen TV!

I can easily see this happening, because when I worked as an accounts payable clerk the summer of my junior year in college, one of my horribly boring tasks was to match up the vendors’ monthly statements to their invoices. It was hard to reconcile the two because the vendors would call complaining that we weren’t paying them in a timely manner and the accounts payable supervisor would often pay whatever was in front of her… It was a mess. Several times, we decided to pay whatever came in through the mail because we were getting so backed up. We wrote a check, crossed our fingers and hoped for the best.



[1] Robert Half International. Can You Expense a Tropical Fish?  What Workers Try to Put on the Company Dime. September 24, 2009.

[2] United States. Govt. Accountability Office. Medicare Fraud, Waste, and Abuse: Challenges and Strategies for Preventing Improper Payments. June 15, 2010. GAO-10-844T.

[3] Claudia Grisales. “Settlement Reached In Pedernales Co-Op Lawsuit.” Austin American Statesman. March 11, 2008.

[4] Policy Basics: Where Do Our Federal Tax Dollars Go? Center for Budget and Policy Priorities. April 14, 2010.

[5] Ira Rosen and Joel Bach. “Medicare Fraud: A $60 Billion Crime A.G. Holder Tells 60 Minutes More Oversight Is Needed; Scammer Explains How Easy It Is To Steal Millions.” Sixty Minutes. WCBS. October 25, 2009. Television.

[6] Kerry Williamson. “Bogus invoices got IT chief $1.75 million.” The Dominion Post [New Zealand]. December 12, 2009.

Fraudulent Disbursements – Billing Schemes and Payroll Schemes

More in the series on getting to know the fraud tree better. To get a better sense of where we are on the fraud tree and which branch we are talking about in this newsletter, please see the entire fraud tree at

Learn to do good;
seek justice, correct oppression;
bring justice to the fatherless,
plead the widow’s cause.
Isaiah 1:17

Misappropriating cash through fraudulent disbursements is a sizable portion of the fraud tree because there is a lot of room for creativity.  See an illustration of the fraud tree here:   In this newsletter, we will cover billing schemes & payroll schemes.  In future newsletters we will cover expense reimbursement schemes, check tampering, and register disbursements.  Five creative categories under fraudulent disbursements in all!

With fraudulent disbursements, the fraudster causes an organization to disburse funds through some trick or device such as submitting false invoices or forging checks.  The disbursement is often disguised as a legitimate business activity so that it can slide through the accounting system undetected by controls.

And with these sorts of schemes, the fraudster is usually caught when they get too bold or too greedy.  If they would just keep it small, they could supplement their income for decades!

Billing Schemes

Here the fraudster creates a valid looking bill and causes the organization to issue payment for the fraudster’s personal benefit. The Association of Certified Fraud Examiners classifies billing schemes into three categories:

  1. Shell companies
  2. Non-accomplice vendors
  3. Personal purchases

Shell Companies 

In this creative scenario, the fraudster creates a fake company that has a valid sounding name and then sends checks from the victim company to their fake, or shell, company.

In my hometown, LouAnne Aponte stole over $800,000 from a large not-for-profit, Family Connections, for which she was the executive director. For six years she forged a well-known local CPA firm’s name on audit reports to avoid questioning by auditors and to satisfy federal grant requirements.

In March 1993, Aponte formed a business named Excite and Challenge, and then paid Excite and Challenge from Family Connections funds.  She used the money to pay her mortgage for a home in a tony Austin neighborhood and bought herself a convertible Mercedes.

For a decade LouAnne Aponte also volunteered as the treasurer for the Texas Association of Child Care Resources and Referral Agencies.  Aponte was accused of stealing over $100,000 from that organization.

Aponte had a history of theft dating back to the 1980s when she stole about $60,000 from two employers. In 1987, she served only four months of a four-year prison sentence for her crimes. Unaware of Aponte’s past, the nonprofit Austin Families hired Aponte in 1990 when she was still on parole.

Having served only two and a half years of her 25-year sentence for the crimes against Family Connections, Aponte was up for parole in May 2013.[1]

Straw students are like shell companies, aren’t they?

Creating fake students has always been a popular scam when it comes to milking money out of student financial aid programs.  When you actually see students in a classroom in college environments, it is hard to keep a scammer from succeeding – but how do you verify online students?

Between 2006 and 2009, Trenda Halton defrauded Rio Salado College in Arizona of over half a million dollars. Having discovered how to defraud the registration system of Rio Salado College, Halton worked with four accomplices to create 136 “straw” students.

In her scheme, she recruited “straw” students who prepared and filed bogus admissions applications, financial aid applications, and Pell Grant applications in the students’ names. The financial-aid recipients received aid money after Rio Salado deducted tuition.

Halton’s cover was blown when a Rio Salado employee noticed that the applications all had the same handwriting and the students were enrolled in the same classes. In 2009, Halton was indicted with 64 other defendants and charged with offenses such as conspiracy, mail fraud, financial aid fraud, and making false statements in connection with financial aid.

Rio Salado’s small distance learning college was a prime digital target for Halton. Other colleges that have been victimized by online financial-aid fraudsters include the University of Phoenix’s Axia College, Michigan’s Lansing Community College, and Texas’ Dallas County Community College.[2]

Non-Accomplice Vendors

My small business has several names, and I have been married 15 times.  OK, OK, I have wed only twice.  But I have three last names!  And the bank will take any check from me using any of my last names or business names.

A banker in one of my classes told me that the bank doesn’t check endorsements or names on the check if the amount is under $10,000.  The volume of checks is just too high for them to watch.  Banks also put on the back of your bank statement that you have 60 days from the date of the statement to resolve any discrepancy, otherwise the bank is not responsible.

So imagine taking a valid vendor name – say ABC Pest Control – that your organization would spend money on and changing the address on the payment to your own PO Box.  And if you have already succeeded depositing checks under ABC Enterprises, the bank will take it. You will enjoy the money, and your organization probably won’t know the difference.

Personal Purchases

Whether personal purchases are considered fraud by an organization depends on the type of organization.  In the corporate environment, use of the company credit card to buy golf equipment while entertaining clients could be perfectly valid.

In government, we never entertain! OK, we seldom entertain, but governments would seldom find the purchase of golf equipment valid. Remember our discussion about what fraud is, what abuse is, and whether something is worthy of the attention of those in charge of governance? That applies to personal purchases, big time.

But HP wasn’t as lenient with their money as some other corporations. They ousted their CEO, Mark Hurd, in 2010 for expense report irregularities and for hiring a model/actress with whom he had a personal relationship to represent HP at trade shows for $5,000 to $10,000 a pop.[3]

Payroll Schemes

Another way employees can extract money from their employers using a false disbursement scheme is to make false claims for compensation.  The fraud tree is divided into four parts under payroll schemes:

  1. Ghost employees
  2. Commission schemes
  3. Workers compensation
  4. Falsified wages

Ghost Employees

In this scheme, the government is charged for employee wages for fake employees or, if you prefer, “phantom” employees.

Do you remember Paul Bremer? He was the administrator of the Coalition Provisional Authority (CPA), the transitional Iraqi government. In 2007, Bremer acknowledged to the House Committee on Oversight and Government Reform that during the 2003 to 2004 rebuilding of Iraq, for which he was responsible, America had paid nonexistent “ghost employees.”

Bremer suggested that the organization feared the consequences of stopping payments to determine who were truly employed. Those who were employed supplied the Iraqi ministries with security, and Bremer did not want to anger these 74,000 armed men.

The problem of the “ghost” employees was just one piece of the puzzle of the missing $8.8 billion that the CPA distributed to Iraqi ministries. Stuart Bowen, the Special Inspector General for Iraq Reconstruction, stated that the problem was not a major reason that so much money was unaccounted for. He blamed the lack of transparency for the missing funds.[4]

Commission Schemes


The Pyramid

Although I can’t imagine this happening in government, or that a commission/pyramid would be relevant in government, you may have personally been the victim of a pyramid scheme in your past.  In a pyramid scheme, the fraudster promises consumers or investors large profits if they can recruit others to join the program.  Some schemes purport to sell a product, but the product is really just a cover for the pyramid.

Victims of a pyramid scheme are often asked to inventory load – or buy stock inventory of a product in order to sell.  In this way, the company does make profit, and the folks on the top of the pyramid profit, but the front-line salesmen are stuck with a bunch of inventory they can’t sell!

Also beware of claims that the product is selling like hotcakes!  Who is buying the hotcakes: actual customers or just players in the pyramid?[5]

A few cautions about marketing ‘spin’!

I remember my mother buying a horrible car – a Ford Taurus – in the 90s because the dealer told her it was the best selling car in America.  Yes, it was, but only because Ford made incredible deals to get the rental car industry to buy beaucoup of them. Consumers hated the car and for good reason.  Ah, marketing spin wins again!

A well known vitamin company in the US is advertising that they are the first vitamin company to get clearance from an organization they say is an independent evaluator of vitamin quality.  Only problem is that the vitamin company founded, funds, and shares staff with this independent evaluator.

And it isn’t just creative Americans: Customer complaints against four of the United Kingdom’s largest energy firms led to an investigation of nPower, Scottish Power, Scottish and Southern Energy, and EDF Energy by the energy regulator Ofgem.

Many of the complaints were against door-to-door salespeople and telemarketers who were persuading customers to switch suppliers. Customers were given misleading information and quotes, which resulted in the customers being in worse positions than before switching suppliers.

Confirming the customer complaints, Ofgem’s 2008 investigation showed that changing firms at the persuasion of pushy door salespeople left almost half of gas customers and electricity customers worse off.

As of September 2010, energy regulators were considering fining suppliers a portion of their annual revenue if customer complaints proved true.[6]

A bit about the Ponzi

Although a Ponzi scheme is not specifically mentioned on the fraud tree, it is definitely worth talking about!  A Ponzi scheme is similar to a pyramid scheme, except there is no product to sell, and the schemer doesn’t pay a commission to salespeople to find new recruits. A Ponzi schemer uses the money from new recruits to pay existing members.

The most notorious Ponzi schemer of our day is Bernie Madoff, who defrauded investors out of $60 billion. Madoff paid investors significant returns using money he collected from new investors, which he never truly invested.

Enticing new investors by paying his investors more money allowed Madoff to keep the scheme rolling for about two, maybe three, decades. Madoff told investors that their investments were earning high returns and would give them large payouts to keep them onboard.

While he probably believed that his venture could last forever, it couldn’t withstand the decline of the stock market. In 2008, he could no longer keep up his lie. Investors weren’t paid on time because of his inability to yield sufficient cash out of his holdings.

On March 10, 2009, Bernie Madoff was charged with eleven felony charges including securities fraud, investment adviser fraud, mail fraud, wire fraud, three counts of money laundering, false statements, perjury, false filings with the United States Securities and Exchange Commission (“SEC”), and theft from an employee benefit plan.  On June 29, 2009, Madoff was sentenced to 150 years in prison.[7]

Workers Compensation

I like to work, don’t you? I like to get something done and create new things. But not everyone is motivated to create – some people think the world owes them a living, and false workers comp claims are an easy route to income without exertion.

It makes me very sad to see a video on 60 Minutes of a guy moving a piano who has been claiming workers comp for three years. Can you imagine being related to that guy? How could he, and you, stand it?

Here is an executive summary from a report by the GAO on fraudulent benefits:

Social Security Administration: Cases of Federal Employees and Transportation Drivers and Owners Who Fraudulently and/or Improperly Received SSA Benefits[8]


This testimony discusses the results of our investigation of the disability programs managed by the Social Security Administration (SSA). SSA administers two of the nation’s largest cash benefit programs for people with disabilities: the Disability Insurance (DI) program, which provides benefits to workers with disabilities and their family members, and the Supplemental Security Income (SSI) program, which provides income for aged, blind, or disabled people with limited income and resources.

In 2008, the DI program provided about $104 billion to some 9 million beneficiaries, and the SSI program provided about $38 billion in financial benefits to some 7.5 million recipients. Given the magnitude of these cash benefit payments, it is important for SSA to have effective fraud prevention controls in place to minimize fraudulent and improper payments.

This statement summarizes our most recent report, describing cases of federal workers, commercial drivers, and commercial vehicle company owners who fraudulently or improperly received disability benefits. The objectives of the investigation were to (1) determine whether federal employees and commercial vehicle drivers and company owners may be improperly receiving disability benefits and (2) develop case study examples of individuals who fraudulently and/or improperly received these benefits. In conducting this investigation, we compared DI and SSI benefit data to civilian payroll records of certain federal agencies and carrier/driver records from the Department of Transportation (DOT) and 12 selected states.

We found the following:

1) Thousands of federal employees, commercial drivers, and owners of commercial vehicle companies received Social Security disability benefits during fiscal year 2008, though we could not determine the extent to which beneficiaries improperly or fraudulently received payments. Because further investigation is required to determine whether these individuals are entitled to receive payments, our analysis provides only an indicator of potentially improper or fraudulent activity. Federal salary data from selected agencies for October 2006 through December 2008 show that about 1,500 federal employees may be improperly receiving payments. These employees were (1) DI beneficiaries who received federal salary above the earnings threshold for more than 12 months after the start date of their disabilities or (2) SSI recipients who received more than 2 months of federal salary above the maximum SSA earnings threshold for the SSI program after the start date of their disabilities. Based on their SSA benefit amounts, we estimate that these federal employees received about $1.7 million in benefits a month.

2) Based on our overall analysis above, we selected 20 nonrepresentative examples of federal employees, commercial drivers, and registrants of commercial vehicle companies who received disability payments fraudulently and/or improperly. The 20 cases were primarily selected based on our analysis of SSA electronic and paper files for the higher overpayment amounts, the types of employment, and the locations of employment, and thus they cannot be projected to other federal employees, commercial drivers, or commercial vehicle owners who received SSA disability payments. In each case, SSA’s internal controls did not prevent improper and fraudulent payments, and as a result, tens of thousands of dollars of overpayments were made to individuals for 18 of these 20 cases. For the 20 cases, our investigations found the following: (1) For five cases, we believe that there is sufficient evidence that the beneficiaries committed fraud to obtain or continue receiving Social Security disability payments by withholding employment information. (2) For 10 cases, SSA improperly increased the benefit amounts of the disability payments because the individuals had increases in the reported wages on which the disability benefit payments are based.

(3) Several individuals from our cases were placed in long-term, interest-free repayment plans for improperly accepting disability overpayments, even though SSA can charge interest. One individual’s $33,000 repayment plan was in $20 monthly installments–resulting in a repayment period of 130 years. For 10 cases, the individuals were continuing to receive disability benefits as of October 2009. For 18 of these 20 cases, the individuals also received $250 stimulus checks as part of the American Recovery and Reinvestment Act of 2009 (Recovery Act) while they were improperly receiving SSA disability payments. According to SSA officials, most of these individuals were entitled to and would have received the $250 stimulus checks even if SSA had properly suspended the disability payments to them. Specifically, SSA officials stated that beneficiaries covered under the DI program would have been covered under an extended period of eligibility (EPE), which is a 36-month period in which SSA does not pay any benefit amounts (i.e., payments are suspended) if the beneficiary has earnings above the substantial gainful activity (SGA) threshold. According to SSA officials, all working DI beneficiaries covered by an EPE received the $250 stimulus check.
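The data match described in the GAO summary above can be reproduced on a small scale. The following Python example is added here and is not GAO's code: the 12-month (DI) and 2-month (SSI) rules come from the excerpt, while the dollar thresholds, record layout, identifiers and sample rows are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# ASSUMED placeholder thresholds (gross salary per month, USD). The excerpt
# does not give the dollar amounts; substitute the program's published figures.
EARNINGS_THRESHOLD = {"DI": 1000.00, "SSI": 1500.00}
# From the excerpt: flag DI after MORE than 12 months over the threshold,
# SSI after MORE than 2 months.
MONTHS_ALLOWED = {"DI": 12, "SSI": 2}


@dataclass(frozen=True)
class Beneficiary:
    person_id: str          # identifier as held in the benefit file
    program: str            # "DI" or "SSI"
    disability_start: date
    monthly_benefit: float


@dataclass(frozen=True)
class PayrollRow:
    person_id: str          # identifier as held in the payroll file
    pay_month: date         # any day inside the pay month
    gross_salary: float


@dataclass(frozen=True)
class Indicator:
    person_id: str
    program: str
    months_over: int
    monthly_benefit: float


def normalize_id(raw):
    """Strip punctuation so '900-00-0003' and '900000003' match."""
    return "".join(ch for ch in raw if ch.isdigit())


def month_range(year, month, count):
    """Return `count` consecutive month-start dates beginning at year-month."""
    out = []
    for i in range(count):
        total = (month - 1) + i
        out.append(date(year + total // 12, total % 12 + 1, 1))
    return out


def find_indicators(beneficiaries, payroll):
    """Flag beneficiaries whose salary exceeds the rule for their program.

    A hit is only an indicator: entitlement still has to be checked by hand.
    """
    # Sum salary per person per month so split pay periods are not undercounted.
    salary = defaultdict(lambda: defaultdict(float))
    for row in payroll:
        salary[normalize_id(row.person_id)][row.pay_month.replace(day=1)] += row.gross_salary

    hits = []
    for b in beneficiaries:
        if b.program not in EARNINGS_THRESHOLD:
            raise ValueError(f"unknown program: {b.program}")
        pid = normalize_id(b.person_id)
        limit = EARNINGS_THRESHOLD[b.program]
        # Count only pay months that begin after the disability start date.
        over = [m for m, total in salary[pid].items()
                if m > b.disability_start and total > limit]
        if len(over) > MONTHS_ALLOWED[b.program]:
            hits.append(Indicator(pid, b.program, len(over), b.monthly_benefit))
    return hits


def monthly_exposure(indicators):
    """Benefits paid per month to flagged people (the basis of GAO's estimate)."""
    return sum(i.monthly_benefit for i in indicators)


# Constructed sample data; identifiers and amounts are fictitious.
SAMPLE_BENEFICIARIES = [
    Beneficiary("900-00-0001", "DI", date(2006, 10, 15), 1100.00),
    Beneficiary("900-00-0002", "DI", date(2006, 10, 15), 1100.00),
    Beneficiary("900-00-0003", "SSI", date(2007, 1, 1), 600.00),
    Beneficiary("900-00-0004", "SSI", date(2008, 6, 1), 600.00),
]
SAMPLE_PAYROLL = (
    [PayrollRow("900-00-0001", m, 3000.00) for m in month_range(2006, 11, 13)]   # 13 months over
    + [PayrollRow("900-00-0002", m, 3000.00) for m in month_range(2006, 11, 12)]  # exactly 12
    + [PayrollRow("900000003", m, 2000.00) for m in month_range(2007, 2, 3)]      # no dashes in ID
    + [PayrollRow("900-00-0004", m, 2000.00) for m in month_range(2008, 1, 5)]    # before onset
    + [PayrollRow("900-00-0004", m, 800.00) for m in month_range(2008, 7, 2)]     # two half-month
    + [PayrollRow("900-00-0004", m, 800.00) for m in month_range(2008, 7, 2)]     # rows per month
)

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_BENEFICIARIES, SAMPLE_PAYROLL):
        print(hit)
```

The second and fourth sample beneficiaries sit exactly on the 12-month and 2-month limits and are not flagged, which is the boundary the "more than" wording in the excerpt defines.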


Falsified Wages

Here is a report from the NY Attorney General regarding contractors who falsified employee wages:

Three Contractors Arrested For Underpaying Employees And Falsifying Business Records In Connection With New York City Housing Authority Construction Projects[9]

State Attorney General Spitzer and New York City Department of Investigation Commissioner Rose Gill Hearn today announced that three construction contractors were arraigned on felony and misdemeanor charges arising out of their falsification of records that made it appear that $367,000 in legally required prevailing wages were paid to 19 workers on New York City Housing Authority projects, when, in fact, such wages were not paid.

Mohammed Abdur Rashid, and his company Columbus General Construction Inc., and Tarcisio Ferreira and Harrison Jarvis, whose construction companies are now defunct, were charged with failure to pay wages, falsification of business records, false filings and perjury in connection with Housing Authority contracts at the Edgemere and Arverne Houses (Ocean Bay) located in Far Rockaway.

The defendants entered “not guilty” pleas in Queens County Criminal Court, and were ordered to return to court on October 15, 2003.

“The message is clear: falsifying records and failing to pay the prevailing wages on a public work project are serious violations of the law. Contractors who engage in such tactics can expect criminal sanctions,” Spitzer said.

“These contractors unjustly chose to enrich themselves rather than pay employees their rightful wages. DOI will not tolerate this type of fraud or other acts of dishonesty and will investigate them with vigor. Upon recovering any improprieties, DOI will seek to prevent the company in question from obtaining future contracts with the City,” said Commissioner Gill Hearn.

The joint investigation by the Attorney General’s office and the Department of Investigation’s Office of the Inspector General for the Housing Authority revealed that between July 2, 2001 and December 31, 2002, Rashid, Ferreira, Jarvis, and their respective companies employed nineteen workers at the Edgemere and Arverne Houses. The work was subject to federal and state prevailing wage laws, which dictate the hourly rates that must be paid to employees working on public projects. In each case, the defendants are alleged to have failed to pay workers prevailing wages, and attempted to conceal their wrongdoing by filing false payroll showing that their employees were paid properly. The workers received between $70 to (sic) $110 per day instead of up to $48.53 per hour, which they were entitled to by law.

The Attorney General is also seeking restitution for the underpayment of wages to employees, which totals more than $367,000.

As a result of the continuing cooperation between the OAG and DOI, over one million dollars in wage restitution orders have already been obtained this year. 

Next time… more on fraudulent disbursement schemes including expense reimbursement schemes.

[1] Andrea Ball. “Woman who stole from nonprofit up for parole two years into 25-year sentence.” Austin American Statesman. May 14, 2013.

[2] Marc Parry. “Online Scheme Highlights Fears About Distance-Education Fraud.” The Chronicle of Higher Education. January 13, 2010.

[3] Ben Worthen and Joann S. Lublin. “Mark Hurd Neglected to Follow H-P Code.” Wall Street Journal. August 8, 2010.

[4] Melinda Henneberger. “Bremer paid ‘Ghost Employees’ to avoid ‘Real Trouble.’” Huffington Post. February 6, 2007.

[5] Debra A. Valentine.  Prepared statement. “What is a Pyramid Scheme and What is Legitimate Marketing?” International Monetary Fund’s Seminar On Current Legal Issues Affecting Central Banks. Washington, D.C. May 13, 1998.

[6] Tim Webb. “Ofgem investigates doorstep gas and electricity sales agents.” The Guardian [UK]. Web. September 2, 2010.

[7] New York State. Department of Justice. United States v. Bernard L. Madoff and Related Cases. FBI, August 5, 2009.

[8] United States. Govt. Accountability Office. Social Security Administration: Cases of Federal Employees and Transportation Drivers and Owners Who Fraudulently and/or Improperly Received SSA Benefits.  August 4, 2010.

[9] New York. Office of the Attorney General. Three Contractors Arrested For Underpaying Employees And Falsifying Business Records In Connection With New York City Housing Authority Construction Projects. Media Center. September 2003.

Misappropriation of Cash: Larceny & Skimming

More in the series on getting to know the fraud tree better.  To get a better sense of where we are on the fraud tree and which branch we are talking about in this newsletter,  please see the entire fraud tree at


  • Differentiate between skimming schemes
  • Differentiate between schemes to misappropriate cash

“I was a guy sitting in a courtroom making $100 million a year, and I think a juror sitting there just would have to say, ‘All that money? He must have done something wrong.’ I think … it’s as simple as that,”
On 60 Minutes: Dennis Kozlowski, CEO of Tyco,
who was convicted of misappropriating more than $400m

Of the three main branches of the fraud tree (corruption, asset misappropriation, and fraudulent statements), asset misappropriation has the largest number of categories or sub-branches.   Please notice that assets include not only cash (my favorite asset!) but also inventory and equipment, which will be covered in a later chapter. Let’s begin with the beautiful green stuff.

Cash can be taken from an organization at one of three moments:
1.    When the cash is received,
2.    When cash is hanging around ‘on hand,’ and
3.    When the cash is disbursed.

You will often hear about the theft of cash using two terms: larceny and skimming. The difference is in the timing: larceny is the theft of cash that the organization has already accounted for, and skimming is the stealing of money before the organization has the opportunity to account for it.

A third way to take cash is through fraudulent disbursements. Because of the multitude of ways to take money in this manner, we will cover fraudulent disbursements in a later chapter.


When someone commits cash larceny, the fraudster steals cash from an organization after it has been recorded on the organization’s books and records.

Of Cash on Hand 

Larceny of cash occurs at cash registers or other cash collection points, the mailroom, or from deposits in transit.

One of my clients, a large hospital, instructs its medical clinic clerks to take their cash proceeds to the bank each day before they go home. So, nearly a dozen clerks board a downtown bus with a bag of cash and take it to the bank!  What an opportunity for larceny!

Cash larceny is detectable if the accounting records are properly maintained and analyzed and will become apparent during cash register or bank account reconciliations.

From the Deposit 

I found several juicy examples of seemingly harmless government clerks quietly taking thousands…

Courthouse accounting clerk steals $12,000 a week
Marie Morey, a 38-year-old single mother of two, worked in the probation department of a Massachusetts court. She employed a host of complex accounting maneuvers to pocket some $12,000 a week for three years and left amid sharp questioning from suspicious auditors.

Morey, the only person in the department authorized to change entries in the court’s accounting system, used her position to manipulate the records and bank deposits to cover her tracks.

Morey is also accused of pilfering courthouse fees paid in cash and then submitting falsified money orders to mask the theft. It is believed that she pocketed cash and substituted money orders to make it look like the proper amount of money was deposited.[1]

Mayor’s assistant colludes with payroll clerk to steal $370,000

Dorothy Triplett, a payroll clerk in Washington Park Village, Illinois, was sentenced to 18 months in prison for stealing over $143,000 and colluding with the mayor’s assistant to steal $370,000. Triplett had access to the village’s financial information. Court documents show that money was transferred to various accounts under Triplett’s name several times a month, and sometimes up to three times a day. The transfers ranged from $200 to $5,825.98.[2]

Have you heard about the administrators of Bell, California, who fraudulently collected excessive taxes from citizens and then awarded themselves huge bonuses and raises? Here is an excerpt from a report by the State of California Controller[3]:


The City of Bell is located in Los Angeles County, California. The population was 36,664 in the 2000 census. At 2.5 square miles, it is 13th among the 25 geographically smallest cities in the United States with a population of at least 25,000.

City residents voted to become a charter city in a special municipal election on November 29, 2005. Fewer than 400 residents, representing approximately 1.1% of the city’s total population, turned out for the special election. The charter provided more autonomy to city management and exempted the city from needing to follow state contracting procedures or complying with a state law that limits council members’ salaries.

News media reports in July 2010 revealed that some City of Bell administrators and council members were receiving disproportionately high salaries.

Many Bell citizens became outraged and called for the suspension of the salaries of these officials, and later, the resignation of several council and staff members. On July 23, 2010, some administrative officers resigned their positions with the city, while the mayor and the city council continued to govern the city until September 21, 2010, when the mayor and three of four Bell City Council members were indicted on felony charges.

On July 24, 2010, the Bell City Council hired Pedro Carrillo, a partner of Urban & Associates, Inc., as the Interim CAO. The newly-appointed interim CAO requested that the SCO audit the City of Bell. In response to this request, the SCO agreed to perform a series of audits including one to review the expenditures of state and federal funding the city received.

For accountability and transparency, it should be noted that the issues identified in this audit report also exist in payments made to the interim CAO’s firm, Urban & Associates, Inc. From August 25, 2008, to June 28, 2010, the city made payments totaling $222,000 to Urban & Associates, Inc. based on approval by the former CAO. Despite making repeated requests, neither city staff nor the interim CAO could provide the SCO auditors with a valid contract to identify the scope of services to be performed by Urban & Associates, Inc. and conditions and terms of payment. We reviewed Bell City Council minutes and city resolutions and found no evidence suggesting that the Bell City Council had approved a contract for Urban & Associates, Inc.


Under the former CAO, the City of Bell management ignored and circumvented internal controls and the Bell City Council failed to exercise proper oversight governing the city’s procurement activities. For the period of July 1, 2008, through August 31, 2010, the City of Bell reported total state and federal expenditures (excluding Fund 04–Gas Tax Fund) for contracts and purchases in the amount of $2,356,018. Of this amount, we reviewed $1,944,085 (82.52%) and determined that $710,459 was questionable. The questioned amount represents 36.54% of the total amount reviewed. We question the payments because they were made without a valid contract or outside the scope of the contract. In addition, none of the goods or services was procured through competitive bids.

In previously issued SCO reports, we found evidence suggesting that the former CAO may have used public funds for personal gain. The fact that the former CAO was able to select vendors without proper approval and without competitive bid raises serious questions about possible conflicts of interest, favoritism, and other improprieties.


In a skimming fraud, cash is stolen from an organization before it is recorded on the organization’s books and records. So skimming must take place as the cash is received before the accounting system captures it.

Skimming is an off-the-books type of fraud, as it is never recorded. Obviously, skimming is more difficult to detect than larceny because there is no direct audit trail. Employees who deal directly with customers and handle customer payments often have an opportunity to skim.

The skimming section of the fraud tree has three categories:

1.    Skimming from sales
2.    Skimming from receivables
3.    Skimming from refunds

Skimming from Sales 

Cash businesses are more prone to skimming than businesses paid by check, credit card, or electronic transfers. But businesses receiving checks can be affected by skimming as well; checks that are stolen can be deposited in false company accounts that have a similar name but belong to the thief, not the company.

Under skimming from sales, the tree is further divided into:

1.    Skimming from unrecorded sales: the fraudster puts cash into their pocket and does not properly ring up the sale.
2.    Skimming by understating sales: the customer pays full price, and then the fraudster enters a discounted sale in the accounting records.

Unrecorded Sales

In this scenario, a sale never makes it into the books at all, as opposed to an understated sale, where the sale is recorded, just not at full price.

One summer when I was in college I worked in an art gallery in Houston.  My mother was one of a handful of salesmen, and I helped with inventory, data entry, filing, and accounts payable. The owners of the gallery were siblings, although the sister owned the majority interest and reminded her brother of this frequently!  He was, as you can imagine, a disgruntled partner.

Many pieces of art, mostly lithographs, oils, and prints, were let on ‘consignment’ to designers who would show them to their clients but keep them for as long as they needed. Some pieces of art never came back as some designers disappeared or moved without returning the art.  And some of the art got damaged during framing or transport.  The brother had a half-baked system for tracking this inventory. Of course, he benefited from this poor excuse of a system; he pocketed cash sales while his sister wasn’t looking.

One of our customers was a gentleman who worked for Chili’s, which was growing fast and building restaurants throughout the southwest.  This man’s job was to find art and other weird appropriate artifacts to populate the walls of the restaurants. He purchased in cash hundreds of southwestern prints from the gallery.  The brother pocketed the cash, and that was the last anyone said about it.  I was only 19, but that didn’t look kosher!

One day, I got bored and needed to get up from my desk, so I took it upon myself to straighten out the inventory, put new plastic sleeves and backing on some pieces, and alphabetically organize the art.  I wanted a record of what they had, once and for all! The brother didn’t like that!  He found me something else to do in the framing department until my tenure was over.

Not the lunch lady in the hair net!
Even sweet old lunch ladies can be tempted to skim.  The former bookkeeper of the Concord School District in New Hampshire stole between $300 and $400 from the lunch program every day for seven years. By the time she was indicted she’d stolen $418,876!  That is a lot of milk!

During the bookkeeper’s nine years with the school lunch program, she was responsible for counting the roughly $5,000 students spent each day in the district’s cafeterias. She was the only district employee who handled deposit slips.   4

A little vending machine money can go a long way!
During his four years as manager of a recreation center in Michigan, Scott Muir kept the profits from the two vending machines at the center.  He initially forwarded the profits to the city treasurer’s office a few times, but then stopped because no one was double-checking his work.  He embezzled $40,000 before he was caught.  5

$300,000 from utility payments
A former cashier with Colorado Springs Utilities pleaded guilty to stealing more than $300,000 over a nearly four-year period.  Donna Inzer, 69, took money from utility payments and then altered the daily balances so the thefts wouldn’t be detected when deposits were made.   6

And taking money from children… Shame, shame, shame!
William Snyder, 48, and Kevin Beaver, 43, formed REMAX Classic in 2005 and collected donations for the Children’s Miracle Network. They continued to collect donations from 2006 to 2009 but didn’t give the money to the charity. When the theft was discovered in late 2009, they gave $52,000 to the charity. The men were accused of stealing from charity, people with disabilities, a bank, a school and the tobacco tax fund. Beaver pleaded guilty to theft and was sentenced to five years of probation. 7

Bogus charity
That case reminds me of an ex-brother-in-law who set up gum and candy machines in gas stations and mechanic’s garages that had a big sign at the top saying that the money was going to a bogus charity that sounded very much like a true, well known charity – the title of the charity was just off by one word!  And my ex-brother-in-law, who had a problem with cocaine, collected and pocketed the money and had the audacity to brag about it at a Passover dinner!  Amazing.  Drugs do indeed make you crazy.

Understated Sales

While most skimming is done via unrecorded sales, it can also be done via under-recorded sales. A skimmer sells 10 widgets at $100 each, but records 8 at $100 each and pockets the $200. Or he could record 10 sold, but at $80 each, and achieve the same result.

Scale manipulation
A scale house operator figured out how to manipulate scales at a paper mill and share the proceeds with truck drivers. Aaron Freeman, an employee of Temple-Inland in Rome, Georgia manipulated the scale house computer system to produce two weight readings when a single truck passed through the paper mill’s scale: a reading for the weight of the timber actually delivered, and a second reading for a phantom load.  Freeman then recruited drivers to take credit for the phantom loads, and the drivers shared their $4.8 million in payments with Freeman.  8

Skimming from Receivables 

Skimming doesn’t only happen in face-to-face sales situations. It can also occur in the mailroom.  If the fraudster is creative, he can figure out a way to deposit checks intended to cover receivables.

One $27,000 check triggers 14th arrest
Lisa Michelle Darden stole a Georgia Department of Revenue check while working in the state-processing center, which handles tax refunds, returns, and payments.

Investigators said they found that she had a lengthy criminal record and should never have been working there in the first place.  Investigative TV reporter, Jodie Fleisher, found that she had been arrested more than a dozen times in the past 15 years.  The Department did not conduct a background check as she was brought in by a temp agency. 9

Under receivables skimming, you will find two categories on the tree: write-off schemes and lapping.

Write-off Schemes

VanDyke Walker, an accounts receivable specialist for the Hartsfield-Jackson International Airport in Atlanta, embezzled at least $235,000 of city revenue over a six-year period. Walker was responsible for receiving $40 to $50 payments for badges, fingerprinting, and vehicle permits collected by the security division from employees who need access to the airport. The findings came after an internal audit started in March 2009 found “numerous irregularities.”  Walker threw away his copy of reconciliation reports and rewrote them in order to facilitate the scheme. 10

Lapping Schemes

Lapping is a complicated ongoing fraud usually perpetrated by an employee who has custody of cash and check payments plus responsibility for accounts receivable recordkeeping. The fraudster receives a payment to a legitimate customer’s account receivable and pockets it for himself. To cover this up, the fraudster replaces the stolen amount at a later date using receipts from another customer. This is repeated over and over and over again.

Former Hospital Secretary Indicted in Connection with Allegedly Stealing Over $200,000 in Check-Lapping Scheme 11

A former administrative assistant at Beverly Hospital has been indicted in connection with stealing hundreds of thousands of dollars from Sodexo, Inc., a hospital vendor, in a scheme where she took cash from the hospital’s cafeteria and other sources and fraudulently changed accounting system entries to cover her theft, Attorney General Martha Coakley’s office announced today.

Diane Thistle, age 63, of Beverly, was indicted by an Essex County Grand Jury on charges of Larceny over $250 and Making False Entries in Corporate Books.

In April 2010, the Attorney General’s Office began an investigation into Thistle’s alleged activities after the matter had been referred by Beverly Hospital and one of the hospital’s vendors, Sodexo, Inc. Thistle was an administrative assistant at Beverly Hospital for over 14 years, and one of her duties was to oversee the processing of checks and cash generated by the food services division. She was supposed to collect cash that came in from the cafeteria and checks that came in from catering jobs. In the spring of 2009, the hospital decided to stop using Sodexo to manage its food services and the two parties began the process of settling their account. Sodexo’s records showed that invoices to the hospital totaling hundreds of thousands of dollars remained open. The hospital’s records, however, showed that those invoices had been paid in full. After this discovery, Sodexo immediately initiated an audit of the account.

Authorities allege that Thistle stole money from the account using a “check-lapping” scheme. Investigators discovered that Thistle allegedly stole cash that came to her from the cafeteria revenue and then replaced the stolen cash with older checks that the hospital intended as payment for catering. When the amounts did not perfectly match, Thistle would insert her own personal checks into the deposit to balance the amounts. When the hospital paid Sodexo, Thistle received the check and arranged for its deposit into the vendor’s food services bank account. Thistle would then access Sodexo’s cafeteria records and fraudulently change the entry for that day’s cash intake. She allegedly entered a new amount that equaled the catering invoice. Thistle would then pocket some or all of the cafeteria cash, but deposit the hospital’s catering check as if it were the cafeteria cash.

As a result, Beverly Hospital’s records would show it had paid its catering bill, while Sodexo’s records would falsely show that the deposit was for cafeteria revenue. At some later point, Thistle would pay the open catering invoice with an older catering check from the hospital, and use her own personal checks to balance the amounts if necessary.  Authorities allege that between 2005 and 2009, Thistle stole over $200,000 from Sodexo and used those funds for her own personal use.

An Essex County Grand Jury returned indictments against Thistle yesterday.  She is scheduled to be arraigned in Essex Superior Court in Salem on July 22, 2010.

The case is being prosecuted by Assistant Attorneys General Marc Jones and David Waterfall, both of Attorney General Coakley’s Corruption and Fraud Division, and was investigated by financial investigators Davin Lee and Jessie Dean and members of the Massachusetts State Police.  Beverly Hospital and Sodexo, Inc. cooperated fully with the Attorney General’s investigation.
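The lapping pattern described above leaves two traces an auditor can test for: a check from one payer credited to a different customer's account, and old checks held back and deposited late. The following Python sketch is an added example, not part of the original text or the press release; the record layouts, names, sample data, and the 30-day threshold are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DepositItem:
    """One check as listed on the bank's deposit detail (assumed layout)."""
    check_no: str
    payer: str
    check_date: date
    deposit_date: date
    amount_cents: int


@dataclass(frozen=True)
class Posting:
    """One credit in the receivables ledger (assumed layout)."""
    check_no: str
    customer: str
    amount_cents: int


def lapping_flags(deposits, postings, max_check_age_days=30):
    """Return sorted (check_no, reason) pairs that deserve follow-up."""
    by_check = {d.check_no: d for d in deposits}
    flags = []
    for p in postings:
        item = by_check.get(p.check_no)
        if item is None:
            # A credit with nothing behind it at the bank.
            flags.append((p.check_no, "credit posted, no matching deposit"))
            continue
        # Core lapping trace: customer B's check applied to customer A.
        if item.payer.strip().lower() != p.customer.strip().lower():
            flags.append((p.check_no, "payer differs from customer credited"))
        if item.amount_cents != p.amount_cents:
            flags.append((p.check_no, "amount differs from deposit"))
        # Older checks substituted into a later deposit.
        age = (item.deposit_date - item.check_date).days
        if age > max_check_age_days:
            flags.append((p.check_no, "stale check held before deposit"))
    posted = {p.check_no for p in postings}
    for d in deposits:
        if d.check_no not in posted:
            flags.append((d.check_no, "deposited, never posted"))
    return sorted(flags)


# Constructed sample data: Alpha's own payment was taken, so Beta's check
# covers Alpha's account and Gamma's check then covers Beta's.
DEPOSITS = [
    DepositItem("202", "Beta Co", date(2024, 3, 8), date(2024, 3, 10), 50000),
    DepositItem("303", "Gamma LLC", date(2024, 3, 15), date(2024, 3, 17), 50000),
    DepositItem("404", "Delta Inc", date(2024, 3, 18), date(2024, 3, 19), 12500),
    DepositItem("505", "Epsilon Ltd", date(2024, 1, 5), date(2024, 3, 20), 8000),
]
POSTINGS = [
    Posting("202", "Alpha Corp", 50000),
    Posting("303", "Beta Co", 50000),
    Posting("404", "Delta Inc", 12500),
    Posting("505", "Epsilon Ltd", 8000),
]

if __name__ == "__main__":
    for check_no, reason in lapping_flags(DEPOSITS, POSTINGS):
        print(check_no, reason)
```

The test depends on deposit detail obtained directly from the bank, since records kept by the person who handles the receipts are the ones a lapper alters.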


Unfortunately, I haven’t found a true-life example of skimming from refunds. But when the register is open to give a customer a refund, the fraudster can alter the records and take a little cash. Where there is a will, there is a way! If you have a story, please share it with me at

1 Peter Schworm and John Ellement. “Clerk held in sophisticated $2m theft.” The Boston Globe. December 4, 2009.

2 KSDK. “Former Washington Park payroll clerk sentenced to prison for theft from village.” Web. March 20, 2009.

3 John Chiang. State of California. Office of the Controller. City of Bell Audit Report: State and Federal Expenditures: July 1, 2008 through August 31, 2010. Report. Press Release. November 2010.

4 Meg Heckman. “Lunch money embezzlement to end in deal.” Concord Monitor. September 16, 2008.

5 Francesca Chilargi. “Former city manager take plea deal in skimming scheme.” The News Herald [Southgate, MI]. August 27, 2009.

6 Associated Press. “Former Springs utilities cashier admits embezzlement.” Web. May 8, 2008.

7 Donna J. Miller. “Men accused of stealing from charity, people with disabilities, a bank, a school and the tobacco tax fund: Court Watch.” Web. December 14, 2010.

8 Georgia State. Department of Justice. Final Three Defendants Sentenced to Federal Prison for “Phantom” Timber Scheme. Web. February 2011.

9 Jodie Fleisher. “Woman Accused Of Stealing $27K Check.” [Atlanta]. Web. January 20, 2010.

10 “Airport worker accused of theft. Report says man stole $235,000 of city funds over six years.” Atlanta Journal Constitution. A11. September 3, 2009.

11 Commonwealth of Massachusetts. Attorney General’s Office. Former Hospital Secretary Indicted in Connection with Allegedly Stealing Over $200,000 in Check-Lapping Scheme. Coakley, Martha. Press release. Salem: Commonwealth of Massachusetts. July 1, 2010.

Fraud Risk per the GAO’s Green Book

Just because you’re unaware of the risk, doesn’t mean it isn’t there

Just because you aren’t conscious of something dangerous, doesn’t mean it isn’t lurking.   One of the most important themes of the GAO’s Green Book (and the 2013 COSO model it is sourced from) is consciousness.  Instead of just playing along with the crowd without regard to the risk, the Green Book encourages you to become conscious of risk, imagine the worst, and then plan to prevent it.

Do you think that people in the 1940’s had a sneaking suspicion that smoking was unhealthy?  Or do you think their desire to be glamorous like all those smoldering (forgive the pun) Hollywood movie stars overrode their common sense?

And in the 70’s my mom and dad slathered themselves with olive oil and lay in the sun to get a reddish brown ‘tan’.  Coppertone products promised to magnify the power of the sun.  Now my dad gets skin cancer removed from his face, arms, and hands every six months or so.

Everybody went nuts buying non-stick cookware in the 80’s only to find out that the Teflon emits dangerous gasses into your food when heated.  In the 90’s we all started drinking bottled water with no concern for the environmental impact, and in the 2000’s we went ‘wireless’ and may be exposing our brains to harmful radio waves.  Lately, we all have to concede that if we transact with the world at all, our personal data is out there and available to criminals in Russia.

I am thinking of that classic parental line here, “If your crazy friend Carl jumped off a bridge, would you do it too?”  Going along with the crowd can be dangerous.

Sometimes you can pre-empt negative consequences

It is all very nice to look back in hindsight and realize that you shouldn’t have followed the crowd and jumped off that bridge.  But sometimes, you can work ahead of a problem to prevent bad results.

For instance, I opened a new business account at a bank recently.  And I know that it is dangerous to give my bank account number to folks who are making deposits into my account and/or who have the power to withdraw money from my account.  But I put the risk out of my mind because I didn’t think I could do anything about it.

Hand me the Coppertone, I’ll play along!  My thinking was, “That’s how business is done and I want to play.”

But my new bank has thought about this risk and offered me not one, but two checking accounts.  I can share one checking account number with vendors and customers who are coming in and out of my account and the other account – where the bulk of my money is – is accessible and known only to me and my bookkeeper.  Nice.

Fraud is real but it isn’t entirely unavoidable

The Certified Fraud Examiners estimate that 5% of an organization’s annual revenue is lost to fraud.

And although the Certified Fraud Examiners don’t say it outright, they are implying that most organizations suffer fraud.   If an organization grows to over 100 employees, someone is probably doing something squirrely.

I spent a year writing a self-study book on Fraud for Government Auditors.  Unfortunately, I wrote it in 2008 as our economy was crashing.   As I wrote, I became hyper-aware of bad behavior and fraud everywhere I went.  It was exhausting and disheartening to see fraud every time I left the house or read the news, so 8 years later, I have turned the consciousness dial down quite a bit and become mostly numb to it once more. There is only so much moral outrage you can muster day after day after day.

The Green Book asks the leaders of the organization to think about fraud before it happens.  It is asking them, for at least a few days while they prepare a risk assessment, to muster some moral outrage before the organization actually suffers fraud so that they can plan around it, just like my new bank.

Fraud risk specifically

So in our last chapter, we discussed inherent risk in general and how the Green Book encourages us to think about the risk of death, injury, shame, loss of money or non-achievement of goals.

Now, we are going to focus on fraud risk specifically.  Fraud can cause injury, shame, loss of money, or non-achievement of goals.  But occupational fraud, the fraud discussed in the Green Book, is not likely to cause death.

The GAO dedicates a good portion of the chapter in the Green Book on risk assessment to assessing fraud risk.

Principle 8 states: 8.01: Management should consider the potential for fraud when identifying, analyzing, and responding to risks. 

Luckily, the GAO’s Green Book doesn’t stop there, but instead shares several models that will help us be more conscious of fraud as we are assessing fraud risk: the fraud tree and the fraud triangle. We are going to discuss each in turn.

Like a good spiritual guide, the fraud tree and fraud triangle enhance consciousness

Both the fraud tree and the fraud triangle have helped me see fraud where I didn’t see it before.  And once your consciousness has been raised, you see new things everywhere.

You may have experienced this with your car.  I am the happy owner of a plain white Lexus sedan.  Before I owned a Lexus, I was oblivious to how many were on the road. Now I see them everywhere.  You remember that weird movie called The Sixth Sense… where the lead declares “I see dead people!”?  I see Lexi.

A broad overview of the fraud tree

As a supplement to this article, I am also going to publish a series of chapters from my book on fraud so you can get to know the fraud tree in more detail.  Be looking for those over the next few weeks. But in this short article, we are just going to do a broad overview of the fraud tree.

So don’t read any of those newsletters or read the rest of this newsletter unless you want to see fraud everywhere.


A fraud investigator once told me, fraud is lyin’, cheat’n, and steal’n.  But the Certified Fraud Examiners are more formal about classifying fraud and use much better grammar.  The Certified Fraud Examiners came up with a whole taxonomy of occupational fraud which they dubbed the ‘fraud tree.’  If you are having a hard time reading the graphic below, visit the Certified Fraud Examiners page at for a clearer graphic.

Fraud Tree

The fraud tree divides fraud into three categories:

  • Corruption
  • Misappropriation of assets
  • Fraudulent reporting

Corruption includes bribery and extortion – which are flip sides of the same coin.  When a person without power pays a person in power for a favor, it is a bribe. When a person in power demands payment from someone who needs a favor, it is extortion.

A contractor with a Texas county told me that he and all of the other contractors knew that in order to win contracts, they would have to give expensive gifts to the county purchaser. Whenever requests for proposals were discussed with contractors, the purchaser would mention things he needed for his house – like a new grill or a lawnmower.  The contractors knew that whoever was first to buy the grill or lawnmower would win the contract. Eventually, the purchaser’s requests became more extravagant and frequent. The contractors had to take turns bidding on contracts, so they could distribute the extra expense more evenly among them.

Corruption also includes illegal gratuities.  An illegal gratuity is when you reward or pay someone in advance in hope of future favor. This is the way the US Congress works. Corporations and lobbyists support campaigns and slather favors on Congressmen in hopes that the Congressman’s decisions on future legislation will be favorable to them.

The last category in corruption is conflict of interest.  This is a wide category of bad behaviors where favors are granted to friends and family.  My friend has recently been elected treasurer of her homeowner’s association.  She has already found out that the chairman of the board is awarding work to companies that his daughters own.  My friend suspects, but cannot prove yet, that the chairman owns the companies and that the daughters are owners on paper only.

The second branch of the tree is misappropriation of assets. Misappropriation of assets is when cash or other assets of the organization are stolen or misused.  Notice that the fraud tree has two main branches under misappropriation of assets – 1. cash and 2. inventory and other assets.


Cash can be stolen in three ways; cash can be taken after it has been captured in the accounting records (larceny), or before it hits the accounting records (skimming), or it can be disbursed in what looks like legitimate transactions for illegitimate purposes, like payments to fake (ghost) employees or fake (shell) companies.  As you can tell from the tree, cash misappropriation includes a wide variety of creative categories for fraudsters to choose from.

Other assets, like inventory and fixed assets can be stolen or misused.  The mail clerk in a state agency I worked for was using the state’s van on weekends to deliver pizzas!

And the last category is fraudulent statements.  We are all aware of the infamous financial statement fraud scandals at Enron and WorldCom that wreaked havoc on our national economy.  But we might not be as well acquainted with non-financial statement fraud.  A false claim or statement for personal gain falls into this category.  Fifty-eight percent of hiring managers said they’ve caught a lie on a resume per a Career Builder Survey concluded in 2014.  And many governments use performance measures to convince grantors and the citizenry that they are doing a good job handling public resources. But as you can imagine, sometimes these performance measures are altered, manipulated, or even completely made up.

One of my favorite stories about fraudulent performance measures is about the Public Works Department in the City of San Diego. Their Public Works Department said they filled potholes within a week, when the truth is most potholes took months to repair.  When asked about the discrepancy, the Public Works Department said that their definition of repaired does not meet most people’s definition of repaired.  Tricky?  Yes.  Fraudulent?  I’d say so because the managers in the Public Works Department benefited from exaggerating the Department’s effectiveness.  See the amusing article about this fraud here:

When I audited performance measures at a state department of criminal justice (the state prison system), I found that most measures were pulled directly out of the sky.  They were estimates that made the department look good, not measures of real results.

If you were reading closely, you might have noticed a small difference in wording

I don’t really know why the GAO and the COSO model chose to leave out non-financial statement fraud from their literature, but they did.  Here is the quote referring to the fraud tree in the Green Book:

Green Book 8.02 Management considers the types of fraud that can occur within the entity to provide a basis for identifying fraud risks.  Types of fraud are as follows:

  • Fraudulent financial reporting – Intentional misstatements or omissions of amounts or disclosures in financial statements to deceive financial statement users. This could include intentional alteration of accounting records, misrepresentation of transactions, or intentional misapplication of accounting principles.
  • Misappropriation of assets – Theft of an entity’s assets. This could include theft of property, embezzlement of receipts, or fraudulent payments.
  • Corruption – Bribery and other illegal acts.

See how the Green Book doesn’t talk about fraudulent statements in general but fraudulent financial statements only.

If you are an aficionado of SAS 99 (now AU 316), the AICPA’s guidance on an auditor’s responsibility for detecting fraud, you may recognize that the AICPA focuses their discussion of fraud on fraudulent financial statement reporting only.  This makes sense because the AICPA is clear about its audit objective – to opine on whether the financial statements are created in accordance with an accounting standard (usually GAAP).  But the Green Book – because it covers an entire organization, should include all components of the fraud tree.

If you know the reason for this, please share.  Otherwise, I am going to say it is a flaw of the Green Book until someone can convince me otherwise.

Next time, we will discuss the fraud triangle and do an example fraud risk assessment.

