
What Would You Do?

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.

By Carl Gabrini
January 21, 2019

One of my favorite books on bureaucracy is “Inside Bureaucracy” by Anthony Downs, published in 1967. In it he wrote about the complexity of controls within large bureaucracies. The implication I took away from reading it is that the more complex control systems become, the more challenging managing them becomes. However, I was recently reminded that one unintended consequence of all the focus on elaborate control systems is that a window is often left unlocked somewhere. In today’s cyber-world that window is frequently people’s behavior. Writing from personal experience, we took great pains at the state auditor’s office where I worked to ensure our communications, data and working papers were secured. But the key control always came down to individual behavior and decision-making. When I began my teaching career, I was shocked by how often our email system was compromised by malicious outsiders who gained access through fraudulent emails to staff or faculty. I can recall chuckling with my colleagues, wondering who it was that fell victim to the same email most of us received and deleted, realizing it was a scam. The saying goes that beauty is in the eye of the beholder; I suppose that is true of common sense as well. The most effective methods for combating fraud do not always rely on complex, overlapping and expensive control processes and systems. It might be that combating some fraud only requires simple and inexpensive common sense.

My wife and I were sitting and reading together when she asked if I had heard about a scam that just took place at one of our local healthcare systems. I responded no and asked her to read it to me. After listening I thought to myself, I was a controller once, what would I have done in similar circumstances? I requested a copy of the police report from the city police records office to learn more. The scam was initiated when the chief financial officer (CFO) received an email they believed to be from their contractor asking to change the payment instructions stipulated in their contract. The CFO, believing the email to be legitimate, requested and received the necessary information to change payment methods. Instead of remitting payment by check, they would pay electronically. The email exchange provided all that was needed to facilitate the electronic payments to a legitimate bank account in a legitimate bank. Life went on as usual for about two weeks. Two payments totaling about $1.25 million were transferred to the bank account provided in the email.

The police report indicates that the CFO was sitting in a fraud training when a bad feeling came over them. They called the contractor directly and learned no payments were received and no email requesting a change to the payment method was made. Hence the police report and the subsequent ongoing investigation. Who knows what the fallout from this incident will be for this organization and the individuals involved? But it got me thinking, what would I have done in the same situation? It is not totally out of the realm of reality to consider it. I recalled one time when a bank vice president offered to wire transfer several million dollars on my authority to a bank of my choosing without any other approvals. I was floored and refused. I explained how I follow procedure no matter how inconvenient that might be. I exercised my common sense. The situation did not feel right, so I went with my professional experience that told me to follow accepted procedures.

That brings me to the point of my first column of 2019: common sense and professional judgment are often our most important defense against fraud. Upon receiving the email requesting the change in payment instructions, I would have called my counterpart at the contractor to confirm the request and ask for a change order to the contract documenting it, since payment terms are typically part of the language in a contract. That action would have occurred before any payments were made or even before a reply was sent to the original email. I recognize that people have busy schedules and sometimes what we initially view as a minor detail turns out to be a big problem. My guess is that it happens every day. This incident reminded me how important our own diligence is when combating fraud in the cyber age. Fraud knows no boundaries and does not discriminate based on the business sector. Fraud prevention is everyone’s job. In this present case a simple phone call would have saved $1.25 million and a major organizational headache.

Author: Carl J. Gabrini is Assistant Professor of Accounting at the Wright School of Business, Dalton State College and earned a PhD in Public Administration at Florida State University. Email address [email protected].
