Employee expense reimbursements: Legitimate or fraudulent?
By Abigail Grenfell, CPA, president, Internal Control and Anti-Fraud Experts, LLC
Expense reimbursement schemes fall within a subset of fraudulent disbursements underneath the "asset misappropriation" umbrella. So, what exactly are expense reimbursement schemes, how do they occur, which type of organization is most vulnerable, and most importantly, what are the best practices organizations can adopt to reduce their risk of these fraud schemes?
Stats on expense reimbursement schemes
The Association of Certified Fraud Examiners (ACFE) defines an expense reimbursement scheme as "any scheme in which an employee makes a claim for reimbursement of fictitious or inflated business expenses."
The ACFE collects, analyzes and publishes statistics related to the estimated amount businesses lose each year, median duration of time to discovery, and characteristics of victim organizations in their biennial Report to the Nations on Occupational Fraud and Abuse. The table below provides a trend snapshot over the past several years. While the estimated median loss tends to fluctuate between $26,000 and $33,000 per perpetrator, the duration of the expense reimbursement scheme remains at two years.
|Estimated median loss
|Median duration to discovery
|< 100 employees
What were they thinking?
Large organizations with companywide expense reimbursement policies are not immune to expense fraud. If you're not taking a hard look at reimbursements, many instances of fraud can go unnoticed.
Several years back, while performing a routine Sarbanes-Oxley internal control test, I discovered a coordinated employee expense reimbursement scheme pervasive in a company's sales department. Despite being a publicly-traded company with an expense reimbursement policy, corporate American Express credit cards and expense reporting software, it didn't stop this department-wide fraud from being masterminded.
The company's expense reimbursement policy required receipts for an expense item exceeding $75. This seems reasonable and is consistent with IRS requirements. Employees were required to complete the online expense report, download charges from their corporate American Express card and scan the supporting receipts. The expense report was then routed to the reporting manager for review and approval. Once approved, the expense report went to the reimbursement manager in the accounts payable department for final review, tie out of receipts to charges, follow up and payment processing. On the surface, this appears to be a solid process with preventive controls.
My initial sample selection included a cross-section of employees across the organization and stratified over the various employee and management levels. One expense reimbursement report in the sample lacked a supporting receipt, yet it had been approved and paid. An attached review note stated the receipt was lost, and because the payment method was cash, a duplicate receipt was not obtained. That started me down a pathway of unexpected discovery.
I expanded my sample and, once again, found one missing receipt. Both missing receipts were for "meals and entertainment" for the same date and location, and the method of payment was "cash." Both employees were sales representatives and their expense reports were approved by the sales manager. Now why would someone, let alone two employees, pay for their out-of-town meal expense with cash rather than the corporate-issued American Express card?
A further sampling expansion focused specifically on the sales department and included submissions by all sales representatives and the sales manager. A pattern quickly surfaced including:
- Duplicate submissions by different employees for the same expense.
- Cash as payment type, including some expenses that could only be paid by credit card.
- Segmenting an expense (i.e., airport parking) across each weekday to remain under the $75 receipt requirement.
This experience emphasizes why internal audit needs to have unlimited access to documents and the electronic records necessary to complete required procedures. Without it, but for the one discovery in the initial sample, this department-wide fraud may not have been discovered.
The accounting defense to expense reimbursement fraud
Accounting is the last stop in the reimbursement process. When vigilant and supported by management, we are one of the best defenses to expense reimbursement fraud.
Even the strongest internal controls will not guarantee absolute prevention or detection of fraud. According to the Committee of Sponsoring Organizations, "Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations."
Below are a few weaknesses to remedy, as well as suggested internal controls to implement, that will help detect and deter potential expense fraud schemes.
- Formalize the expense reimbursement process. Many smaller companies without a formal expense reimbursement process are good candidates for an automated solution. Automated solutions come in various shapes and sizes. Business owners need to select a solution that fits the business need but doesn't overburden the accounting staff.
- Limit the use of personal credit cards. When an employee uses their personal credit card rather than a corporate card, the company cannot track the credit card statement to see if items were subsequently returned, even though the employee was reimbursed for the expense.
- Review and update policies. Expense reimbursement policies should be documented and reviewed at least annually.
- Monitor credit card holders and implement a two-step approval process. A listing of corporate credit card holders, credit limits and their job titles should be monitored annually. Cards should be recovered when an employee changes positions and no longer requires a corporate credit card. In addition, two approvals should be required to reduce the risk of unauthorized issuance.
An ounce of prevention
Both manual and automated controls can help reduce an organization's risk of false or fraudulent expense reimbursement.
Formal reimbursement policy. As mentioned above, one of the best preventive controls is a solid expense reimbursement policy. Strong policies include requiring original receipts for all expenses, requiring senior-level employees to pay group expenses, prohibiting segmented expenses, prohibiting personal credit card usage unless conditions warrant, and mandating prior authorization (including signatures and dates) on all employee reimbursement reports. Consequences for policy violation should also be clearly articulated in the policy.
Careful scrutiny of cash method of payment. With the widespread acceptance of credit cards (even taxis generally accept them now), cash payments should be carefully scrutinized. As in the case described previously, the cash payment method was one of the red flags in the department's fraudulent expenses.
Require detailed receipts. One of the simplest ways to sneak multiple reimbursement claims through is for one employee to submit the detailed receipt and another employee to submit the credit card summary receipt for the same expense. Watch closely for date and restaurant as the "tip" amount can be different and missed if the comparison is date and amount.
Review work/vacation schedules. Compare expense receipts to the employee's work and vacation schedule. This can help identify personal expenses submitted for corporate reimbursement.
Enforce your policy provisions. Lastly, consistently and continually enforce the provisions within the policy for everyone, including the chief financial officer and chief executive officer. An unenforced policy is an ineffective internal control. If employees realize the policy is not enforced, then they are less likely to abide by its provisions. Conversely, if an employee's reimbursement request is denied because it lacks proper supporting receipts, that employee and others will be more careful in the future.
Automated solutions can be very beneficial provided they are effective and efficient to use. Features to consider include:
- Detecting multiple reimbursement requests for the same expense (by date, amount and employees that attended)
- Automatic credit card transaction import
- Electronic receipt import
- Integration of expense reimbursement policy and suspension of noncompliant requests for resolution
- Secure Web-based and cloud hosted
- Trip planning and preapproval routing
- Approval hierarchy with automatic routing
- Audit trail
- Integration to common financial applications
- Advanced reporting
Also, maintain your keen awareness of opportunities for management override of internal controls and collusion. Implementing a secondary review and authorization for a portion of employee expense reports by the next level of management should be considered.
Organizations are not immune to fraud, despite the best policies, procedures and internal controls. You can reduce risk, however, by ensuring reimbursement policies are clear, concise, and are consistently followed and enforced. Accounting professionals are a critical component and must be supported when concerns are voiced.
Abigail Grenfell, CPA, MBA, CFE, CIA, CGMA, is president of Internal Control & Anti-Fraud Experts, LLC, a firm specializing in internal audit, internal control and forensic accounting.