The highly publicized fraud in the Jacksonville Jaguars organization exceeds $22M, and the control gaps that allowed it to happen can be found at all sorts of organizations, maybe even yours.
One of the Jaguars’ official statements about the case said that no other team employees were involved in or aware of his [the former employee’s] criminal activity. This is meant to be taken as a good thing. However, the more I heard about the case, my thought was, yes, no other employees, including management, appeared to pay any attention to what this employee was doing. No one but the accused seemed to be involved with monitoring spend or purchase activity. It is an extreme case about the lack of separation of duties.
Keep reading to learn more and see a control that every organization should follow to help detect fraud sooner versus later.
The Misused Power of One
It has been reported that the former employee (Amit Patel) was the sole administrator of the organization’s virtual credit card program. In this case, virtual cards are issued to individuals for making authorized business purchases (e.g., travel expenses), not virtual cards used by accounts payable to pay invoices.
Patel had full access to manage all aspects of the program, and there were no controls to stop him from committing fraud and no ongoing controls to catch it. Learn more about separation of duties. Patel could request new virtual cards, including for himself. He could manipulate and manufacture transaction data—easily hiding his fraudulent transactions—before passing the file over to the accounting department. He even oversaw department budgets.
Per news reports, apparently Patel is a nice person and was well-liked in the organization. But, as I have written before, even nice people can steal. If an organization ignores implementing effective controls because all their employees are nice, they will likely have a rude awakening at some point.
Addressing the Data Problem
Keep in mind that downloaded files—formats such as .xlsx .csv, .txt and even .pdf—can usually be edited. Patel used this ability to his full advantage.
I have long recommended that an organization’s auditing strategy should include obtaining the original data from the card issuer. In light of the Jaguars’ fraud, this control needs to go further. Someone other than a program administrator (PA) or program manager (PM) should obtain the original transaction data from the card issuer’s system for auditing purposes each month. Most of these systems have some type of “auditor” access role, separate from an administrator role.
If you are not using a third-party auditing solution for the monitoring of transactions, then the next best approach is to utilize readily available programs like Microsoft Excel. Again, an auditor or similar independent entity should make comparisons between card transaction data uploaded into an internal finance system and data from the card issuer’s system. Excel tools like conditional formatting can help you identify potential issues like someone editing information.
Access a previous blog post to see more about what to do with transaction data.
Further, the person performing an audit function should also pull a monthly report from the card issuer’s system showing new cards issued. Have any cards been issued to people who should not have one, per organization policy? As an example, many organizations prohibit a PA or PM from having a card. This brings me to my last point.
Even if the PA/PM is well-liked and trusted within the organization, no one should be exempt from an audit process. When is the last time your organization’s PA/PM was audited? See related tips.
Related Podcast
Mary Schaeffer of AP Now and I discussed the Jaguars’ fraud case on a recent podcast. Check it out on YouTube to hear what motivated this person to steal and the many control weaknesses that can be gleaned from the case.
Available Products & Services from Recharged Education
Submit a contact form to request a quote for what your organization needs.
Subscribe to the Blog
Receive notice of new blog posts.
About the Author
Blog post author Lynn Larson, CPCP, launched Recharged Education in 2014. With more than 20 years of commercial card experience, her mission is to make industry education readily accessible to all. Learn more…