The Case of the Fictitious Vendor -- how embezzlers use QuickBooks against you
It’s no secret that Intuit’s QuickBooks is the overwhelming choice of accounting software for American small and medium sized businesses. QuickBooks desktop and online sibling command a combined 80 percent of this market, with Sage and others left to pick up the crumbs.
Clearly, Intuit produces a product that business owners find useful and arguably indispensable. Less well-known is that QuickBooks is often the perfect tool used by dishonest employees to embezzle from their employers.
Embezzlers use a variety of QuickBooks schemes. One of their favorites: the fictitious vendor scheme. While this technique isn’t particularly sophisticated, it can be used by embezzlers to loot a company repeatedly, with disastrous effect.
What exactly is the fictitious vendor scheme, how do you as a business owner detect it, and how can you prevent it?
The fictitious vendor scheme springs from poor internal controls in the accounting and bookkeeping departments. Although embezzlers concoct many variations of this scheme, they all boil down to using a fake vendor as a means of submitting false billings for siphoning money from a business.
Here’s how a fictitious vendor scheme might work using QuickBooks:
An employee with access to all areas of QuickBooks first creates a new vendor, listing an address where he can receive mailed checks. If the employee is clever, he’ll choose a company name that varies slightly from that of a legitimate vendor already entered in his employer’s QuickBooks system. For example, if his employer uses a janitorial firm called Smith Brothers Janitorial, the employee might call his new company Smith Janitorial. Similar names are easily confused, making bogus vendors more difficult to spot in a QuickBooks report.
The employee then creates a false invoice issued by Smith Janitorial.
Next, the employee authorizes and prints a check payable to Smith Janitorial for the invoice he issued. If the employee does not have check authorization or signing powers, he has a choice: (1) Submit the invoice or check for approval and hope the authorizing individual will not notice that Smith Janitorial is not Smith Brothers Janitorial. Because fictitious vendor schemes flourish in poorly supervised environments lacking internal controls, unwitting supervisors often approve these payments.
If approval isn’t possible, the employee may resort to (2) forging the payor’s signature. Clumsy as forgery may be, most businesses do not exam their cancelled checks for forgeries or alterations.
Either way, the dishonest employee will connive the issuance of a signed check.
Once the check is processed through the company’s mail system, the employee waits for it to arrive and then deposits it into the Smith Janitorial bank account.
If the company pays bills electronically, the employee rigs approval by taking advantage of the same poorly supervised environment and then transfers the funds directly to his bank account.
At this point, the employee just committed an embezzlement.
It gets worse. Most embezzlers take advantage of the serial potential of the fictitious vendor scheme by submitting additional periodic invoices. Depending on the cleverness of perpetrator and the degree of control weaknesses of the victimized business, this scheme can continue for years before being discovered. This can mean death by a thousand cuts for the victimized business.
How can you detect this crime?
There are many ways of uncovering a fictitious vendor, including using sophisticated analytic software. There are also techniques you as a business owner can use right now:
1. In QuickBooks, run a Vendor Contact List report, then customize it to show when each vendor was created and last modified, as well as the “Print on Check Name.” It’s worth noting that QuickBooks captions a "Display Name” and “Print on Check Name.” The former is the vendor name that appears in your QuickBooks data and vendor reports. The latter is the name of the payee that appears on the check. These can be different names. Also, look for Inactive Vendors. By default, those don’t appear on reports. A crooked employee might hide the fictitious vendor by marking it as an inactive vendor.
2. Check the Audit Trail. QuickBooks Audit Trail is a feature that keeps track of all changes to your QuickBooks data, and who made those changes. Examining the Audit Trail is a great tool for sniffing out fictitious vendors.
For instance, run an Audit Trail report and search for deleted and voided transactions. A clever embezzler might print a check and then void the check number in QuickBooks, and then re-enter that check number under a legitimate actual vendor.
Be cautious about condensing a QuickBooks data file. While condensing a data file will save disc space, condensing will delete certain information from the Audit Trail. Since only an administrator can condense a file, an embezzler with administrative privileges could condense your company’s QuickBooks file and eliminate evidence of the crime.
3. Run a Budget vs. Actual report. This will give you a heads-up if an expense item is out of variance with the budgeted amount. If you see a variance, you can use it to drill down into the details.
4. Look for invoices that are vague or list unnecessary, unaccountable, or questionable services.
5. Run a Vendor Report and look for vendors without a taxpayer ID number and those with only a PO box address. Cross reference vendor addresses with employee addresses.
6. Take the time to review all cancelled checks and electronic transactions. Most banks no longer automatically include copies of cancelled checks with monthly bank statements, but they will if you ask so it’s worth a call to request this.
How can you prevent this crime?
An ounce of prevention is worth a pound of cure. Why wait for an embezzler to strike when you can easily prevent this type of scheme. Here are five steps you can take right now:
1. Assign administrative privileges only to yourself. Administrators can create, edit, and delete almost everything in QuickBooks, and change software settings. Unfortunately, many businesses, especially smaller operations, routinely grant administrative privileges to multiple employees. If you share administrative privileges, be aware that this gives a dishonest employee the power to destroy data, hide his tracks, and even lock you out of your own system.
2. Require all employees to use unique login IDs and passwords. Requiring your employees to use unique IDs means that you as the administrator can customize privileges of each user, as well as restrict each user from various sections of QuickBooks. This makes it simpler to track activities of each user while making it difficult for a dishonest employee to impersonate a different user.
3. Segregate duties. To prevent a fictitious vendor scheme, don’t give a single employee the power to create and edit vendors, and enter bills, and generate payments. As the administrator you can--and should--customize access and segregate each duty to different employees.
4. Don’t sign a check without first looking at the associated invoice. If your bookkeeper drops a stack of checks on your desk for signature, make sure each check is accompanied by a copy of its invoice, and take a moment to examine the invoice. This is Internal Control 101 but it’s the type of garden variety control weakness that embezzlers exploit. Trust but verify.
5. The Audit Trail. Examine the Audit Trail regularly and let your employees know that you review the audit trail. This puts them on notice that another set of eyes is watching their work and it creates the perception that dishonesty will be detected. Increasing the perception of detection is probably the strongest preventative action a business can take. Embezzlers hate it when they think someone is watching.