The audit discussed in this article included testing for fraud as part of a broader objective to identify the magnitude of payments to deceased pensioners, but the focus is on the fraud component. This article explains how computer-assisted audit techniques (CAATs) can complement those used by investigators to identify fraud and its magnitude, as well as how they can help identify who may have committed the fraud.
Background
The Atlanta Office of City Internal Auditor conducts performance audits that include determining if there are indicators of fraud, abuse, or illegal acts. The city also has a unit within its Law Department that conducts investigations to determine compliance of individuals with the law. We are both fairly new offices and both have authority to perform investigative work, but this audit was the first time we worked together on a project.
The Investigation
The Compliance Unit in the city’s Law Department began investigating a possible theft of city pension funds after the employee’s credit union notified the Pension Division that a pensioner had died but was still receiving his pension (Pensioner A). The Pension Division’s research revealed that the pensioner’s payments were directly deposited into an account at the credit union, but the deposits didn’t begin until almost a year after the pensioner died.
The investigators obtained statements for the credit union account to which the deceased pensioner’s payments were deposited. They discovered that the city was also depositing payments for another deceased pensioner (Pensioner B) into the same account and that the account was not in the name of either pensioner. They focused their investigation on a former Pension Division employee, primarily because the statements showed withdrawals from the account at an out-of-state ATM located near the home of the former employee’s family.
The former employee admitted that she had performed transactions in the city’s payroll system that allowed payments for the two deceased pensioners to be deposited into the credit union account and that she had conjured up the fraud with the assistance of a friend, who was not a city employee. The friend took his elderly grandfather to the credit union to open the account and purchased a post office box to use as the address for the account.
The Audit
As a result of the Law Department’s and Pension Division’s findings, the finance director and city attorney asked us to audit the Pension Division to identify the magnitude of payments to deceased pensioners and whether any other fraud may have occurred. We included a review of the control environment in our audit to identify the weaknesses that allowed the fraud to occur and continue undetected for 18 months.
The investigators gave us copies of the account statements during one of our initial meetings with them. Three things caught our interest as we reviewed the statements:
• The direct deposit for pensioner A did not begin until six months after the former Pension Division employee resigned. This led us to believe that other employee(s) were involved in committing the fraud.
• The first direct deposit for pensioner B was for a significantly larger amount than all of his other payments. This led us to question whether the fraud also involved altering the amounts of pension payments.
• There was a single direct deposit from the city that did not match the payments to either of the deceased pensioners already identified. This led us to question whether there was more fraud than what the investigators had identified.
Why CAATs?
The issues identified by the investigators, along with the questions raised by us during our review of the account statements, helped us determine the initial tests to perform. Our focus, in addition to the tests to identify the magnitude of payments to deceased pensioners, was to develop tests to identify whether additional fraud occurred and who performed the transactions involving the fraud.
We used CAATs because they are a proven technique for quickly identifying anomalies in data that could be indicators of fraud. We chose ACL as our primary tool because of its speed, the number of payment records (over 300,000), and the ease with which we could design our tests.
Data Tests
We did not have direct access to the city’s PeopleSoft system, so we requested Excel files of the pension payments made since the system was implemented in early 2000. The files included detailed information for each pensioner, including personal data (e.g., name, social security number, pensioner identification number, mailing address); the gross amount, deductions, and net amount of each payment; payment method (i.e., by check or direct deposit); payment date; which checks had been cashed; and bank routing and account numbers for direct deposits.
Our first step was to identify the one-time payment to the credit union account that did not match the payments for the two deceased pensioners. We searched the pension payment file for the month of the deposit to identify which pensioner’s net payment matched the amount deposited into the credit union account and found a single match. We identified the pensioner and produced a report of all pension payments made in her name. Although several payments were made under this pensioner’s name, the one-time payment was made to a pensioner with the same name, but a different employee identification number and a scrambled version of the real pensioner’s social security number. This fictitious pensioner’s gross payment was exactly $1,000 more and her tax withholdings were quite a bit less than the real pensioner’s amounts. When we later obtained direct access to PeopleSoft, we looked at the tax data screens for both pensioners and saw that the fictitious pensioner’s withholdings status was set as married with four exemptions to maximize her net payment. The real pensioner’s withholdings status was single with one exemption, resulting in more taxes being withheld.
Our next step was to look at the pension payments for the two deceased pensioners whose payments were deposited into the credit union account. We identified several facts that weren’t apparent from the account statements or from the information that the investigators had gathered:
• Deceased pensioner A:
-- Prior to his death and for four payments after his death, his payment was a direct deposit to another bank. Checks began being mailed to the post office box purchased by the former city employee’s friend when the direct deposit stopped.
-- The pensioner’s name was not on either of the first two checks.
-- Checks were mailed for six months, but they weren’t cashed. There was an unsuccessful attempt to deposit one check into the credit union account through an ATM.
-- The direct deposit to the credit union account began in the seventh month.
• Deceased pensioner B:
-- His address was changed to a post office box four months after his death, but it was not the post office box purchased by the former city employee’s friend.
-- Checks were mailed to his home address for four months after his date of death, and the direct deposit payments to the credit union began right after his address was changed to the post office box.
-- The pensioner’s name was not included in the payment information for the first two direct deposit payments.
-- The larger first direct deposit represented a $5,000 increase in the gross amount.
We now knew several facts:
• There was more fraudulent activity than the investigators had identified.
• The credit union account was used to receive fraudulent payments in the names of two deceased pensioners and one fictitious pensioner.
• At least one other employee was likely to have been involved in committing the fraud.
• In addition to the obvious theft, the fraud involved altering payments by changing the first digit of the gross amount to a larger number.
• Post office boxes were used to conceal the fraud.
• Pensioners’ names were deleted from some of the payments, either in an attempt to conceal the fraud or to make it easier to ensure access to the cash from the fraudulent payments.
With this information in mind, we developed additional tests to identify the potential of other fraud:
• To determine if there were other fictitious pensioners in the system, we:
-- Ran a test on duplicate last names, identified those with the same first name initial, and reviewed their personnel files to determine that they were valid pensioners.
-- Computed hash totals of the digits in each social security number and compared those having the same total to determine if there were other fictitious pensioners with a scrambled version of a real pensioner’s social security number.
-- Submitted the pensioner database to the Social Security Administration (SSA) for verification of each pensioner’s social security number.
• To determine if there was additional fraud involving real pensioners, we identified:
-- Direct deposits going into a single bank account for more than one pensioner.
-- Payments made to more than one pensioner at the same address.
-- Pensioners whose direct deposit changed to another account after their death.
-- Pensioners whose method of payment changed after their death, either from direct deposit to check or vice-versa.
-- Pensioners with address changes after their death.
-- Pensioners who had gaps between payments (i.e., their payments stopped and then restarted at a later date).
-- Multiple payments to a pensioner in a single month.
-- Pensioners whose checks were cashed after their death.
• To determine if there were other altered payments, we:
-- Identified occurrences where only one digit of a pensioner’s payment changed.
-- Performed digital analysis on the first digit, the second digit, and the first two digits of the pension payments.
• To determine if there were any other potential occurrences of fraud, we identified:
-- Pensioners who received only one payment.
-- Pensioners whose name was omitted from a payment.
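Three of the tests listed above (the social security number hash total, multiple pensioners paid into one bank account, and a payment that differs from the previous one in a single digit) are shown here as an added Python sketch; it is not the ACL scripts used in the audit. The record layout, field order, and all sample values are constructed for illustration, and the digit-permutation check is an added refinement that narrows the hash-total matches.

```python
from collections import defaultdict

# Constructed sample rows (not real data):
# (pensioner_id, name, ssn, deposit_account, month, gross)
PAYMENTS = [
    ("P001", "DOE,JANE", "000-12-3456", "ACCT-111", "2003-01", 1450.00),
    ("P001", "DOE,JANE", "000-12-3456", "ACCT-111", "2003-02", 1450.00),
    ("P777", "DOE,JANE", "000-21-6543", "ACCT-999", "2003-02", 2450.00),
    ("P002", "ROE,SAM",  "000-55-0001", "ACCT-999", "2003-01", 6200.00),
    ("P002", "ROE,SAM",  "000-55-0001", "ACCT-999", "2003-02", 1200.00),
    ("P003", "POE,ANN",  "000-30-0099", "ACCT-333", "2003-01", 980.00),
    ("P003", "POE,ANN",  "000-30-0099", "ACCT-333", "2003-02", 995.00),
]

def _group(payments, key):
    """Group distinct SSNs by key(digits); return pensioner IDs of groups > 1."""
    groups = defaultdict(dict)
    for pid, _, ssn, *_ in payments:
        d = [c for c in ssn if c.isdigit()]
        groups[key(d)][ssn] = pid
    return sorted(sorted(g.values()) for g in groups.values() if len(g) > 1)

def hash_total_candidates(payments):
    """First pass: distinct SSNs whose digits add up to the same hash total."""
    return _group(payments, lambda d: sum(map(int, d)))

def scrambled_ssn_groups(payments):
    """Refinement: distinct SSNs that are permutations of the same digits."""
    return _group(payments, lambda d: "".join(sorted(d)))

def shared_accounts(payments):
    """Deposit accounts receiving payments for more than one pensioner."""
    owners = defaultdict(set)
    for pid, _, _, acct, *_ in payments:
        owners[acct].add(pid)
    return {a: sorted(p) for a, p in owners.items() if len(p) > 1}

def one_digit_changes(payments):
    """Consecutive payments to one pensioner differing in exactly one digit."""
    last, hits = {}, []
    for pid, _, _, _, month, gross in sorted(payments, key=lambda r: (r[0], r[4])):
        cur, prev = f"{gross:.2f}", last.get(pid)
        if prev and len(prev) == len(cur) and sum(a != b for a, b in zip(prev, cur)) == 1:
            hits.append((pid, month, prev, cur))
        last[pid] = cur
    return hits
```

On the sample rows the hash total alone also flags P003, whose digits sum to the same value without being a rearrangement, which is why each hash-total match still needs review against personnel files.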
The tests indicated that the fraud committed by city employees appeared to be limited to the pension payments that were diverted to the credit union account. However, the tests also identified numerous instances of potential fraud by families of deceased pensioners (e.g., cashing several checks after a pensioner’s death). We referred these cases to the Law Department for investigation.
Transactional Tests
Once we knew the extent of the employee fraud, we wanted to know who did it. Some of the data screens in PeopleSoft include a field that says, “Last updated by online operator on [date],” but they don’t identify the online operator; and most of the screens don’t even state when the last update occurred. However, PeopleSoft’s audit function tracks the date and time for many types of transactions, as well as who performed them. Our information technology staff queried the audit tables in PeopleSoft to identify who performed the transactions that initiated the direct deposits to the credit union account. Their reports showed that the former employee and one other employee had performed these transactions.
We wanted additional confirmation that the second employee was indeed involved in the fraud because we knew she might be terminated after we showed our audit evidence to the finance director and the pension manager. We hired a consultant with expertise in PeopleSoft to perform additional queries. Our objective was to confirm the results we already had and to determine if this employee had performed other fraudulent transactions. The consultant extracted data from the audit tables that confirmed the employee’s involvement in performing numerous fraudulent transactions. The sequence and timing of the transactions also indicated that the fraud could have been the result of collusion between this employee and the former city employee.
Why the Fraud Occurred
The fraud occurred because there was virtually no segregation of duties in the Pension Division and the PeopleSoft system. Every employee could create new pensioners in PeopleSoft; update pensioners’ data, including their method of payment and address and tax information; and process payroll. The fraud was not detected for 18 months because there was also a lack of compensating controls, such as supervisory review of work and production and review of routine and exception reports.
Results of the Investigation and Audit
We identified over $2.1 million in payments to deceased pensioners, which included $76,000 in fraudulent payments to the credit union account. The former city employee and her friend were charged and convicted of theft of city pension funds for the fraud involving the two deceased pensioners. They were also ordered to pay restitution in the amount of the net payments they received on behalf of these two pensioners.
The city employee whom we identified as involved in the fraud was terminated. She appealed her termination, but the Civil Service Appeals Board sustained it based on our audit evidence. The Law Department has referred our evidence regarding the second city employee and the fraud involving the fictitious pensioner to the district attorney for review. They also forwarded several of our referrals regarding family members who cashed deceased pensioners’ checks. Criminal charges have been filed in some of these cases and are pending in others.
Lessons Learned
This audit gave us better insight as to how CAATs can complement criminal investigative techniques. It also taught us an important lesson about how we could have improved our coordination and sharing of information with the investigators from the very beginning.
We didn’t discuss specific audit tests and what results they might produce until we were ready to hire a consultant to verify which employees performed the fraudulent transactions. This was partly because we didn’t know exactly what data was available in PeopleSoft, especially with regard to the transactional data in the audit tables. However, the primary reason was that we each viewed ourselves as having distinct and separate roles in the investigation and audit, and we didn’t always recognize the need to share information. We learned that future audits involving fraud should include a discussion with the investigators of our need to have time to identify what data is available, the types of audit tests we might perform once we become familiar with a system, and what results our audit tests could produce. Most importantly, we both learned that we can complement each other’s roles by having a better understanding of what those roles are, improving our coordination with each other, and increasing our sharing of information. If we had done that for this audit, the city might have waited to seek prosecution until the full magnitude of the fraud, including both the amount of the fraud and who committed it, was known.
Note: The complete audit report of the Pension Division is available on the Atlanta City website at www.atlantaga.gov/client_resources/mayorsoffice/special%20reports/pension%20audit%20report.pdf.
Harriet Richardson is the Deputy City Auditor of Atlanta, GA