We read a Justice Department press release yesterday about the conviction and sentencing of a man who falsified trip reports on a contract with the Postal Service for over-the-road mail transport. Over a seventeen-month period, this individual made 10 trips totaling 1,538 miles but billed and was reimbursed by the Postal Service for 247 trips and about 55,000 miles. He did this by forging the approval signature of a Postal Service employee. At some point, the Postal Service employee noticed the forged signature, an investigation ensued, and the truck driver was charged, convicted, and sentenced.
As we often do when we hear about fraud, waste, and abuse, we attempt to determine the weakness in the internal control system that allowed this to happen. In this case, it is rather obvious. The Postal Service allowed this contractor to submit claims for reimbursement directly to the payment office. For those of you familiar with the Defense Department's billing system (iRAPT or WAWF), you know that after submitting a request for payment (e.g., progress payment, public voucher, or DD250) there are at least one or two "approval" steps before the payment office (i.e., DFAS) will process the payment. If it's a public voucher, for example, the request is cycled through DCAA (Defense Contract Audit Agency) for review and approval. There is simply no way for a contractor to submit a payment request directly to the payment office. Without the requisite approvals, the system will "bounce" the request.
In this case, the Postal Service violated a fundamental internal control principle by allowing the vendor (or contractor) to secure the approval signature and submit the payment request directly for payment. That should never have been allowed to happen. The Postal Service payment office should never have paid a bill that didn't come directly from the Postal Service "approver".
You might be able to draw parallels in your own organization. Do your Accounts Payable personnel perform a three-way match (purchase order, invoice, and receiving report) before paying an invoice? Are there any controls set up to prevent someone from "slipping in" an invoice for payment without the requisite supporting documentation and/or approvals? Can an employee submit a travel voucher for payment directly, or do vouchers come from the approving official? Remember, fraud affects 85 percent of all companies and "trust" is not an internal control.