Following Fundamentals Detects Fraud
By Eileen Galager, Protiviti Manager and Kyle Furtis, Protiviti Managing Director


June 25, 2007
To successfully audit for fraud, internal auditors often believe they must use sophisticated automated tools or sort through mountains of data. These techniques are very useful, but auditors should not discount fundamental auditing techniques as a means to detect fraud. Oftentimes, executing the fundamentals of auditing – performing basic audit steps and following up on “loose ends” – can be the key to uncovering fraud.
A prime example of this occurred at a company where the audit committee was suspicious about the lack of internal control within its leasing operations. This audit committee knew that any leasing area is at high risk for fraud if it does not have the right checks and balances in place. The committee’s suspicions were well warranted.
Though the company’s leasing operations had been through several internal and external audits, the audit committee had some concerns despite the lack of findings in past audits. The audit committee’s main source of unease involved lease delinquencies; the leasing company had almost none, which was unusual by industry standards. When questioned about the delinquencies, management provided answers that seemed plausible, but these answers were never supported by transactional records or documentation.
While leasing operations can often be complex by nature, the biggest obstacle the board of directors, audit committee and the prior internal auditor faced during their own inquiry on this matter was probably management dynamics. Management included high-ranking executives who were gregarious charmers, and, as it turned out, practiced manipulators. They could talk their way out of almost anything.
The Audit
Company operations in question focused on leasing small-ticket items including photocopiers, general business machines and supplies, medical devices and other similar items. Knowing the audit committee’s feelings of unease, a new internal audit team created an audit plan that called for an examination of many processes expected to be reviewed in a leasing audit: residuals, payment processing, reconciliations, delinquencies/charge-offs, etc. During the planning meeting, the audit team also informed management that confirmations would be sent to a sample of their customers. This standard audit practice was eventually vital to this audit’s success.
As expected, the leasing company management poured on the charm at the start of the audit. They were friendly, cooperative and said all the right things. After a few weeks of fieldwork, the preliminary review of the leasing function was complete, and no overtly fraudulent activity was uncovered. However, a few unusual items were identified, which required an increase in the audit scope and budget (with audit committee approval). These unusual items included:
- Hundreds of reconciling items existed between the lease receivable balance in the leasing system and the lease receivable balance in the general ledger.
- The CFO and president had system administrator access to both the leasing system and to the general ledger.
- There were a few leases in the portfolio that were significantly larger than the leasing authority assigned to the president.
- The leasing system contained few IT application controls.
When the audit team reported these findings, management’s attitude changed remarkably. They became increasingly difficult to deal with and less accessible to the audit team. Management also tried to explain away the items by saying the system had numerous limitations that required them to be “creative” in their operations. However, the audit team remained concerned about these items, particularly the easy access to the leasing system and general ledger, in addition to the lack of strong process and general system controls.
Before long, the audit team’s suspicions were confirmed. The team determined the problem was not with the system; rather it was with management.
Confirmations
One of the standard audit procedures performed during any type of lending/leasing audit is to send confirmations to customers, verifying the remaining receivable balance and terms of the lease/loan. Initially, management told the audit team that the leasing system could not generate these confirmations. The audit team knew that similar requests for confirmations had been denied in prior years as well. During this audit, management also denied a request for a data dump that included leasing customer information. The reason behind this denied request: It would take too much of the IT manager’s time.
The more management resisted the requests for confirmations, the more determined – and suspicious – the audit team became. As a last resort, the audit team decided to manually prepare the confirmations. The team requested a trial balance of all leases in the portfolio and randomly selected 50 leasing customers to receive negative confirmations; 10 of the largest lease customers received positive confirmations. Management was not involved in mailing the confirmations.
One of the confirmations was returned due to an invalid address. This by itself was not suspicious; customers sometimes move and fail to notify the leasing company of their new address. The audit team checked the address on this confirmation against the address in the leasing system and the leasing note. These addresses matched, confirming the address used to mail the confirmation was the one on record.
Follow-up
The next step was to turn to the Internet to find an updated address for the lessee named on the returned confirmation. Internet searches confirmed the address was accurate. The team then obtained the lessee’s phone number and called the customer. The phone number was disconnected. This was a big red flag.
When a confirmation is returned due to a bad address and the contact cannot be reached, the next step is to look at the payment history. The audit team did the research, which revealed numerous small customer lease payments in odd amounts, sometimes 15 or 20 payments a month. With no reasonable explanation available for such a bizarre customer payment history, this was another big red flag to the audit team.
Knowing the company made photocopies of all checks received for each lease payment, the audit team asked the payment processing clerk to provide a copy of the last payment received for this particular lease. The clerk reported that the company did not receive checks as payments for this lease. In reality, it was a defaulted lease. Instead of applying actual customer payments, the gains on the sale of returned lease equipment were diverted from other leases and recorded as customer payments for this defaulted lease.
Not only were the red flags waving; now bells, whistles and sirens were going off.
The clerk explained that the CFO told her this practice was appropriate because “they were just moving funds from one place to another” and that the loss would be recorded somewhere else within the financial accounts. When asked if this was done for other leases, she answered “Yes.” In reality, the clerk had little knowledge of proper accounting practices and trusted the CFO’s claim that this practice was acceptable. The audit team knew otherwise.
When offering up this information, the clerk had inadvertently revealed a scheme to disguise leases, which were actually delinquent, by diverting monies. The audit team knew exactly what to look for now and identified several other leases that were being paid with gains diverted from returned equipment sales. In addition to diverting gains to make lease payments on delinquent leases, the team identified several other leases that were issued for amounts that exceeded the leasing company’s lending authority.
Three of these leases were issued to one company that was no longer financially stable. To conceal these delinquencies, the leasing company modified the lease terms and decreased the payments owed each month. The lessee paid the reduced payment amount; as a result, the leasing system did not flag these leases as delinquent, and they were never reported to senior management.
In the end, the audit team uncovered that the president and CFO had perpetrated this fraud. By disguising delinquent leases, the president and CFO molded a perception that company performance was better than in reality. As a result, they received larger performance bonuses.
The end result to the company was not so positive.
- The loss to this company was well over $100,000.
- The company ended up owning a lease portfolio that was substantially less stable than previously believed.
- The company had to spend money on consultants, attorneys, and employees to recover, clean up and salvage what they could of the remaining leases.
Lessons Learned
While this company suffered from these actions, the lessons from this experience are valuable to other similar audits.
1. The importance of following through on audit fundamentals. Sophisticated automated audit tools are great, but are not worth much if the fundamentals, such as verifying confirmations, are ignored. Auditing 101 can often be the best approach to detecting fraud.
2. The importance of audit committee support. The audit committee chairman provided his cell phone number for the audit team to call any time it needed assistance, such as obtaining requested information. The audit committee also invited the audit team to present, before the full board of directors, a walk-through of the executed audit process. This established an understanding of the audit itself and reinforced the belief that fraud was indeed perpetrated.
3. The importance of proper management oversight. The audit team reviewed leases for more than $300,000 and wondered how this could have been approved; the leasing company’s lending authority was $50,000. Multiple $50,000 leases to one lessee were also discovered. If senior management had asked for a report by lessee, they would have asked why XYZ Company has $500,000 in leases. Poor oversight allowed these abuses to occur.
4. The importance of checks and balances. System access is often a key component to committing fraud, thus it must be controlled and segregated. This could explain why the external auditors also missed the fraud. External auditors often do not think about risks and controls in the same way as an internal auditor. This company also did little to control and segregate system access in its leasing operation. Another important check and balance is to rotate people in and out of their positions. If someone from the parent company had spent time in an important position within the leasing operations, many of these abuses could have been curtailed by a fresh perspective (or set of eyes) critically examining the process.
5. Have a healthy sense of skepticism. The two leaders perpetrating the fraud were charismatic, confident, persuasive, and friendly. Unfortunately, they were also defrauding their company.
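Lesson 3's report by lessee and the payment-history review from the follow-up can both be run as routine checks over lease data. The sketch below is an added example, not part of the original article or any Protiviti tool; the records, lessee names and the 15-payment threshold are constructed assumptions, with only the $50,000 lending authority taken from the text.

```python
from collections import Counter, defaultdict

LENDING_AUTHORITY = 50_000   # figure stated in the article
MANY_PAYMENTS = 15           # assumed threshold, from the "15 or 20 payments a month" pattern

# Constructed sample records, not data from the audit described.
LEASES = (                   # (lease_id, lessee, amount)
    [(f"XYZ-{i:02d}", "XYZ Company", 50_000) for i in range(10)]
    + [("BIG-01", "Lessee B", 320_000), ("OK-01", "Lessee C", 20_000)]
)
PAYMENTS = (                 # (lease_id, month, amount, has_check_copy)
    [("BIG-01", "2007-03", 113.27 + i, False) for i in range(16)]
    + [("OK-01", "2007-03", 640.00, True)]
)

def exposure_findings(leases, limit=LENDING_AUTHORITY):
    """Report by lessee: single leases over the limit and aggregate exposure over it."""
    totals, largest = defaultdict(int), defaultdict(int)
    for _lease_id, lessee, amount in leases:
        totals[lessee] += amount
        largest[lessee] = max(largest[lessee], amount)
    findings = {}
    for lessee, total in totals.items():
        reasons = []
        if largest[lessee] > limit:
            reasons.append("single lease over authority")
        if total > limit:
            reasons.append("aggregate exposure over authority")
        if reasons:
            findings[lessee] = (total, reasons)
    return findings

def payment_findings(payments, many=MANY_PAYMENTS):
    """Lease-months with many payments and no check copy on file for any of them."""
    counts, with_check = Counter(), Counter()
    for lease_id, month, _amount, has_check_copy in payments:
        counts[(lease_id, month)] += 1
        with_check[(lease_id, month)] += has_check_copy  # True counts as 1
    return sorted(k for k, n in counts.items() if n >= many and with_check[k] == 0)

if __name__ == "__main__":
    for lessee, (total, reasons) in exposure_findings(LEASES).items():
        print(f"{lessee}: ${total:,} - {', '.join(reasons)}")
    for lease_id, month in payment_findings(PAYMENTS):
        print(f"{lease_id} {month}: many payments, no check copies on file")
```

Run by someone outside leasing management against an extract they pull themselves, the same two checks do not depend on the cooperation that was withheld in this case.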
The ultimate lesson learned: If suspicions of fraud are strong, pursue those instincts to determine if they are correct.
Article from Protiviti KnowledgeLeader – www.knowledgleader.com.
KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.
Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

