Recent problems at the Georgia Institute of Technology (Georgia Tech) in the Georgia Tech Research Institute (GTRI) Advanced Concepts Lab are representative of some of the challenges faced by organizations with purchase card programs. The good news for Georgia Tech is that the purchasing irregularities were identified, GTRI made a request of the Internal Audit department to investigate, and Internal Audit was able to confirm questionable purchasing practices and conflict of interest concerns.
The circumstances of this $475,000 fraud scheme were not unique. People in positions of authority were involved as either direct participants or passive enablers, (we’ve blogged before about the surprising statistic that 27% of higher level executives engaged in expense fraud), and the titles of those involved included a senior research technologist, two deputy directors, branch chief, principle research engineer, and assistant director of financial operations. On the surface, it is easy to understand how this crew got away with it. Given their positions of authority, this group could easily lie about projects and label them as classified in order to discourage questions. When reviewing reports or looking at individual totals on statements, I can see how things might be hidden or explained away.
However, purchase card programs don’t need to stop at the surface nor should they rely on what anyone has to say. Among the details that emerged were purchases of over $160,000 at Barnes & Noble and online retailers like Amazon. Invoices were altered to hide purchases for solar panels for one of the perpetrator’s homes and $5,000 in night vision gear from online retailer, Man’s Toys. The biggest problem is that the evidence of abuse should have been immediately seen. If Georgia Tech and GTRI were automatically analyzing 100% of these transactions, they would have seen patterns of behavior among the cardholders involved indicating abnormal purchasing behaviors. Using automated analysis, their purchases from Barnes & Noble in the aggregate would have represented significantly abnormal behavior relative to other cardholders. Further, it would not have taken an invoice to know that Man’s Toys was a retailer from whom no other cardholder purchased. Without knowing specifically, my guess is that as a retailer of night vision optics, Man’s Toys was using a merchant category code (MCC) rarely used by GTRI. This should have been an immediate cause for questions.
The investigation also found that a side company, also known as a “ghost vendor”, was established by a spouse of an employee and benefitted from fraudulent transactions. Again, automated analysis of all transactions would likely have uncovered that this “merchant” was rarely used. If investigated further, red flags should have been raised when that particular vendor appeared only to be frequented by certain cardholders, that the vendor was a Square vendor, and another, final flag for a specific or suspicious MCC code. It isn’t transactions themselves that raise suspicions, but the pattern of transactions and behaviors that make a case study for fraud. Since there was evidence that other invoices were fabricated and paid through purchase card transactions, it is likely that other “ghost vendor” indications may have been present.
Georgia Tech and GTRI are subject to Office of Management and Budget (OMB) Circular A-21, the set of rules governing the eligibility and calculation of costs in support of sponsored research, development, training, and other works produced in agreement with the US Federal Government. OMB A-21 includes a list of prohibited items as well as items that can only be reimbursed under certain circumstances. In this case, most of the money came from federal grants, thus prompting FBI involvement in the investigation. While Georgia Tech has repaid this money, it is likely to prompt increased scrutiny from the federal grantors in the future and it has caused money from other budgets to be used to repay the Federal Government.
There are two lessons we can learn from Georgia Tech. First, is that fraud at this level happens more often than you think (see our Spend Analysis Report for proof!) and second, is that it doesn’t have to happen. The indicators of improper use of the purchase cards were available, if only a little bit more digging were done initially. The signs were all there! While it seems difficult to leverage these indicators, the reality is that on demand analysis solutions like Oversight Insights On Demand™
makes these indicators easy to identify and cost effective to obtain. Most universities can access a turnkey analysis solution like Insights On Demand for Purchase Cards for a fraction of the purchase card rebate they receive from their card provider. The internal annual level of effort of no more than 10-15 hours per week, including the time to review, investigate, and ask questions makes solutions like Insights On Demand an attractive solution to identify and prevent unwanted activities. It is possible to automatically analyze 100% of an organization’s purchase card transactions with less effort than sampling 10% of the same organization’s transactions.
We will sometimes see organizations that have suffered problems like Georgia Tech and GTRI question the value of their purchase card programs and contemplate terminating the programs, which is a shame. Purchase card programs bring tremendous cost savings and efficiency gains to the organizations that use them. To throw away these gains based on the actions of a very small group of bad actors is harmful to the organization as a whole, particularly when low cost assurance alternatives like Insights On Demand for Purchase
Cards are available.