A company becomes concerned it is being targeted by fraudsters when it stops meeting its cash flow goals.
When a company realizes it's not meeting its cash flow goals, the CAE is called in to determine the cause.
Grant Wahlstrom, CIA, CPA, CFE Apr 10, 2023
Glow Bright has been in the business of selling floodlights to big-box retailers for over 30 years. A big-box retailer is a large physical footprint store that also sells a variety of products in bulk. The traditional big-box retailer business model helped Glow Bright grow to a $500 million business.
Unfortunately, in the last few years, the company’s sales orders have decreased as new competitors with a direct-to-consumer business model have entered the market. Glow Bright’s market share has suffered because many customers now prefer to shop from home. In addition, new technology-savvy competitors have introduced modern floodlights that connect to the internet of things.
Realizing that Glow Bright’s business model was outdated and that the company needed to adapt to the world of e-commerce, Oliver Lumiere, founder and CEO of Glow Bright, recruited Steve Magnolia, an industry veteran of big-box retail sales, to establish an e-commerce division. Magnolia believed that the key to the success of an e-commerce business was customer service and quick fulfillment. Magnolia transformed the company’s call centers into 24-hour-a-day fulfillment centers.
Magnolia bragged to senior management that within one minute, a customer could speak to a live agent who would fulfill all of his or her lighting needs. He even told the board and investors that his goal was to have same-day shipping on any order received before 3 p.m. The company allowed customers to make payments with a credit card or checking account.
Credit card payments are standard in e-commerce; however, checking account payments are less common because they require an automated clearing house transfer, which can take up to three days to complete (see “Clearing the Clearing House” on this page). Ryan Weld, Glow Bright chief product designer and a firm believer in the internet of things, designed a new type of floodlight with an embedded camera called the MAX-FORCE 2000. It was revolutionary; with the click of one button, the customer could call for assistance. The camera would send live video and audio to a customer’s smartphone instantaneously. It was easy to install and did not require an expensive monthly monitoring fee.
The MAX-FORCE 2000 was introduced with a national advertising campaign and was an immediate success. However, even though Glow Bright’s business was booming, the e-commerce division was not meeting its cash flow goals. Magnolia continued to gloat that sales were skyrocketing, and he asserted that any shortfalls in cash were not his concern and should be researched by the finance department. Concerned about the e-commerce division, Lumiere asked James DuVall, Glow Bright’s CAE, to determine the cause of the shortfalls in cash flow. DuVall had recently introduced data analytics into the company’s audit process and was eager to delve into the cash flow concern. In reviewing the e-commerce financial statements, DuVall’s team noticed a spike in the accounts receivable aging reports.
The Automated Clearing House Network is the most widely used system in the U.S. for electronic bank transfers. ACH transfers are commonly used for automated or high-volume transactions such as direct deposits and scheduled billing. Because they are processed in batches and must be verified by a federal ACH operator, ACH transfers can take days to complete.
Sender authorizes the transaction and provides their banking details.
E-commerce platform sends the details, called ACH files, to the sender’s bank.
Sender’s bank debits the sender’s account and sends the files to an ACH operator.
ACH operator reviews, verifies, and forwards the ACH files to the recipient’s bank.
Recipient’s bank processes the payment and receives the funds.
Recipient is credited the specified amount and the transaction is settled.
The auditors decided to focus the data analytics tools on the customers in the accounts receivable aging reports. They identified a cluster of customers who had dozens and, in some cases, hundreds of orders but only made one or no payment. DuVall and his team continued to dig into the nonpayments and discovered most of the customers were calling the customer care department during evening hours and placing orders using a checking account to make an ACH payment. Furthermore, the orders were being fulfilled without being reviewed, and there was an excessive number of customers placing orders for dozens of floodlights in a single order.
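The kind of analytic the auditors ran over the aging data can be sketched as below. This is an added example, not code from the article or from Glow Bright; the record layout, the evening window (18:00 through 05:59), the thresholds and the order data are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

MIN_ORDERS = 3    # assumed: orders needed before a customer is considered
MAX_PAID = 1      # "only made one or no payment"
BULK_UNITS = 12   # assumed: a dozen or more units counts as a bulk order

# Constructed records: (customer, placed_at, method, units, payment_received)
ORDERS = [
    ("C-1001", "2023-01-05 21:14", "ACH", 24, False),
    ("C-1001", "2023-01-06 22:40", "ACH", 36, False),
    ("C-1001", "2023-01-08 23:05", "ACH", 12, False),
    ("C-1001", "2023-01-09 01:30", "ACH", 48, False),
    ("C-1002", "2023-01-05 19:02", "ACH", 12, True),
    ("C-1002", "2023-01-07 20:45", "ACH", 24, False),
    ("C-1002", "2023-01-10 21:10", "ACH", 24, False),
    ("C-2001", "2023-01-05 10:15", "CARD", 2, True),
    ("C-2001", "2023-01-12 14:20", "CARD", 1, True),
    ("C-2001", "2023-01-20 11:05", "CARD", 3, True),
    ("C-2002", "2023-01-11 20:30", "ACH", 2, False),
]

def is_evening(ts):
    # Assumed evening window: 18:00 through 05:59.
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
    return hour >= 18 or hour < 6

def exception_report(orders):
    # Aggregate per customer, then keep those with many orders and at most
    # one payment, ranked by the number of units shipped but never paid for.
    stats = defaultdict(lambda: {"orders": 0, "paid": 0, "evening_ach": 0,
                                 "bulk": 0, "unpaid_units": 0})
    for customer, ts, method, units, paid in orders:
        s = stats[customer]
        s["orders"] += 1
        s["paid"] += int(paid)
        s["evening_ach"] += int(method == "ACH" and is_evening(ts))
        s["bulk"] += int(units >= BULK_UNITS)
        s["unpaid_units"] += 0 if paid else units
    flagged = [{"customer": c, **s} for c, s in stats.items()
               if s["orders"] >= MIN_ORDERS and s["paid"] <= MAX_PAID]
    return sorted(flagged, key=lambda r: r["unpaid_units"], reverse=True)

if __name__ == "__main__":
    for row in exception_report(ORDERS):
        print(row)
```

A customer with a single unpaid ACH order is not flagged, since one open item may simply be a transfer still in flight.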
DuVall took his findings to Macy DeLuca, the chief financial officer. DeLuca had her team conduct a review of the sales orders in question. They found that the sales showed a good payment source in the billing system when the customer placed the order, but no money received when the ACH payment was requested.
DeLuca’s team discovered that Glow Bright’s payment system would identify that a valid ACH account was presented for payment. However, the billing system could not verify the transfer of funds for up to three days. DuVall worried that the company had become the target of fraudsters who were exploiting the ACH processing system and Glow Bright’s control deficiencies to obtain thousands of floodlights for little or no money. This led DuVall to consult with Genevieve O’Reilly, director of corporate security.
O’Reilly conducted background checks on the most egregious customers. She discovered that the names of many of the customers in question appeared to be aliases. O’Reilly suggested that these perpetrators were just stealing others’ identities and that there must be potential victims of identity theft. She then decided to conduct an internet search for resellers of the MAX-FORCE 2000. A review of several internet marketplaces identified sellers who were selling Glow Bright’s floodlights online. The quantity of units for sale led O’Reilly to believe that many of these devices could have been purchased by the fraudsters.
DuVall reviewed his findings with Lumiere and senior leadership, resulting in a series of changes. First, Glow Bright conducted research on payment systems and discovered that an IT solution was available that reduced the verification time for an ACH payment down to 24 hours. Next, the payment system was updated to correctly reflect the payment status of customers presenting credit cards or checking accounts for payment. Going forward, the company would not ship any product until payment from the customer was verified. In addition, Glow Bright updated its order system to require management review if a customer order exceeded predetermined thresholds.
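The control gap and its fix, side by side, as an added example that is not Glow Bright's system or the author's code: the status names, thresholds and order queue are constructed assumptions. The point it shows is the difference between "the ACH account is valid" and "the funds have arrived."

```python
from enum import Enum

class Payment(Enum):
    ACCOUNT_VALIDATED = 1   # ACH account accepted; no funds confirmed yet
    SETTLED = 2             # funds confirmed received
    RETURNED = 3            # ACH request came back unpaid

UNIT_LIMIT = 12         # assumed quantity threshold for management review
AMOUNT_LIMIT = 2000.0   # assumed dollar threshold for management review

def legacy_release(order):
    # Behaviour described in the article: a valid account showed as a good
    # payment source, so the order was fulfilled without waiting for funds.
    ok = (Payment.ACCOUNT_VALIDATED, Payment.SETTLED)
    return "SHIP" if order["payment"] in ok else "HOLD"

def hardened_release(order):
    # Ship only on settled funds; large orders also need management sign-off.
    if order["payment"] is not Payment.SETTLED:
        return "HOLD"
    over = order["units"] > UNIT_LIMIT or order["amount"] > AMOUNT_LIMIT
    if over and not order.get("approved", False):
        return "REVIEW"
    return "SHIP"

def unverified_units_shipped(orders, policy):
    # Exposure: units a policy would ship without confirmed payment.
    return sum(o["units"] for o in orders
               if policy(o) == "SHIP" and o["payment"] is not Payment.SETTLED)

# Constructed order queue (amounts are illustrative).
QUEUE = [
    {"id": "A", "payment": Payment.ACCOUNT_VALIDATED, "units": 36, "amount": 5400.0},
    {"id": "B", "payment": Payment.SETTLED, "units": 2, "amount": 300.0},
    {"id": "C", "payment": Payment.SETTLED, "units": 40, "amount": 6000.0},
    {"id": "D", "payment": Payment.SETTLED, "units": 40, "amount": 6000.0,
     "approved": True},
    {"id": "E", "payment": Payment.RETURNED, "units": 24, "amount": 3600.0},
]

if __name__ == "__main__":
    for o in QUEUE:
        print(o["id"], legacy_release(o), hardened_release(o))
    print("legacy exposure:", unverified_units_shipped(QUEUE, legacy_release))
    print("hardened exposure:", unverified_units_shipped(QUEUE, hardened_release))
```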
O’Reilly and Glow Bright’s legal department worked with the various internet marketplaces’ fraud departments to take down online sellers who were suspected of selling stolen floodlights. Glow Bright supported law enforcement in criminal investigations where the fraudsters could be identified.
The e-commerce business creates payment challenges that bad actors may take advantage of. Internal audit should proactively troubleshoot payment verification processes to identify control gaps that may be exploited.
Any business engaged in e-commerce should verify payment before shipment. There are software products that can reduce the verification process of ACH payments down to 24 hours.
Businesses engaged in e-commerce should consider requiring management approval for customer orders that exceed a quantity or dollar threshold. Orders that appear to be too good to be true probably are.
When products are shipped before payment is verified, exception reports should be created to identify customers who are not paying for products and their accounts should be suspended until payment is received.
This article is also available on the All Things Internal Audit Fraud Podcast.