Scenario : Aurora - uncovering a fraud that requires improved Internal Control and audit systems

Aurura Pty Ltd is a busy parcels delivery business that has experienced very rapid growth in demand for its delivery services during the Covid pandemic. This high demand has forced the company to ask its employees to work overtime, as well as employ extra casual staff, to meet custumer delivery targets.

Following the board's latest meeting, the CEO reveals that a significant financial fraud has been discoved by the Chief Financial Officer. The fraud was planned by the temporary payroll officer, Mr Raza Asul, and the logistics manager, Ms Shirley Jones.

Mr Raza Asul took over the payroll duties after the payroll supervisor was forced to take sickness leave after a serious car accident. The payroll supervisor was responsible for reviewing and signing off the payroll data produced by Raza, before the Finance department released payments. Due to the supervisors absence, Raza had taken over both roles: preparing the payroll run and then signing off.

Meantime, Shirley Jones was responsible for producing and authorising the overtime schedule for each week. She would send to Raza the approved weekly overtime figures for each employee, to enter into the payroll system.

Aurora's Human Resource department maintains standing data on all full-time and casual employees. The standing data is updated when an employee joins or leave the organisation. This data contains each employee's personal bank details used by the Finance department to pay the weekly staff salaries. The assistant head of Human Resources was designated by the CFO to be in charge of updating the standing data.

In order to improve security on site, all internal doors leading to the areas containing confidential information in the Finance and Human Resource departments had been fitted with a digital passcode entry system. To gain access to these restricted areas, authorised staff were required to enter a four-digit code to unlock the doors. But due to some glitches with this security system, all internal entrances had been left unlocked for a week.

Raza found out about the problem with the door locking system when he was having lunch with some of the HR staff. Late the following evening Raza was able to access the HR data where he added three false or 'ghost' employee names - all with the same false bank account details. He also knew that HR department had disabled the required four-digit security settings on all of its computers because most of the staff in that department regarded the need to continually update their passwords as too bothersome and unnecessary.

Shirley Smith submitted false overtime claims to the payroll department for the three 'ghost' employees. Using the company's payroll processing system, Raza was able to put through weekly payments for each of these ghost employees into the false bank account.

Arora's policy requires that significant variations in staff costs should be automatically red-flagged and discussed with the head all Finance, prior to payments being made. Initially, a junior but smart member of the Finance department queried the sudden rise in overtime payments with Raza, who downplayed and dismissed her concern by saying that "this overtime was needed to meet the staff shortage". So, no further action was taken.

Raza and Shirley were able to gain a significant amount of additional pay, which was deposited into the false bank account operated by these two fraudsters. The fraud was not uncovered until five months later, when the assistant head of HR conducted an audit review of the standing data. He realised that the three 'ghost' employees all had exactly the same bank account details.

In response, the CEO ordered a full review of the company's internal controls to ensure that a similar fraud cannot occur again. The board of Aurora has agreed to provide whatever funds are necessary to implement the findings and recommendations from the full review, to improve the internal control systems.

Question : Recommend practical steps to the CEO and CFO, to improve the internal control processes and stop payroll fraud happening again. Include these key factors in your answer and gain extra marks if you can fit them into the 'APIS' mnemonic - Authorisation; Performance reviews; Information processing; Physical controls; Segregation (separation) of duties.

i. Improved security systems in all departments

ii. Improved professional behaviour and ethics across the whole organisation

iii. Improved Accounting processes in the Finance department