In Hamburg, a decision was made at the beginning of the year about a particularly serious case of embezzlement and forgery. We looked into the case and came to the conclusion that a company could have discovered the fraud itself with the help of zap Audit. How? That’s what we are going to explain in this blog post.
Some background about the case
The case in question concerns a 28-year-old former official of the City of Hamburg, who had transferred 418,000 euros from the tax authorities to her own account, as well as to the account of her parents. The only reason that the fraud came to anyone’s attention was because a bank employee noticed the unusually high transactions and then informed the authorities.
The full article can be found on the website of the German regional broadcaster NDR (in German):
How could such a case be detected with the help of data analysis?
This is a question that could arguably be answered very quickly and easily as follows: namely, with a combination of our Financial Process Mining and an analysis of the subsequent data, which we shall refer to as a “dragnet investigation”.
Using Financial Process Mining, we first reconstruct all the processes that led to a document or posting in Financial Accounting. Since the convicted perpetrator actively transferred money from the city treasury to a private account, there will thus be a posting in Financial Accounting. The process is then transferred to the subsequent data analysis / grid search phase.
In the dragnet investigation, all process steps are screened and, depending on the indicator, are analyzed for abnormalities in the process steps before and after posting.
Which data indicators would have come up?
The list can be quite long due to the large number of indicators and some of them can only be clearly said to be applicable by making certain assumptions. However, this is not so much due to the indicators themselves as to the lack of information in the article. So, let’s take a closer look at the indicators and why they could have come up:
|ID||Indicator||Explanation||Influence(weak, medium, high)|
|66||Segregation of duties (creating/ changing master data and parameters for payment run)||It seems that the perpetrator could easily create master data and initiate a payment to the accounts.||high|
|66||Segregation of duties (creating/ changing master data and posting invoices)||It seems that the perpetrator was able to create master data without any problems and, where necessary, also check and post an invoice. The invoices, after being checked and posted, then enter the payment run, often along with many other invoices, and are paid.||high|
|38||A single user carried out the complete business process||The text does not reveal any accomplice, which makes this indicator relevant. It is always very risky when complete business processes can be carried out by just one person. There is no application of the “four-eyes” principle in such a case.||high|
|65||Processes with more than one change to the same master data field||Multiple changes to the bank account number, since transfers were made to both the perpetrator’s own account and the account of her parents. Users can disguise a transfer to a specific bank account by changing the bank account and then changing it back after the transfer has been made.||high|
|9||Multiple CPD payments to the same bank account||CPD accounts (one-time accounts) are collective accounts that are not assigned to a specific person. The perpetrator transferred money several times. If a vendor (in this case, the parent or perpetrator) has been entered as a CPD account, this indicator will pick it up. Multiple CPD transfers to the same bank account should be an exception, as otherwise a separate vendor account should be created.||medium – high|
|34||Vendors with multiple bank account changes||Using a single vendor account for the transfers, the perpetrator would have to change the bank account field several times in order to transfer money to herself and her mother.||medium – high|
|64||Business process starts with payment transaction||If the perpetrator does not use the same invoice as a reference every time, there may conceivably be sequences that start with a payment.||medium|
|32||Missing vendor||Assuming that the offender deleted the vendor account after the 12 transfers were made.||weak – medium|
|72||Referenced vendor changed between invoice and payment||The legitimate recipient had the same name as her mother. This may not even be noticed if the vendor is changed between invoice and payment.||weak – medium|
Table 1: Possible zap Audit indicators related to the case
In addition to the ID and the name of the indicator, a brief explanation of why the indicator would be show up in this case is given. The influence describes how relevant we consider the indicator to be if the authority concerned had used zap Audit.
Each indicator, taken in isolation, may initially only appear to be somewhat critical. However, it is when you put all of them together that the picture really starts to become clear. An individual finding is when an indicator gives a positive result for one object of investigation. Once you put all the individual findings together, you would probably no longer try to claim that the process / sequence does not look critical, would you?
This is another advantage of our automated auditing process. You not only see a finding in the report, but you can also display all findings at document level. On occasions, it is the combination of several individual findings together that can really arouse an auditor’s interest. Plus, not much effort has to be put into the process up to this point. All you need is a few details on how to set up a connection to your SAP system and a corresponding user, and the data extraction, financial process mining and analysis can then be run fully automatically. Are you still conducting your own data analyses and having trouble to see the connection between individual sequences / processes? Perhaps you are all too familiar with the pain that can involve?
Then what are you waiting for?
zap Audit is available to download free of charge. All the data extraction up to the point of generating an audit report is completely free of charge.
Embezzlement: Prison sentence for official employee
A 28-year-old former official of the City of Hamburg has been sentenced to a jail term of two years and ten months because of a particularly serious case of embezzlement and forgery. According to the judgment of the Altona District Court on Wednesday, the woman had transferred about 418,000 euros from the tax authorities to her own account and an account of her parents, as reported on NDR 90.3. The prosecutor’s office had demanded three years imprisonment; the defense entered a plea for parole.
The report says that the mother of two young children had no financial problems, earned quite a good living as a civil servant and was popular with her colleagues. During the trial, her supervisor described her as experienced expert in accounting: “You could only wish to have such an employee. That was at least the case until January 27, 2015. On this date, the former public authority official employee transferred money to her mother’s account for the first time. By chance, the legitimate recipient of the money happened to have exactly the same name as her mother. And, by mistake, she is supposed to have copied her mother’s account number into the form, the defendant claimed. The court however clearly believed otherwise.
Motive of woman remains unclear
The court also did not believe it to be a case of the “shifting of a decimal place” which resulted in an amount of 394,440 euros being transferred. In fact, the amount transferred should only have been 3,940 euros and 40 cents. The defendant did however admit that she had made the same mistake twelve times in four months. She was either unable to or did not wish to give any motive for her actions. Her lawyer suggested it may simply been the lure of thinking: “I can do this – a kind of digital kleptomania.”
Attentive bank employee
An employee of Hamburger Sparkasse noticed the unusually high sums of money being transferred from the city treasury to a private bank account. He duly informed the authorities. They noted that a total of 418,000 euros was missing from the treasury and filed a complaint.
The prosecution assumed that the defendant wanted to obtain a permanent source of income. To this end, she had opened an account under her maiden name. In addition, she also used her parents’ account to commit the fraud.