It's your own fault if you get robbed!

by Patrick Müller

29.04.2022

0 Shares

"If you get robbed, it's your own fault!" I'm not the one saying this, but Stephan Brannys, who in the 1990s stole hardware worth approximately €31 million from his employer. What’s fascinating about older cases like this is that the perpetrators are often more open about their actions and motivations after serving their sentences, making it easier to understand the circumstances. I had such an opportunity when Mr. Brannys spoke about his actions and the circumstances during a forensic training session.

For companies, the key question is how to detect early signs of systematic misappropriation and prevent them from happening, or how to identify embezzlement beyond scheduled inventory audits.

According to a recent fraud study by the Association of Certified Fraud Examiners (ACFE), the average time to detect fraud cases is between 12 and 18 months. Even in larger, publicly known theft cases, it took some time before they were discovered. Considering the current economic situation due to the pandemic, war, and supply chain issues, the question arises of what impact this will have on employee crime and how companies can enhance or begin using known prevention measures.

Are companies to blame if they get robbed?
The ACFE's study covers all types of fraud, including embezzlement of assets, which can be either cash or inventory and other assets. Such embezzlement cases are not rare. For example, a fraud involving €1.6 million worth of shopping vouchers occurred at the measuring instrument manufacturer Testo between 2010 and 2015. In the 1980s, unauthorized cash withdrawals at Metro AG amounted to around €18 million, and at Hewlett-Packard (HP), server components worth around €31 million were stolen.

What’s intriguing about these older cases is that the perpetrators often become more open about their actions after serving their sentences, providing insight into their methods and motivations. This openness helps improve prevention strategies. Stephan Brannys, for instance, mentioned his daily 25-kg thefts at HP: "Companies are to blame if they get robbed. I did it back then because I could. No other reason." Günter Schotte-Natscheff, on the other hand, had disagreements over Metro's payment system security and regularly complained about his supervisor: "(...) he has no idea, and I'd love to show him up." Shortly thereafter, he committed the fraud to prove his point.

If we categorize these statements within the Fraud Triangle, we can see that the opportunity and self-justification are closer aligned than in other fraud cases. Taking the current economic situation into account, we can assume that the incentive within the Fraud Triangle framework has significantly increased due to the pandemic, supply chain issues, and the effects of the Ukraine war.

In my opinion, the blame cannot entirely be placed on the companies. However, in various fraud and damage cases, there might be assessments to determine whether the internal control system (ICS) was appropriate, whether the risk assessment was accurate, and whether the resulting controls were targeted. Depending on the assessment outcome, this could lead to shared liability for the management or the board. For this reason, companies should assess their business processes and data for systematic misappropriation possibilities and address such issues in risk workshops.

Stages of Misappropriation
When examining various fraud scenarios related to asset misappropriation, we can generally identify four key stages: appropriation, concealment or cover-up, liquidation of the stolen goods, and use of the loot. These stages mostly apply to the theft of physical goods. In cases of cash misappropriation, the concealment may begin before the appropriation, and liquidation may not be necessary.

Comparing the misappropriation of cash with the misappropriation of physical goods, the advantage of cash is that it doesn’t need to be sold. The downside of cash (compared to physical goods) is that access to business processes, particularly accounting, is restricted to relatively few employees. On the other hand, the misappropriation of physical goods can be enjoyed by a wider group of employees. As a result, different scenarios require different monitoring and control measures.

Misappropriation of Financial Assets
When it comes to the misappropriation of financial assets, there are several ways to do it. Some examples are provided below. It becomes clear that the embezzlement of financial assets is not limited to employees in accounting departments.

Fraudulent purchase orders with fictitious suppliers are often used to extract large sums of money from a company. This money is then used for private purposes or further fraudulent activities, such as bribery. The primary activity here involves concealing the fictitious supplier and pretending that a real business transaction has taken place. A special form of concealment is the temporary manipulation of the bank details of current or former suppliers, instead of creating a new fictitious supplier. Depending on the perpetrator’s profile, the amounts may also remain below a certain threshold to bypass necessary approval processes. If such activities go undetected, the number of small transactions will determine the extent of the damage. Fraudsters typically try to process these fraudulent transactions just like legitimate ones, allowing them to blend into the overall volume of transactions.

To detect such fraudulent activities, it is advisable to closely examine supplier bank account details and ordering behavior. Start by checking if there have been any changes from an original bank account to a new one, which was later changed back to the original. If you identify such a pattern, the next step is to review the transactions that occurred when the changed bank account was active.

Another way to detect concealed supplier manipulation is to look for simple bank account changes from X to Y. Once you identify a pattern, which is likely, compare the order behavior before and after the change. Check whether the same materials, products, or services were supplied, if the volumes and frequencies are similar, if the deliveries were sent to the same locations, and if the same departments placed the orders.

To identify fictitious suppliers, focus on suppliers who only receive orders from one or a few cost centers and don’t supply goods but instead provide services. In your review, exclude orders where goods deliveries can be technically identified and physically verified. Avoid solely focusing on specific units of measurement, like services, as you might miss important quantities. For the remaining orders, examine whether the suppliers delivered only to one or a few business units. If such suppliers are found, it is advisable to first verify the legitimacy of the supplier. If the supplier is legitimate, then verify the bank details and have at least one transaction confirmed by the supplier's accounting department.

While fraudulent orders usually occur through normal ordering processes, there is also the possibility of manually initiating payments outside these processes in accounting, with a commonly used expense account used to cover it up. This is a hypothetical scenario because such transactions are usually validated and questioned by the ICS, internal audit, and external auditors during year-end audits.

To identify such transactions, you can start by logging the use of payment programs and identifying payments that didn’t originate from standard purchasing or payment processes. These can be identified from payment run data, as well as accounting data. You can also perform an analysis of offsetting accounts in the accounting data. Normally, the offsetting accounts for bank accounts should be general ledger accounts managed by ERP systems and not directly accessible by individuals. If you come across other accounts, you should investigate these transactions further and trace their origin.

Another method of misappropriating cash is through a "man in the middle" attack during the sales process, where funds owed to the company are partially siphoned off. In this scenario, a salesperson might use an intermediary company to divert a portion of the sales price. Alternatively, several sales can be bundled together to secure a volume-based bonus at the end of the year.

To detect such schemes, you can look at customers with drop shipments, where the billing and shipping addresses differ significantly. For such customers, first verify their legitimacy. Once confirmed, have a sample transaction verified by the customer’s accounting department.

In general, regardless of the misappropriation method, accounting involvement and the recording of the transaction are usually closely tied to the fraud scenario. In the following section, we will explore the misappropriation of physical goods, highlighting the distinction between appropriation and the accounting or IT system-based concealment of the crime.

Misappropriation of Physical Goods
Unlike the misappropriation of financial assets, physical goods cannot simply be transferred. They must first be appropriated and then removed from the company’s premises. In theory, personal and vehicle checks could easily prevent this, but in practice, these checks are costly and sometimes face legal challenges, which is why comprehensive checks are often avoided or conducted randomly. Despite security measures, systematic misappropriations still occur, exploiting loopholes. Similar to fraudulent business transactions, perpetrators try to blend in with normal activity, and with around 220 working days a year, they have ample opportunities to test weaknesses in the system when leaving the premises without actually taking anything. If they are caught, the consequences are often minimal.

There’s also a saying, "Opportunity makes thieves," which applies to the case of Stephan Brannys at HP, where he initially discovered a weakness unintentionally and without intent, only to exploit it later.

To identify such weaknesses, companies often hire external security consultants, but rarely involve their engaged employees. This additional input should not be underestimated, as employees are often well aware of the problems with processes and systems.

Concealment of Physical Goods Misappropriation
In addition to measures against the misappropriation of physical goods, it’s useful to analyze concealment methods used after the theft. Unlike the misappropriation of financial assets through fictitious business transactions, significant goods will be missing from inventories after their theft. To avoid detection and continue misappropriating, perpetrators use methods to adjust the inventory to the fraudulent, reduced reality. This often involves pretending the goods were of poor quality, scrapped, or given away as free samples, or intentionally bypassing inventory management to create opacity, allowing mid-year inventory discrepancies to be written off as adjustments.

To detect concealment entries in inventory management, examine the combinations of movement types (essentially reasons for inventory changes) for the respective materials and compare them with the programs, functions, and user types involved in the booking. This comparison is recommended because inventory systems often use terminal stations without individual user credentials.

After creating these combinations, it is advisable to first review rare combinations with high monetary impacts and then question materials involved in special processes such as scrapping and inventory discrepancy bookings, assessing their resale potential.

As mentioned earlier, physical goods must usually be liquidated. For this reason, goods with high resale value are particularly vulnerable. These typically include finished consumer products or raw materials. Regarding the HP thefts, it's worth noting that with a bit of entrepreneurial criminality, server components intended for business customers were modified to work in standard consumer computers, making them easy to sell to end consumers. For this reason, inventories of such goods should be closely monitored.

To detect suspicious inventory changes, it’s advisable to conduct trend analyses. If thefts are not covered up by adjustment entries, unusually high inventories will build up. With mass data analysis, you can calculate inventories per day, per material, and per location. While higher fluctuations are expected and not necessarily suspicious, focus on materials with consistently high inventories or those whose long-term trends show a sharp increase, deviating from the norm.

Transport items such as Euro pallets and mesh boxes, which are easily resold in secondary markets, are also particularly vulnerable. Due to their frequent turnover and trading between companies and shipping firms, these transport items are often not recorded in inventory or are tracked without a book value. Actual inventory levels are usually determined during the year-end audit, and any theft is included in these adjustments.

It is worth noting that in early April 2022, Tagesschau.de reported a shortage of steel wires, leading to a potential shortage of pallets. This would add another challenge to already strained supply chains and could boost the black market for transport materials. Therefore, it is advisable to keep a close eye on these items, both physically and in the system.

To combat such misappropriations, companies should reassess their established inventory management and possibly adjust the dates of inventory checks, securing the inventories of these goods with trend analyses.

Special Case: Procurement without Genuine Need for Direct Misappropriation
In the fraud case at Testo, there was a particularly sophisticated form of misappropriation. Here, vouchers were stolen and used personally, even though they were supposed to be distributed by sales to potential new customers or to maintain relationships with existing customers. Since there is rarely full traceability of the voucher recipients, and the redemption is linked to the perpetrator through a third-party company, such cases are often only identified through time-consuming contact with the supposed voucher recipients.

This case can be generalized as procurement without genuine need for direct misappropriation. Similar to financial assets, such purchases are usually made by a limited number of employees, meaning additional procedures and controls can be implemented to address these transactions.

The challenge often lies in timely detection. To identify such cases, you can use a similar approach as described earlier for financial misappropriations. This time, however, you analyze orders for expected goods deliveries where the quantities, for example, are in units but there are no inventory entries, and the goods receipt is confirmed differently. You’ll likely receive many results, so you should now analyze these orders regarding the referenced or described products or product classes. It is also helpful to link the orders to the corresponding expense accounts in the accounting system. This allows you to identify outliers through descriptive statistics for each expense account and to identify high-value, high-risk uses based on the general ledger account names.

As previously mentioned, follow-up on these cases often requires a disproportionate amount of effort, so it’s advisable to perform such analyses regularly to identify recurring or high-value transactions early, allowing for an individual risk assessment. For instance, a four-eye principle can be implemented when sending such vouchers.

Summary Recommendations:

Review business processes and data for systematic misappropriation risks and secure them.
Secure especially critical processes, such as manual payouts in accounting, with follow-up controls and mass data analyses.
Ensure that rare stock movements, such as scrapping, are traceable and conducted by individual users.
Analyze unusual inventories and trends regularly using data analyses.
Continuously detect and address process bypasses and deviations using data analyses.
In risk workshops, specifically address misappropriation risks and ask employees about potential scenarios.
Allow risk management and internal audit employees to gain hands-on experience with potential misappropriation scenarios.
Engage external consultants for training on possible misappropriations and to help detect loopholes.