Computer Consultant Helps Nab Bad Guys in Payroll Fraud Case

A CPA firm, assisted Guss Ginsburg of Beechnut Consulting Services, with expertise in database technologies and business, was successful in breaking a payroll fraud case recently.  The client company discovered that their payroll manager had been under-withholding from his regular paycheck in deduction categories such as federal income tax and social security.  In fact, he had figured out how to enter transactions into the payroll system to zero out withholdings in these categories.  Upon a preliminary investigation which determined that the manager had been doing this for a number of months, the company fired the payroll manager, and then brought in the CPA firm to investigate whether others in the company were involved and to determine the extent of the fraud.  Among the client’s other concerns were how they were being defrauded, and what they could do to prevent this from happening again.

Gathering the Data
After planning the project, the next step was to acquire the transaction data from the company’s payroll system.  The ideal solution is to get the data directly from the company’s accounting system, along with information about the structure and relationship of the various data elements.  However, this was not practical, since there was not a software expert in the company who understood enough about the internal structure of the accounting software and data.  Since the success of the investigation depended on getting meaningful data from their system, we used a different approach.  We requested that the Information Systems Manager run a report showing all the payroll detail transactions, listing each paycheck issued to each recipient in the past three years with all the details, indicating how much was withheld for each of a number of deduction categories, and the net pay for each check issued.  The report, instead of being sent to a printer (maybe 50,000 pages, lots of trees), was saved to a text file and provided to us on a disk.  We were then able to write a program to extract the data into files that could be interrogated with whatever questions the project manager needed answered.  The resulting database contained about 300,000 transaction records, and included information on employees, paychecks, and deductions.

Among the questions posed were:

  1. List all people who received paychecks where any mandatory deductions were zero, or below a defined threshold.
  2. How did the fraud occur?
  3. How much money was involved?
  4. Identify people with multiple social security numbers.
  5. Identify social security numbers used by multiple people/mailing addresses.
  6. Identify vendors in the Accounts Payable system with the same address as payroll check recipients.
  7. Were multiple vendors/payees showing the same mailing address.

We were able to provide answers to the above questions.  We concluded that there were about a dozen or so individuals involved in the scheme to defraud the company by various manipulations of the payroll system.  Using network log files, we were able to identify the workstations where the transactions were entered, as well as the date and time they occurred.  We also captured logged-on User ID’s, so we knew who all the conspirators were, as well as how they did the deeds.  There were some fictitious names on the payroll, some with identical social security numbers.   The final report to the client provided a clear road map of what their exposure was, as well as recommendations for implementing new controls in their payroll system.

About the author:  Guss Ginsburg is an Information Technology consultant specializing in auditing and investigative projects, using database technologies to help clients fathom the truth from oceans of corporate data.  He can be reached at