The out of control controller, part one A swipe too far. It was supposed to be a routine follow up. Bruce Kraus lead partner for the external audit team at Allied Engineering had just wrapped up his firm's field work when the company's CFO gave him a call, but it wasn't about the audit. The CFO sounded tense. He explained that controller Jane Simmons had allegedly racked up $15,000 in unauthorized personal expenses on her corporate American Express card. Krause was surprised.
Allied only issued cards to four executives, and Simmons was one of them each month. Simmons personally brought the CFOA check to pay off the company's credit card bill, and each month he signed it without reviewing the accompanying statement. That lacks oversight became a major problem. A staff accountant scanning receipts into the company's document management system spotted some unusual charges. When he flagged the issue to the vice president of engineering. The two launched a quiet reveal.
The charges weren't just questionable. They were personal. They brought their findings to the CEO. Simmons was questioned and immediately admitted to the theft. She was fired and escorted off the premises. But that was just the beginning. Part two, a wiped drive and a widening scope. Kraus and his forensic team moved quickly.
Their initial focus was the corporate credit cards where they confirmed that Simmons had used the company account for personal meals, gas flights for family members, and various other unauthorized expenses. But soon the red flags started piling up. It wasn't a one-off scheme. This had been going on for years and likely involved multiple methods of embezzlement to complicate things.
Further, Simmons had been allowed to take her laptop home after her termination, claiming it contained personal files. When she returned it two weeks later, the hard drive had been wiped clean. Investigators lost access to emails, files, and digital records that might have further clarified the extent of her activities. Even so, they pressed on the deeper they dug, the more they uncovered. Simmons had stolen approximately $250,000 over a five year period using 11 different schemes.
Four of them stood out. Part three, a pattern of deception. One, the gift card grab. Allied Engineering hosted two major family events each year. Attendees received $100 gift cards and Simmons helped plan the events, including ordering the cards. But Krause's team discovered she had quietly doubled the gift card order, keeping the extras for herself because she also handled the bank transactions and reconciliations. She was able to hide the discrepancy for years.
Two, the ghost on the payroll Simmons 16-year-old daughter Julie, worked a short clerical assignment when she left to return to school. Her record should have been terminated in the payroll system. It wasn't. Simmons simply switched the payment account to her own for months. Simmons was getting paid through her daughter's ghost employment. No one noticed three. The bonus bump.
After company events, Simmons sent handwritten bonus requests to the CEO, including herself among the planning committee. Once the CEO signed off, she discreetly altered the figures doubling or tripling her bonus. Because the request process was entirely on paper with no digital approval trail, the changes went unnoticed. Four, the company car caper. Two years earlier, allied had been preparing to auction a well-maintained company vehicle.
Employees were excited to bid on it, but the Friday before the auction, Simmons simply drove it home and gave it to her daughter Simmons controlled vehicle titles and insurance. So the theft went unchallenged. For nearly two years, the car remained an allied's name insured by the company before Simmons quietly transferred the title to herself and sold the vehicle. The kicker. Nearly everyone at the company knew she had taken the car.
Everyone except the C-E-O-C-F-O and Vice President of Engineering Part four aftermath executives at Ally decided not to prosecute Simmons due to her 22 year tenure. But she was required to pay restitution for as much of the $250,000 as possible. Krause reported that none of the individual schemes or the total losses reached the materiality threshold for the financial statements. Still, the reputational damage and internal control failures were glaring.
Allied's experience reveals multiple critical control failures and how even long trusted employees can exploit them. This has been the All things internal audit fraud podcast. Fictionalized accounts. Based on actual events brought to you by the Institute of Internal Auditors, i I a members can access the full story and this month's issue of Internal Auditor Magazine, including bonus materials on lessons learned.
To read more, visit internal auditor dot the iia.org for more fraud related resources, including guidance and thought leadership from the I A and the A cfe. Visit the iia.org/afe fraud.