In one of the simplest thefts I’ve read about, a nonprofit administrative officer wired $6.9 million from an Ohio bank account to a private Austrian account. In this post, I’ll show you how wire transfer fraud occurs and how to prevent it.
Stealing a Cool $6.9 Million
The nonprofit administrator originated the wire with a fax, taking less than an hour. Since the officer was authorized to make wire transfers, no one at the bank questioned the transaction–until it was too late.
The fraudster landed in Austria, called his wife and said, “I’m not coming home.” Interestingly, the wife called the police and turned in her husband. He later came back to the States of his own volition. I guess, after a few boat rides down the Danube, he missed his family. Did he go to jail? Yes.
The nonprofit entity did not establish appropriate controls over cash wire transfers. One person (by himself) could move funds.
The fix for this weakness is to require (at least) two persons to consummate all wire transfers.
As you think about wire transfers, consider that they can originate with:
- Phone calls,
- Personal visits to banks, and
Determine how your bank handles wire transfers, and craft your internal controls accordingly.
Organizations should do the following to mitigate wire transfer fraud:
- Require the bank to limit daily wire transfer amounts (e.g., $25,000 per day for each employee)
- Require two persons to consummate all wire transfers to external parties (an essential control in my opinion)
- If the wire transfer request is made by phone or fax, require the bank to call your organization back before the wire transfer is consummated
- The bank should require the use of unique passwords to access wire-transfer software; consider using a bank that provides bank token keys (small hand-held devices that generate unique identification numbers; these numbers are required to make wire transfers)
- Restrict bank accounts so that wire transfers can be made only to bank accounts of the organization (e.g., transfer from operating bank account to payroll bank account)
- Have someone peruse the daily bank account activity (using online access); at a minimum, reconcile bank statements in a timely fashion (large organizations should consider reconciling bank accounts more frequently than once a month; some reconcile daily)
- Require sufficient documentation for all wire transfer journal entries; require a second-person review of these entries
- Consider using a dedicated computer for all wire transfers; do not use this machine for any other purpose (malware is often picked up by computers as users visit tainted websites)
- Use all bank-provided wire transfer controls
- Any transactions over a certain high dollar amount (e.g., $50,000) must have the approval of the business owner/CEO
If you’re an auditor, consider–as you audit cash–whether these controls are in place.
30 Days of Fraud Series
If you found today’s post helpful, consider subscribing to my blog below. I am providing 30 posts like this one showing how various frauds occur and how you can prevent them.