Some fraudsters funnel money into fake bank accounts. Today, I show you how one controller did so and walked away with millions—and then hid on the Appalachian Trail.
Fake Bank Account
In May 2015 James Hammes was arrested for the theft of $8.7 million from his former employer, G&P Pepsi-Cola Bottlers. After Mr. Hammes was confronted about the theft in February 2009, he left his home and hid on the Appalachian Trail, which runs from Georgia to Maine. Hammes assumed a hiking name of “Bismarck” and spent several years on the popular trail. Fellow hikers enjoyed Bismarck since he seemed to be one of them.
So how did he steal the money?
How the Funds Were Stolen
The FBI reported the following:
Court documents show that Hammes’ embezzlement began around 1998. As a controller, he was responsible for all financial accounting and internal controls for his division, including supervising accounts payable to several hundred outside vendors. He carried out the fraud by establishing a new bank account for an existing vendor at a different bank. He then deposited hefty payments to that vendor—often $100,000 at a time—in the phantom account that he alone controlled. He then could transfer money from the phantom account to his personal accounts.
“He knew how to cover his tracks by manipulating audits and ledger entries,” Jones said. “He got away with it for so long because he knew how to manipulate his subordinates and how not to raise accounting red flags.”
So, Hammes opened a fraudulent bank account at a bank that the vendor did not use and deposited vendor checks into that account. Then he transferred funds out of the fraudulent bank account to himself. Since he opened the account, he was the authorized check signer. Simple but effective.
You may be wondering how the theft could go on for so long without detection.
Vendor Payment Controls Lacking
If extra payments were made to vendors (and it appears that occurred), then the company may not have been reviewing vendor payments. If appropriate controls are not in place, it’s easy for a fraudster to make fraudulent vendor payments without detection, especially if hundreds of monthly checks are processed.
Also, it appears the company may have lacked sufficient segregation of duties since Hammes was able to disburse extra vendor payments without detection.
Vendor Payment Controls
Periodically, review the total payments made to each vendor. For example, generate the total monthly payments made to XYZ Company. Then compare the monthly payments over a two- to three-year period. If payments increase greatly, then someone within the company may be making additional payments and stealing those checks. Or there may be a legitimate reason for the increase. Either way, it’s wise to review vendor payments for anomalies.
Another test you can perform is to look for multiple addresses for the same vendor. There may be legitimate reasons for more than one address, but you want to create a list of vendor addresses and verify that they are appropriate. The same is true for electronic vendor payments: see if there are multiple bank accounts you are wiring payments to. Then determine if these are appropriate. Additionally, obtain the physical address of each vendor and determine if the company is real. Do not accept P.O. Box addresses for verification purposes; again, you need to know if the company exists. (See my article Fictitious Vendor Fraud: How to Prevent It.)
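The two tests described above (monthly totals per vendor compared over several years, and more than one bank account for the same vendor) can be run over an exported payment ledger. The following is an added example, not part of the original article; the ledger rows, account labels and the 3x-median threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample ledger (not real data): (date, vendor, bank account, amount)
PAYMENTS = [
    ("2006-03-10", "XYZ Company", "BANK-A-1001", 20000),
    ("2006-09-12", "XYZ Company", "BANK-A-1001", 22000),
    ("2007-03-09", "XYZ Company", "BANK-A-1001", 21000),
    ("2007-09-14", "XYZ Company", "BANK-A-1001", 23000),
    ("2008-03-11", "XYZ Company", "BANK-A-1001", 22000),
    ("2008-03-25", "XYZ Company", "BANK-B-7788", 100000),  # second account
    ("2008-09-10", "XYZ Company", "BANK-A-1001", 24000),
    ("2008-09-26", "XYZ Company", "BANK-B-7788", 100000),  # second account
    ("2006-05-02", "ACME Supply", "BANK-C-4400", 5000),
    ("2007-05-03", "ACME Supply", "BANK-C-4400", 5500),
    ("2008-05-05", "ACME Supply", "BANK-C-4400", 6000),
]

def monthly_totals(payments):
    """Sum payments per vendor per calendar month (YYYY-MM)."""
    totals = defaultdict(lambda: defaultdict(float))
    for date, vendor, _account, amount in payments:
        totals[vendor][date[:7]] += amount
    return totals

def spike_months(payments, factor=3.0):
    """Months where a vendor's total exceeds factor x its median month."""
    flagged = []
    for vendor, months in monthly_totals(payments).items():
        base = median(months.values())
        for month, total in sorted(months.items()):
            if base > 0 and total > factor * base:
                flagged.append((vendor, month, total))
    return flagged

def vendors_with_multiple_accounts(payments):
    """Vendors paid into more than one bank account, with totals per account."""
    accounts = defaultdict(lambda: defaultdict(float))
    for _date, vendor, account, amount in payments:
        accounts[vendor][account] += amount
    return {v: dict(a) for v, a in accounts.items() if len(a) > 1}

if __name__ == "__main__":
    for vendor, month, total in spike_months(PAYMENTS):
        print(f"review {vendor} {month}: {total:,.0f}")
    for vendor, accts in vendors_with_multiple_accounts(PAYMENTS).items():
        print(f"verify accounts for {vendor}: {accts}")
```

Every flagged vendor still needs a person to confirm the account with the vendor directly, since there may be a legitimate reason for the increase or the second account.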
If your company pays hundreds of vendors, you may want your internal audit (or external auditors) to periodically test vendor payments for appropriateness. Tell your payables personnel this will be done from time to time on a surprise basis. This will help keep them honest.
Maybe with these controls, you can prevent payments to fake bank accounts and keep your employees off the Appalachian Trail.
For more information about auditing payables, see my article Auditing Accounts Payable and Expenses: A Guide.
Yes, wow. I love this story.
Chuck, I do think data mining and the evolving new tools will help us find fraud in the future.
Thanks, Linda. You know how I love fraud stories!
Andy, yes, some frauds involve double paying an invoice and stealing the second check. Then converting it to cash. Looking for duplicate payments can be a good fraud detection method.
I wonder if any of these fictitious payments would have been duplicates of legitimate purchases (which could have been caught by searching for duplicate payments per a previous Hall Talk post).
Having been an outside auditor all my adult life, I know that conventional auditing procedures may not have caught the fraud. The vendor was a legit vendor; examination of the invoice or statement would not have disclosed the fraud. I assume that he was somehow able to manipulate the receiving document; the purchase order was probably either an open purchase order or he controlled it. I wonder if the fraud would have been found quicker pre-SAS 99 or this high level of reliance upon assessment of risk. Unfortunately we will probably not know. I am hoping that big data and other types of machine learning etc. may reduce some of this type of specific fraud. I think that if we use Thomson Reuters and CCH as guidance that we become too reliant – there has always been this emphasis by the AICPA to not solely rely upon these practice aids, to basically think for ourselves. But the peer review pushes the auditor into reliance thereon. I do not have the answer.
I do hope we have better guidance in the future, but as for me I have had to stop doing any attest services.
Charles, Great article and good advice! Thanks
Wow.
Yes, Terri, brazen. I have never understood how people can live with their conscience, but they do.
Such boldness…opening another bank account??
How brazen. So glad they were caught!