Auditing T&E Programs: Where to Find the Fraud

In his August 2008 column, Dan Swanson wrote about returning to internal auditing roots by looking at specific departments (finance, human resources, and so forth) rather than auditing’s flavor of the month—such as enterprise risk management, information security, and fraud control. 

Here I suggest internal audit units go further by returning to even more prosaic processes that exist in every organization: payroll, purchasing, and the ubiquitous travel and expense reports.

Though less glamorous than emerging hot topics like ERM and IT governance, these core areas still produce a high volume of transactions. With the complexity of computer systems and the participation of numerous employees, these functions remain primary risk areas for potential error, and they tend to experience their share of fraudulent and other inappropriate activity. More critically, problems found with these processes may suggest much larger or complex organizational concerns.

Why Audit Travel and Entertainment Expenses?

For many organizations, travel and entertainment (T&E) expenses represent a major source of discretionary spending. The sheer number of transactions and diverse sources of data and applications make T&E vulnerable to error, abuse, and fraud. Add the increasing use of travel and purchase cards, and that only compounds the complexity and potential for losses. More companies aggregate purchases to negotiate volume discounts and better deals that benefit when employees comply with T&E policies. Recouping a small percentage of excessive or improper T&E expenses can have a substantial impact on the bottom line.

T&E is also a good place for the less-experienced internal auditor to cut his or her teeth. The area doesn’t really depend on deep knowledge of company operations, and a new auditor can orient himself rather quickly and be comfortable.

Perhaps more importantly, adherence with expense reporting policies may be reflective of the ethical climate and the tone at the organization. If the workforce considers excessive or maverick T&E spending practices to be the norm, such conduct can readily spread to other behaviors where work pressures can increase the temptation for misconduct. 

Research consistently suggests that most people are the product of the environment they find themselves in. They look around and they do what others around them do or expect them to do. What this means is that most unethical behavior in business is supported by the context in which it occurs—either through direct reinforcement of unethical behavior or through benign neglect. In other words, abuse of T&E expenses is a gateway drug to bigger fraud problems you don’t want to have. 

Approaching the T&E Audit

Most organizations bear the costs associated for employees conducting business on behalf of the company wherever such business takes place. The primary purpose of T&E policies is for the employee not to incur financial loss or to realize financial gain while conducting company business.

If the workforce considers excessive or maverick T&E spending practices to be the norm, such conduct can readily spread to other behaviors where work pressures can increase the temptation for misconduct.

Typically the T&E audit involves a review of a sample of employee expense reports for compliance with company policies and directives. It may be appropriate to focus a T&E review on departments or employees with the highest volume and dollar amounts of travel and expense-related expenditures. Common “exceptions” or areas of improvement often involve the following:

•  Expense reports not always filed promptly and properly, including the lack of detailed receipts to support the expenditure;

•  Failure to specify a business purpose, and to identify participants on expenditures for meals, lodging and flights;

•  The per diem meal allowance not being followed;

•  Employees who, with the approval of their department manager, bypass the corporate travel department and book their own travel arrangements.

In the grand scheme of things, these issues may seem small or even petty. But consider some of the implications: Why would employees not follow the company T&E policy?

Policy Compliance

Many companies require all travel to be booked by the corporate travel department, presumably to minimize costs. If employees and their managers ignore the travel policy, should the internal audit or compliance department endeavor to enforce the policy? Or, as members of management, should they second-guess the expert who had been hired to run corporate travel?

The ultimate question here—and in any audit—is why the exception happened in the first place. Why do employees go outside the prescribed procedures for T&E expense? Why do their managers agree and approve? And, why hasn’t corporate travel seen this and responded to the needs of its customers (that is, the employees doing the travel and entertaining)? Sometimes, exceptions to a policy indicate more of a need to update a policy than to punish the violator. 

There is no doubt that the internal auditor should do additional work to get those answers. The auditor should examine expenses to determine if Internet bookings or unsanctioned travel agencies were in fact cheaper than corporate-approved travel agents. If other options are more economical, discussions should be held with corporate travel to determine if they are aware of this situation and what they plan to do in response. Perhaps the employees and senior management don’t fully understand the value of the discounts that the expert has negotiated, and a simple awareness effort will eliminate the negative perceptions. 

The Tip of the Iceberg

The internal audit department should dig even deeper to ascertain if the lack of compliance is symptomatic of a deeper problem: that policies are not taken seriously at the organization. Not all policies are equal, and non-compliance with an outdated one may not pose a concern—but a cavalier attitude toward travel policies may be indicative of an attitude that “this is in lieu of higher compensation” and “everyone else is doing it.” Those attitudes should worry any internal auditor, compliance officer, or senior executive.

The failure to comply with policies suggests that controls are weak. Why would a supervisor approve an expense report if it is not completed accurately with proper receipts, or if the charges are inappropriate? Why would an employee then receive reimbursement if the expenses have not been validated?

The opportunity for fraud or abuse arises when controls are weak. Why not exaggerate a few expenses here or there or bypass the travel department, since no one really cares? Internal controls that once existed may have eroded over time and what starts as a questionable act (and rationalized away as justified behavior) can gradually cross over into improper activity.

Abuse of T&E practices has resulted in bad publicity and poor employee morale. (Just think of all the news stories you read about employees zipping off to Hawaii on a junket, or entertaining clients at strip clubs.) How about the employee who routinely refuses a much lower fare because the flights are not at the most convenient times? The workforce readily observes when travel policies are ignored and not routinely enforced. 

Setting an Example 

An effective internal audit may reveal that a company has spent excessive sums on travel and entertainment expenses in a manner that fails to document adequately the reasonableness, necessity, and business purpose of such expenditures. Addressing such a finding should help to deter wasteful spending and abusive practices. Having systems that aggregate, monitor, and analyze expense data while confirming adherence to policies can go a long way to guide behavior. Monitoring and auditing T&E can highlight opportunities to negotiate better deals and rates, as well as keep circumvention of internal controls to a minimum.

Again, compliance by leadership with T&E policies can set the tone for the organization. Some companies promote an environment of fiscal prudence. The CEO of one of my former employers was admired for the example he set, rarely flying business class and often taking the cheaper, though less convenient fare. That’s the way to go.