A Thief in the Financial Controller's Office

For some companies US$4 million, the amount allegedly embezzled by a financial controller at global IT services firm Wipro, is very significant. But it’s not that large for the Indian giant, which had revenues of US$4.4 billion and profits of US$732 million in the first nine months of 2009. “The company’s internal investigation concluded that, while the matter should be taken seriously, the amounts embezzled were not material from a financial reporting perspective given the size of the company and the scale of its operations,” Wipro told its shareholders last month.

True enough, but the damage to the company’s reputation and credibility is surely far greater. Among Wipro’s wide range of services is consulting and advisory on financial management, including treasury and cash management and risk management. The company also prides itself on its CMM 5 Level status – that’s the highest level in the Capability Maturity Model developed by Carnegie Mellon University, indicating that Wipro’s processes are at their optimum. People can be forgiven for wondering: Is this a case of physician, heal thyself?
Other companies should not gloat, however. If a CMM Level 5 enterprise like Wipro can be hit by fraud, how much more vulnerable are those with no such certification? Wherever there is money, unfortunately, fraud is always a possibility. There are lessons to be learned from what happened at Wipro, both on how the embezzlement was made possible and the way the company is handling the matter.
Anatomy of a Fraud
The man at the centre of this storm is a chartered accountant whose dead body was found near a railway track in Bangalore in December, a few weeks after the embezzlement came to light. According to Wipro, this “junior member of the company’s controllership team” was discovered to have been transferring company money to his personal account from November 2006 until last year. The company has not revealed exactly how much was siphoned off, but media reports say the total is in the region of Rs20 crore, or US$4 million.
“Our investigations have revealed that only this employee was involved, and nobody else in the team had any clue,” Suresh Senapaty, Wipro’s CFO, told the Economic Times. “We have recovered more than half of the amount.” The company is now “undertaking actions with respect to stricter adherence to processes,” he added. “We have to be more alert in monitoring, and we need to tighten the processes for ensuring an early warning system and make it tougher.”
In its statement to shareholders, Wipro said it had “put into place additional initiatives to help ensure Wipro’s financial controls and financial reporting remain unassailable by anyone within and outside the company.” Changes have been made to “certain key positions in the controllership team,” said the company, because their association with the late employee has “created a conflict of interest for them.” Internal and external advisors are also reviewing and enhancing internal controls and procedures.
The internal report has not been made public, but the media has been quoting unidentified Wipro officials who requested anonymity. “The employee stole the password from a colleague and used it to transfer money to his and his family members’ personal accounts,” one of them told the Economic Times. The newspaper said the transfers ranged from 100,000 rupees (US$2,174) to 1.2 million rupees (US$26,088) at a time, which are not insignificant amounts. If true, they should have raised red flags within the company and the bank, which presumably has anti-money laundering policies in place.
Questions are also being raised about the way passwords are apparently being used in Wipro. Since the fraud was carried out over three years, the fraudster’s success indicates that the stolen password had not been changed in that period of time or, more likely, that he had successfully stolen the password every time it was changed. If no one else in the controllership team was involved in the embezzlement, this would seem to indicate extraordinary carelessness in that unit, or more charitably, placing too much trust in the integrity of each team member.
What Next
What else can Wipro do? The company is reportedly planning to rotate finance people in sensitive post more frequently than the current practice, which is once every three years. That’s not a bad idea. Forensic accountants say it is best practice to rotate jobs and segregate duties as part of the internal control system. Supervisors should see to it that their people take their holiday leaves, says Annie Chan, managing director at Mazars Corporate Recovery & Forensic Services in Hong Kong. “Make sure that their work is overseen by another person during the vacation period,” she adds.
In a story published in CFO Innovation last year, Chan observed that fraud is most commonly committed at the unit level, as in the Wipro embezzlement. She recalls a case she worked on in China, involving an employee in a brokerage who had been committing fraud for five years. “The employee was always the first one to open the door of the office in the morning and was the person who locked it at night,” Chan recounts. “That allowed him to conceal documentation and bring supporting documents to his home without letting other people in the office know about it.”
The employee transferred money from client accounts to certain other accounts – that is, to the accounts of his wife and daughter, who were also customers of the brokerage.
How do supervisors detect which subordinates are keeping suspiciously unusual working hours? “You can see from their access cards that their access [to the office] is unusual and you can look at their email accounts whether they send emails at unusual times,” says Anita Hou of Grant Thornton’s Forensic & Investigation Services unit.
Fraud may also be indicated by other red flags such as rapid employee turnover in the fraudster’s unit. That may suggest that “staff know something is happening but fear to report it, so they just resign,” says Hou. Other warning signals include an employee who never goes on holiday, refuses to share information with others, shows personality changes or exhibits sudden wealth. Media reports say the alleged embezzler at Wipro had bought jewellery and land with the money he stole, so there could have been signs like these which supervisors missed.
“If one of your staff is involved in litigation as a defendant, then you need to be on the alert,” says Chan. “If he faces financial difficulties, for example, he lost a substantial amount of money in the stock market, that could be red flag. Another potential [troublemaker] is an employee who has got a problem with senior management, who is dissatisfied with the company and may want to beat the system.”
Severe Punishment 
If fraud is detected, the miscreant should be punished severely and not allowed to quietly resign. In one case, she advised a client to announce to everyone that “Mr. So-and-So has committed fraud and is now in jail. People always weigh the costs and benefits. If they think the benefit is substantial while the chance of being caught is slim, then they may just take the risk.” One can argue that the Wipro controller has already paid the highest price – his life.   
Curiously, Wipro had not called in the police when the fraud was discovered in December. (Company officials were reportedly alerted to the embezzlement after receiving an overdraft notice from the bank). “That makes one wonder if there was something more than a simple fraud in the case,” writes one blogger. Were others involved? Was this part of larger scam? Was the audit committee negligent? Were the statutory auditors negligent?
It remains to be seen whether the Indian authorities would wade in on their own, given that a death is involved. Wipro evidently prefers to keep the case an internal matter. It may be that the market and the general public will soon forget about the incident as newer scandals hog the headlines. But Wipro should always remember how it was duped for three long years and make sure all the systems are in place and followed to the letter to ensure it does not happen again.
About the Author
Cesar Bacani is senior consulting editor at CFO Innovation.   


Suggested Articles

Some of you might have already been aware of the news that Questex—with the aim to focus on event business—will shut down permanently all media brands in Asia…

Some advice for transitioning into an advisory role

Global risks are intensifying but the collective will to tackle them appears to be lacking. Check out this report for areas of concern