june 2017 23 Internal audItor
To commen T on this article,
email the author at email@example.com
cards. A prepaid credit card is activated when the cardholder pays a small fee and “loads” the card by putting a
set amount of money on it. Once a prepaid credit card
is activated, the number is live until the card’s expiration
date or the holder cancels the card. When a transaction
occurs, the balance on the card is reduced. Dwyer discovered that the company’s billing and collection system
could only validate that a credit card presented was “live.”
In other words, the system could not determine if the
credit card presented for installation charges and recurring
payments was a credit card, gift card, or prepaid credit
card. Furthermore, if it was a prepaid credit card they
could not validate that enough funds were available for
the installation charges, let alone the recurring monthly
As luck would have it, Thomas Border, the IT specialist responsible for credit card transactions, had noticed
a pattern of abuse with prepaid credit cards. Together,
Dwyer and Border analyzed all credit card transactions for
a six-month period to identify and quantify a pattern of
abuse. To conduct the investigation, credit card transactions had to be matched to a bank identification number
(BIN) database to identify prepaid credit card usage.
The 16 digits on credit cards are the result of a complex
algorithm. The first six digits are referred to as the BIN.
The BIN can determine what institution issued the card
and the type of card it is. Dwyer and Border obtained the
customer account numbers associated with the cards and
the names of the sales representatives who made the sales
to identify who had either provided or accepted prepaid
Based on the findings, Dwyer then conducted investigations of the other sales representatives and discovered
a similar pattern of abuse. In some cases, Dwyer identified
sales representatives who signed up 25 to 30 customers on
a single prepaid credit card. Most of these accounts would
immediately default on their payments, but the sales representatives collected commissions on each sale, regardless. At one point, Dwyer estimated that the scheme was
costing the company almost $5 million annually over the
course of two years. The sales representatives involved in
the scheme were immediately terminated.
Ʌ Prepaid credit card usage is a common fraud scheme
among commissioned sales forces, so internal auditors
should compare all credit card transactions against a
BIN database to identify prepaid credit card transactions, find out which customer accounts used a prepaid
credit card as payment, look at the payment history
while focusing on customers who have made zero or a
single payment, and identify the sales representatives
on the account to uncover any wrongdoing.
Ʌ The many-to-one test identifies how many customer
accounts are associated with a single credit card number. After identifying a target list,
internal auditors should look at the
customer content (name, address,
and location) to see if they are family members or small businesses that
might be legitimately sharing a credit
card. If no commonality can be
identified, internal auditors should
investigate. Incidentally, this procedure also works for
Ʌ The scheme could have been caught sooner if the
finance department was working more closely with the
company’s credit card processor. Processors can assist
with identifying prepaid credit cards in their transaction database.
Ʌ Companies can decide not to accept prepaid credit
cards for recurring monthly payments, but it must first
check its agreement with its credit card processor as it
may be legally required to accept prepaid credit cards as
a form of payment.
Ʌ Exception reports identifying sales representatives
accepting prepaid credit cards should be produced
monthly and distributed to area general managers to
review for fraudulent activity. Internal audit should
be notified of any apparent fraudulent activity and
engaged to conduct an investigation.
Ʌ As a result of this investigation, and several other
observations, the company began conducting
enhanced customer screenings in the form of credit
checks on all prospective customers. Customers who
have low credit scores are now required to make
several months of recurring payments before system
installation can occur. Requiring several months of
recurring payments up front helps reduce fraudulent
use of prepaid credit cards.
Gran T Wahls Trom, cia, cPa, cFe, is the forensic audit
manager at a privately held company in Hollywood, Fla.
The scheme was costing the company
almost $5 million annually.