Asset Misappropriation II: Fraudulent Disbursements

Now we follow the money out the door. Fraudulent disbursement schemes are how employees make the organization pay out money it never should have — and here's the structural point that matters most: unlike skimming, these are on-book schemes. The thief uses the company's own payment process — accounts payable, payroll, the expense system, the checkbook, the cash register — so there is always a recorded transaction.

It just rests on a lie. The payment looks legitimate on its face; the fraud is in the underlying claim that justified it. That dual nature makes disbursement fraud both the most lucrative category of asset misappropriation, because the company's whole machinery is cutting the checks for you, and at the same time the most detectable, because every scheme leaves a record you can test if you know where to look.

The exam treats this as a taxonomy question, so memorize the five families as a set: billing schemes, payroll schemes, expense-reimbursement schemes, check tampering, and register disbursements. Picture them as the five doors money can walk out of. Let's walk each one.

Billing schemes are the largest disbursement category by both frequency and loss, so the exam leans on them hard. The idea is simple: cause the company to pay an invoice it shouldn't. There are three sub-types to keep straight.

In a shell-company scheme, the fraudster sets up a fictitious vendor — sometimes nothing more than a mailbox and a bank account in a name that sounds plausible — and submits invoices for goods or services that were never delivered, then approves and pays them. In a pass-through scheme, there's a real intermediary, but it's an entity the employee secretly controls; that intermediary buys goods at the market price, then resells them to the employer at an inflated markup, and the employee pockets the spread. The pass-through is sneakier than the shell company because real goods actually change hands, so the only thing wrong is the price.

And in a personal-purchase scheme, the employee skips the fake vendor entirely and just buys personal items on the company account or company card. The red flags to memorize: vendors with only a P-O-box address, invoices priced just under an approval limit, vendor names suspiciously similar to a legitimate supplier's, sudden spikes in spending with one vendor, and an employee who insists on personally handling everything about a single vendor and resists anyone else touching the account.

Two more families ride on routine, high-volume payments. Payroll schemes include the ghost employee — a fake or terminated worker kept on the payroll so someone collects the checks — plus falsified hours, inflated commissions, and bogus bonuses. Expense-reimbursement schemes come in four flavors the exam likes to test: mischaracterized expenses, where a personal cost is billed as business; overstated expenses, where a real cost is inflated; fictitious expenses, invented from nothing; and multiple reimbursements, where the same receipt is submitted more than once.

Both families thrive on volume and weak review, which is why analytics — duplicate-payment tests, employees whose addresses match a vendor's — catch so many of them.

The last two families. Check tampering is distinctive because the fraudster physically prepares or alters the payment instrument — forging the signature of the person authorized to sign, forging an endorsement, altering the payee, or, as an authorized signer, simply cutting a check to themselves. Register-disbursement schemes happen at the point of sale, where an employee processes a false void or a false refund to pull cash out of the register and make the books still balance.

The false void cancels a legitimate sale so the cash the customer paid can be lifted; the false refund records a return that never happened so cash flows back out to the employee. Note the contrast with skimming from the last lecture: a false refund is on-book — there's an entry, a recorded refund transaction — whereas unrecorded sales were off-book with no entry at all. Same register, completely different evidence trail, and the exam will test whether you can tell which one you're looking at.

If there's a recorded transaction behind the missing cash, you're in disbursement territory, not skimming.

The defense is structural. Segregate the three incompatible duties — authorizing a payment, having custody of the funds, and recording the transaction — so no one person controls a payment end to end. Lock down the vendor master file so new vendors get independent vetting.

Use positive pay at the bank to stop altered checks, and run data analytics for duplicate payments, round-dollar invoices, and vendor-employee address matches. On the exam, your move is two steps: first place the scheme in one of the five families, then name the specific sub-scheme. A scenario about a fake vendor is a billing shell-company scheme; a terminated worker still being paid is a ghost-employee payroll scheme.

Next, we leave cash behind for inventory and other non-cash assets.