Payroll and Inventory Fraud Schemes

Ghost employee schemes are the most studied payroll fraud type. The fraudster adds a fictitious name to the payroll master file, or prevents the removal of a terminated employee, and redirects the payment to an account they control. The scheme requires access to two functions that proper separation of duties keeps apart: the ability to add or maintain payroll records, and the ability to process or authorise payment runs. In small organisations where one person handles both, the risk is highest. Forensic auditors look for payments to bank accounts also used by known employees, payments to addresses that match employee records, and payroll records missing standard HR documentation such as a hiring form or tax declaration.

Timesheet fraud covers a range of behaviours: recording hours not worked, claiming overtime for normal hours, having a colleague clock in for an absent worker (buddy punching), and securing supervisor approval for inflated records. In hourly environments, the dollar value per event is low, but persistent small overcharges across many pay periods accumulate. In project-based environments, timesheet inflation also distorts project cost records, which matters for client billing and performance measurement. Detection focuses on comparison of timesheet hours against badge-in or access-card records, statistical analysis of overtime patterns, and supervisor interview.

Commission manipulation is distinct from the other payroll schemes because it requires manipulation of revenue or sales records, not just payroll records. A sales employee who records a fictitious sale to earn commission must also reverse or cancel the sale after the commission period closes if no real customer exists. Forensic auditors examine commission records alongside the underlying contracts, shipping documents, and cash receipts to verify that commissionable transactions correspond to actual completed sales. Post-period reversals are a specific red flag: a sale recorded in month twelve that is reversed in month one of the next year, after the commission is paid, is a classic pattern.

Unauthorised payroll adjustments include one-off changes to pay rates, tax withholding parameters, or deduction settings that generate a larger net payment. These may be made by a payroll administrator who modifies their own record or another employee's record without authorisation. Unlike ghost employee schemes, the payment goes to a real employee's account, making the scheme harder to detect through bank account analysis. Detection requires a complete audit trail of all master-file changes, with the change date, the user who made it, and the prior and new values, compared against authorised change requests from HR.

Physical theft of inventory is the simplest inventory fraud: stock is removed from the premises without authorisation. The theft may be by employees alone or in collusion with external parties such as delivery drivers or customers. The loss appears in the accounting records as an unexplained discrepancy between book inventory and physical count, which organisations attribute to shrinkage. The fraudster relies on the organisation either not conducting frequent physical counts or accepting shrinkage variances without investigation. Detection is by periodic physical observation and by comparing shrinkage rates across locations, shifts, or product categories to find anomalies.

Fictitious write-offs eliminate the book record to conceal a theft that has already occurred, or create a credit entry that the fraudster converts to cash. A warehouse manager who records that 500 units of a component were destroyed by water damage, when no such event occurred, is using the write-off to hide units that were stolen or sold without recording the proceeds. Detection requires matching every write-off journal entry against independent supporting documentation: a disposal form signed by a second person, a photograph or waste-disposal certificate, or an insurance claim. Write-offs without corroborating documentation are a primary red flag.

Inventory misstatement for financial reporting purposes is a financial-statement fraud technique that often overlaps with asset misappropriation. Overstating inventory quantities or valuations inflates assets and reduces cost of goods sold, which improves reported profit. This is typically perpetrated or directed by management rather than lower-level employees. Understating inventory conceals the impact of a theft. Both forms require the ability to manipulate either the physical count process or the pricing and valuation applied to counted quantities. The forensic auditor addresses this through independent physical observation and independent price testing.

Headcount reconciliation is the starting point for most payroll fraud examinations. The examiner extracts the complete payroll register for the period under review and compares every record against HR personnel files. The comparison checks that each payroll record has a corresponding hire date, job title, and termination date (if applicable) in HR records, and that the payment bank account is the one the employee supplied on their onboarding documentation. Secondary sources for verification include building access records (an employee who consistently does not badge in but receives overtime pay is a red flag), IT system access logs, and direct manager confirmation of active headcount.

Master-file change analysis examines every addition, deletion, or modification to the payroll master file within the review period. The examiner extracts the change log from the payroll system and categorises each change by type: new employee added, bank account changed, pay rate changed, deduction modified, or employee deleted. Each change is then traced to an authorised HR source document. Changes made outside the normal payroll cycle, changes made by payroll administrators to their own records, and bank account changes made close to a payment run are the highest-risk items and receive priority examination.

Duplicate payment analysis uses data analytics to identify cases where the same employee number, name, or bank account appears more than once in a single payment run, or where very similar names (catching spelling variants used to disguise ghost employees) appear across runs. Social security or national insurance numbers are the most reliable unique identifier for this test because they should be unique per person. In India, the Aadhaar number serves this function for payrolls that have completed Aadhaar seeding. In the UK, the National Insurance number; in the US, the Social Security Number.

For commission fraud, the examiner selects a sample of commission payments and traces each through the full transaction chain: the commission record, the underlying sales contract, the delivery or service completion record, the customer invoice, and the cash receipt. Post-period reversals are extracted and matched to the commission periods in which the original sales were recorded. Sales that were commissioned but subsequently reversed at rates significantly above the organisation's normal return rate indicate manipulation.

Physical inventory observation is the most direct procedure for detecting inventory fraud. The examiner is present at the count to observe whether it is conducted according to the organisation's count instructions, whether all locations are included, whether count teams are using the correct reference documents, and whether the reconciliation between the physical count and the book record is performed correctly. The examiner selects a sample of items to count independently and compares their results to the count sheets. A systematic discrepancy between the examiner's counts and the recorded counts in the same location is evidence of count manipulation.

Cut-off testing verifies that inventory movements in the period immediately before and after the count date are recorded in the correct period. The examiner reviews the last several receiving documents before the count date and the first several after it, and traces each to the inventory records to confirm the movement is recorded in the period the goods physically arrived. Similarly, the last several dispatch documents before the count and the first after it are traced to confirm goods leaving the premises are excluded from the count and from inventory records in the correct period. Timing manipulation, either including goods not yet received or excluding goods still on hand, is a common technique for inflating the counted balance.

Analytical ratio tests identify anomalies that warrant detailed investigation. Inventory turnover (cost of goods sold divided by average inventory) should be relatively stable across periods for a business with consistent operations. A sharp decline in turnover without a business explanation may indicate inventory overstatement. Days inventory outstanding is the reciprocal measure. The gross margin percentage is sensitive to inventory valuation: if inventory is overstated, cost of goods sold is understated and gross margin is inflated. Comparing gross margin across periods and against industry benchmarks is a routine starting point. Shrinkage rates are compared across locations, product categories, and time periods to identify outliers that suggest localised theft or systematic write-off manipulation.

Separation of duties is the primary preventive control for payroll fraud. The HR function that maintains employee records should be independent of the payroll function that processes payments, which in turn should be independent of the person who approves the payment run. Where complete separation is not possible, a compensating control is required: the owner or a non-executive director receives and reviews the payroll register directly before each payment run, compares it to the prior period, and investigates any additions, deletions, or material changes.

For inventory, the segregation of duties applies between the custody function (the warehouse team that holds stock) and the record-keeping function (the accounts or inventory control team that updates the ledger). A person who both holds stock and records transactions can conceal theft by adjusting the records. Physical access controls restrict entry to storage areas to authorised personnel only, reducing the pool of potential perpetrators of physical theft. Surveillance systems, bag checks, and random vehicle searches are additional deterrent and detection controls used in high-risk environments.

Cycle counting is a more effective inventory control than an annual physical count alone. The organisation divides its inventory into segments and counts one segment per week or month, so that by year-end the entire inventory has been counted multiple times. Frequent counting means discrepancies surface sooner, reducing the window during which a scheme can operate undetected. Cycle counts should be conducted by individuals independent of those responsible for the warehouse area being counted.

Exception reporting from the payroll and inventory systems provides an ongoing detective control. Reports that flag payroll payments above a threshold, payments to bank accounts changed within the last 30 days, overtime exceeding a specified percentage of base pay, or inventory write-offs above a specified value are reviewed by a manager independent of the person who processed the transaction. Automated exception reports are more reliable than manual review because they apply consistently to every transaction in the population.

When a forensic auditor identifies evidence of payroll or inventory fraud, the findings are typically reported first to the audit committee or board, not to management, because management may include the suspected perpetrator. The report sets out the evidence gathered, the estimated loss, the control weaknesses that permitted the fraud, and the recommendations for remediation. The forensic auditor preserves all working papers, data extracts, and documentary evidence in a format that can be disclosed in subsequent legal or disciplinary proceedings. Evidence handling follows the chain of custody principles covered in the broader forensic auditing definition and scope framework.

Legal frameworks governing the prosecution of payroll and inventory fraud differ across jurisdictions but share common elements. In India, public-sector payroll fraud may engage the Prevention of Corruption Act 1988 and the Bharatiya Nyaya Sanhita 2023. Documentary evidence admissibility is governed by the Bharatiya Sakshya Adhiniyam 2023, which replaced the Indian Evidence Act 1872 and updated the provisions on electronic records. In the United States, payroll and inventory fraud in interstate commerce may engage federal wire fraud statutes, and the Sarbanes-Oxley Act 2002 imposes specific obligations on public companies to maintain adequate internal controls over financial reporting. In the UK, the Fraud Act 2006 covers both asset misappropriation and financial reporting fraud, and the Financial Reporting Council's audit standards require auditors to consider the risk of fraud in financial statements.

The forensic auditor may be called upon to provide expert testimony about their findings. Testimony covers the procedures performed, the evidence examined, and the conclusions drawn, without offering a legal opinion on whether the conduct constitutes a criminal offence (that is for the court). The credibility of the testimony depends on the rigour of the documentation: working papers should record every step of the analysis so that another examiner could replicate the work from the same starting data and reach the same conclusions. For guidance on engagement planning and the boundaries of the forensic examiner's role, see Predication and Engagement Planning.