Audit Report

Fictitious (Ghost) Employees

February 28, 2019

City Auditor’s Office

Gregory L. McDowell, CPA, CIA
 Audit Report
Fictitious (Ghost) Employees
February 28, 2019

Purpose and Scope

This report addresses a narrow scope issue regarding the City’s internal controls related
to the detection and prevention of fictitious (ghost) employees – someone recorded on
the payroll system, who does not work for the City, i.e., was never employed, or has
separated. The review consisted of an assessment of the City’s employee separation
procedures as well as pay period testing for any abnormal payroll transactions (pay
periods ended 3/31/2017 and 9/28/2018).

We conducted this performance audit in accordance with generally accepted government

auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit
objectives.

Government Auditing Standards (§7.11) require disclosure of the following:

The scope of our audit was significantly limited by auditors’ inability to test
employee bank account numbers and social security numbers. While the Internal
Audit Charter grants audit personnel “full access to all of the City’s activities,
records, property and employees, as necessary to the performance of their audit
activities,” auditors have been prevented from using the requested data. The City’s
Human Resources and City Attorney’s Offices reached the opinion that auditors
could not use this type of information for audit purposes because City employees
have not been made aware of that possibility. While our findings are adequately
supported, additional findings and conclusions may have been determined if we had
been able to review all relevant data.

This report is intended for the use of the City Manager’s Office, City Council, and all
City Departments.

Conclusion
The City’s controls are not adequate to prevent the occurrence of fraud which could be
accomplished by compromising payroll records, resulting in payments to fictitious
persons.
Report of Internal Audit February 28, 2019
Fictitious (Ghost) Employees Page 2

Summary of Findings and Recommendations

The following findings are detailed, beginning on page 3:

1. The City should disclose to employees that personal information may be used for
audit purposes.

• Due to data access restrictions, Auditors did not perform common tests using
personal identifying information (e.g., social security numbers, bank accounts).
Internal Auditors who follow best practices regularly perform such tests to detect
potential fraudulent activity and ensure effective controls are in place.

2. Additional controls are needed to reduce the City’s exposure to payroll fraud
schemes.

• City Policy HR20, Employee Separation from the Workplace, provides a

framework for Departments to follow when an employee leaves the City. This
checklist should be required to be used by departments.
• Human Resources should conduct periodic personnel audits to monitor for
potential fraudulent activity.

Background

The City employs approximately 7,700. There are 21 Departments, each having multiple
divisions (406 city-wide). Employee hires and separations (terminations and retirements)
create administrative opportunities for fictitious employees to be created. The following
details FY 2018 employment activities.

Employee Census Analysis – FY18

Type Amount
Beginning Employee
7,497
Count, 7/1/17
Additions 1,046
(Separations) (656)
(Retirements) (192)
Ending Employee
7,695
Count, 6/30/18

Fictitious, or ghost employees, are individuals listed on the payroll register that receive a
paycheck, but do not provide any services to an organization. There are two main types
of ghost employees:
• a fictitious employee added to payroll either intentionally or inadvertently
• a former employee that was never removed from payroll
Report of Internal Audit February 28, 2019
Fictitious (Ghost) Employees Page 3

Audit Findings and Recommendations

1. The City should disclose to employees that personal information may be used for
audit purposes.

As the scope limitation paragraph above notes, audit effectiveness has been impacted
by data access restrictions imposed upon Internal Audit. The Internal Audit Charter
(signed by the City Auditor and four City Managers plus one interim Manager over
the past 20 years, and periodically shared with City Council) states that the primary
objective of Internal Audit is to provide reasonable assurance that the City has an
operating and effective system of internal controls. To accomplish this objective, the
charter grants auditors full access to all City activities, records, property and
employees as necessary to perform their audit activities. Auditors are strictly
accountable for the safekeeping of records and property examined, and for
maintaining the confidentiality of information obtained and reviewed during audits.

Using this authority, auditors regularly access sensitive documents and data when
called upon by management to conduct special reviews, including personnel
investigations.

Auditors did not perform common tests using personal identifying information (e.g.,
social security numbers, bank accounts) during this audit. Internal Auditors who
follow best practices regularly perform such tests to detect potential fraudulent
activity and ensure effective controls are in place. Prior to Audit’s access restriction
(many years ago), an employee was found to be using a false social security number.
When addressed by the employee’s management, the employee resigned without
explanation. No follow-up occurred.

Auditors can use access to personal identifying information to detect fraud and help
ensure that employees comply with City purchasing, ethics and program policies.
For example, comparison of employee and vendor addresses might identify an
employee who is also a vendor – which is prohibited by City policy. Audit tests
using such data could also identify employees processing, deleting or modifying their
own transactions in the City’s utility billing system.

According to the City Attorney’s Office and Human Resources, employees have not
been given notification that their personal identifying information will be utilized for
audit purposes, including the verification of compliance with City policy.
Employees are provided a form entitled “How Human Resources Uses Your Personal
Information” at time of hire. While audit activities fall under the “assist in the
administration of government” item included on the form, the form does not
specifically note that employees’ personal information will be used for audit
purposes. That issue can be easily resolved by specifically adding such notification
to the existing list.
Report of Internal Audit February 28, 2019
Fictitious (Ghost) Employees Page 4

Recommendation: Human Resources should add language to the “How Human

Resources Uses Your Personal Information” notice given to employees that discloses
personal information may be used for audit purposes, as part of the administration of
government.

2. Additional controls are needed to reduce the City’s exposure to payroll fraud
schemes.

According to the Association of Certified Fraud Examiners’ (ACFE) 2016 Report to

the Nations on Occupational Fraud and Abuse, payroll fraud accounts for 8.5% of
fraud cases that occur in organizations with over 100 employees, and that rate
increases to 13.5% in a Government and Public Administration setting. The median
loss of these schemes is $90,000 and the median duration before detection is two
years. Ghost employee frauds are generally successful because of organizational
weaknesses in internal control.

The City has established controls to mitigate the risk of payroll fraud. When an
employee joins the City, a new hire process is completed by the Department. All
required documents are sent to City Human Resources for verification and approval,
and then added to the employee’s personnel file. This reduces the initial risk that a
fictitious person can be added to the payroll. Additionally, the payroll time approval
process requires that no employee shall approve his or her own time.

City Policy HR20, Employee Separation from the Workplace, provides a framework
for Departments to follow when an employee leaves the City. Included in the policy
is a checklist that is recommended for Departments to use as part of the employee
separation procedure. A department can choose to use its own checklist and include
additional separation procedures as necessary to complete the process.

Departments were surveyed and asked if they used the checklist in the policy, or an
alternate. Responses are provided in the appendix.

For the two pay periods tested, payroll data was analyzed and compared to an
employee master file. From this sample, the following issues were identified – which
indicate potential fraud risk:

• Missing employee ID numbers

• Duplicate addresses
• Paychecks with no deductions
• Terminated employees remained on payroll registers

Each of these was reviewed and resolved. Explanations were obtained, including data
entry errors, lack of updated addresses, special payments which did not require
deductions, and tax-related actions.
Report of Internal Audit February 28, 2019
Fictitious (Ghost) Employees Page 5

Recommendation 2A: All Departments should use a Human Resources-mandated

employee separation checklist to document the employee separation process.
Departments would be able to add additional separation procedures as necessary. A
copy of the completed checklist would be retained in the Department’s employee
file.

Recommendation 2B: Human Resources should conduct periodic personnel audits

to monitor for potential fraudulent activity. This audit would include the following
procedures:

• Review employee master file for employees with duplicate addresses, PO

Box addresses, similar names, or missing information
• Compare direct deposit accounts for employees using the same account
• Confirm social security numbers are valid
• Verify terminated employees have a completed separation checklist on file
 Appendix

Follow HR20
Checklist in
Department Checklist (or
Employee File
similar)
Aviation Yes Yes
CATS Yes Yes
CDOT Did not respond Did not respond
Charlotte
Communications & Yes Yes
Marketing
Charlotte Water Yes Yes
City Attorney's Office Yes No
City Clerk No No
City Manager's Office Yes Yes
Economic
No No
Development
Engineering &
No No
Property Management
Fire Yes Yes
Housing &
Neighborhood No No
Services
Human Resources Yes No
Innovation &
Sometimes Yes
Technology
Internal Audit No No
Management &
Yes Yes
Financial Services*
Planning Yes Yes
Police Yes Yes
Solid Waste Yes No
Strategy & Budget Yes Yes

*Management & Financial Services was in place until August 2018, when the
department transitioned to Finance.