What I’ve Seen Firsthand: Fraud, Abuse, and the Internal Controls That Can Stop It

I want to start with a disclaimer: most of what I covered in our recent Government Forum wasn’t meant to be groundbreaking. The fraud schemes I discussed — expense reimbursements, payroll manipulation, procurement fraud — are well-documented. What I hope was valuable is this: I’ve seen every single one of them occur firsthand, either in my current role in the fraud and forensics practice at Brown Edwards or in past roles. That real-world grounding is what I want to bring to this post.

I started with Brown Edwards in 2016, spending more than six years primarily in the municipal audit space. I then joined the United States Trustee Program, a component of the Department of Justice, where I was responsible for overseeing the administration of bankruptcy cases in the Western District of Virginia — conducting bank and financial statement analysis, asset tracing, financial reconstructions, and Chapter 11 plan feasibility reviews. I came back to Brown Edwards about a year ago to help build our fraud and forensics practice. The demand for this work has been far greater than I anticipated.

It’s easy to take these concepts for granted. And that complacency — that sense that “it couldn’t happen here” — is one of the most dangerous forces I encounter. Every fraud, every error, every internal control weakness carries an organizational cost. Not just financial. And no matter how immaterial a fraud might be to a government’s statements as a whole, the ripple effects are real.

The Most Common Frauds — and Why They’re So Persistent

The two most common fraud schemes I see are expense reimbursement abuse and purchasing card misuse. They’re closely related, both fall under asset misappropriation, and they thrive because of one thing above all: opportunity. Every time an expense report is submitted or a purchase card is used, the opportunity presents itself. By the law of averages, eventually it will occur.

Expense fraud can take several forms. An employee might submit personal items alongside legitimate business expenses, making them indistinguishable at a glance. They might inflate or alter receipts — adjusting a tip, falsifying mileage, or adding a digit to a receipt amount. And increasingly, they can generate entirely fictitious receipts using AI image generation software. This is something I have discussed in other presentations: AI tools are now capable of producing authentic-looking invoices and receipts, complete with embedded folds and watermarks to simulate a crumpled paper from someone’s pocket. There is a virtually endless supply of source material online, which allows these schemes to go undetected longer than almost any other fraud type.

Purchasing card fraud follows similar patterns — missing itemized receipts, charges near holidays or vacation periods, purchases inconsistent with a cardholder’s job responsibilities, and multiple transactions on the same day at the same vendor to avoid per-transaction limits.

Both are what I consider gateway frauds. Because they’re extensions of routine daily activities, the barrier to entry is low. And in my experience, they often lead to larger, more complex schemes over time.

Payroll Fraud: It Often Requires Collusion

Payroll fraud is somewhat more difficult to execute than expense and purchase card schemes because it typically requires collusion among multiple employees. With appropriate segregation of duties, a single bad actor generally cannot pull this off alone.

The forms it takes are varied. Unauthorized raises or bonuses are not uncommon — an underperforming employee loyal to a manager receives a 7% raise while the organizational average is 2.5%, or a one-time bonus is used to reward a friendly employee under a thin justification. Ghost employees are less common in practice but among the most costly: a fraudster either creates a fictitious new hire or, at an employee’s separation, continues issuing paychecks by redirecting the bank information or mailing address to their own.

Two schemes I hadn’t commonly heard discussed before encountering them directly are new hire incentive fraud and dual-role schemes. New hire incentives — sign-on bonuses, car allowances, work-from-home stipends — can be tacked on to a legitimate hire as a way to mask payments that aren’t justified, and sometimes the payment is split between the new hire and the authorizing employee. Dual-role schemes involve adding job titles or responsibilities to an employee’s description to justify a pay increase, when in reality their day-to-day duties haven’t changed at all. In today’s environment of staff shortages, there are often legitimate reasons to give raises for expanded duties — which makes this fraud genuinely difficult to detect.

Procurement, Budget Amendments, and Grant Noncompliance

Procurement fraud tends to be larger in scale than employee expense fraud. It typically surfaces faster, but the financial impact is generally greater. Vendor kickbacks — where contracts are awarded on favorable terms and the awarding employee receives a financial payback, a vacation, or other benefit in return — are the scheme most people think of first. Conflicts of interest are equally serious and significantly harder to document. They extend beyond family relationships to business associates, friends, and peripheral acquaintances, and the internet has effectively eliminated geographic barriers that once made these connections easier to trace.

Budget amendments are another area of concern. In localities where management has the authority to enter amendments with little oversight, that latitude can be used to inflate budgets and mask overspending — often spending that stems from the expense and purchase card fraud we already discussed. I have also encountered situations where grant funds are reclassified through budget amendments to hide how those funds were actually used.

Grant noncompliance is something I’ve at minimum suspected on multiple occasions. It can take the form of applying for a grant, using the funds for other expenses, and submitting conforming invoices to the granting agency. In a more direct version, grants are awarded to a friendly vendor, the funds are drawn down entirely, and minimal work is completed. Because the money isn’t coming out of locality funds, the impact can go unnoticed internally for some time.

Red Flags Worth Watching

There are specific indicators worth monitoring across each of these fraud categories. For expense and purchase card fraud: missing itemized receipts from familiar vendors, increased spending around holidays or vacation periods, charges on weekends or days the cardholder was on PTO, and purchases inconsistent with the employee’s job responsibilities. Multiple transactions on the same day at the same vendor should always prompt a closer look.

For payroll fraud: overtime that is consistently approved by the same person, mid-cycle raises or multiple raises within a single year, recurring mailing addresses shared across employee records, paper checks being issued in an era of near-universal direct deposit, sign-on bonuses concentrated in certain departments, and employees carrying multiple job titles.

For procurement: new vendors whose services don’t clearly match their stated line of business, sole-source contracts that may not be genuinely sole-source, vendor addresses that cross-reference to employee addresses, contract terms that appear unfavorable to the locality, and reclassifications that could signal improper use of grant funds.

For budget amendments: approvals entered before formal governance approval, amendments that recur in the same line items year after year, and departments whose heads have unilateral authority to approve their own amendments.

Internal Controls: The Most Effective Weapon We Have

Prevention is the key. Internal controls, when they’re meaningful and consistently applied, are the most effective tool available. I know that internal control walkthroughs during preliminary field work can feel time-consuming and tedious — I spent years on the audit side and I understand that. But I want to encourage a shift in that mindset. A strong control environment doesn’t just prevent fraud. It reduces turnover, improves morale, and saves money — both in direct financial losses and in avoiding the cost of a forensic engagement like mine.

For purchasing and expense reimbursements: require pre-approvals with forms, conduct meaningful reviews that actually match expense reports to credit card statements, set transaction limits directly with the card provider, limit the number of cardholders, and conduct random unannounced audits. For payroll and HR: require multiple levels of review for new hires, document salary ranges and stick to them, require direct deposit, define qualifications for positions and limit provisional hiring, and maintain a strict and consistent review cycle. For procurement: keep thresholds current as costs rise, require training with real acknowledgment of consequences for deviations, enforce a genuine conflict of interest policy beyond the bare minimum, and conduct periodic reviews of bid awards. For budget amendments: always require a second approval for amendments made outside of governance, maintain a current narrative for how amendments are processed, and require timely entries.

I’ll close with a number that I think puts all of this in stark perspective. The GAO estimates that fraud accounts for three to seven percent of total obligations in government programs. That is a substantial number across all governments. Add to that the reputational cost — residents who lose confidence in their local government may move elsewhere, taking their tax revenue with them — and the risk of losing grant eligibility due to noncompliance, and the case for strong internal controls becomes impossible to ignore.

The most common way fraud is discovered is by accident. That alone should be a call to action.