Greasing the Wheels in the Oil Business
ABDULRAZAQ AL-MORJAN
When Sarah Mali was 14, she dreamed of working for a company in Saudi Arabia and buying a family house and a farm. Her dream reflected her background — that of a girl from a poor family in a poverty-stricken Arab country.
However, finding a job in Saudi Arabia, where 8 million international expatriates work, is not an easy task, especially for Arab people. Sarah planned to study English at the university to have a competitive advantage to help her realize her dream. When she was 18, she enrolled in a local university in her country. After four years, she received a bachelor's degree in English literature with honors. Afterward, she worked as a high-school English teacher in her home country for two years.
Through the school, Sarah met and subsequently married Sami Ahmed, who was the legal guardian of one of Sarah's students. After a year of marriage, Sarah and Sami moved to the United Arab Emirates (UAE), where she worked for Danh University as a human resource (HR) coordinator.
This move gave Sarah an opportunity to earn an M.B.A. at the university. During her employment, she was an HR generalist working on talent acquisition processes, employees' personnel records, and organizing employee benefits,
Over the next four years, Sarah continued working for the university and also had two children. The family moved to Qatar when her husband found a high-paying job in Tamimi Bank. While in Qatar, Sarah worked part time for Qatri Petrochemical as an HR policy translator. She was responsible for translating HR policy from English to Arabic.
One day Sarah went online and applied for jobs at ten different companies in Saudi Arabia. After two months and after almost giving up hope, she thought her ears were playing tricks on her when she was called by one of these companies, Riyadh Petrochemical Agency, to arrange an employment interview over Skype.
Three months later Sarah's dream finally came true when she received an offer from the company. She was hired as a benefit and compensation specialist. Her role was administering insurance contracts (medical, dental and life) and establishing and maintaining the needed documents for insurance programs.
However, moving to Saudi Arabia would not be easy; her husband did not want to quit his job in Qatar. Their conflict became worse and worse, and they divorced four months after she accepted the job offer.
Sharif Ibrahim was the youngest son of a middle-class family. He had a happy childhood, and his parents were generous with him. They worked in Dubai for 12 years and returned to their home country when Sharif was ten. At 18, Sharif went to a public university and earned a degree in management information systems.
After graduation, he moved to the United Kingdom to improve his English skills, as this language is a golden ticket for Arabs to find a good job with a reasonable salary. During his time in England, he attended and completed a number of computer and management courses. His educational journey was funded by his father.
After six months in the United Kingdom, Sharif received a call from one of his best friends, Hisham Ali, who worked in Saudi Arabia at the time. Hisham had nominated Sharif to work for Niman Company, which had a contract to provide a supplemental workforce to Riyadh Petrochemical.
Upon completing the job application, Sharif accepted the offer to work as an information technology (IT) administrator in the HR department. His role was to maintain HR personnel, benefit and compensation databases as well as create and manage HR user accounts. Sharif knew this opportunity in Saudi Arabia was the first, and a critical, step in his career. Therefore, he wanted to work hard to prove himself.
Two years later, after Sharif began to stand out as an excellent employee, Riyadh Petrochemical transferred him to permanent status rather than as a contractor with Niman.
In light of their backgrounds, it was clear that Sharif and Sarah were intelligent. They put all their efforts into improving the company and gained management's trust. Sarah also had excellent communication skills up to an executive-management level (presentation, papers and briefings).
Riyadh Petrochemical was established by the Kingdom of Saudi Arabia and produced products such as ethylene and polyethylene. Management developed strategic international partnerships to improve its competitive advantage and provide secure positions for the company's 2,000 employees from around the world.
Long-Distance Call for Help
While I was working as an independent fraud investigator and studying for my Ph.D. in England, I often spent long hours conducting experiments in the computer forensic laboratory at the university. Following lab procedures, I always left my cell phone in a locked cabinet outside the laboratory.
One day when I left the lab, I noticed I had a missed call from a friend of mine, Salem, who worked as an HR manager at Riyadh Petrochemical. At first, I was happy, thinking Salem might be calling to offer me a senior position in fraud investigations at his company. However, my hope was diminished when I listened to the message. He said, “When you hear this, please call me back. I need your assistance on a fraud allegation.”
When I got home, I immediately called him back. Salem told me, “I received an anonymous email alleging that one of our best employees, Sarah, has been abusing her authority.”
I asked Salem to clarify. He said Sarah was accused of submitting counterfeit invoices for reimbursement to Riyadh's medical insurance provider, Perfect Insurance. He added, “I do not believe it. I know how hard Sarah works to provide first-class HR services.” Salem was also upset because the anonymous email accused him of trying to bury his employee's wrongdoing to avoid putting himself in a shameful situation with his senior management. He told me he didn't know what he should do.
I assured Salem that as an independent examiner, “my job is not only to prove allegations but also to refute them.” I advised him not to prejudge the case because I needed to conduct an impartial investigation. I asked him to send me copies of all the invoices Sarah had submitted for reimbursement to Perfect Insurance along with her personnel file. Once I received them, I spent a long time reviewing them. My preliminary review indicated that all her medical invoices in the past six months had been issued by a clinic called Saffori.
The fact that all her invoices were from one clinic was a red flag for me. In addition, I discovered that Saffori was far from Sarah's residence, and she actually had to drive past two other clinics to reach it. Further investigation revealed that the two closer medical centers would not have cost her anything because they were preferred providers. Sarah would only have had to show her insurance card for no-cost treatment.
I next asked Salem to send me all the Saffori invoices that were submitted by Riyadh's entire workforce. The only invoices Salem found matching that description were from an IT employee named Sharif Ibrahim; he had submitted seven Saffori invoices in the past six months.
At that point, I thought Sarah and Sharif could both be connected to the allegations. They also clearly insisted on visiting this specific center. Two weeks later I traveled to Saudi Arabia, where I met with Salem to discuss an investigation plan for this case.
A Groundbreaking Case
This investigation was challenging for me. It was not only a critical step in my career but also a way to prove how vital internal fraud investigation is for companies in the private sector of Saudi Arabia. In fact, I was conducting the very first one at Riyadh Petrochemical. Therefore, I often worked 70 hours a week, sometimes 18 hours a day. I used numerous investigative skills, tools and resources to conduct this investigation, including transaction analysis, timeline analysis and digital forensics analysis of the suspects' electronic devices and data. I also interviewed witnesses and suspects. Before interviewing anyone, I used transaction analysis to examine Sarah's process for submitting her Saffori invoices for reimbursement. I quickly noticed that all of her invoices were issued and signed by the same Saffori employee, Ahmed, which was another red flag. One of Sarah's job responsibilities was to approve medical reimbursement requests before submitting them to Perfect Insurance, so she simply approved her own invoices and passed them along. At this point, I had three potential fraudsters: Sarah and Sharif working inside Riyadh and the mysterious Ahmed working at Saffori.
Next I met the head of Riyadh Petrochemical's legal team to discuss the case. I also asked for approval to interview the suspects and analyze their business cell phones and emails. Once I received permission, I set up an informal meeting with Sarah. She explained that she liked the doctors and nurses at Saffori and would rather pay the fees in cash and seek reimbursement than go to a preferred provider. She said that according to Riyadh's compensation policy, she had the right to visit any medical center in the Kingdom of Saudi Arabia, so she didn't think she was doing anything wrong. Then, almost as an afterthought, she said that Saffori was the closest medical center to her home. That was the clincher for me — I had already discovered that there were two medical centers closer.
I asked Sarah to give me her company cell phone and handed her a notice from the general counsel stating that I had permission to analyze it. She cooperated and passed me her phone. A turning point in the case came when I examined her phone and realized there were many suspicious, deleted text messages. Out of the 30 total messages I recovered, eight were to someone named Mark at Perfect Insurance, telling him that she had submitted her medical reimbursement requests and asking him to expedite the approval. Always, within hours of these texts, she received approval message from Perfect Insurance. However, based on Perfect's policy, the reimbursement process takes 10 to 15 working days. Clearly, Sarah's requests were receiving special treatment.
I also found that Sarah sent five interesting text messages to Ahmed at Saffori, including one that said “Are you on duty tonight? Can I come by?” Ahmed replied soon after, “Come anytime, your invoice is ready.” I ordered a background check on Ahmed.
I decided to review the bids for the medical insurance contract that Sarah had awarded to Perfect Insurance. It quickly became obvious that she favored Perfect Insurance during the bidding process. She gave the company unsupported high ratings while disqualifying other competitors for insufficient reasons. I also learned that Mark was a regional sales manager at Perfect Insurance and Sarah's point of contact during the bidding process.
My review of Riyadh's contract with Perfect Insurance revealed that the cost of a married female's insurance policy was double the cost for a single woman's. I thought that was strange, and I asked Salem to pull an updated list of current and recently resigned employees of all marital statuses. We compared the internal list of married women to Perfect Insurance's list and discovered that a significant number of single women were listed as married on the paperwork.
Another important finding was that Sarah did not remove employees and their dependents from the insurance list when they resigned, even though a part of her job was to update the list weekly. As a result, the contract was inflated by $150,000.
Looking Outside for Suspects
Next I turned my attention to Ahmed. The background check I ran showed that he was the receptionist supervisor at Saffori Medical Clinic, and one of his duties was to issue invoices to customers. Salem suggested that I meet with Saffori's boss, Abdullah, to discuss the situation. He agreed to meet me the following day. During the meeting, I filled him in on the case as I understood it at that point, and Abdullah was visibly upset. He brought Ahmed into his office and asked him to explain the situation.
Ahmed immediately asked Abdullah to forgive him. He admitted that he issued invoices to Sarah in exchange for $50 per invoice, even though she did not visit Saffori or receive medical services. He explained that Sarah was his second cousin and used her position as family to pressure him. He also told us that his salary did not cover his monthly expenses; his mother was sick in his home country, and he was paying for her expensive medical treatments. He was overextended with debt, and, to top it off, Sarah had promised to give him a good job and better salary if he cooperated.
When I reviewed the invoices in question with Ahmed, we realized that seven of them had been issued by someone else; these were Sharif's invoices. I decided it was time for us to talk.
When I met with him, Sharif insisted that his invoices were issued by Saffori after he received treatment there. I pretended to be convinced by Sharif, but as a digital forensic specialist, knowing that Sharif has computer skills, I assumed that he used Photoshop or similar software to create the seven fake invoices. I examined his work computer and found (and recovered) many deleted documents, among of them the seven invoices in question. He had indeed created them in Photoshop.
I reinterviewed Sharif to ask for an explanation, but he continued to insist that the invoices came from Saffori. I confronted him with copies of the invoices I recovered from his computer. He became nervous and said, “I don't know what you're talking about. I don't know where those came from.” However, after five minutes, he admitted that he generated the invoices because Sarah had made a deal with him. She would approve and process any reimbursement requests for Sharif's medical expenses and in return Sharif — who was assigned to cover Sarah's workload during her mandatory annual leave — would not remove the resigned employees and dependents from Perfect Insurance's contract list while she was away. He also said that Sarah included him in the fraud because he was having affair with her.
Before I had a chance to interview Sarah again, she resigned and moved back to her home country.
Lack of Accountability
I was able to identify four perpetrators in this case: Sarah and Sharif working inside Riyadh and Ahmed and Mark working externally. Both Sarah and Sharif submitted false insurance claims for reimbursement to Perfect Insurance, totaling $20,970. Sarah received fake invoices from Ahmed at Saffori worth a total of $6,720 and submitted them to Mark, and she processed Sharif's false invoices worth $14,250.
Sarah also inflated Riyadh's annual premium payment to Perfect Insurance by $150,000, using two mechanisms. She manipulated female employees' marital status on file and did not remove employees from the contract when they resigned. She also manipulated the bid process early on, when she awarded the contract to Perfect Insurance.
In the end, Sharif made a full confession in writing and was allowed to resign. Sarah returned home and sent her resignation in to Salem. Perfect Insurance returned the $150,000 to Riyadh Petrochemical.
Lessons Learned
I believe that organizations are usually slow in recognizing the importance and implications of internal frauds. The lack of fraud-control readiness is a serious challenge that faces internal investigators when dealing with such issues. Riyadh Petrochemical's internal auditors did not discover they were paying extra premiums to Perfect Insurance, and Riyadh's senior management blamed them for this fraud. One of my subsequent realizations was that many senior managers do not distinguish between the roles of internal auditors and fraud investigators. In fact, internal auditors do not usually detect fraud, uncover evidence or identify suspects; they focus on enhancing internal controls by examining current procedures and processes. The fraud investigators are the ones tasked with retrieving evidence and identifying wrongdoers.
I learned that many ethical employees observed unusual activities done by Sarah but did not come forward to report their suspicions in a timely manner for two reasons. First, they did not know whom they should tell and how to keep their identities confidential. Second, they feared retaliation, which led me to believe the employees did not trust management or Riyadh Petrochemical's system for handling tips.
Another lesson I learned was that the company lacked checks and balances, which allowed Sarah to perpetrate her fraud. There were no procedures in place to reduce Sarah's authority because she had absolute control over selecting the insurance provider, and no one verified the invoices she submitted to Perfect Insurance.
I closed this case with the lingering impression that management's decision to allow the perpetrators to resign, rather than taking legal or disciplinary action, was ineffective. This decision might encourage the offenders to commit more fraudulent acts, and it created an unethical workplace environment. Additionally, because Sarah technically resigned from Riyadh, backgrounds checks on her by any future employers would come back clean.
I strongly believe that people commit fraud when presented with the opportunity and by abusing their authority, knowing there is a lack of fraud deterrence. It was clear to me that this fraud occurred because Sarah had the opportunity and she was able to rationalize her actions to herself.
Recommendations to Prevent Future Occurrences
To prevent occupational fraud, I believe that government, organizational management and individual employees must share responsibility. We all have a critical role to play, taking into account the need for qualified investigators to take the lead based on their experience. By working together, often we can prevent fraud from happening while creating an ethical environment that can positively impact the entire national economy.
I proposed to Salem that Riyadh Petrochemical should institute an ethical business model (EBM), which comprises formal, informal and technology controls (FIT controls). EBM aims to promote an ethical environment within organizations to enhance the code of conduct and prevent fraudulent activities from occurring.
Formal Controls
Formal controls in EBM include establishing and updating proper organization policies, such as responses to conflicts of interest, codes of conduct and anti-fraud policies and procedures. Companies should also enhance internal controls by clearly defining the roles and responsibilities of each employee. Segregation of duties should also be addressed.
Formal controls should encourage employees to speak up by protecting them from retaliation, for example, by creating a procedure for anonymously reporting fraud and misconduct. Management should be objective, not subjective, by focusing on the content of a complaint, not on identifying a complainant. At the same time, the policy should not only protect whistleblowers but also reward them if they report accurate allegations.
Clearly defined parameters for misconduct and subsequent disciplinary action need to be outlined to staff, and management could consider creating a disciplinary action committee to take an appropriate action against perpetrators. Formal controls should also include background checks on potential new employees and vendors.
Informal Controls
Ethical and brave employees are a key resource for detecting offenses within an organization, and informal controls can cultivate a more diligent workforce. One approach is to stress employee education and awareness while promoting an ethical work environment. Human resources or the compliance department could manage such efforts, including annual training for employees. Also, at Riyadh Petrochemical in particular, I expressed the need for management to earn their employees' trust again. Leaders need to realize their critical roles and responsibilities in the fight against internal corruption, while employees should understand that they are responsible for reporting suspicious behavior when they discover it.
Technology Controls
Technology can help us detect suspicious activities and retrieve evidence while or after transgressions take place. Today, there are many powerful tools that help investigators understand what happened, when it happened and who did it.
- Computer forensics can recover deleted folders, files and emails from a subject's computer.
- Network forensics can collect evidence from network layers and monitor employees' unusual Internet activities, such as stealing intellectual property or leaking bid prices to suppliers.
- Mobile device forensics can monitor employees' text messages and other mobile communications used to leak information to facilitate fraud.
I also believe management should fight illegal behavior in the workplace not by allowing culprits to resign but by terminating them and pressing criminal charges.
About the Author
Abdulrazaq Al-Morjan has an M.S. in information security from London University and was one of the first Saudis to obtain a Ph.D. in the field of fraud and digital forensics from De Montfort University in the United Kingdom. Since joining KAUST in July 2009, he has assisted in the start-up of the internal investigation program and enhanced internal controls. He has conducted hundreds of successful complex investigations, such as frauds, theft of property, theft of intellectual property, cybercrimes and employee and supplier misconduct. Currently Dr. Al-Morjan is working as a specialist in digital forensics and investigations; he also helped the university build an advanced digital forensics laboratory, which saves the university money and allows collecting evidence from complex fraud and cybercrimes.