Utilizing Splunk to Identify and Prevent Payroll Fraud

Many people are surprised to discover how prevalent employee fraud – including timecard fraud – is in our country. It can be found at businesses of all sizes and in nearly every industry.

Consider these statistics from the ACFE 2020 Report to the Nations, released by the Association of Certified Fraud Examiners:

  • Occupational fraud costs an organization an average of $1.5 million.
  • Organizations lose an estimated 5% of their revenues each year to fraud.

Payroll fraud happens in 27% of all businesses, according to ACFE, and is the sixth most common form of occupational fraud in the U.S. and Canada, making up 13% of all cases.

Read or review the first article in the series about payroll diversion. 

Read or review the second article in the series about phantom employees.

Here are some common ways scammers carry out payroll fraud: 

  • Payroll Diversion
  • Phantom Employees
  • Time Card/Timesheet or PTO Fraud

In this article, we’ll explore the realities of time card/timesheet fraud and how Splunk can be leveraged to address it.

Real Life Example: Kansas Fire Department Leaders Cheat on Timesheets

An investigation conducted by KWCH-TV in Salina, KS, uncovered such a scheme within the city’s fire department. The same conclusion was later reached by an independent auditor: the battalion chiefs were taking vacation time, but not recording it.

The auditor’s report, presented to the Salina City Commission on Aug. 16, 2021, showed 265 shifts were identified as time off not applied to vacation. The value of this stolen time was nearly $200,000.

(KWCH said it additionally found 24 shifts where an additional $18,000 in personal time and sick time went unreported.)

A Fraud Discovery Two Years in the Making

Events leading up to the revelation of this fraud were set in motion back in 2019. That’s when the Salina human resources specialist contacted Tim LePage, the Salina fire captain who raised initial concerns about fraud, to discuss how the Fire Department managed its overtime.

During the conversation, the specialist informed the fire captain that his boss hadn’t used any vacation.

That caught LePage’s attention because he knew for a fact his boss had taken time off. When LePage looked into the matter further, he made an unsettling discovery. The leadership team’s familiarity with the system “allowed them to manipulate it for personal gain,” he said.

LePage, who retired in July after 22 years with the department, told KWCH he was relieved by the findings. “I’ve been vilified by a handful of people there, and I think this just solidified that I did my due diligence,” he said.

How Could This Time Card Fraud Have Been Prevented? Splunk.

If the Salina Fire Department had Splunk, this activity could have been captured via data analytics.

All technology systems generate data. Splunk searches and indexes log files, which helps organizations extract insights from their data. It can recognize patterns and create metrics.

In this scenario, fire battalion chiefs likely:

  • Worked out of an office in the fire station.
  • Logged into an organization’s network at some point, when working.

In the course of carrying out their duties – that is, when they were working – these employees left a digital trail of breadcrumbs generated by their online activities, such as:

  • Login records from an on-site computer, or data from a work device.
  • Badge swipe data.
  • Mobile phone accessing a wireless LAN at the fire station.
  • For remote workers, the Salina IT or HR teams might have looked at VPN logs and logs of access to company systems.

Leveraging Data Correlation: A Key Step

If the city of Salina had deployed Splunk, the IT or HR professionals could find within their data relationships between seemingly unrelated events – and determine which ones were relevant about time off taken. They could have also set up alerts.

“All of these are data you might pull in for other reasons, such as information security. But they can be used for additional purposes, including to detect payroll fraud,” said SP6 Director of Professional Services Chris Selvig.

Timecard Fraud: In Conclusion

All organizations are potential targets of employee theft, including timecard fraud.

Because it can be difficult to spot, businesses that incorporate the latest technology with human controls have a much better chance of preventing this type of crime than those that don’t.

Learn how the experts at SP6 partner with organizations of all sizes and business sectors to help them use the data they already have to detect fraud and prevent losses.

Your technology systems contain logs that can help you detect and prevent fraud. The SP6 fraud team is skilled at turning this information into measures you can put in place to protect your organization. Organizations often see a return on their investment within months.

We would be happy to answer any questions you may have. Contact us to set up a free consultation.