anewhorizonconsulting.com

Amazon Fraud Case Article

The audacious fraud orchestrated by Kayricka Wortham and her associates, resulting in a theft of nearly $9.4 million from Amazon, casts a spotlight on the vulnerabilities inherent in many corporate financial systems.

 

Wortham was an Operations Manager at the Amazon warehouse in Smyrna, Georgia. In her position, Wortham was a supervisor and had the authority to approve both new vendors and the payment of vendor invoices.

 

How could this segregation of duties risk go unnoticed by both Amazon’s internal risk assessment process and the external audit?

 

Wortham used her position as an Operations Manager and conflicting duties at Amazon to steal approximately $9.4 million from the company.  Wortham created fake vendors and submitted more than $10 million in fictitious invoices for those vendors, causing Amazon to transfer approximately $9.4 million to bank accounts controlled by her.

 

Could AI have detected this fraud earlier?  Could this be happening at your business?

 

Wortham provided fake vendor information to unknowing subordinates and asked them to input the information into Amazon’s vendor system.  Once the information was entered, Wortham approved the fake vendors, thereby enabling those vendor accounts to submit invoices for payment on goods and services purportedly provided by the vendors to Amazon.

 

Should this have been identified by Amazon’s internal risk assessments?  Is it possible to have impenetrable segregation of duties across a business as large as Amazon?

 

After the fake vendor accounts were established, Wortham submitted fictitious invoices to Amazon for payment.  These invoices falsely showed that the fake vendors had provided goods and services to Amazon.  The invoices directed payment to bank accounts controlled by Wortham.

 

After Amazon received the fictitious invoices, Wortham approved them for payment, causing Amazon to transfer funds to the bank accounts controlled by Wortham. 

 

Is it possible, in real time, to identify the bank account number where funds are being sent and see if that account is owned by an employee? Or, as a simpler check, would it be possible to compare, in real time, the account name to the name associated with the EDI payment to ensure they match?

 

The primary goal of this article is to elicit an intellectual conversation over these topics, which is why I am leaving most of these questions unanswered; however, for this one I will respond with a simple “yes”.

 

On June 10, 2022, the United States Secret Service (USSS) Atlanta Field Office began investigating a possible multi-level embezzlement scheme involving an unusually large and significant flow of funds between various bank accounts in the form of transfers, ACH credits and debits and large dollar wires from one account to another that began on or about January 19, 2022.

 

A review of bank records from several financial institutions revealed that Wortham received substantial EDI payments from Amazon in various bank accounts.

 

During the investigation, USSS determined that Wortham had access to Amazon’s payee and invoicing databases and could add and approve vendors and invoices.  Amazon identified information demonstrating that Wortham told Amazon employees who reported to her to onboard vendors, including the vendors connected to various bank accounts owned by Wortham.  Wortham provided her subordinates with the vendor information they needed to enter into the system.

 

Could proper monitoring controls have detected this fraud sooner?

 

Although EDI payments are typically made by companies to their vendors, none of the accounts identified in the investigation showed signs of legitimate business activity such as payroll, payments from other customers, or payments to vendors. Moreover, account names often did not match the names associated with the EDI payments.

 

Should businesses add a know-your-customer check when adding new vendors to the Master File? Would that be cost effective, or could there be ways to do that at minimal cost?

 

Based on its investigation, USSS obtained multiple warrants and seized fraud proceeds from bank accounts that received funds obtained during the above-described embezzlement scheme.

 

This was an overview of the fraudulent vendor scheme that happened at Amazon in fiscal 2022. This is a thought-provoking article; I would love to hear your thoughts on a few of the questions posed in the comments. For context, Amazon was audited by a Big 4 firm and was given a clean audit opinion, including compliance with the Sarbanes-Oxley Act (SOX).

 

While publicly traded companies like Amazon are under the purview of SOX, this case serves as a broader reflection of the challenges firms face in ensuring the robust application of segregation of duties. For such companies, SOX compliance is an added layer in their financial controls framework that needs constant reinforcement.

 

A technological system that routinely checks vendor master files for discrepancies, such as questionable emails, doubtful incorporation dates, or irregular corporate registry details, can act as a vigilant sentinel.  Such an unbiased, constant analysis mechanism introduces a fresh layer of checks and balances, mitigating the risks associated with human oversight.

 

The common practice of engaging Big 4 audit firms for compliance checks, which usually rely on a sampling method, might not always capture every nuanced irregularity. It’s essential for corporations to acknowledge that while sampling has its merits, a more exhaustive scrutiny might be necessary for today’s intricate financial landscape. An advanced system that continuously monitors all transactions and vendor inclusions can complement traditional audit processes.
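As an added illustration (not taken from Amazon's systems or the case record), the sketch below runs three of the checks raised in this article over every vendor and invoice rather than a sample: a vendor bank account that matches an employee's account, an account holder name that does not match the vendor name, and one person approving both the vendor and its invoices. The record layout, IDs, names, account numbers and the 0.8 similarity threshold are all constructed assumptions; the account holder name is assumed to come from a bank account verification step.

```python
import re
from difflib import SequenceMatcher

# Constructed sample records using a hypothetical schema.
EMPLOYEES = [
    {"id": "E100", "name": "Pat Rivera", "bank_account": "ACCT-778812"},
    {"id": "E200", "name": "Sam Cole", "bank_account": "ACCT-551903"},
]
VENDORS = [
    {"id": "V1", "name": "Northside Pallet Supply LLC", "bank_account": "ACCT-330045",
     "account_holder": "Northside Pallet Supply", "entered_by": "E200", "approved_by": "E300"},
    {"id": "V2", "name": "Apex Logistics Group Inc", "bank_account": "ACCT-778812",
     "account_holder": "Pat Rivera", "entered_by": "E200", "approved_by": "E100"},
]
INVOICES = [
    {"id": "I1", "vendor": "V1", "amount": 4200.00, "approved_by": "E400"},
    {"id": "I2", "vendor": "V2", "amount": 98000.00, "approved_by": "E100"},
]
SUFFIXES = {"llc", "inc", "corp", "co", "ltd"}

def normalize(name):
    # Lowercase, drop punctuation and legal suffixes so "X LLC" compares equal to "X".
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def names_match(a, b, threshold=0.8):
    # Fuzzy comparison tolerates minor spelling differences; threshold is an assumption.
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio() >= threshold

def review_vendor_master(vendors, invoices, employees):
    """Return (vendor_id, finding, detail) tuples for every record, not a sample."""
    staff_accounts = {e["bank_account"]: e["id"] for e in employees}
    findings = []
    for v in vendors:
        owner = staff_accounts.get(v["bank_account"])
        if owner:  # payments to this vendor would land in an employee's account
            findings.append((v["id"], "EMPLOYEE_BANK_ACCOUNT", owner))
        if not names_match(v["name"], v["account_holder"]):
            findings.append((v["id"], "PAYEE_NAME_MISMATCH", v["account_holder"]))
    vendor_approver = {v["id"]: v["approved_by"] for v in vendors}
    for inv in invoices:
        # Segregation-of-duties conflict: same person approved vendor and invoice.
        if inv["approved_by"] == vendor_approver.get(inv["vendor"]):
            findings.append((inv["vendor"], "SAME_APPROVER_VENDOR_AND_INVOICE", inv["id"]))
    return findings

if __name__ == "__main__":
    for finding in review_vendor_master(VENDORS, INVOICES, EMPLOYEES):
        print(finding)
```

In the constructed data only vendor V2 is flagged, and it trips all three checks at once; any one of them alone would be enough to hold the payment for independent review.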

 

Is there a way to utilize technology to further enhance the framework that SOX has started?  Are you confident your current internal control processes would detect and/or prevent a similar fraud happening at your business?

 

In conclusion, the Amazon incident underscores the criticality of reinforcing financial systems, especially in an age where ingenuity and digital tools can exploit even minor lapses.  While guidelines like SOX offer a framework, the dynamic business world demands constant evolution and adaptation of these controls.  Integrating advanced systems into financial controls not only acts as a deterrent for potential fraudsters but also instills greater confidence among stakeholders and the public.   

 

Let’s also add a disclaimer, that this is all based on our analysis of publicly available data.