Fraud Auditing, Detection, and Prevention Blog

Fraud Data Analytics: A Worked Example for Ghost Employee Fraud Schemes

Jul 12, 2018 12:38:00 PM / by Leonard W. Vona

Ghost employee schemes are a common fraud scheme during which there are people on the payroll who don’t work for the company in question but do collect a salary or remuneration.

Let’s take a closer look at how you can use fraud data analytics when creating an executing an audit program for ghost employees:

As covered in a previous blog on common fraud schemes, this particular kind of fraud sees a wage paid to the ghost and collected by a dishonest employee. This fraud does not necessarily require an accomplice but having one makes it easier to carry out.

Detecting Ghost Employee Schemes: A Worked Example

When approaching this scheme, starting with the fraud risk universe, the auditor is searching for asset misappropriation, which would be the theft of monetary funds through a ghost employee scheme.

The inherent scheme permutation analysis suggests that there are:

  • fictitious ghosts
  • assumed identity ghosts
  • real non-complicit ghosts
  • real complicit ghosts


The fraud action statement is fundamentally the same for each entity type, paid for services not performed. In reality there are over twenty identified ghost employee schemes. Therefore, the auditor will need to perform their likelihood analysis as to which permutations to include within their audit scope.

Illustrating Concepts: Fictitious Ghost

To illustrate the concepts this blog will discuss the following fraud risk statement:

Budget owner causes a fictitious person to be added to the HR system and the payroll system, the budget owner causes time and attendance records to be submitted in the name of the fictitious person causing the diversion of company assets.

Indirect Access Within the Example

In a previous blog post on fraud risk, the concept of direct and indirect access was discussed. The concept of “causes” is the fraud theory of indirect access to a database. As a reminder, when it comes to indirect access the authorized action of a budget owner causes a person with direct access to add the employee to a database. It is important that the fraud auditor understand the concept of indirect access.

In an earlier blog, we also discussed the importance of planning reports that are designed to help with the predictability aspect of the fraud scenario. The first report should be a report by employee number, employee name, employee start date and the applicable budget code. Using the payroll registers create the gross payroll, net payroll, calculate the difference between gross and net and calculate the percentage of gross to net.

It is worth noting that typically a fictitious “ghost” employee’ has a high percentage of net to gross because of the absence of voluntary deductions.

Building the Fraud Data Profile

The fraud data analytics plan starts with building a fraud data profile for:

  • Fictitious employee using the Human Resources data base
  • Payment profile using the payroll registers
  • Nonperformance of services using the time and attendance data base
  • Nonperformance of services using other data bases that require an action by the employee i.e. computer sign on; door access card and parking lot access card.


Fictitious Employee Using the Human Resources Database

To start with the Human Resource Database, your team would first run a missing data analytics report searching for those employees are missing “x” of data elements.

The key is to identify less common fields that are typically completed by most employees i.e. emergency contact person or telephone number.  Always search for an employee that has a blank street address and bank account number.

The second test is duplicate address or duplicate bank account number. While the likelihood is low for detection, you just do not want to miss something this easy. A more refined approach designed to alleviate the false positives is to first create a table of employees that meet the definition of “budget owner”. The table should have:

  • employee number
  • employee name
  • address
  • bank account
  • social security number
  • budget codes
  • employee start date


You will then perform the duplicate test on address, bank account and telephone number. The budget owner start date and employee start date can also help reduce false positives. The employee start date should be greater than the budget owner start date. In addition, it is always a good idea to run a duplicate social security number test within the Human Resources data base, simply because it so easy.

Note: A challenge for the budget owner is obtaining a valid social security number, so match Human Resources database to accounts payable. Maybe, the budget owner has used a social security number from a contract employee. The other place valid social security numbers maybe found is in the benefits file associated with dependents of the budget owner.

Payment Profile Using the Payroll Registers

Now moving onto the payroll register, the key here is to search for the anomaly in withholding from the employees’ gross payroll. So, before you build your score card, you should first determine how employees have no voluntary deductions for pension, health insurance, etc.

Then, your team can create the score card to identify those employees that score high on no voluntary deductions. If tax withholding is voluntary, search for employees with no tax withholdings. Depending on your employee hiring practices, you may need to create a few different homogenous data bases especially if you have:

  • summer employees
  • temporary employees
  • children of employees


Nonperformance of Services Using the Time and Attendance Database

Assuming the time and attendance report is electronic, this test is fairly simple in concept but may have some challenges in scripting the analysis.

Your team are searching for a time and attendance recorded that was created by someone other than employee named on the time and attendance record. The use of the table created of budget owners may be useful in this test. A duplicate test on time card creator and time card approver may also be useful.

Nonperformance of Services Using Other Databases Requiring Action By the Employee

There are many challenges in performing this type of analysis due to the mix of employees that reside with any given company.

The use of filtering is critical to create homogenous data bases that will match to the other data bases. For example, manufacturing employees may not sign-in on the computer network each day, whereas office administrative would sign-in on a daily basis .

Building access databases can be useful, assuming the employees are required to badge in and out each day. Before using this analysis, determine the reliability of the test for your base of employees.

Planned audit procedure

A critical step in every fraud data analytics plan is to ensure you have a planned audit procedure for the sample of employees selected via your fraud data analytics procedure. For the proceeding fraud risk statement, the examination of employee identification, the proverbial payroll payoff test.

Remember, the search for fraud starts with a logic based approach. Once the fraud risk statement is defined and understood the process of building your fraud audit program becomes easier. The comprehensive search for ghost employees would start with identifying all the ghost employee schemes relevant to your company and following the above process in building your fraud audit program. Contact us today if you need help building a comprehensive fraud audit program.  

Topics: Fraud Data Analytics, Fraud Schemes, Fraud Detection, Worked Example, Fraud Plan

Leonard W. Vona

Written by Leonard W. Vona

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.