Case 1 — The ₦47 Million Procurement Fraud
Sector: Private sector services | Duration: 18 months | Loss: ₦47,000,000
A procurement officer created three vendor accounts with slight name variations of a legitimate supplier. Payments were consistently split just below the dual-authorization threshold. No flag was raised because each individual transaction appeared routine.
- What gave it away: A forensic audit identified that three vendors shared the same bank account number. Invoice formatting was identical across all three. Delivery notes for supposedly separate vendors carried the same handwriting.
- Control failures: No duplicate bank account check in the vendor master file. No threshold analysis of split transactions. Vendor onboarding performed by the same officer who processed payments.
- Lesson: Run a duplicate bank account report across your entire vendor master file today. This single query has a higher fraud detection rate than most scheduled audit procedures.
Case 2 — The Ghost Employee Network
Sector: Government agency | Duration: 4 years | Loss: Hundreds of millions of naira
A payroll officer added fictitious employees to the payroll over a four-year period. Salaries were paid to bank accounts controlled by the officer through a network of associates. Annual external audits focused on financial statements rather than payroll integrity.
- What gave it away: A routine headcount exercise as part of an office relocation revealed a discrepancy of 34 employees between HR records and the payroll register.
- Control failures: No independent reconciliation between HR headcount and payroll. No physical verification of employees. Payroll officer had both create and approve access in the payroll system.
- Lesson: Headcount verification is not an HR task — it is an audit task. It must be performed independently, unannounced, and at irregular intervals.
Case 3 — The Enron Corporation Collapse (Global Benchmark)
Sector: Energy | Country: United States | Loss: Over $74 billion in shareholder value
Enron's executives used special purpose entities (SPEs) to conceal billions in debt and inflate reported earnings. The scheme relied on the complicity of external auditors, weak board oversight, and a culture that prioritized reported performance over operational integrity.
- Control failures: The Audit Committee did not exercise genuine independence. External auditors had significant consulting revenue at risk — a material conflict of interest. Corporate culture rewarded aggressive accounting and punished those who raised concerns.
- Lesson for Nigerian organizations: Board independence is not structural — it is behavioural. An Audit Committee that does not ask probing questions, read management representations critically, or protect whistleblowers is not independent regardless of its formal composition.
Case 4 — The BEC Wire Transfer Fraud
Sector: Manufacturing | Loss: $2.3 million (illustrative composite)
An attacker monitored a compromised email account for three weeks before acting. Once they understood the organization's payment processes, vendor relationships, and approval hierarchy, they sent a single email appearing to come from the CFO instructing a finance officer to make an urgent international transfer to a new bank account.
- Control failure: No out-of-band verification requirement for payment instruction changes. Finance officer did not question the urgency framing. No callback verification to a known CFO number was performed.
- Lesson: No payment should ever be redirected to a new bank account based solely on email instruction — regardless of the apparent sender. One phone call to a known number prevents this scheme entirely.
Key Patterns Across All Cases
| Pattern | Frequency | Implication |
|---|---|---|
| Trusted, long-tenured employee | Very High | Trust must never substitute for controls |
| Control override or bypass | Very High | Override logging and monitoring is mandatory |
| Scheme detected by tip, not audit | High | Whistleblower channels are the highest-value detection investment |
| Multiple consecutive years undetected | High | Scheduled audits alone do not detect active, managed fraud |
| Early warning signs existed and were ignored | Very High | Red flag reporting culture is essential |
Key Takeaway
Real fraud cases are not historical curiosities — they are active training tools. Every case reviewed should prompt the question: could this happen here? If the answer is uncertain, that uncertainty is your audit mandate. The organizations that learn from others' losses are the ones that avoid their own.
Read: Fraud Awareness Fundamentals →