Insider Threat Matrix™
  • ID: PV027
  • Created: 22nd July 2024
  • Updated: 22nd July 2024
  • Contributor: The ITM Team

Financial Approval Process

The financial approval process is a structured procedure used by organizations to review and authorize financial transactions. It includes segregation of duties, authorization levels, and documentation and audit trails to prevent financial abuse and ensure adherence to policies and budgets.

Sections

ID Name Description
IF016 Misappropriation of Funds

A subject dishonestly makes false representations, fails to disclose information or abuses their access or position to make a financial gain and/or cause a loss to an organization. Methods to achieve this include unauthorized bank transfers, misuse of corporate cards, or creating fictitious invoices.

IF016.005 Modification of Invoices

A subject with direct or indirect access to a billing system misuses that access to modify existing invoices, causing payments to be diverted to themselves, a business they own, or a third party.

IF016.001 Misuse of a Corporate Card

A subject may misuse a corporate credit card for their own benefit by making purchases that are not aligned with the intended purpose of the card or by failing to follow the policies and procedures governing its use.

IF016.006 Creation of Fictitious Invoices

A subject with direct or indirect access to a billing system misuses that access to create fraudulent invoices, causing payments to be diverted to themselves, a business they own, or a third party.

IF016.002 Unauthorized Bank Transfers

A subject misuses their direct or indirect access to dishonestly redirect funds to an account they control or to a third party.

IF016.007 Excessive Overtime

A subject who self-reports hours worked and/or is eligible to claim overtime, or an individual responsible for reporting such working time, may falsify time records or make false representations to a working time system to cause payment or time in lieu for unperformed work.

IF023.002 Sanction Violations

Sanction violations involve the direct or indirect engagement in transactions with individuals, entities, or jurisdictions that are subject to government-imposed sanctions. These restrictions are typically enforced by regulatory bodies such as the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the United Nations, the European Union, and equivalent authorities in other jurisdictions.

Unlike export violations, which focus on the control of goods and technical data, sanction violations concern the status of the receiving party. A breach occurs when a subject facilitates, authorizes, or executes transactions that provide economic or material support to a sanctioned target—this includes sending payments, delivering services, providing access to infrastructure, or sharing non-controlled information with a restricted party.

Insiders may contribute to sanction violations by bypassing compliance checks, falsifying documentation, failing to screen third-party recipients, or deliberately concealing the sanctioned status of a partner or entity. Such conduct can occur knowingly or as a result of negligence, but in either case, it exposes the organization to serious legal and financial consequences.

Regulatory enforcement for sanctions breaches may result in significant penalties, asset freezes, criminal prosecution, and reputational damage. Organizations are required to maintain robust compliance programs to monitor and prevent insider-driven violations of international sanctions regimes.

ME001.002 Purchase and Use of Unmanaged Corporate Hardware

The subject purchases a laptop (or similar endpoint) using a corporate payment method but does so outside established procurement and provisioning processes. By bypassing IT and asset management workflows, the subject introduces a corporate-funded but unmanaged device into the environment.

Such devices often lack standard security controls—such as endpoint detection and response (EDR), encryption, configuration baselines, or patching—and may not be tracked in asset inventory systems. While the subject may rationalize the purchase as operationally necessary (e.g., urgency, convenience, or perceived lack of IT responsiveness), the result is a sanctioned but invisible device with the potential to bypass monitoring and governance controls.

This behavior undermines organizational asset control, complicates investigative attribution, and introduces unmanaged endpoints capable of accessing sensitive networks and data.

IF016.008 Prepaid Debit Cards

The subject creates, obtains, or distributes prepaid debit cards as a mechanism for transferring or accessing misappropriated funds without direct attribution. The subject may load funds onto prepaid cards, often issued under false names, expired identities, or third-party aliases.

These cards may be used by the subject personally, handed off to co-conspirators, or leveraged to launder proceeds through ATM withdrawals, retail purchases, or online transfers. Their use enables dissociation from formal banking records and introduces delay or obfuscation in financial forensics.

IF016.009 Creation of Fictitious Work Orders

The subject generates falsified internal work orders to simulate legitimate business activity, enabling unauthorized payments, resource allocation, or personal financial gain. These work orders are typically entered into official systems (e.g., procurement, HR, or service management platforms) and may reference real vendors or fictitious entities created by the subject.

Unlike invoice fraud, which occurs at the point of payment, this behavior targets the earlier procedural layer, embedding false tasks, contracts, or justifications into the organization’s internal operations. It is often used to pre-authorize expenditures or create documentation trails that appear procedurally valid.

Work order fabrication may be episodic or sustained, and is especially difficult to detect in high-trust environments or when the subject holds procurement authority. The behavior may surface during internal audits, budget discrepancies, or when a pattern of unusually consistent approvals is noticed across unrelated departments or timeframes.