// investigation guide

payroll fraud / ghost employee — methodology

payroll fraud is not a single suspicious paycheck. it is ghost employees paid after termination, unauthorized direct deposit routing changes, retro adjustments with no approval chain, overtime inflated against empty timesheets, and hcm headcount that no longer matches the register. your job is to freeze payroll audit exports before retention rolls, correlate adp and workday views of the same dollars, and hand finance a reconciled timeline before the next pay cycle sends more money to the wrong account.

what evidence exists and how fast it dies

artifact | volatility | time to loss
adp / ukg / gusto payroll audit export | persistent if saved | rolling retention — often 90–365 days in vendor console
workday payroll result and payment export | persistent if saved | audit log retention varies by tenant configuration
hcm headcount / worker status snapshot | point-in-time | superseded every pay cycle — export at triage time
wfm timesheet and punch export | rolling | 90–180 days typical; overtime disputes need same-period pull
ach / direct deposit change approval tickets | mixed | lost if hr case system purges closed cases
svc account login / ip telemetry for payroll admin | rolling | 30–90 days in identity and vpn logs

the first 10 minutes

  1. halt the next payroll run if fraud is active — finance controller sign-off, not it alone.
  2. export adp payroll audit log for the disputed pay period and prior two cycles.
  3. export workday payroll results, payment register, and worker status as of today.
  4. pull hcm headcount roster and flag any employee paid after termination date.
  5. export wfm timesheets for the same pay periods — match ot lines to punches.
  6. preserve direct deposit change tickets and approver identity for every routing swap.
  7. note svc-payroll-admin or shared mailbox accounts that touched changes — capture source ip if available.
  8. reconcile total disbursed dollars to approved headcount before announcing scope to hr.
  9. notify bank / ach processor if routing theft is confirmed — recall window is hours, not days.
  10. begin the path below.

the path

  1. adp payroll audit log forensic analyzer

    adp payroll audit export. surfaces direct deposit routing changes, off-cycle payments, and approver identity gaps — the brennan fixture shows svc-payroll-admin swapping ACH routing from 198.51.100.88 without an HR case.

    why first: adp is often the payment rail even when workday is system of record. start where money actually moved.

  2. workday payroll export forensic analyzer

    workday payroll export csv. parses payment posts, earning lines, and user attribution — brennan mismatch includes payroll posts and ach updates with no matching hr workflow.

    why second: cross-check adp hits against workday's view of who was paid and who authorized it.

  3. payroll ghost employee detector

    payroll event export with termination and payment rows. flags employees paid after effective termination — ghost id e-88421 terminated 2026-01-15 then paid again 2026-04-08.

    why third: ghost employees are the headline fraud pattern. prove pay continued after hr marked the record inactive.

  4. payroll unauthorized adjustment detector

    payroll adjustment event log. detects retro bonuses, manual rate changes, and tamper attempts outside approved adjustment windows.

    why fourth: routing theft and ghost pay often ride alongside quiet retro adjustments — catch both in the same pass.

  5. payroll overtime inflation detector

    payroll overtime event export. highlights ot hours and dollars that spike without matching operational justification.

    why fifth: overtime inflation is a parallel fraud lane — insiders inflate hours before direct deposit redirects land.

  6. cross hcm payroll headcount correlator

    hcm headcount export plus payroll run csv. correlates active employee count to dollars disbursed — brennan shows headcount drift versus pay run totals.

    why sixth: one ghost employee is a row mismatch; sustained fraud is headcount that does not reconcile to the register.

  7. cross payroll wfm timesheet correlator

    payroll register plus wfm timesheet export. ties paycheck lines to clocked hours — surfaces ot paid without matching timesheet rows.

    why seventh: payroll-only analysis misses inflated hours. wfm correlation proves the hours were never worked.

  8. case report generator

    structured findings plus evidence manifest. assembles examiner notes, dates, tool outputs, and hashed evidence files into a local pdf report.

    why last: finance, hr, and counsel need one package — not eight separate csv exports.
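
one way to run the approver-gap check the adp step describes, as an added example that is not the tool's own code: it matches each direct deposit routing change to an hr case and a recorded approver. the field names, action label, ticket records and the 7-day window are assumptions; the rows are constructed, reusing only the account and ip the brennan fixture names.

```javascript
// added example: field names and the action label are assumptions, not a vendor schema.
// constructed rows; only svc-payroll-admin and 198.51.100.88 come from the brennan fixture.
const auditRows = [
  { ts: '2026-04-02T14:05:00Z', actor: 'svc-payroll-admin', action: 'DD_ROUTING_CHANGE',
    employeeId: 'E-20001', approver: '', sourceIp: '198.51.100.88' },
  { ts: '2026-04-03T09:30:00Z', actor: 'jdoe', action: 'DD_ROUTING_CHANGE',
    employeeId: 'E-10007', approver: 'mlee', sourceIp: '192.0.2.10' },
  { ts: '2026-04-03T10:00:00Z', actor: 'mlee', action: 'DD_ROUTING_CHANGE',
    employeeId: 'E-10112', approver: 'mlee', sourceIp: '192.0.2.10' },
];
// constructed hr case export (hypothetical fields).
const hrTickets = [
  { ticketId: 'HR-5001', employeeId: 'E-10007', type: 'direct_deposit_change',
    closedAt: '2026-04-02T16:00:00Z' },
  { ticketId: 'HR-5002', employeeId: 'E-10112', type: 'direct_deposit_change',
    closedAt: '2026-02-01T12:00:00Z' },
];
const DAY_MS = 24 * 60 * 60 * 1000;

// returns one finding per routing change that lacks a real approval trail.
function reviewRoutingChanges(rows, tickets, windowDays = 7) {
  const findings = [];
  for (const row of rows) {
    if (row.action !== 'DD_ROUTING_CHANGE') continue;
    const changedAt = Date.parse(row.ts);
    // an hr case counts only if it is for the same employee and closed no more
    // than windowDays before the change; a stale case does not authorize it.
    const ticket = tickets.find((t) => {
      const age = changedAt - Date.parse(t.closedAt);
      return t.employeeId === row.employeeId && t.type === 'direct_deposit_change' &&
        age >= 0 && age <= windowDays * DAY_MS;
    });
    const reasons = [];
    if (!ticket) reasons.push('no_matching_hr_case');
    if (!row.approver) reasons.push('no_approver_recorded');
    else if (row.approver === row.actor) reasons.push('self_approved');
    if (row.actor.startsWith('svc-')) reasons.push('shared_service_account');
    if (reasons.length > 0) {
      findings.push({ employeeId: row.employeeId, actor: row.actor,
        sourceIp: row.sourceIp, ts: row.ts, reasons });
    }
  }
  return findings;
}

const routingFindings = reviewRoutingChanges(auditRows, hrTickets);
console.log(JSON.stringify(routingFindings, null, 2));
```
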

common false leads

  • one duplicate paycheck equals fraud — timing gaps between hcm termination and payroll cutoff create benign duplicates.
  • workday and adp always match — many orgs run adp as payment rail with async sync; mismatch is the signal, not proof of innocence.
  • direct deposit change had manager approval — forged email approvals and shared svc accounts bypass real four-eyes control.
  • overtime spike means hourly fraud — salaried retro bonuses and ghost employees also inflate registers without wfm rows.
  • terminating the employee fixes it — routing and ghost pay often target ids already marked inactive in hcm.
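
the ghost employee check from the path, written so it separates the benign termination-versus-cutoff case in the first false lead from pay for a period that began after termination (added example, not the detector's own code). the csv layout and column names are assumptions; the rows are constructed apart from e-88421's 2026-01-15 termination and 2026-04-08 pay date.

```javascript
// added example: csv layout and column names are assumptions, not a vendor schema.
// constructed rows; only e-88421's termination (2026-01-15) and 2026-04-08 pay date
// come from the brennan fixture. pay periods and amounts are made up.
const payrollEventsCsv = `event,employee_id,date,period_start,period_end,amount
TERMINATION,E-88421,2026-01-15,,,
PAYMENT,E-88421,2026-01-23,2026-01-01,2026-01-15,2100.00
PAYMENT,E-88421,2026-04-08,2026-03-16,2026-03-31,2100.00
TERMINATION,E-20002,2026-03-10,,,
PAYMENT,E-20002,2026-03-20,2026-03-01,2026-03-15,1800.00
PAYMENT,E-30003,2026-04-08,2026-03-16,2026-03-31,2500.00`;

// minimal parser for this simple export (no quoted fields or embedded commas).
function parseCsv(text) {
  const [header, ...lines] = text.trim().split('\n');
  const cols = header.split(',');
  return lines.map((line) =>
    Object.fromEntries(line.split(',').map((v, i) => [cols[i], v.trim()])));
}

// classifies every payment dated after the employee's termination.
// assumes one termination row per employee and iso yyyy-mm-dd dates,
// which compare correctly as plain strings.
function classifyPostTerminationPay(rows) {
  const terminatedOn = new Map();
  for (const r of rows) {
    if (r.event === 'TERMINATION') terminatedOn.set(r.employee_id, r.date);
  }
  const results = [];
  for (const r of rows) {
    const term = terminatedOn.get(r.employee_id);
    if (r.event !== 'PAYMENT' || !term || r.date <= term) continue;
    // period began before termination: likely final pay landing after cutoff.
    // period began after termination, or none given: no worked period supports it.
    const verdict = !r.period_start || r.period_start > term
      ? 'ghost_pay' : 'final_pay_timing';
    results.push({ employeeId: r.employee_id, terminated: term, paid: r.date,
      amount: Number(r.amount), verdict });
  }
  return results;
}

// dollar exposure from ghost payments only.
function ghostExposure(results) {
  return results.filter((x) => x.verdict === 'ghost_pay')
    .reduce((sum, x) => sum + x.amount, 0);
}

const postTermination = classifyPostTerminationPay(parseCsv(payrollEventsCsv));
console.log(postTermination, ghostExposure(postTermination));
```

rows marked final_pay_timing still go to payroll for confirmation against the cutoff calendar; they are kept out of the exposure total, not dropped from the record.
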

what we can tell you, what we can't

we can tell you:

  • adp audit anomalies — routing changes, off-cycle payments, approver gaps
  • workday payroll export inconsistencies versus hcm worker status
  • ghost employee patterns — pay after termination, inactive ids on active registers
  • unauthorized adjustment and retro bonus rows outside approved windows
  • overtime inflation spikes in payroll event exports
  • hcm headcount to pay run reconciliation gaps
  • payroll to wfm timesheet mismatches for the same period
  • structured local pdf case report from your exports and findings

we can't tell you:

  • recover stolen funds — bank recall and law enforcement territory
  • prove criminal intent without your hr interviews and approval chain context
  • pull live payroll vendor data — you must export csvs yourself
  • replace a certified fraud examiner sign-off for financial statement restatement

handing it off

  • finance / payroll: frozen pay run status, reconciled headcount, confirmed routing changes, and dollar exposure by period.
  • hr / hcm: ghost employee ids, termination versus last-paid dates, and svc account access review for payroll admin roles.
  • internal audit / counsel: case report pdf, hashed evidence manifest, and cross-system timeline for SOX or insurance notification.
  • law enforcement / bank: ach routing theft details, source ip for svc account changes, and payee account numbers from vendor exports — not browser tool output alone.

further reading

reference investigation

synthetic fixture brennan-payroll-fraud — brennan corp ghost employee e-88421 paid after 2026-01-15 termination, adp direct deposit routing swap by svc-payroll-admin from 198.51.100.88, workday export mismatch, and wfm overtime inflation, seed brennan-payroll-fraud:v1. compare output via npm run check:flagship.

fixture download: evidence zip · proof page: /forensics/proof/brennan-payroll-fraud · case playbook: case type tools
