As May begins, there are several topics I’d like to explore—such as recognizing Internal Audit Awareness Month and reflecting on the recent cyberattack at Marks & Spencer in the UK. However, a video I recently came across on YouTube caught my attention. It features a former internal audit professional discussing a striking case of internal fraud at the Four Seasons Hotel in Hong Kong. Given its relevance to the internal audit community, I believe it’s worth a deeper discussion.
Case Summary
In summary, a 39-year-old former accounting manager, Chan Yiu-choi, was sentenced to six years and six months in prison for embezzling over HK$26 million (US$3.35 million) from the hotel over a span of four years. Chan forged 112 cheques and redirected funds to nine personal bank accounts, using the stolen money to buy property, a Porsche, and other luxury items. His career path was unconventional—starting as a waiter at the hotel in 2013, then moving internally to an accounting clerk role before eventually being promoted to accounting manager in 2017. The fraud was finally uncovered when a suspicious payment triggered an investigation, revealing the full extent of his actions.
While the video commentary raised several interesting points, I would like to offer my professional perspective on a few key aspects.
1. Lack of Background Checks
The YouTuber noted that Chan had a prior criminal record. If accurate, this raises significant concerns about the lack of due diligence in the hiring process. In Hong Kong, obtaining a police certificate of good conduct can be cumbersome—it may take a month or more and cost upwards of HK$200. Human resources departments often do not fund this process, relying instead on self-declaration and reference checks.
This practice may be adequate for lower-level roles, but becomes risky when internal hires transition to financial or managerial responsibilities. It is worth questioning whether internal favoritism or personal relationships played a role in Chan’s fast-tracked promotion, especially considering he worked as a waiter in the hotel's restaurant where senior accounting staff could have had access to employee dining benefits—such as dining at Caprice, which costs HK$3,000 per head and often requires reservations three months in advance.
2. The Fraudster’s Patience and Strategy
The YouTuber described Chan as "patient," having slowly siphoned funds over four years. I agree—but I would add that Chan also possessed deep insider knowledge. His rapid promotion from a non-finance role suggests he was either extremely competent or had gained significant trust within the organization.
His scheme—112 forged cheques over four years—amounts to roughly 2–3 fraudulent payments per month, likely buried within miscellaneous expense batches. I believe he avoided scrutiny by targeting small vendors and general ledger accounts like "Other Expenses" or "Miscellaneous Payments." These entries are often overlooked during regular reviews, making them ideal for concealing fraud.
As internal auditors, we are trained to investigate the meaning behind "Other." Miscellaneous categories should always raise red flags when they become repetitive or increase in volume.
3. Misconceptions of Accounts Payable Power
4. Control Overrides and System Gaps
The video also claimed that Chan was able to override payment controls to alter cheque details. While this is alarming, it also reveals a broader failure in vendor management and in segregation of duties within the three-way matching process.
An effective Supplier Relationship Management (SRM) and Enterprise Resource Planning (ERP) system (e.g., SAP) should have captured and linked:
- Vendor details and bank information
- Vendor sourcing proof, e.g. price comparison
- Signed vendor declarations
- Purchase requisitions (PR), orders (PO), and receipts (GRN)
- Payment approvals and audit trails
The fact that 112 forged cheques went unchecked indicates that payment controls were weak, approvals and verification were either absent or poorly enforced, and manual processes had not been minimized. In finance, cheques are treated as cash equivalents—each issuance should have triggered a rigorous review.
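To make the linkage above concrete, here is an added example (my own sketch, not taken from the video or from any hotel system) of the checks a linked payment record allows: each cheque is tested against its purchase order and goods receipt, the payee account is compared with the vendor master, and the preparer is compared with the approver. All field names, exception labels and records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Payment:
    cheque_no: str
    vendor_id: str
    po_no: Optional[str]
    amount: int          # whole HK dollars
    payee_account: str
    prepared_by: str
    approved_by: str

# Constructed sample records; every name and value here is hypothetical.
VENDOR_BANK = {"V001": "012-111111", "V002": "004-222222"}   # vendor master
PURCHASE_ORDERS = {"PO-100": ("V001", 48000), "PO-101": ("V002", 12500)}
GOODS_RECEIPTS = {"PO-100": 48000}                           # GRN value per PO
PAYMENTS = [
    Payment("C-0001", "V001", "PO-100", 48000, "012-111111", "clerk_a", "mgr_b"),
    Payment("C-0002", "V002", "PO-101", 12500, "004-222222", "clerk_a", "mgr_b"),
    Payment("C-0003", "V002", None, 230000, "024-999999", "mgr_c", "mgr_c"),
]

def exceptions_for(p: Payment) -> list:
    """Return the control exceptions raised by one cheque payment."""
    found = []
    po = PURCHASE_ORDERS.get(p.po_no)
    if po is None:
        found.append("NO_PURCHASE_ORDER")
    else:
        po_vendor, po_amount = po
        received = GOODS_RECEIPTS.get(p.po_no)
        if po_vendor != p.vendor_id:
            found.append("PO_VENDOR_MISMATCH")
        if received is None:
            found.append("NO_GOODS_RECEIPT")
        elif p.amount > min(po_amount, received):
            found.append("PAID_MORE_THAN_ORDERED_OR_RECEIVED")
    # The cheque must go to the bank account held on the vendor master.
    if VENDOR_BANK.get(p.vendor_id) != p.payee_account:
        found.append("PAYEE_ACCOUNT_NOT_ON_VENDOR_MASTER")
    # Segregation of duties: nobody approves a payment they prepared.
    if p.prepared_by == p.approved_by:
        found.append("PREPARER_IS_APPROVER")
    return found

def review_payments(payments):
    """Map cheque number -> exceptions, keeping only payments that failed a check."""
    results = {p.cheque_no: exceptions_for(p) for p in payments}
    return {cheque: exc for cheque, exc in results.items() if exc}
```

Calling `review_payments(PAYMENTS)` returns only the cheques that need follow-up, which is the exception list a reviewer would work through before release.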
5. Responsibility and the Role of Internal Audit
Lastly, the YouTuber implied that the internal audit department was at fault for failing to detect the fraud. I respectfully disagree. Direct accountability should lie with the person in charge of finance operations. While internal audit serves as the third line of defense, it is not the sole guardian against control failures.
This is analogous to blaming the goalkeeper for every lost football match. A poor outcome could just as easily result from flawed coaching strategy, weak defense, or a lack of team coordination. Similarly, internal audit does not oversee day-to-day operations and should not bear sole responsibility for undetected fraud, especially when it arises from broader systemic or cultural weaknesses.
Additionally, the internal audit community is relatively small. I have seen internal audit recruitment notices from luxury hotels such as The Peninsula, Mandarin Oriental, and Mira Hotel—but rarely from the Four Seasons Hotel. This raises a relevant question: did a dedicated internal audit function exist for this property?
The Four Seasons Hotel Group is a private company partly owned by Bill Gates’ private equity fund, and the Hong Kong property may be managed as a joint venture with Sun Hung Kai Properties. If this is the case, each investor might have separate internal audit functions. However, when the investor and operator are different entities, it becomes unclear if there is a dedicated internal audit team for the Hong Kong hotel. The absence of such a team or unclear reporting lines could explain why significant fraudulent activity went undetected and fell outside their audit scope.
A Broader Lesson on Trust
This case also reminded me of a former supervisor who served as CFO of a listed company in China. He once remarked that fraud indicators vary by region and said he "wasn’t worried about Hong Kong employees." He felt minimal fraud controls were needed due to a perceived cultural trust. But fraud knows no nationality. More often than not, it comes from those closest to us—those we trust most.
Trust may reduce administrative costs and increase efficiency—but as this case shows, blind trust can be extremely costly.
Reference:
https://www.youtube.com/watch?v=fxYrckXPa0g