Consider a long time employee who is suddenly struggling with making ends meet at home. Through many years of service in the procurement department, he has gained the trust of co-workers, established personal relationships with vendors, and has an intimate knowledge of the controls system and any gaps that may exist. Almost effortlessly, he could approach a vendor to inflate invoices and direct surplus payments to his personal bank account. Such collusion is common in procurement frauds.
The economy these days is in flux. For some companies, the agenda is recovery while others are still struggling. Experience shows that fraud can flourish in times of economic boom or bust. 'Change' can have a significant impact on people at all levels in the organization. As management works through the turbulence, corners may be cut. Less staff resources may be available due to earlier cutbacks and the demands on experienced staff's time may be split between control responsibilities and managing the integration of newly acquired business units.
In either scenario, the offender will justify their actions: "the company won't miss this; it's a small drop in the bucket", or "I'll pay it back as soon as I am able". Perhaps less obvious; but equally alarming, it becomes increasingly enticing to accept gifts from a supplier when the demands on staff's time is expanded and compensation is frozen or not increasing to the extent of the former 'glory days' of growth and profitability when the economy was flourishing. Employees rationalize actions that are not in the best interest of the company and this attitude and abuse of opportunity can spread through the organization if not kept in check throughout the transitional phase of the business lifecycle.
In the push for short-term results it becomes more challenging to stay two steps ahead of the more unethical among us. Could this happen to you? Are you prepared? How confident are you with your answer?
Could This Happen to You?
Fraud does not discriminate It is very true that most payments to vendors are legitimate; but, consider what it would mean to your business if even a small proportion of such payments were fraudulent.
Fraud does not discriminate, not by geography or industry. Globally, KPMG's Forensic professionals have seen a rise in fraud over the past few years as industries and global economies have found themselves working to emerge from financial crises.
- In KPMG in the US' 2009 survey, 65% of respondents perceive fraud as a significant risk in their industry today while 32% expect fraud will continue to increase. The most significant risk for 31% of respondents is bribery, corruption, market rigging, and/or conflicts of interest. This perception is more predominant in government and healthcare industries (39%) than consumer markets and information, communication, and entertainment (21% and 15% respectively); but an admitted prevalence of fraud within 15% of companies is not something to ignore.1
- Respondents to KPMG's 2008 fraud survey in Australia and New Zealand have seen a significant increase in the occurrence of fraud, where 45% of respondents to that survey had experienced at least one fraud during the survey period. When reported, the average losses amounted to AUD$1 million.2
- KPMG in India's 2010 survey also notes an increase in the prevalence of fraud, particularly in supply chain fraud, including the procurement function. Seventy-five percent of respondents to that survey said that fraud in corporate India is on the rise. Respondents from the real estate and industrial markets industries identified the procurement process as the most vulnerable to fraud, 57% and 39% of the time respectively.3
Although respondents to the various KPMG fraud surveys all agree that fraud is a significant risk that has been on the rise, it is important to be aware that the nature of fraud conducted in each region may differ from that in your home industry. As businesses seek avenues to streamline production and reduce associated costs, supply chains are extending to new, international borders. Even smaller companies today deal with offshore suppliers who could have very different values, controls or business practices. Companies must recognize this and be extra diligent in managing these relationships.
With this type of experience, procurement fraud is something that simply cannot be ignored. People contemplating fraud or other actions not in the company's best interest can sidestep those internal controls operating as your first line of defense. Perhaps the more pertinent question in today's environment is 'why couldn't this happen to me?'
Companies should reduce the opportunity for employees to not act in the company's best interest by increasing the risk of being caught. This added risk to the individual can act as a rather convincing deterrent.
What Could Happen?
The first step in assessing the vulnerability of your procurement cycle and designing mechanisms to detect and prevent the fraud is to understand the common fraud schemes.
There are many procurement fraud schemes, with multiple themes and variations on certain basic fraud approaches. Some of the more common schemes are as follows:
- Phantom vendors or other manipulation of the vendor master file – by creating a record in the vendor master file that directs payment to a fictitious company or a legitimate company that does not provide services to the organization, an opportunity is created to generate a payment record and transfer money to a recipient that may be controlled by an employee or a third party in collusion with procurement personnel. Detection may be challenged where the magnitude of such payments are designed to fly under the radar of more senior approval authorities. A variation on this basic approach involves changing address and bank details of a legitimate but inactive vendor of the company, essentially hijacking a company's identity to facilitate illicit payments.
- Cheque forgery – perhaps easily lost in the volume of transactions, a manual cheque can be transacted through forgery of the designated approval authority.
- Fictitious invoicing and inflated billing rates – invoices could be generated for processing through Accounts Payable that do not relate to goods received or services rendered. Consider that an employee may generate an invoice payable to a vendor using their home address. Alternatively, unannounced to your diligent procurement staff, a vendor, even one that is regularly providing legitimate services to your organization, may submit an invoice for services that were not provided or at rates that are above those agreed upon.
- Conflicts of interest – where procurement personnel have a financial interest in the success of a supplier entity, their purchasing decisions may be biased towards that entity to the detriment of your organization.
- Vendor kickbacks and bribery – almost innocently, vendors may send gifts to procurement personnel because of long-term relationships. This can create a conflict where a personal relationship between the buyer and vendor is established that may put pressure on the buyer's efforts to act in the company's best interest. Less innocently, vendors may collude with procurement staff in order to 'work around' established procurement controls and fraudulently withdraw money from your organization. Suppliers may bribe a buyer in your organization
to purchase from them despite above-market rates or poor product quality. In another scenario, bribes or kickbacks may be offered to procurement personnel to approve fictitious charges.
- Bid rigging – through collusion between procurement personnel involved in the vendor selection process and outside vendors, or between outside vendors participating in the bidding process, inflated rates may be contracted for projects.
Are You Prepared?
How to Prevent It
The foundation of any fraud prevention program is the 'tone at the top', the message that management is conveying to guide how business is to be conducted. If staff see management abusing authority or promoting unethical activities, the flood gates are forced wide open for all staff to demonstrate the same abuse. Communication of behaviour expectations should be formalized in a code of conduct that addresses such matters as avoiding potential conflicts of interest and reporting suspected fraudulent activity. Formalizing the documentation alone is insufficient. It must be ingrained in the way business is conducted in a clear and unambiguous manner through active enforcement of its principles.
Fraud awareness training is also an effective tool in empowering frontline personnel to minimize inappropriate behaviour; but, it also sends the message to potential fraudsters that 'detection' is a priority and there are many eyes watching to minimize fraud opportunities.
Finally, invest the appropriate time and due diligence in performing a detailed fraud risk assessment surrounding the procurement process. In your business and industry today, what are the risks that pose the most significant threats? The answer to this question is ever evolving and requires regular evaluation. Focusing the efforts of procurement personnel on the key controls to mitigate these fraud risks is critical. Making staff accountable for the performance of these controls is also fundamental in ensuring their effectiveness. Conducting regular reviews of the compliance with the fraud prevention control program through audits is a good approach.
At a very practical level, one of the weaknesses common to many of the most basic (and easily preventable) schemes is control over a company's vendor listing. Adding vendors or changing vendor information needs to be tightly controlled. When activity with a vendor is dormant for a set period of time, the vendor should be deleted from the approved vendor list. Other internal controls related to common procurement processes, approval and monitoring should be reviewed to ensure that they are appropriate and sufficient to minimize risk in this area.
How to Detect It
Perpetrating these types of frauds often involves the 'side stepping' or overriding of controls that are designed to detect inappropriate spending. In these scenarios, it is important to be aware of the red flags that may raise suspicion before too much loss is suffered [see 'Red Flags' sidebar]. In KPMG in Australia's 2008 fraud survey, 22% of frauds reported by respondents were ultimately discovered after many red flags were ignored. In efforts to identify fraud earlier, an awareness of potential red flags and an establishment of reporting mechanisms to detect these indicators will be beneficial.
Many business information systems contain the facts that can point a finger at impropriety if the right lens is applied to the data. Data analytics tools can be used to focus detection efforts. Whether analyzing spending trends, irregular transactions, or potential buyer and supplier relationship indicators, these tools have the capacity to filter large volumes of information [see table]. Efforts to implement a continuous monitoring program with these tools, or response to a suspected fraud are two avenues for leveraging the vast capabilities of data analytics.
Procurement Fraud Red Flags
- Round dollar value invoices
- Lack of control around the bidding process including poor documentation, absence of appropriate competition
- Poor documentation of expenditures or failure to complete a match of invoices to receiving and order documentation
- Consistent use of a vendor who is delivering poor quality goods, particularly where this issue is concentrated with one buyer
- Duplicate invoice payments
- Excessive entertaining of procurement staff by suppliers
- Vendors with a post office box as the sole address
- Absence of a legitimate GST or HST registration number
- Off-hour transactions
- Out-of-sequence invoice numbers for a particular vendor
- Payments to inactive vendors
- Low initial bids followed by excessive change orders
- Poor cash management practices (i.e., paying invoices right away despite the accepted practice of 30 to 60 day payment terms in a particular industry)
- Cheques set aside for pick-up
Trends & Summary Reporting
- Duplicate invoices
- Unusual invoice sequencing
- Inactive vendors receiving payments
- Off-hour transactions
- Transactions exceeding approval authority or invoice splitting to bypass authority
- Vendors with fake GST or HST numbers
- Invoices received after payments are made
- Top vendors by payment type
- Top vendors with qualityissues (e.g., returns)
- Top vendors with the highest short shipment rate
- Vendor address or phone numbers vs. payroll records
- Vendor directors vs. procurement personnel
- Multiple vendors with same contact coordinates (address, phone numbers, PO boxes, etc.)
The procurement cycle is fundamental to the profitability of an organization, especially in times when top line growth is challenged. Increasing focus on this cost centre, controls and financial results can help avoid unnecessary cash flow leakage from fraud. While the cost of obtaining this business intelligence may seem to outweigh the probability of losses from such a theft, consider for a moment the other repercussions of such a breach of trust: loss of public trust, legal fines or sanctions, or damaged share price4.
1 Fraud Survey 2009, KPMG in the US, 2009
2 Fraud Survey 2008, KPMG in Australia, 2009
3 India Fraud Survey Report 2010, KPMG in India, 2010
4 Fraud Survey 2009, KPMG in the US, 2009, page 4, respondents identified these as the most concerning costs of fraud 71%, 54%, and 34% respectively.
Erin Wight is a Manager in KPMG's Forensic practice and holds a Chartered Accountancy designation. Over the course of her three years with the practice, Erin has participated in alleged procurement fraud investigations and has provided proactive fraud risk management services to clients. Her Forensic experience extends to data analytics, as well as litigation support, damage quantification, and contract compliance assignments. In addition to her Forensic experience, Erin has assisted clients with evaluating their internal controls over financial reporting, including the evaluation of fraud risk mitigation in the procurement cycle.
Contact: firstname.lastname@example.org or (416) 777-3019