We hope that the various perspectives shared by our panelists provided valuable insights on key procurement fraud risks, leading anti-fraud procurement practices and cross-departmental approaches to help combat potential procurement fraud. If you would like to view the archived webcast*, please click here.
The webcast featured a series of polling questions to identify how consumer markets organizations are preventing and detecting fraud. The results of these questions can be accessed by clicking here for your reference, and to assist you in comparing how the prevention and detection of fraud within your organization compares to that of other leading consumer markets companies.
If you have any questions with regard to the topics covered in this webcast, please feel free to contact one of the presenters:
- Amanda Aldridge, Partner, KPMG in the U.K., Global Forensic Lead – Consumer Markets
- Graham Murphy, Principal, KPMG in the U.S., US Forensic Consumer Markets Coordinator
- Kajen Subramoney, Associate Director, KPMG in the U.A.E., Head of Forensic Technology in the UAE
- Willy Kruh, Global Chairman, Consumer Markets, KPMG in Canada
* Please note that CPE credits are not available for replay participation.
Willy Kruh:
Hi everybody. My name is Willy Kruh and I’m the Chairman of KPMG’s Global Consumer Markets Practice.
I’d like to thank each of you for joining our first Global Consumer Markets external Webcast. And it’s focusing on the topic of procurement fraud, an issue that I know is of concern to many of today’s consumer market company’s especially in this very, very challenging economy.
Look out for the next little while we’ll have more Webcasts in the next month or two months on M&A and sustainability among other issues. So, thanks again, very much.
Let me try to set the agenda today. We’ve arranged for three of our procurement fraud experts from around the globe to speak with you today from preventing, detecting procurement fraud.
From the U.S. we have Graham Murphy, our Forensic Consumer Markets Coordinator who will be discussing procurement fraud risk and how your company can reduce its exposure.
Following Graham we have Kajen Subramoney, our Head of Forensic Technology from the UAE. He’ll be discussing the use of technology to detect procurement fraud.
And finally we have Amanda Aldridge, our Global Forensic Lead for Consumer Markets from KPMG in the UK who will explain how to best use supplier audits to counter fraud and loss.
From an administrative standpoint I know CP credits are important to many of you. Take a look at this administrative slide. A number of you will be eligible to receive continuing professional education credits for attending the Webcast.
To be granted these CPEs you must answer a series of online questions which will pop up on your media player at various intervals throughout the presentation.
These questions will pop up on top of the presentation slides and will remain for a period of up to - will remain for awhile to allow you to answer the question and register your participation. You must respond to a minimum of three questions per hour in order to be eligible for CPE credits.
Please do not view the presentation on slide show mode as polling questions will not appear. Many of the questions asked of participants will be used to gather information as to how consumer market companies are preventing and detecting procurement fraud.
KPMG will then summarize the results obtained from these survey questions and share these with the participants and many of you on a follow on message. So I please ask you to participate, it will benefit all of us.
If you have questions that you would like to ask to the presenters please submit these using the Ask A Question button on your screen. I will moderate the question and answer session at the end of the Webcast where we’ll have an opportunity to address those questions raised.
If you have technical issues during the Webcast please contact our Help Desk. Inside the U.S. the Help Desk may be reached on 1-866-956-4770. Outside the U.S. it’s 1-601-957-5017.
So again thanks very much. I’ll now hand it over to Amanda Aldridge who will discuss more in depth the topics we’ll cover in today’s Webcast. Amanda.
Amanda Aldridge:
Thank you Willy. Hello everybody. I’m Amanda Aldridge, I’m a partner in our forensic practice based in London and I lead our Forensic Global Team focusing on the Consumer Market Sector.
Before joining the forensic team I spent ten years as an external audit partner in our consumer markets group here in the UK and I was head of retail for five years from ’99 through 2004.
During that time and my time working in your sector I’ve seen a huge change in procurement and that’s really why we’re here today. We’ve seen an increased focus within procurement on compliance and looking at what procurements teams can do to manage the risk of fraud. And we’re seeing an increase and interest in procurement as a risk area by internal audit.
In particular we’re seeing this through out clients asking us for help through providing procurement specialists actually able to understand the risks in procurement and focus appropriate audit programs in that area.
We’ve also seen a massive increase in the amount of big ticket procurement fraud over the last couple of years. We’ve actually seen in the UK more serious procurement fraud in the last two years than in the previous 18 years combined.
We have to ask ourselves a little bit whether people are getting better at detection but there’s clearly an upwards curve for that. And so companies are starting to ask themselves the questions that we have on this slide and asking us to help them with answering those questions.
And that’s really what’s brought about this seminar. My own main area focus is on using contractual audit rights to ensure that suppliers are billing in line with contractual arrangements. I’ll be speaking later on that topic.
But first you’ll hear from Graham Murphy on wider procurement fraud issues and Kajen Subramoney on the use of data analytics to detect and prevent fraud in the procurement space. As Willy said there’ll be plenty of time for questions at the end.
And now over to Graham. Thank you Graham.
Graham Murphy:
Thanks Amanda. I will be discussing some of the risks associated with procurement fraud and how we’ve seen companies respond to these risks.
Historically companies have seen procurement as merely a transactional arm to place purchasing orders and to manage contracts instead of a function really to drive profitability.
Today many companies are reorganizing their efforts to realize the benefits that can be achieved by leveraging their expenditures across their business. Clearly a key element of this transformation is to manage the risks of fraud and abuse.
A study by the American Association of Certified Fraud Examiners estimates that the losses from such frauds are clearly significant but represent over half of the losses companies suffer from fraud.
Further the ACFE estimates that the biggest contributing factor to occupational fraud was the lack of internal controls. Perhaps no surprise here. But procurement is where the money is and where focus is clearly necessary.
Moving on to the next slide. It is first important to discuss what we mean by procurement. Companies are taking a much more holistic view of procurement to drive value through and into the organization.
Procurement can be broken into two distinct processes. The first is sourcing. And this is where an organization can create value. And what I mean by this is the ability to take costs out of the system thereby driving increased profits and thus value.
This process starts by identifying specific purchasing opportunities and culminates into negotiated contracts with vendors of course with the desired result of lower identified costs. At this point you’ve identified the savings opportunities but you have not yet realized them.
The second part of this process as noted is purchasing. The initial phase is to summarize the approved vendors of specific items in a supplier catalog. To realize the savings organizations must complete the purchasing cycle by requesting and ultimately paying for the products, again, at a now reduced cost.
This is a continuous process and to manage it an organization must continually look to how they manage their supplier relationships and continue to look for value opportunities.
As you might imagine within this value cycle there’s a number of opportunities for those so inclined to take advantage.
Since this is an area where it’s pretty normal to write checks or wire funds to outside entities, an area again ripe for fraud.
Depending on the nature of your business, your controls, your processes you may be susceptible to certain risks
such as phantom vendors where fictitious vendors are set up in your vendor master file and a list of payments are made.
There may be bid rigging where there’s collusion between your procurement personnel and the bidders or between, you know, between the bidders where they can collaborate to drive higher prices.
Grey market is clearly an issue where counterfeits and knockoffs can occur or where your suppliers generate unauthorized production putting your products at risk.
You know, and finally in this area - maybe not finally but we’ve all heard of the increased regulatory efforts in the area of anti bribery and corruption especially in developing economies.
Now moving onto the next slide, leading procurement practices and reducing your exposure. So now we’ve discussed the process and the risks, how do you protect yourself?
For the purposes of this discussion we have categorized how you might respond to these risks between core. The basic things that we all should be doing and some examples of some good or better practices that companies are looking at.
At KPMG we look at fraud risk management through the framework of prevention, detection and response. Prevention,
those controls designed to prevent misconduct from happening. Detection, if the misconduct does occur what can or should you do to catch it?
In the next section Kajen will be discussing the use of technology to detect fraud. And in the final segment Amanda will be discussing the use of compliance audits to validate compliance or expose instances of noncompliance. And finally what do you do in response if you find fraud or noncompliance?
On the right hand side of the slide is an illustrative diagram outlining various ways to address and improve your procurement processes. What will drive your organizations actions in this regard will depend on where you are already in the compendium in making such improvements. Next, how relevant the noted practices are on your various systems. And finally what is the balance of risk and reward for making such changes?
We would expect that most of your organizations should have the basic requirements covered from segregation of duties to common policies and procedures to forecasting your demand from suppliers.
The decision faced by most organizations is where to allocate resources to make improvements to their processes. These improvements will not only drive better efficiencies and lower prices but will likely impart better anti fraud controls.
We have listed a few of the better practices such as electronic catalogs that should promote better consistency and more frequent use of approved vendors and of course have better prices.
In addition better more integrated systems can lead to better measurement of effectiveness and motivating the right buying behavior. Further, greater visibility and real time reporting will lead to more timely and more effective management by exception. With such exceptions being for example, you know, fairness in pricing, identification of purchases from nonapproved vendors, inappropriate quantities of purchases compared to inventory levels or demand.
You should now see the first audience participation question popping up on your screen. In this regard we would like to get your views on to what extent does your organization have defined processes to manage your procurement and create value? As noted earlier we will forward the summary of all of your responses back to you.
Now next slide which should be Slide 9. Let’s take a few moments to discuss where in our experience companies are falling short. And I have listed a number of common system failures that we frequently come across when assisting our clients.
Maverick buying is where purchases are made from local nonapproved vendors. Often we hear this is done because it is, you know, easier or quicker to get the needed product. However you cannot always control the costs and such purchases might be from phantom vendors or where local purchasing agents are receiving kickbacks.
Just to reiterate and, you know, better to emphasize, this is an area where we see in almost every investigation of distant division or subsidiaries. However we don’t always find fraud we often just find people trying to work around the system to make their own lives easier. Either way it shouldn’t happen.
Many of you would likely be surprised how common it is for company’s to pay based on invoice alone, really, without even knowing whether the product was actually received. The basic requirement is the matching of the invoice to the purchase order to the receiving document so you can actually prove that you, you know, received the goods. And of course that’s why it’s so important to have segregation of duties with respect to these functions.
We have investigated many purchasing functions and it’s clearly a cause for concern if the approval limits or delegation of authority is not followed. Most organizations have, you know, we’ve reviewed have defined purchase protocols around hindering written quotations.
However far too many organizations do not keep the results of the process or what we might refer to as an audit trail -- the bids received, the related correspondence and the like, really to confirm that the process was working as it should have been. If such documentation is not mandated to be kept there’s a greater risk of abuse of the system making it more difficult to recognize exceptions and violations when they do occur.
Moving onto the next slide. We have summarized a number of red flags to be on the watch for and what we have seen time and time again in our investigations. In this day and age it goes without saying that you need to know who your customers and vendors are. Be very careful in your dealings with government officials. However in some jurisdictions is it often difficult to understand who is and who is not connected so you must be very careful.
Having a robust process to evaluate potential suppliers should uncover the red flags noted on this slide and hopefully the issues are raised in a timely basis. Again, if there are conveniently lost bids or minimal documentation as we oftentimes see retained you’ll likely want to dig a little deeper.
If someone has gone to the trouble to have a, you know, post office box listed as a street address then further investigation is likely warranted. This is an example of a red flag that lends itself very well to using technology to review the entire data set which will be discussed by Kajen in the next section.
Continued failing of quality standards by supplier and immediate concentration of such suppliers, you know, by a single buyer may be the warning signs of a buyer on the take.
There should be further investigation no question if there’s unnecessary middlemen in the process. We have seen in some of our work where entities have been set up for the sole purpose of paying commissions. These types of relationships should be reviewed carefully for obvious reasons.
Of course these are just some of the examples of common red flags that we come across and for which your internal audit and compliance groups should be on the lookout for.
Moving on to the next slide, risks to new world. With procurement assuming an ever increasing strategic role in many organizations it’s important to not only know the benefits but the associated risks of driving change within the procurement process. Many of the instance of misconduct that we get asked to investigate do not occur at head office but are often occurring at very distant locations where there are very different cultures and ways of doing business.
Not withstanding these different cultures and, you know, locally accepted ways of doing business corporations are really held to their own domestic regulatory standards. Again, very true in any bribery and corruption where there’s increasing regulatory efforts globally with ever increasing penalties. While FCPA’s a topic, you know, unto itself it’s safe to emphasize again you must know who you’re doing business with.
To drive costs and other efficiencies companies are setting up joint ventures, partners and other structures with local business people. These arrangements must be carefully entered into since to some degree you’ll be placing your reputation in their hands. Control and having the joint venture partner adhere to your business protocols is not always an easy issue to deal with.
Amanda will be covering supplier audits a little later on and it’s clearly an area which should be, you know, definitely considered for these audits.
How you specifically deal with the risks will depend on the unique aspects of each of your organizations and the structures you have in place. As your business dealings take on greater complexities and geographic dispersion so must your approach to dealing with them.
We often see as a best practice to move your procurement personnel or your buyers around periodically and of course have regular training in this area. I’d like to give you a good example of, you know, how and why this is important.
A little while ago we were called in to do an investigation for a company of one of it’s buyers. In this case the company was monitoring the types and expense of spends by it’s buyers who were responsible for certain categories.
What the company observed was that when the buyer was moved to a different category as part of a planned move a number of the suppliers appeared to move with them, which was curious since the categories were very different, from hard goods to soft goods and you would think the suppliers would be very different.
Upon investigation it was learned that some of the suppliers were nothing more than middle men involved in a scheme to, you know, defraud the company. Here is a good example where the control of moving the buyer and monitoring the spend really paid off.
Finally we are seeing an increasing role for internal audits that are becoming better versed in the challenges that lay before them and to specifically tailor their audit programs to consider the unique risk that procurement presents.
Again we see as a leading practice to perhaps internal audit hold a brainstorming session with the team prior to going into the market to discuss what specific risks might be present and really what to look for.
If you can and I would suggest if you can you should, have a discussion with someone in the market. Not necessarily the person that you’re going to be auditing but someone independent who would understand local schemes and risks. I can guarantee you’ll be more effective when you hit the ground.
Now you should see the second question pop up on your screen. This time we would like your views on who has primary responsibility for the management of fraud and misconduct risk in your procurement processes?
To summarize I’d like to leave you with, you know, following thoughts closing my section. Procurement is growing in importance in many organizations as they look to drive value in this very, you know, area of big spend.
Procurement is where the money is and as a result is an area ripe for fraud and misconduct. You have to do something. There are a number of real actionable steps that you can take to firm up your existing controls and perhaps implement some of the better practices to better protect yourself.
Again thank you. And now over to Kajen to discuss the use of technology in the prevention and detection of procurement fraud. Kajen.
Kajen Subramoney:
Thanks Graham. My name is Kajen Subramoney. I will be covering the topic of using technology to detect procurement fraud.
On to the next slide please. The indicators are clear that procurement fraud is costing business a large amount of money, up to 7% of annual revenue. And even more alarming is that fraud is widespread amongst a large population of lower level employees within our organizations.
Graham has provided us with a good introduction to some of the procurement fraud risks and has indicated that one of the ways to reduce our exposure is through the use of technology.
The key technology tool that we have at our disposal is forensic data analysis. The current focus in forensic data analysis is on being proactive. Daily our companies are collecting and using vast amounts of data for the purposes of running the business. But are we extracting additional value from this data which could help us in identifying fraud or the misconduct? That’s where proactive forensic data analysis comes in. Next slide.
Proactive forensic data analysis is a powerful weapon in our arsenal against fraud and misconduct. A holistic approach is always necessary and this includes the use of more traditional methods of fraud control such as the use of hotlines and fraud risk assessment programs.
In support of the holistic approach the focus area for proactive forensic data analysis is detection. By extracting and combining available electronic information, proactive forensic data analysis seeks to identify potential fraud, misconduct and waste through sophisticated analysis testing, cross matching and non-obvious relationship identification. A crucial step prior to performing this data analysis is getting an understanding of the data landscape.
What does that mean?
We are generally aware that we have a valuable amount of information residing in our financial systems. But often other valuable sources of information are overlooked. These include things such as itemized telephone call listings, access control logs for an office and other publicly available databases. All these can supplement any data that we may have and allow us to extract additional value. I will unpack these concepts during our discussion. On to the next slide.
You should now see a question pop up on your screen which is there to gauge your perceptions with regards the extend to which data analysis is used to detect and prevent fraud. The pop up will remain on your screen for a few minutes to allow you some time to answer the question. On to next Slide 17.
There are many different approaches to proactive forensic data analysis. All approaches are based on a basic set of principles and knowledge. In generic terms we can refer to the foundations of proactive data analysis as Detection 1.0 the First Generation.
This first level of analysis combines knowledge of known fraud schemes and indicators with a knowledge of business systems and principles. The skilled analyst is able to develop and implement tests which help identify deviations from what is expected to be the normal.
For example most jurisdictions have very well defined formats for certain sets of data, Value Added Text - VAT. VAT numbers are from such a set. If we understand the format or mechanism used to create VAT numbers by our tax authorities then we can very easily implement a test to determine whether the VAT number stored in our vendor master file is valid or not.
In one investigation using this knowledge helped identify fictitious vendors which were added to the vendor master file to facilitate payment to an employee whose bank details were loaded as the vendor’s bank details.
Similarly armed with the knowledge of how an organization conducts business tests can be developed to determine whether the procurement process follow the normal sequence. In other words we can determine whether invoices were received after payment and even if orders appear to have been split to defeat the delegation limits.
What you will have gauged thus far is that this approach is largely dependent on some prior knowledge. You may also be thinking that you’ve already seen many of these irregularities and that they can be very easily explained. I fully agree.
With this approach there is a risk of a large number of false positives. This means that there’s a risk that a large number of exceptions or irregularities that we have identified are not really problems but justified business peculiarities that can be easily explained. We thus need to enhance our approach to ensure that we get meaningful exceptions which warrant further investigation. Next slide.
Welcome to Detection 1.1. This is an enhanced version of the standard approach. This approach still relies on knowledge of fraud schemes but introduces scoring as a mechanism to prioritize or highlight areas of most concern.
In the example presented we are performing various tests on the population of invoices for the organization. The table lists the different tests we have excited in the first column on the left. The next two columns show the results of the different tests against two specific invoices. The green tick mark against the test for a specific invoice indicates that the invoice generated an exception on that specific test.
For example for invoice 12345A we can see that it scored an exception for the test around some amount. Similarly for invoice 98765S we see that it scored an exception for the test paid within a week and of course other tests as well.
Now if we were to look at each individual test in isolation we can expect that the resultant number of exceptions for teach test is generally large and it may not be practical to examine all paid within a week invoices for example.
However you can also see very clearly that when the results are combined in a scoring matrix the problem invoices start coming to the fore. You can see that the second invoice, 98765S has a score four compared to the first having a score of only one. By scoring and selecting invoices in this manner we can reduce the number of false positives requiring investigation and thus better allocate our limited resources.
Another benefit of this approach is that it allows for the identification of potentially anomalous behaviors which are highlighted when the tests are seen in a scoring matrix.
Up to this stage we have improved our original first generation approach. But we have limited ourselves to performing tests on the original source data only. The next step is to enhance our analysis by supplementing this data. The next slide.
On the next slide we see Detection 2.0. This takes data analysis to the next level. More than just performing standard data analysis we enhance our source data with information from other systems or from external sources.
Now during the normal course of business we would often perform a review of payments to vendors. We would then examine spend per cost center. This would provide a good indication of our organizations expenditure.
What if we were to supplement our vendor master file with publicly available information on the sectors that these vendors operate in? In our example by doing this we have identified that an organization classified as an automotive vendor has expenditure marked against the catering cost center. This spend which was previously considered normal
is now worth further investigating.
If we combine this information with employee master file information and itemized telephone listings we could identify a potential suspicious relationship between a vendor and an employee in position of influence.
Other methods could be to collect publicly available information on employees including where possible information relating to directorship’s of company’s. This information can then also be used to perform additional tests against a vendor master file to possibly identify potential conflicts of interest.
Taking the step even further - or this approach even further we could add geographical data and visualization to examine a population of data for trends or groupings which appear unusual. In essence in this approach we are using additional data or derivatives of the data to enhance the chances of detecting true anomalies. Next slide.
You should see another question pop up on your screen now. This question is to gauge your perceptions on whether accountability can be attributed to individuals through data analysis when a fraud is uncovered. As before the popup will remain on your screen for a few minutes to give you sometime to answer. Next slide.
What I want to get through across to you is that the key takeaway from this segment is that proactive forensic data analysis can be used to detect fraud and misconduct through a systematic analysis of the available data which includes data which is both internal and external to the organization.
One way to approach analysis systematically is to first gather all available knowledge. This involves identifying specific risks through knowledge of the business environment then defining potential schemes through a good industry knowledge and determining event indicators to alert the organization to problem areas. Using this library of knowledge we can then determine specific routines using scoring and data enhancement to help with preventing, detecting and deterring procurement fraud.
In a recent investigation within the consumer marketing sector we performed data analysis at one regional cluster of an organizations procurement data. The results of the test helped the organization set a benchmark.
Taking the process further we developed automation to run the same sets of analysis routines at each of the other regional clusters for the same organization. This allows for comparisons against the benchmark and thus prioritization of precious internal audit resources to improve the fraud risk control environment.
The organization can now re-run the same analysis monthly to track the effectiveness of it’s corrective measures and see in which of it’s regional clusters the biggest problems lie. In this way proactive data analysis has not only highlighted indicators of fraud but has also helped the organization budget resources and correct it’s approach where necessary.
On that note I’ve reached the end of my segment. Amanda will now cover the topic of supply audits and how we can make the best use of these audits to counter fraud and loss.
Amanda over to you.
Amanda Aldridge:
Thank you Kajen. So what do we mean by supplier audit? Let me take you back to what Graham was talking about around three way matching of invoices.
That works where you have goods received whether it’s something physically that’s come into your business and you can see it, feel it. And it works for some services where the delivery is very tangible and easy to record within your own organization so that you’re only paying for a service that you know that you’ve received.
But there are a lot of supplier relationships out there where customers rely on their suppliers to bill the right amount.
And these are contracts where there are pricing courses such as passing on elements at cost plus a markup, time and materials type billings or most favored customer clauses.
And those contracts generally will have audit rights, rights that the supplier has to actually go in - that the customer has to go into the supplier's site and check their records to make sure that they’re billing the right amount. And when we talk about supplier audits that are what we mean. We mean actually going into third party sites to verify the supplier data.
The type of data that is looked at when audit rights are exercised can range from looking at time sheets through to the invoices from the suppliers own suppliers, to look at costs and make sure they’re being passed on without an inappropriate markups.
And a big area of work is if there are rebates and discounts and making sure that any rebates and discounts received by your supplier from their suppliers are being passed on to you if that’s what the contract requires.
Moving on to Slide 23. Just to gauge the extent to which you’re using supplier audits within your business. To what extent is your organization exercising rights of audit? And the question will remain on screen for a few minutes for you to answer.
Moving on to Slide 24. This whole area of supplier audits is owned by different parts of the organization and different companies. We sometimes see this as something that’s very much owned by internal audits where they’re coordinating programs of review and other times where it’s owned by procurement. But there are many organizations out there that aren’t doing this at all.
Both internal audit and procurement are parts of the organization under a lot of pressure to show how they’re adding value to the organization and dealing with increased levels of complexities and risk that only adds to the challenge. The increase in regulations around anti bribery and corruption and data privacy and security also adds to the burden of dealing with and monitoring suppliers. And the impact of the credit crunch has really enhanced that drive for value and
the drive to keep prices down.
It isn’t - it hasn’t been unusual in the consumer market sector for company’s to be approaching suppliers and asking for percentage reductions in costs or prices to be held at prior levels just to enable those suppliers to keep doing business with a dominant customer. And there’s been some media comment not particularly favorable to the sector in that regard.
What’s achieved by doing a supplier audit is actually being able to be confident that your suppliers are only billing you for what you actually have. This isn’t about putting the squeeze on suppliers, it’s about making sure that they stay honest and that you’re paying the right price for what you have. Moving on to Slide 25.
There's another question here just to gauge within your organization if you’re doing this type of exercise of audit rights whether the primary responsibility is within internal audit procurement with operational management or with none of the above. And that popup will stay on the screen as a I move on now to Slide 26.
I’ve talked so far really about noncompliance with contractual terms. And the main focus of the whole presentation today has been around fraud. So what do we find? Do we find fraud or non compliance and what are we really taking about? Where do you find the dividing line?
This can really be an issue when findings from supplier audits are significant as it then goes to the root of the trust between the parties. In my experience it can be very difficult to determine what’s fraud and what’s noncompliance through the work we do on supply audits. Sometimes we find some evidence of clear intent to defraud but that’s pretty rare through exercise of audit rights. There’d need to be a more in-depth investigation.
And where there are suspicions of fraud within a supplier it’s more usual for the customer to hand over the investigation of that to the supplier itself for them to root out what issues that they have. Most often suppliers will claim that system inadequacies, incompetence of junior staff, human error, factors such as these are the reasons for over billings. And where the factual evidence is presented they’ll put their hands up and very often write a check or produce a credit note to enable their customer to get the value back.
It begs the question as well how often does a supplier actually voluntarily send an overpayment back? In the normal course of business it’s actually pretty rare. But once an intention to audit’s been notified it’s not unusual to find true ups to coming back through on later invoices.
I was reviewing a file only this morning where a month - within a month of them - of the customer notifying it’s intention to audit around 1% of spend had been credited through various lines on the following couple of weeks of invoicing as various true ups were made going back over the previous two years which was exactly the period that the audit had been notified for.
Moving on to Slide 27 now. This headline relating to (Tesco) was big news around four or five years ago. IPG had actually had to refund around 250 million pounds to clients around the world. Three million of this went to (Tesco) here in the UK. This balance had built up in IPG’s balance sheet from credits and rebates from media owners that they hadn’t passed back to their clients.
Marketing spends will be a sizable expense for many of you in this sector. Whether it be media, outdoor advertising, going to sale or online this is an area where if you’re not exercising your rights of audit you will be missing out on recovery.
We’ve recently uncovered items including overpayments in outdoor advertising because the time on display wasn’t honored. We found this by using a test where we looked at the - matched the time that had been charged through the billing system of the outdoor advertiser with the bookings of the teams that went out to actually change over the display material on the outdoor sites and found that the changeovers were happening at a greater frequency than the billings. So customers were being charged for a month on display but the material was being changed after two weeks.
We’ve also recently found billing in line with budgeted numbers for creative advertising and the balance being held within the agency for draw down on projects which hadn’t been through the official channels - using that as a work around. So while our client was getting value it was enabling more junior people than was intended to make decisions about creative advertising ventures.
And a common area that we find in this particular sector is markups and double billing of external costs. So external costs should be passed on net even if the rebates are attached we sometimes find that this is a 3% administrative markup and these values can add up. Or that an external cost has been billed as part of an invoice and also added as a disbursement effectively being recovered twice by the agency.
Moving on to the next slide. The size of the issue here is pretty significant. The research by Aberdeen Group is that it’s around $153 billion U.S. dollars a year around the world is lost through ineffective control and management of supply contract costs.
The little diagram here shows the customer on the left and the supplier at the top and shows data effectively in four buckets. There’s two buckets there that are visible to the customer. It’s their own data and the data that’s provided to them by the supplier. The supplier in addition has data that they can see that the customer can’t - the top right hand box. And there’s also data in the bottom right hand box which is the undetected errors - the unknown unknowns which neither party has seen. What a supplier audit will do is flush out for the customer what’s in both of those boxes.
What we find when we do this work is that over 70% of the third parties we review have actually made errors in their self-reporting or filed inappropriate claims or charged inappropriate prices or all of those litany of things that we find.
The takeaways from this part of the presentation are that unless you exercise your audit rights you really can’t be sure that your supplier is billing in line with the contract.
And I would also add that while many companies are concerned at the impact this will have on relationships they have with these suppliers, generally it will enhance relationships. And in the current environment you can’t afford not to be doing this.
And that’s the end of my session so I’ll hand back to Willy now.
Willy Kruh:
Thanks Amanda. Thanks very much. We’ve had a myriad of questions come in so let me get started and pose them to our presenters. And if you want to continue to ask questions while I’m doing that please do so.
Graham let me start with you. Is - in your experience - and maybe Kajen you can drop in if you need to, in your experience is fraud different in developed countries versus developing countries?
Graham Murphy:
Willy that’s an interesting question. If I think back to, you know, if I use the U.S. as a - say a developed country, you know, 2008 ACFE survey suggested that 7% of revenues are lost to fraud. That’s a really big number. So I - and there has been no real study that I’ve seen that sort of compares the extent of fraud between developing and sort of developed countries.
I would say that in developing countries there’s different cultures and local business practices which may not conform to business practices of, you know, developed countries. So what you see is there’s different schemes and sort of ways of doing business which in one jurisdiction might be acceptable but not acceptable in another.
We also see that regulators are taking a, you know, differing view in different jurisdictions. So I think that there’s enough fraud and abuse that’s going around in both, you know, developing and developed countries.
Willy Kruh:
And I think Graham what it also speaks to is that, you know, most countries cannot take a homogenous approach. You know, for those countries that are multinational, multiplication you’ve got different cultures, different nuances, different ways of doing business in every country. And I think probably you’d agree that if you’re going through look at a system of detecting fraud you’ve got to tailor it to the countries you’re in.
Graham Murphy:
Absolutely Willy. And, you know, as I said earlier in my remarks, you know, when internal audit is going into a geography or into a separate market it’s usually a pretty good idea to think about the risks specific to that market.
And in reality what we see within the U.S. there’s probably risk profiles in different parts of the country. A good indicator is the corruption perception index put out by Transparency International where risks, you knew, rates, you know, countries where they’re more susceptible than other countries.
And I’m sure everybody on the phone is or has seen that index which, you know, and it’s, you know, the developing countries, the brick countries are - some of them are, you know, higher on the index if you will.
Willy Kruh:
Graham thanks very much. Kajen we’ve got a question that’s definitely in your expertise, not in mine. It was can we get a little more info - you talked about the VAT number validity testing, how does VAT number differ from tax payer ID number? Just a little more info on the whole process.
Kajen Subramoney:
Basically VAT numbers or any other number which is issued by an authority - those numbers are generally controlled by means of a specific mathematical formula. Regulatory bodies will publish information on how these numbers can be tested. Knowledge of that testing mechanism or algorithm allows us to develop an electronic test so a large population of data can be tested for that.
The difference between VAT numbers and taxpayer ID’s is probably a jurisdictional issue. The key point being that any number which is issued by an authority will have a mechanism whereby that number can be tested for validity.
So we can take advantage of these mechanisms for testing these authority regulated and issued numbers against our databases which most companies and in many cases individuals will have against their names.
Willy Kruh:
Kajen just to follow up on that - just from a macro perspective. These various data analysis procedures you spoke about, they would potentially seem time consuming and therefore very costly. Can you just speak to that?
Kajen Subramoney:
The time taken to perform the analysis really depends on expertise I think from the first perspective. So the key factors are knowledge of the environment taken and the steps that may be necessary for an analyst to bridge the gap between his knowledge and the system.
In most organizations the systems are generally well known and the smaller systems which are less frequent are generally easier to pick up in terms of what can be done for that.
So the investment in the initial phase of doing the analysis is higher. The investment there is in terms of time required to set up the extraction profiles and other such things. But once that investment is made up front analytics going from that point onwards benefits from that investment in a large way.
Because then we can run analytics in month one, in month two, in month three at a much faster speed at much lower cost based on the knowledge gained in the initial set up phase.
So yes initially there may be a need for more investment and longer time but subsequent to the initial investment the analysis runs much quicker and at much lower cost.
Willy Kruh:
Thanks Kajen. And I’m getting more questions than I can keep track of here so thanks very much to everybody. Amanda...
Amanda Aldridge:
Yes.
Willy Kruh:
...what procedures can be used during an audit in order to detect rebates not passed back?
Amanda Aldridge:
That’s a good question. It depends on what types of rebate they are. I’ll give a couple of examples. I mean in the media space what we will generally try to do is to actually see the contract that exists between the media buying agency and the media owners.
That tends to be quite a sticky area that they resist letting us see when we are doing these audits. But generally as long as our client is ready to be pushy enough - that’s the customer or the media agency is pushing for this and we enter into a nondisclosure agreement not to be letting any of the commercially sensitive information back to our client then we will generally get to see those agreements.
Which then by correlating those with spend levels and analysis of the spend we can get a pretty good view as to whether we’re seeing everything.
Another example where we did a combination of work where we did an analysis of the whole purchase ledger including the credits within the purchase ledger and looking at the suppliers contracts with their suppliers. It was a mixture of the two.
Or some work we did where we were working for a convenience store operator who had a net/net buying agreement with a wholesale distribution business here in the UK. And we really - as I said we did a combination of analyzing all of the credits (unintelligible) through the purchase ledger.
We took a data dump of the purchase ledger and did our analysis on that and then correlated that where we were seeing the biggest rebates and also looking at where we weren’t seeing rebates and we expected to see them. And then took the relevant purchase data for our client that we were working for. So we had to get access to very large amounts of data to enable us to do that.
Another example which isn’t actually a rebate is something we did in shipping recently where we actually went to the third party ship operators and did effectively a - got a written confirmation from them that we were seeing everything when the truth is what came out of that is that we weren’t. So that is another option to use.
Willy Kruh:
Thanks Amanda. Graham I’ve got a couple of large company and small business questions and we’ll try - let’s try to keep them brief.
And one question was in regards to increase in fraud. Do you believe that there really is an increase - the 7% you mentioned? Or have we always had that? Is there better transparency, more scrutiny - example (SOX)? And do we have any quantitative evidence? I guess at the end of the day it doesn’t matter if 7% is the number that’s quite a significant number but do you have a view on that?
Graham Murphy:
Always have a view Willy. I’m not sure that there’s necessarily been an increase in fraud and if I’m seeing fraud more generally. I think we’re seeing an increase in procurement and supply chain type fraud because of the growing complexities of operating in foreign jurisdictions.
With respect to overall fraud at KPMG we conduct a fraud survey every so many years and we conducted the survey, you know, on a pre-(SOX) basis and on a post-(SOX) basis. And within statistically valid deviations they really haven’t changed a whole lot. And, you know, this is just surveying sort of sea level executives in a number of, you know, large corporations.
Willy Kruh:
Okay. Let me take you to a small business question, it’s an interesting question. Many of the small businesses have pressing priorities and resources constraints. So how should those small businesses manage and address relevant fraud risk?
Graham Murphy:
Yes. Great question Willy. Obviously you have differing issues between a large organization which can put in layers of controls in place as opposed to a small business which doesn’t have that luxury because of time and people.
So what you really run into - you run into some different fraud risks. You run into segregation of duties issues where you have to bifurcate the person performing the function and the person actually controlling what that other person is doing. And you have to maybe sometimes look for innovative ways to, you know, put those control structures in place depending in fact, you know, how small the business is.
Willy Kruh:
Right.
Graham Murphy:
You know, segregation of duties is a big issue in that you still have all the same other, you know, regulatory issues in purchasing and et cetera but it, you know, it’s generally smaller and potentially more manageable and there’s more knowledge of it through the organization because it’s smaller and more manageable.
Willy Kruh:
Well let me - so Kajen let me take that theme of smaller business or maybe not large systems. So if a company has an absence of an integrated system structure such as SAP or PS et cetera, can manual or simple IT testing be done in business processes for detection of fraud? And where can the person who asked the question find examples of some of these testing procedures?
Kajen Subramoney:
Thanks Willy. There’s no need for integrated system to be able to do these kind of tests. The key thing is to have an understanding of the business environment or the specific industry sector.
And knowing the kind of risks that that industry sector is exposed to or that specific business operation is exposed to.
With this knowledge it’s possible to, you know, craft a test based on what data is available to then test for these kind of things.
So I don’t know if there’s a source available where someone could find these of tests but it’s really trying to understand the business properly, understand the risks that are available and then looking at the available data, the available information on this ad hoc system to see if we can test on that system if any of these risks are present or are going to manifest themselves.
Willy Kruh:
Okay. Thanks very much. Amanda back to you on another supply audit question. Can you speak a little more specifically of what a company should look for when they have a contract that is cost plus?
Amanda Aldridge:
Yes. I can. In terms of the invoice matching then it depends on whether they’re actually seeing the end product. I use as an example if you’re - if it’s black tops on a cost plus basis then you’ll know how many new units have been deployed. So at least in terms of units deployed you’ll be comfortable so the invoices are right on that basis.
But whether you’re getting the (unintelligible) costs at the right level is something you can’t tell unless you go in and do the - do the third party audit. And then you’re in the issue of rebates which I spoke about a few minutes ago.
If you’re looking at something for example food manufacturing - I know a lot of ready meals for example are manufactured on a cost plus type arrangements and you’re looking therefore at factory costs where there’s a lot of input costs.
Generally what we find when we - when audit rights are exercised in relation to those types of contracts is that the issues aren’t so much with the direct costs, the actual cost of labor, the cost of the ingredient and the power to operate the factory, it will be allocated costs.
(Unintelligible) the issue allocation of overhead or if the processing plants being used for different customers at different points in time, how that split is made. That tends to be where the issues come.
Willy Kruh:
Let me ask you just a follow up and then we’ll just have a couple more questions. When you’re looking at these supplier audits, in your experience has this led to a breach with the client's relationship with that supplier?
No. It can actually enhance the relationship with the supplier. Sometimes in the short term it can cause things to be a little more tense than they might otherwise be. But what these types of agreements do is that they put all the balls in the suppliers court. And the exercising the right of audit forces more of a balance in the relationship.
It was - the rights of audit were there for a reason and it was to enable the customer to rebalance the relationship.
Willy Kruh:
That’s great.
Amanda Aldridge:
But generally I would say that our clients find it a positive thing.
Willy Kruh:
Graham let me end with you on a last question. I mean many in the audience consider the cost of the best practices that you laid out. Talk a little bit about your suggestions for best practice. Are they not really quite expensive?
Graham Murphy:
It depends. You know, I think the question earlier was talking about bolting on controls continuous monitoring...
Willy Kruh:
Right.
Graham Murphy:
...existing systems. That can get expensive if you start altering systems. But really some better practices of having, you know, common processes and actually have a policy that is throughout the organization that is written and is disseminated, that’s not that costly.
Looking at rationalizing certain categories, simplifying your spends, reducing your number of vendors - that doesn’t really cost a lot. You know, looking at electronic catalogs it doesn’t necessarily have to be that expensive and if those are, you know, Web enabled that everybody’s going to get access to that should - the benefits should greatly out weigh the cost of putting some of those things in.
But, you know, clearly the more you get into altering systems the more costly in effect, you know, you may not want to go down that path. The real leading edge stuff is business intelligence taking the information out of the systems to better, you know, look at performance metrics and the like. Those can get a little bit more, you know, complicated and involved and result in expenses.
Willy Kruh:
I think Graham at the end of the day if you accept the 7% number then you can do your own cost benefit on what you’re able to mitigate by putting in these procedures.
Graham Murphy:
There’s definitely a cost benefit that you should be evaluating. And, you know, like I said the ACFE comes out with 7% that’s a really big number. It’s almost shocking. But...
Willy Kruh:
Right it is. Anyway let me finish on that. Thanks everybody for your participation. Thanks everybody on the call. We look forward for future webcasts.
But thank you very much for today. Hopefully you found it useful.
Bye everybody.