Please note, this blog was written by Navjeet Vaid
Your employees and suppliers are likely stealing from you.
According to the Association of Certified Fraud Examiners, 22% of
reported fraud cases involve some form of billing scheme where the
target organization paid for products or services it had not
received. Take for instance, the case of Delta Airlines; the victim
of a $36 million vendor fraud spanning more than 10 years.
The scheme involved two long-standing employees at Delta, whom we
will call Bob and John. Bob owned a company that supposedly
provided voice and data services to Delta. He would send the
invoices to his accomplice, John, for authorization, in return for
a portion of the ill-gotten gains. Working in concert for more than
a decade, the two employees stole more than $36 million.
Typically, vendor or procurement fraud involves at least one
employee of an organization and sometimes, it also involves an
outside vendor. In the Delta case, the fraud scheme involved
collusion among two long-standing employees and a fictitious
vendor.
While the use of collusion made the detection of this fraud
significantly more difficult, the implementation of effective
internal control procedures could have helped to identify the
scheme and prevented further losses, such as:
- Periodic review of the approved vendor listing;
- Comparison of budget to actual variance for voice and data services (monthly, quarterly or annually);
- Internal audits of purchases and expenditures.
Vendor fraud is a risk for almost all organizations. The
following red flags and internal control weaknesses may enhance the
opportunity for vendor fraud:
No vendor approval process – Vendor
approval is essential in preventing vendor fraud. By approving all
vendors within the system, it reduces the likelihood of a
fictitious vendor being added to the system undetected. User access
controls in the IT system can ensure that the master vendor file
can only be accessed by authorized individuals.
Inadequate matching procedures (work order,
purchase order, bill of lading, invoice, payment) – By
matching work and purchase orders to shipping / receiving
information and invoices, an organization can protect itself from
issuing payments for goods / services that have not been
received.
No authorization limits – Authorization
limits typically help ensure that large payments are appropriately
approved and authorized, however, consideration should be given to
payments that fall just under the authorized limit. A fraudster may
submit invoices for amounts under the authorization limit in an
effort to keep the scheme from being detected.
Vendors with a post office box as the only address
– Generally, legitimate vendors who use a post office box for
mail delivery will also have an address for their corporate office.
Vendors identified with only a post office box may be an indication
of a fictitious vendor.
Complacent review process – Fraudulent or
unauthorized payments can be prevented by reviewing invoices prior
to the issuance of a payment. This review should be performed by an
individual with knowledge of the business operations and the nature
of expenses incurred.
A greater understanding of the organization's typical expenses can make the review process more effective. When reviewing invoices, the following questions should be considered:
- Does the purchase make sense? Are the goods and services required? Does the nature of the expenditure align with the company's operations?
- Who is the person originating the order/purchase? Does it make sense that this person would require or request the goods or services being purchased?
- Have all required supporting documents been provided? Have the goods or services been received?
- Has the expenditure been authorized? Is the amount of the invoice within authorization limits?
- Is the payment for a new or unidentified vendor? Is the vendor on the approved vendor list?
- Has the invoice been matched to the work order, purchase order and bill of lading (if applicable)?
Vendor fraud can take many forms. Some of the more common
schemes include:
Fictitious Vendors – Involves creating a
record in the vendor master file that directs payment to a
fictitious company that does not provide any products or services
to the company.
Manipulation of the Vendor Master File –
Involves changing the address and banking particulars of a
legitimate but inactive vendor of the company to a bank account
controlled by the fraudster.
Fictitious invoicing – Involves a vendor
invoicing the company for goods and services not received /
rendered.
By implementing controls and procedures to mitigate the internal
control weaknesses, companies are able to reduce the opportunity
for vendor fraud to occur. It is important for these controls and
procedures to be visible to employees. Oftentimes, the risk of
getting caught is enough to deter an individual from committing
fraud.
The use of internal controls, including reviews, authorizations,
approvals and training for employees dealing with the issuance of
payments can go a long way in reducing the risk of vendor fraud to
an organization. These measures combined with the proper tone at
the top and a well-documented and enforced fraud risk management
program can position a company to prevent, deter and detect
fraud.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.