Please note, this blog was written by Navjeet Vaid
Your employees and suppliers are likely stealing from you.
According to the Association of Certified Fraud Examiners, 22% of
reported fraud cases involve some form of billing scheme where the
target organization paid for products or services it had not
received. Take for instance, the case of Delta Airlines; the victim
of a $36 million vendor fraud spanning more than 10 years.
The scheme involved two long-standing employees at Delta, whom we will call Bob and John. Bob owned a company that supposedly provided voice and data services to Delta. He would send the invoices to his accomplice, John, for authorization, in return for a portion of the ill-gotten gains. Working in concert for more than a decade, the two employees stole more than $36 million.
Typically, vendor or procurement fraud involves at least one employee of an organization and sometimes, it also involves an outside vendor. In the Delta case, the fraud scheme involved collusion among two long-standing employees and a fictitious vendor.
While the use of collusion made the detection of this fraud significantly more difficult, the implementation of effective internal control procedures could have helped to identify the scheme and prevented further losses, such as:
- Periodic review of the approved vendor listing;
- Comparison of budget to actual variance for voice and data services (monthly, quarterly or annually);
- Internal audits of purchases and expenditures.
Vendor fraud is a risk for almost all organizations. The
following red flags and internal control weaknesses may enhance the
opportunity for vendor fraud:
No vendor approval process – Vendor approval is essential in preventing vendor fraud. By approving all vendors within the system, it reduces the likelihood of a fictitious vendor being added to the system undetected. User access controls in the IT system can ensure that the master vendor file can only be accessed by authorized individuals.
Inadequate matching procedures (work order, purchase order, bill of lading, invoice, payment) – By matching work and purchase orders to shipping / receiving information and invoices, an organization can protect itself from issuing payments for goods / services that have not been received.
No authorization limits – Authorization limits typically help ensure that large payments are appropriately approved and authorized, however, consideration should be given to payments that fall just under the authorized limit. A fraudster may submit invoices for amounts under the authorization limit in an effort to keep the scheme from being detected.
Vendors with a post office box as the only address – Generally, legitimate vendors who use a post office box for mail delivery will also have an address for their corporate office. Vendors identified with only a post office box may be an indication of a fictitious vendor.
Complacent review process – Fraudulent or unauthorized payments can be prevented by reviewing invoices prior to the issuance of a payment. This review should be performed by an individual with knowledge of the business operations and the nature of expenses incurred.
A greater understanding of the organization's typical expenses can make the review process more effective. When reviewing invoices, the following questions should be considered:
- Does the purchase make sense? Are the goods and services required? Does the nature of the expenditure align with the company's operations?
- Who is the person originating the order/purchase? Does it make sense that this person would require or request the goods or services being purchased?
- Have all required supporting documents been provided? Have the goods or services been received?
- Has the expenditure been authorized? Is the amount of the invoice within authorization limits?
- Is the payment for a new or unidentified vendor? Is the vendor on the approved vendor list?
- Has the invoice been matched to the work order, purchase order and bill of lading (if applicable)?
Vendor fraud can take many forms. Some of the more common
Fictitious Vendors – Involves creating a record in the vendor master file that directs payment to a fictitious company that does not provide any products or services to the company.
Manipulation of the Vendor Master File – Involves changing the address and banking particulars of a legitimate but inactive vendor of the company to a bank account controlled by the fraudster.
Fictitious invoicing – Involves a vendor invoicing the company for goods and services not received / rendered.
By implementing controls and procedures to mitigate the internal control weaknesses, companies are able to reduce the opportunity for vendor fraud to occur. It is important for these controls and procedures to be visible to employees. Oftentimes, the risk of getting caught is enough to deter an individual from committing fraud.
The use of internal controls, including reviews, authorizations, approvals and training for employees dealing with the issuance of payments can go a long way in reducing the risk of vendor fraud to an organization. These measures combined with the proper tone at the top and a well-documented and enforced fraud risk management program can position a company to prevent, deter and detect fraud.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.