Monthly Archives: August 2012

Pop Goes The Squirrel!

Hammy has been driving Verne crazy again over the hedge. Dark Verne is creeping back to the surface. And I bet this is what’s playing in his head right now …

RJ played guitar, Hammy played bass.
Name of the band is Over the Hedge.
Everybody tell me have you heard?
Pop goes the squirrel.

RJ played keyboard, Hammy played drums.
It drives Verne crazy and when the time comes.
Everybody tell me have you heard?
Pop Goes The squirrel.

It goes something like this: (p p p pop)

RJ and Hammy had a crazy dream.
See their pictures in a magazine.
Every wild critter needs a twirl.
Pop goes the squirrel.

RJ and Hammy getting smart (it seems).
Made more money on a movie screen.
Every little nest needs a bird.
Pop goes the squirrel.

One two three and four is five.
Dark Verne is plotting poor Hammy’s demise.
Mentos and coke and Microwave on high.
Pop goes the squirrel.

Six seven eight and nine is ten.
Make sure it works with nitroglycerin.
Say what planet are we on? The third!
Pop Goes The squirrel.

And Every time Verne wonders where the world went wrong,
Ends up lying on his face going ringy dingy ding dong.

And every time Verne wonders if the world is right,
Ends up across the cosmos in black arachnid’s night.

RJ played guitar, Hammy played bass.
Name of the band is Over the Hedge.
Everybody tell me have you heard?
Pop goes the squirrel.

RJ played keyboard, Hammy played drums.
At least until Verne with dynamite comes.
Everybody tell me have you heard?
Pop Goes The squirrel.

Worried About P2P Fraud? Here’s How to Prevent Even More of It!

In yesterday’s post we reviewed Accounts Payable News’ recent piece on “the top six ways to carry out P2P fraud” that every Supply Management professional should be aware of BEFORE implementing any P2P system. We did this because, as pointed out by Spend Matters UK, “Procurement Related Fraud [is] On the Rise” (or at least more instances are being caught and prosecuted). The post chronicled four recent high-profile cases, of which two involved collusion between a buyer and a supplier (where the buyer purposely overpaid a supplier or helped them win a bid in exchange for cash kickbacks), one was a purely internal fraud conducted by a sole buyer (who set up dummy corporations that issued false invoices that were paid to an account the buyer controlled), and one was an external fraud in which a criminal convinced accounts payable to change payment information for a genuine supplier to the criminals’ bank account.

In other words, we had a case of social engineering and supplier payment diversion by outsiders, a case of fictitious invoices for goods not actually delivered by an insider, a case of undermining of control by way of buyer-supplier collusion, and a case of tacit approval of unapproved “handling” costs to a supplier, who would pay a kick-back. All of the frauds Accounts Payable News warned us about have recently occurred in big organizations and ended up as high-profile cases before the courts. And at least three of these could have easily been prevented. Having a second party phone the supplier’s AR department to verify banking would have quickly revealed the social engineering fraud, verifying goods were received would have prevented payment of the fictitious invoices, and mandatory approvals for any costs above contract terms or market rates would have prevented the supplier overpayments. The undermining of control would be difficult to stop if it was a single party feeding a preferred supplier confidential information, but note that this is procurement-related fraud, and not pure P2P fraud.

In other words, as mentioned in yesterday’s post, if one solves two of three situations that are common among procurement frauds, fake data and lack of control to be precise, many frauds can be prevented. And while you can never solve the collusion issue, having to accept that the best you can do is discourage it, the reality is that you can minimize it. As pointed out by Spend Matters UK,
Motive + Opportunity = Bad Things Happen,
and opportunity can certainly be minimized.

However, as implied by Spend Matters UK, what you really have to worry about is motive. The chance of fraud increases substantially when someone has a motive, and, as further pointed out by the post, motive increases greatly when there is:

  • Financial Need
    If someone is deeply in debt, has a gambling problem, or owes the mob money, that someone is going to be driven to get money anyway he can.
  • Psychologically Defective
    If someone has a pathological desire for thrills, and fraud is their fix, sooner or later, he’s going to try.
  • A sense of Entitlement
    This could take the form of greed, or of jealousy if the individual, who works hard, sees superiors getting big rewards for little effort while the individual gets little or no rewards for a lot of effort.

And while you can’t tell what a person is thinking, some people have easy tells that you can use to evaluate your chance of risk, and put additional controls in place if the chance of risk is high. For example, if a credit check shows the person is bordering on bankruptcy, that person could be more susceptible to opportunities for fraud, or at least to bribes. While it’s not necessarily the case, as some people would rather starve than steal a dollar, it should trigger extra precautions at least until you are sure the person is trustworthy.

In addition, basic psychological testing can often reveal a need to over-achieve or an undeserved sense of entitlement. These people could also pose financial risks to your firm and their financial control should be limited until their performance is adequately measured and your trust has been earned.

The simple fact is that people without a want or a need have no motive, and opportunity means very little to them. While it’s not as easy to weed out motive as it is to lock out a system, if millions are on the line, spend a few hundred on a background check, and if we’re talking an executive, a personality assessment wouldn’t hurt either.

Worried about P2P Fraud? – Here’s How To Prevent Most Of It!

Accounts Payable News recently ran a good article on “the top six ways to carry out P2P fraud” that every Supply Management professional should read BEFORE implementing any P2P system. While the sheer presence of a P2P system will discourage fraud, as fraud will be much harder to hide and/or require collusion if the system is properly integrated, it also enables fraud to be conducted faster and at a much larger scale if there are holes in the implementation. But first, let’s look at the frauds identified:

    • Social Engineering
      A user who doesn’t need admin access gets it by convincing IT that it will be quicker if they can create accounts for authorized individuals, or that they need it for testing after hours. If such admin access can be used to create new, fictitious, suppliers with banking information that don’t require payment approvals …
    • Fictitious Invoices for non-PO spend below the bar
      If invoices below a certain threshold, like $1,000, automatically get paid (without a purchase order or, worse, goods receipt match) from preferred suppliers if the line items are on an approved list, then all it takes is collusion between a buyer and supplier to generate and approve a few (dozen) false invoices and both get a free vacation on the Riviera.
    • Reassignment and Undermining of Control
      If a fraudster can convince others to reassign approvals or part of the payment process to himself, then he can approve fictitious invoices from fake suppliers, which are actually companies, and bank accounts, he controls.
    • Receipt of goods not actually delivered
      If the buyer, who never sets foot in the warehouse or on the construction site, receipts goods never delivered, the buyer can arrange for a supplier to be paid twice if the supplier sends an invoice before the goods, gets paid right away, and then drops off a second invoice with the goods, which is then matched against a PO and receipted. And, of course, the buyer would get a kickback.
    • Approval of unapproved handling costs
      Which were never in the contract, but of which a portion will be kick-backed to the colluding buyer.
    • Supplier Payment Diversion
      A smart buyer will open a bank account in a name that sounds like it is the supplier’s name, like MJ Consulting if the supplier is M&J Consulting, provide finance with new banking instructions from a spoofed e-mail account, and collect the payments until AP discovers they have incorrect account information.

If you analyze these types of fraud, you see a couple of commonalities:

      • Fake Data
      • Lack of Control
      • Collusion

It’s very easy with modern technology to prevent the first two and make the third harder, in that more people will have to be in on the fraud for it to succeed. Specifically, if you take the following steps:

      • Lock down access to finance and admin functionality to only those who need it
        and, using fine-grained role-based security, restrict admin functionality to only those functions for which the person truly requires admin rights
      • Require 2nd party verification of all regulatory and financial data associated with a supplier
        as no one should be able to enter and confirm the same data element
      • Only a person performing a function can enter data relating to that function
        as only a warehouse or site worker will know when the goods are/are not delivered
      • Also require 2nd party verification of any data element that can trigger a payment
        So, a goods receipt, as a whole, should be verified by a foreman
      • Absolutely no automatic payments unless (a) the supplier is verified, (b) the supplier’s accounts are verified, (c) the goods were verified as received
      • Absolutely no payment for an invoice above the minimum threshold for non-automatic payment without a PO
        even if verified supplier, account, and receipt of goods
      • Absolutely no payment for an invoice above the threshold for which approval is specified
        without a manager approval, even if there is a PO, verified supplier, account, and receipt of goods
      • Absolutely no P2P/e-Procurement systems that don’t encrypt user access information, account information, and approvals. Otherwise, all an enterprising fraudster has to do is get onto the server and either (a) query the database for an admin login, (b) overwrite the account record with his own bank record or, and this is way too easy in some systems, (c) set the approved for payment flag next to the invoice to true. The approval field should be a system encrypted value that only the system can decrypt to a valid “pay on” date using salts, hashes, and ciphers.

This will solve the fake data issue, as there can be no fake data unless there is collusion, and the lack of control issue, as there will be no way around the workflow unless there is collusion. You can’t solve the collusion issue, but you can certainly discourage it. Criminals tend not to trust each other, and when three or more parties are required to pull off a heist, the odds are much more in your favour.
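As an added illustration (not code from the original post or from any P2P product), the payment rules in the list above can be expressed as one release gate. The limits, field names and sample records are assumptions, and the approval is protected with a keyed HMAC tag over the payee, account, amount and pay-on date, standing in for the encrypted approval field the post describes, so an edited row or a flipped flag no longer validates.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Assumed limits for illustration; the post names $1,000 only as an example bar.
NO_PO_LIMIT_CENTS = 100_000       # invoices above this need a PO
APPROVAL_LIMIT_CENTS = 1_000_000  # invoices above this need manager approval
SYSTEM_KEY = b"constructed-demo-key"  # in practice held in a KMS/HSM, never in the database

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    supplier_id: str
    bank_account: str
    amount_cents: int
    po_number: Optional[str]
    supplier_entered_by: str
    supplier_verified_by: Optional[str]
    bank_entered_by: str
    bank_verified_by: Optional[str]
    receipt_entered_by: Optional[str]
    receipt_verified_by: Optional[str]
    manager_approved_by: Optional[str] = None

def second_party(entered: Optional[str], verified: Optional[str]) -> bool:
    """True only if two different people entered and confirmed the data element."""
    return bool(entered) and bool(verified) and entered != verified

def seal(inv: Invoice, pay_on: date) -> str:
    """Keyed tag over every field that decides who gets paid, how much, and when."""
    fields = [inv.invoice_id, inv.supplier_id, inv.bank_account,
              inv.amount_cents, pay_on.isoformat()]
    return hmac.new(SYSTEM_KEY, json.dumps(fields).encode(), hashlib.sha256).hexdigest()

def release_blockers(inv: Invoice, pay_on: date, stored_seal: str) -> list:
    """Return the reasons payment must be refused; an empty list means release."""
    checks = [("supplier record", inv.supplier_entered_by, inv.supplier_verified_by),
              ("bank account", inv.bank_entered_by, inv.bank_verified_by),
              ("goods receipt", inv.receipt_entered_by, inv.receipt_verified_by)]
    blockers = [f"{what} lacks second-party verification"
                for what, a, b in checks if not second_party(a, b)]
    if inv.amount_cents > NO_PO_LIMIT_CENTS and not inv.po_number:
        blockers.append("no PO for invoice above the non-PO limit")
    if inv.amount_cents > APPROVAL_LIMIT_CENTS and not inv.manager_approved_by:
        blockers.append("manager approval missing")
    if not hmac.compare_digest(seal(inv, pay_on), stored_seal):
        blockers.append("approval seal does not match the stored record")
    return blockers

# Constructed sample data (user names, ids and account numbers are made up).
PAY_ON = date(2012, 9, 15)
GOOD = Invoice("INV-1", "SUP-7", "ACCT-111", 250_000, "PO-42",
               "buyer1", "finance2", "buyer1", "finance2", "dock3", "foreman4")
GOOD_SEAL = seal(GOOD, PAY_ON)
SELF_VERIFIED = replace(GOOD, bank_verified_by="buyer1")  # same person enters and confirms
OVERWRITTEN = replace(GOOD, bank_account="ACCT-999")      # row edited after approval
```

Calling `release_blockers(OVERWRITTEN, PAY_ON, GOOD_SEAL)` reports the seal mismatch even though every workflow field still looks valid, which is the database-overwrite case from the last bullet.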

All Roads Lead to … Poland?

In the last three days I’ve seen articles about three different international logistics companies expanding operations (with new routes and delivery centers) in Poland as well as two articles about global supply chain cooperation, one on logistics cooperation between Poland and China, which was discussed at a recent seminar following an MOU with SAIETC, and another on technical / mining cooperation between Poland and India.

While it never made SI’s series on Cultural Differences or Cultural Intelligence, edited by SI’s resident global trade expert Dick Locke, the doctor, a technologist by training (and an enterprise software architect), has been keeping tabs on Poland as he believed it was not only a rising destination for IT offshoring, but one which could soon provide advantages over India. But he never expected Poland, with an outsourcing index of 5.6 and a rank of 16 over on Sourcingline (which tracks 38 global outsourcing destinations), to all of a sudden become so prominent.

After all, it was only in 2010 that Ernst & Young, in their European Attractiveness Survey, identified Poland as the top potential investment destination for their FDI (Foreign Direct Investment) projects. Typically it takes years for recommendations to become reality. However, and this is one thing Poland does have going for it, Poland is pushing for FDI very aggressively. The English translation of the Inwestycje w Polsce site, Invest in Poland, is quite informative, the GDP growth is stable, the high unemployment rate (given the average education level) suggests lots of room for additional growth, and the fact that FDI has been stable around the 10 B Euro range for the past 4 years leaves room for growth. And when you consider that half of the 2.1 Million Polish students speak fluent English, that’s a globally-prepared well-educated work-force being churned out every year. When Horses for Sources said Poland was more than “just another” BPO location, they were definitely ahead of the curve. And where Poland is concerned, at least with respect to North America and Western Europe, they have a very good chance of competing with the Sourcing Raj.

Poland is definitely Open for Business.

 

The Hubris Hypothesis is Alive and Well in Supply Management

It looks like we’re back to the merger and acquisition frenzy again in the space, which seems to begin anew at the start of every boom in the continual boom-bust cycle that Wall Street so favours. Big cash-rich giants are again gobbling up cash-poor gnomes in an effort to bolster either the breadth of their offerings or expand their (potential) customer base. This is a good thing and a bad thing. If you’re on the market for supply management technology, or a customer of one of the cash-rich giants, this can be a good thing. If you’re a shareholder of the cash-rich giant, or a customer of the cash-poor gnome, this can be a bad thing. If you’re anyone else, it probably doesn’t affect you.

It’s probably a bad thing if you’re a shareholder of the cash-rich giant as 4 out of 5 mergers and acquisitions fail to deliver the expected value, and often fail to do so spectacularly. As Richard Roll notes in his classic paper on “The Hubris Hypothesis of Corporate Takeovers”, decision makers in acquiring firms pay too much for their targets on average. I believe this to be especially true in the enterprise software space where the value of a platform decreases at a rate that is in-line with the expected depreciation of a new car purchase. Every time a newer, better, piece of software hits the market, the value of all existing platforms drops. And since, in the enterprise software space, all acquisitions tend to do is freeze innovation on the platform of at least one party, if not both, until integration is achieved, value drops — and in this space, it’s rarely regained. While the value associated with software doesn’t disappear as fast as it does on Wall Street every time a newly created bubble finally bursts, it still disappears. And it’s not like we don’t have our own horror stories like the i2-Nike PR nightmare, the Hershey Foods WMS failure, or the ERP/MRP fiasco that brought down the multi-billion pharmaceutical Foxmeyer. And while none of these are directly related to M&A, they do demonstrate how any attempt to integrate even partially incompatible systems can wipe out hundreds of millions (or more) of value.

Similarly, if you’re a customer of the cash-poor gnome, it can also be a bad thing if your system is “locked down” until the features/functionality is integrated with the giant’s platform, that you will eventually be forced to implement (when the term of your original agreement runs out). Chances are that you bought the gnome platform because the giant platform wasn’t what you needed, was way more extensive than what you needed, or didn’t deliver enough value from the extra functionality relative to the cost.

But if you’re a customer of the cash-rich giant, who, chances are, is no longer capable of innovating its way out of a wet paper bag, this can be a great thing. As soon as the initial integration headaches are solved, you’ll have access to new, innovative to you, functionality without having to find a new vendor, do custom integration, or even do extensive mods to the platform you have — especially if you’re using a hosted/SaaS service and it just gets enabled in the next release. And, if the giant is fair to you, as a loyal customer who had to wait, the additional cost won’t be that significant and will be dwarfed by the new-found value your organization can generate.

But if you’re not a customer of the cash-rich giant or the cash-poor gnome (and not a shareholder of the cash-rich giant either), this is definitely a great thing. As we’ll delve into in more detail in a future post, when you’re on the market looking for a new supply management technology platform, you’re asking three questions (if you’re doing it right) before seriously considering a vendor: can the vendor support me, are they stable enough to support me, and are they still innovating. While it is often straight-forward to answer the first question, it’s hard to answer the second if the company is private and hard to answer the third if you’re not intimately familiar with the space and the competition (as innovation can be relative). But if a vendor gets acquired, you know that it likely wasn’t stable enough as most companies that get acquired are cash-poor, have limited growth options on their own, or have a specific innovation or customer a cash-rich giant wants (and once a cash-rich giant sets their sights on a target, that target’s resources will be consumed with either friendly bids, or hostile bids, which would still limit its ability to support you). And if a vendor does the acquiring, then there is a good chance that it’s not innovating (at the rate it used to) or not capable of further growth without a fresh blood infusion (which would eventually limit innovation).

This means that every merger and acquisition identifies two more companies that, at the very least, should be given serious scrutiny before being added to your list of potential solution providers, if they should even make the list at all (at least until a successful integration is completed — which, if one of the fish is really big, could take years) as a merger or acquisition usually signals a lack of innovation on one side and cash on the other. And, more importantly, it shines a light on those companies in the middle — stable, growing, and full of innovation ready and waiting to take your Supply Management practice to the next level.

A new wave of best-of-breed players is rising in the space. Since they haven’t yet been entangled by the hubris hypothesis, it might be time to give them a serious look.