Category Archives: Best Practices

The implications of Crying Thief!

Today’s guest post is from Tony Bridger of Assymetrix Consulting. Got a spending, process, or change management problem? Tony has a solution.

There is an old Nigerian Proverb that runs a little like: “One cry of “Thief!” and the whole marketplace is on the lookout.

However, crying “thief” has serious implications for many business, particularly those public organisations with shareholders who would quickly perceive financial crime as a systemic business process failure.     It is easier for management teams to internally manage fraud than to prosecute. Detection of large fraud is also an admission that both controls and deterrence are failing.   In a recent article, It’s Hard to Find Fraud in Big Spend Stacks …   the advent of AI could provide that vital detection of internal fraud.   It’s a sophisticated solution.

Whilst we are on the subject of proverbs, a key element in fraud management is “prevention is better than cure”. Companies that detect fraud have clearly not created the cultural norms that others take for granted that deter staff from committing fraud.   There are many cultural and technological capabilities that can reduce the incidence of fraudulent activity that are well within the grasp of many businesses.   Deterrence – or risk of detection is a critical cultural message.

With some careful risk analysis, it is quite easy to map out where company fraud is likely to originate. Finance, Procurement and staff expenses are usually the key internal risk areas.   Culturally, one of the first steps is to ensure that there is adequate separation of duties.   In finance, this is simply ensuring that a finance staff member does not have the capacity to both create a supplier vendor master entry – and pay an invoice.   This is a system administration role setting. The creation of “dummy vendors” and subsequent payments is often down to this simple failure.   Making all data elements (Business Number, address, contact details) as mandatory data items also reinforces the message on data integrity.   Many mid to high end systems will also allow user audit trail analysis if required. This simply captures the user-id of the employee accessing the key finance system forms.

For smaller companies, separation of duties can be an issue – but keeping a register of new supplier entries and reviewing this regularly is a key move.   In the procurement space, the person who creates the contract and then manages the winning vendor should also not be one and the same person if possible.   Again, hard to mobilize with limited staff and expertise – but a very clear signal around why is a powerful deterrent.   The idea is not to create a draconian working environment – it is simply ensuring that employees understand that this is designed to protect them – as well as the company.

Where possible, organizations should also use the power of their accounting system to the full.   Many of the low-end accounting systems have decent quality automation for transactions like staff expenses.   From experience, there are some subtle employee mindset changes generated with increased automation.   Almost all of us realize that entering data in to a system creates a record.   Once submitted, unless a request is made to vary the claim – the electronic evidence exists.   Paper can be lost, shredded or misinterpreted.

Almost all staff will recognize that these transactions can be retrieved many years later.   A very good business practice is to engage a vendor that provides duplicate invoice analysis services periodically.   This service can also detect anomalies and “odd” transactions.   A multiple repeated “same value” claim by an employee will almost certainly be found and analyzed. As many of these services are contingent based, they are quite affordable.   Regular auditing can also send clear signals on fraud risk assurance.

However, the combination of separation of duties, increased electronic transaction processing and periodic data analysis should send very clear cultural signals about what is acceptable. Staff will work out the “why?” comparatively quickly.

Organizations cannot effectively function if trust is lacking.   The notion of the cry of thief! Is far more acceptable if good management controls are in place and any subsequent fraud is detected. In effect, it’s a best effort approach to fraud prevention.

Thanks, Tony.

It’s Hard to Find Fraud in Big Spend Stacks …

Let’s start with T&E spend. While most organizations might believe that this spend, which is primarily for low value amounts on fairly well understood products and services, does not hide much in the way of fraud, that’s not always the case. Nor is the fraud limited to employees upgrading to business class, upgrading from rooms to suites, and spending a bit too much on drinks at the client dinner. (But even this can be very expensive. If this off-policy spend results in negotiated volume-based rebates failing to materialize, this can be very costly.) But that’s not the case. It cal also contain:

  • the same receipt for a $500 business entertainment submitted two (three, or even five) times, one month apart, on different claims and never noticed
  • a pet hosteling bill that looks just like a hotel bill
  • an invoice from Benny’s buddy Bob for 20% above market rates who drove him to the airport (instead of a licensed service at market rates)
  • that double billing by your no-longer favourite hotel for a room charged to your guest and then charged on your tab is really hard to spot (especially when some rooms were picked up and some rooms weren’t at your recent event)
  • collusion between an employee and a spouse who owns a travel “services” company can account for a lot of extra travel “services” billings that weren’t delivered
  • suppliers who know you have holes in your T&E monitoring can submit fake invoices for services never delivered
  • etc.

It’s really hard to find these low-impact fraud needles in a T&E haystack, but these needles can add up quickly — especially for products and services never even delivered! Only automated processing that can compare multiple entries across multiple dimensions and learn typical patterns can identify the majority of errant fraud that passes through your T&E system.

Moreover, as an organization learns to detect certain types of fraud, the fraudsters get smarter. No static system can keep up! AI based systems are key to an organization’s success.

In particular, AI-based systems that can work on multiple types of spend. T&E is just one category. There’s also invoice data for sourced and procured products and services that can be six to eight times the T&E volume in an average organization. And when we go broad, there are even more options for creative fraud from less-than-honourable parties. For example, you could see things like:

  • $4.95K shipping fees for $5 items because the tolerances in the system don’t kick anything up for review with shipping less than $5K
  • invoices from fake suppliers with the same name as your tendered suppliers with faked registry numbers and different bank information for payment
  • invoices from corporates owned by spouses of employees for services not delivered submitted by the employees and approved by colluding associates doing the same thing
  • etc.

For some of these instances, humans have almost zero chance of surfacing the infraction when its 1 invoice in 1000. A new solution is needed. A number of players are tackling the problem with modern AI solutions, but do the approaches have what it takes to find the gold in them there hills? Only time will tell.

Sourcing the Day After Tomorrow … Part XVI

In this series we have been reviewing sourcing today, the primary phases and sub-steps, and how they look strategic on the surface but often hide a lot of tactical work underneath. Moreover, sometimes “strategic” is simply a decision that is entirely based on the results of a sophisticated analysis that can be encoded in a very complex rule.

What does all this mean? It means that systems can do more of the work and with next generation sourcing systems, the strategic decisions will be made by expert buyers who know the market in ways designers of systems can’t. Expert buyers who can identify external stimuli that occur, and impact, the market once every five to ten years (that a new system wouldn’t know). Expert buyers who can better judge the impact of a new supplier on the market that the system doesn’t have the history on. Expert buyers who know the best way to handle unexpected demands or change requests in a negotiation process.

Strategic will change from data gathering to data analysis to knowledge evaluation where the analyst first learns to analyze the data gathered to better train and correct the system to knowledge evaluation where the analyst learns to identify the gaps in the analysis or the weightings that need to change. It’s going to become primarily an intelligence exercise, not an analysis exercise. Computers can do considerably more analysis and number crunching than we can in an exponentially smaller amount of time. As a result, more and more analysis will be given to the computers, and more and more intelligence will be expected of the user.

And the entire sourcing process will be affect. How much? In the beginning, more and more of each step, and then of each phase will be automated. But then, in the longer term, the sourcing process will change and adapt to one that is more suitable for the knowledge-based endeavour that it is. What will this look like? Time will tell, but we have our ideas. And we will address them in at a future time.

Sourcing the Day After Tomorrow Part XV

In this series we are doing a deep dive into the sourcing process today, and, in particular discussing what is involved, what is typically done (manually), and whether or not it should be that way. We have already completed our initial discussion of the initial project request review phase, the follow up needs assessment, the strategy selection phase, the communication phase, the analysis phase, and the negotiations phase. Now we are in the final contracting phase. At first glance, it looks like this is the second most strategic and human-driven phase there is, second only to negotiation, as it is humans (and lawyers in particular) who typically define standard terms and conditions, humans who identify risk and mitigation strategies, humans who define obligations, and humans who analyze the contract for compliance to goals. But is this the case?

So in this final step, the contract step, we have these final sub-steps:

  • Standard Terms and Conditions
  • Modification & Risk Mitigation to Supplier & Country
  • Key Metadata definition and obligation specification
  • Contract Analytics

If all of the standard terms and conditions are in existing contracts and the contract clause / template repository, there’s no reason that a system cannot automatically scan the contracts and repositories, identify the standard organizational terms in every contract, identify the standard terms for the category, and identify any terms, often not included, that would be relevant to the category. Probabilities can be applied and contract terms organized by weight. The buyer can then just bulk select or bulk reject the relevant clauses.

In the modification and risk mitigation step, a contract analytics engine can be applied to determine how well a particular clause addresses a certain risk of relevance to the organization based on context models and differentials. It can then compare that clause to the clauses that best address the risk and identify the necessary modifications, and do so specifically from a supplier or geographic context.

In the key metadata definition and obligation specification step, the goal is to identify the right metadata that needs to be tracked against the contract. This will be dependent on the terms and conditions, the goals, the obligations, and other key information that will be specific to the contract. However, contract analytics can identify, or at least suggest, much of this as well automatically based upon similar contracts, similar terms, similar goals, and similar obligations. This can greatly reduce the effort required by a buyer.

In the final step, the contract analytics step, the identification of risks, variances from a norm, and non-standard clauses can often be better identified by a contracts analytics engine that can cross-compare potentially risky clauses and variant clauses across hundreds, if not thousands, of contracts and identify deviations from the norm. A user just has to decide whether the variance is enough to be of interest to them, and properly setting a threshold can eliminate the majority of those variances that are not.

In other words, at the end of the day, contract analytics identifies the majority of standard terms and conditions that are of interest, the majority of standard clauses that will need modifications to address supplier and country risk, the relevant metadata and obligations associated with the contract, and any clauses that can be considered variant enough to warrant special consideration.

The majority of the work can be automated with a good contract analytics engine — the role of the buyer is to apply their intelligence to determine how accurate and effective it is. As the buyer trains the engine, it will become more and more accurate over time and the strategic work will be reduced to hours, sometimes minutes for simple contracts, compared to days or weeks.

In other words, the more we explore the sourcing process, the more we find out how truly tactical, or at least automatable, the majority of it is.

Sourcing the Day After Tomorrow Part XIV

In our series to date we have recapped Sourcing today and taken a deep dive into the key requirements of the review, needs assessment, strategy selection, communication, analysis, and negotiation phases. In each of these six steps to date, we found that while some steps were critical for a sourcing professional to undertake, others, while necessary, were a complete waste of skilled talent time as the majority of the tasks could be automated. And while we’re still at the point where some tasks have to be done by humans whereas no matter what, we’re almost certain that this is true across the entire sourcing cycle, but until we complete our analysis, we can’t be 100%, so that is what we’re going to do today and tomorrow.

So in this final step, the contract step, we have these final sub-steps:

  • Standard Terms and Conditions
  • Modification & Risk Mitigation to Supplier & Country
  • Key Metadata definition and obligation specification
  • Contract Analytics

In the standard terms and conditions step, the buyer identifies all of the organizational standard terms and conditions that are relevant to the product and services in question. This involves reviewing the standard conditions proffered by legal, previous contracts, and standard contracts put forward by competitors and selecting those that are relevant.

In the modification and risk mitigation phase, the buyer identifies which standard terms and conditions, prior contracts, and suggested terms (defined during the early phases) need to be modified to address risk on a supplier and/or country basis and makes some suggestions as to what needs to be done.

In the key metadata definition and obligation specification phase, the buyer needs to define the metadata that needs to be tracked against the contract, how it needs to be tracked, where it needs to be used, and even how to generate value from the metadata.

Finally, the user needs to analyze the contract for risks, variances, and clauses that are non-standard, identify, catalog, and track them over time. Plus, the user needs to determine the relative risks, variances, and clauses relative to other contracts to determine overall priority.

This sounds pretty buyer intensive and strategic, right? Not much room for automation, right? Well, we’ll find out in our next part!