Category Archives: Fraud

The implications of Crying Thief!

Today’s guest post is from Tony Bridger of Assymetrix Consulting. Got a spending, process, or change management problem? Tony has a solution.

There is an old Nigerian Proverb that runs a little like: “One cry of “Thief!” and the whole marketplace is on the lookout.

However, crying “thief” has serious implications for many business, particularly those public organisations with shareholders who would quickly perceive financial crime as a systemic business process failure.     It is easier for management teams to internally manage fraud than to prosecute. Detection of large fraud is also an admission that both controls and deterrence are failing.   In a recent article, It’s Hard to Find Fraud in Big Spend Stacks …   the advent of AI could provide that vital detection of internal fraud.   It’s a sophisticated solution.

Whilst we are on the subject of proverbs, a key element in fraud management is “prevention is better than cure”. Companies that detect fraud have clearly not created the cultural norms that others take for granted that deter staff from committing fraud.   There are many cultural and technological capabilities that can reduce the incidence of fraudulent activity that are well within the grasp of many businesses.   Deterrence – or risk of detection is a critical cultural message.

With some careful risk analysis, it is quite easy to map out where company fraud is likely to originate. Finance, Procurement and staff expenses are usually the key internal risk areas.   Culturally, one of the first steps is to ensure that there is adequate separation of duties.   In finance, this is simply ensuring that a finance staff member does not have the capacity to both create a supplier vendor master entry – and pay an invoice.   This is a system administration role setting. The creation of “dummy vendors” and subsequent payments is often down to this simple failure.   Making all data elements (Business Number, address, contact details) as mandatory data items also reinforces the message on data integrity.   Many mid to high end systems will also allow user audit trail analysis if required. This simply captures the user-id of the employee accessing the key finance system forms.

For smaller companies, separation of duties can be an issue – but keeping a register of new supplier entries and reviewing this regularly is a key move.   In the procurement space, the person who creates the contract and then manages the winning vendor should also not be one and the same person if possible.   Again, hard to mobilize with limited staff and expertise – but a very clear signal around why is a powerful deterrent.   The idea is not to create a draconian working environment – it is simply ensuring that employees understand that this is designed to protect them – as well as the company.

Where possible, organizations should also use the power of their accounting system to the full.   Many of the low-end accounting systems have decent quality automation for transactions like staff expenses.   From experience, there are some subtle employee mindset changes generated with increased automation.   Almost all of us realize that entering data in to a system creates a record.   Once submitted, unless a request is made to vary the claim – the electronic evidence exists.   Paper can be lost, shredded or misinterpreted.

Almost all staff will recognize that these transactions can be retrieved many years later.   A very good business practice is to engage a vendor that provides duplicate invoice analysis services periodically.   This service can also detect anomalies and “odd” transactions.   A multiple repeated “same value” claim by an employee will almost certainly be found and analyzed. As many of these services are contingent based, they are quite affordable.   Regular auditing can also send clear signals on fraud risk assurance.

However, the combination of separation of duties, increased electronic transaction processing and periodic data analysis should send very clear cultural signals about what is acceptable. Staff will work out the “why?” comparatively quickly.

Organizations cannot effectively function if trust is lacking.   The notion of the cry of thief! Is far more acceptable if good management controls are in place and any subsequent fraud is detected. In effect, it’s a best effort approach to fraud prevention.

Thanks, Tony.

Why You Have to Find that Fraud in Big Spend Stacks …

We recently published a piece on how it’s hard to find fraud in big spend stacks, and it is an important one. While fraud in most organizations might be relatively small, and might be mostly controllable by the right culture, processes, and systems (but that’s a subject for a future post), it’s still going to be there, and the most common form of fraud you are not going to detect is collusion fraud.

But this can be the most costly. Let’s say Bill and Ted both have invoice approval rights in the services procurement system and can singlehandedly approve services procurements up to 20K. Let’s say Bill’s buddy Bob has a services firm and let’s say Ted’s buddy Tim also has a services firm. Let’s also say that the organization also has a great need for temporary contingent labour to man the warehouse, clean the offices, and guard the assets of the company.

Let’s say that oversight of these services is left up to the approver for verification. Let’s say that Tim routinely sends two services guards when the general policy is to have three guards on duty and that Bob typically sends only two janitors to do the work that would typically be done by four by the old services provider. Who’s to say that Tim doesn’t send two guards but bill for three? And who’s to say that Bob doesn’t send two janitors and bill for four? And if these invoices are sent bi-weekly, they are going to fall well within approval limits.

Moreover, who’s to say that Ted doesn’t know about Tim’s over-billing and Bill doesn’t know about Bob’s over-billing? And who’s to say that Bill and Ted don’t have a deal to approve the over-billings for each other because their wives are getting an “efficiency consulting” fee from Tim and Bob’s companies?

Maybe this doesn’t happen in your company, but it happens more than one thinks, and just because you never detected this, how do you know it’s not happening? Invoices from real suppliers for real services at approved rates can still contain fraudulent over-billings for services not actually delivered, and those proceeds can still be partially kicked back through indirect channels to organizational employees.

But how do you detect this? Very sophisticated AI-based algorithms that detect unusually high approval patterns between two organizational employees, for amounts that should have been reduced with new contracts, that don’t match typical, anonymized, organizational patterns. And then human investigation to find the truth.

So why is this so important? Besides plugging the leaks? Because if you can’t find internal collusion, how will you ever detect potential cases of external collusion? And gather enough corroborating evidence to at least get an investigation going? If industries collude, and jack prices above market prices, the organization will lose considerably more than it will lose to Bill and Ted (from the evil, parallel, universe). And this happens more than you think too, it just doesn’t always get detected and investigated. Fortunately, sometimes it does, and sometimes, even if there is no certainty that fraud happens, regulators, presented with enough evidence still investigate — like they are doing now among the German automakers (which led to a surprise raid on BMW headquarters as recently reported in the New York Times) that are suspected of conspiring to hold down the prices of crucial technology (as initially reported in July). Regardless of the outcome, technology that can identify potential fraud and gather correlating evidence will keep everyone more honest, and that’s a good thing.

Oversight for more than just your Travel & Expense budget management

Oversight is an Atlanta-based software (as a service) company founded back in 2003 to help organizations monitor spending in an effort to identify errors, waste, misuse, and fraud in the grey area of enterprise spend. As every recovery firm will tell you, the average organization will overspend by 1% to 3% as a result of over billings, duplicate billings, unnecessary spend on superfluous demand, maverick spend, and even fraud. (And they make their living recovering a portion of that, typically a third, and then charging you 33% of the recovery as their fee. Sounds small, but 1/3 of 1/3 of 3% of spend is 0.33% of spend, and if the organization spends 100 Million, they get 330,000 for an effort that can be largely automated and, even worse, be avoided with proper up-front spend monitoring.)

For example, if all invoices are compared to invoices and goods receipts before payments are authorized, this can prevent overpayments. Duplicate billings can be identified in the same way (and duplicate payments prevented). Potential fraud can be identified by forcing all invoices from unknown suppliers, for unknown products, or for unexpected amounts to be manually reviewed. (This can’t prevent in-house fraud, where a buyer pays a fake invoice to a fake company controlled by a relative, or a co-conspirator, but it can prevent external fraud.) Unnecessary spend on superfluous demand will require up front requisition control, as will maverick spend, but at least there will be no overspend or duplicate spend that can be unrecoverable once the contract with the supplier expires.

Oversight is unique in that it is not so much a software platform but an insights platform. Employing a team of data scientists focussed on identifying new algorithms and techniques for fraud detection, Oversight uses their in-depth knowledge of fraud to build solutions that will help the clients identify potential cases of fraud that they could never hope to identify on their own. The best most companies can do is sample based audits and spot checks which are unlikely to identify much fraud as these will generally only be on a few percentage of invoices or transactions, and most employees who have been getting away with fraud for a while will not be doing anything obvious, and the fraud will not be detected without correlations across documents and systems. That’s where Oversight comes in.

The Oversight solution is a web-based software solution for automatic spend analysis and identification of high-risk or potentially fraudulent transactions that comprehensively analyzes T&E, purchase card, and accounts payable spend using a suite of statistical, clustering, data mining, break point, rule-based, evidentiary reasoning, and machine learning algorithms that look for discrepancies, suspicious patterns, known fraud, and risk indicators to identify those transactions that need to be manually reviewed. The dashboard-driven, or work-bench driven, interface allows an analyst to drill into suspicious transactions by country, organizational unit, risk level, or exception type and can be configured to show the analyst only those exceptions assigned to her, or her team, or every unresolved exception in the system.

When a user drills in by exception type, she sees an overview of the overall risks by country and can drill into suppliers to see the specific exceptions. When a user drills in by country, she can see the overall risk by supplier and then by exception. In other words, she can drill into at-risk transactions using country, organizational unit, supplier, and at-risk type in any manner they please.

Or, they can look for exceptions by process. Right now, Oversight supports the identification of at-risk transactions in the travel & expense, procure to pay, and purchase card processes and has recently added support for FCPA, Anti-Bribery, and Corruption Risk — including the identification of known politically exposed parties.

Plus, the platform not only integrates with all of the big supplier and financial data providers — such as Dunn & Bradstreet, Bureau van Dijk, and CreditSafe — but also integrates with providers of risk indicator data such as Ecovadis and Sedex Global. Plus, they maintain their own databases of known politically connected parties, gentlemen’s clubs, denied parties, and other parties that an organization typically should not be allocating funds to. This last capability is quite important … just ask American Express which once received a 241K strip club bill authorized by the CEO. (Source)

Since fraud attempts differ by country, and collusion is hard to detect with a standard m-way match invoice processing platform, Oversight brings a powerful offering to the expense management space. It’s a platform worth checking out. For a deeper dive into the platform, check out the recent coverage by the doctor and the prophet over on Spend Matters Pro [membership required]. (Part I is up with Parts II and III coming within a week.)

Societal Damnation 41: Fraud & Corruption

As per our damnation post last year, fraud and corruption is everywhere and running havoc on your organization and your supply chain. A recent Kroll Global Fraud Report in late 2013 found that 70% of companies were affected by fraud in the prior 12 months, which represented an increase of 15% over the previous twelve months. In other words, at the time, 7 in 10 companies were hit by fraud in the previous year. But it gets worse. The Economist at the same time also found that fraud was on the rise and predicted that it would continue to rise. If the rate of increase remained steady, then 4 of 5 businesses got hit with fraud last year and 9 out of 10 business will get hit with fraud this year. Yowzers!

Procurement fraud can be particularly costly and damaging regardless of if you are in the public sector or the private sector. The UK public sector estimated that fraudulent purchasing on an annual basis cost it £ 2.3 Billion in 2012! Zoinks! And while it’s harder to find good numbers for the US, a 2011 report by Computer Evidence Specialists found that Fraud cost the US $1.32 Trillion in 2010, of which 733 Billion was Corporate (with 68% committed by corporations and 32% committed by employees). Hamana! Hamana!

If you are a large organization, whether you want to admit or not, there is a small percentage of employees, suppliers, and customers that are looking to rip you off for as much as they think they can get. Every day of the week, including Sunday. Not everyone, not by a longshot, but enough people to make your job miserable.

So what can you do? As per our damnation post, a good start is to

  • have an invoice policy that is strictly followed that only accepts invoices from approved suppliers, only for approved goods or received services, and only at contracted or publicly advertised rates
  • have strict spending limits and controls that enforce them which ensure that only people with authority can grant approvals for bypass, and that such approval is clearly logged in an auditable fashion
  • careful inspections of all goods received to make sure the organization gets what was ordered and what is paid for

But that’s just a start. The organization should also:

  • analyze all invoices or expenses without a PO very carefully to ensure they are not duplicate, that the goods or services were received, and that the prices billed are the prices the organization committed to pay
  • have strict policies on who is allowed to buy and what they can buy and have a policy that repeated or serious offences can, and will, result in immediate dismissal
  • have a standard contract rider that no invoices for off-contract goods or services will be accepted without a PO that all contracted suppliers must sign, as this will severely limit how many unexpected invoices show up
  • use data mining and machine learning to identify potential fraud as the same receipt submitted 3 times two months apart, or patterns of the same no-receipt charges, or duplicate billings for the same service months apart will be immediately identified as suspect, for example
  • keep up on fraudulent statistics and schemes and identify methods to enable the quick identification thereof before new fraud methods and attempts cost the organization too much money

But whatever you do, don’t target employees and treat them like criminals. If you treat them like criminals, they will become criminals. Create good procedures and processes for invoices and payments, install solutions where it is easier to follow the procedures and processes than ignore them, and make it about cost control, not fraud prevention, and you’ll find that fraud just isn’t as much of a concern. (Fraudsters choose easy targets.)

Technological Damnation 92: Data Loss

It is the information age and data is the life blood of the company and the supply chain. The financial chain is controlled by data. The physical flow of goods is dictated by data. People communicate electronically through data packets. It’s all data. And losing that data is a damnation. Not just because data is lost, but because:

Lost Intellectual Property data is a loss of competitive advantage

Sometimes the only edge a company has is it’s intellectual property that it can use to create a slightly better product, do better in a foreign market, or lower its costs enough to undersell the competition when its products are no better. If that gets stolen, and one or more competitors get their hands on it, the advantage is gone and all of a sudden the product is no better, the edge in the foreign market is lost, and there is no cost advantage to exploit in the end product.

Intrusions that result in lost or stolen data are hard to trace

If your systems or networks get hacked, and your data is stolen, good luck figuring out who got your data, because chances are that not only will you not be able to figure out who hacked you, but you will not even be able to figure out where the hack came from. Right now, there are free hacking toolkits for every major OS on the deep web that can bounce packets off of dozens of anonymous proxy servers, fake TCP/IP headers, and exploit dozens upon dozens of security holes that can be launched successfully against the average system by budding script kiddies — so imagine what real black-hats can do if this is what they give away for free. Do you know how many zero-day exploits are in your systems? They do!

Even if the intrusions are traced, loss is hard to recover

Let’s say you are able to afford, and hire, the best white-hat trackers from the top security firms on the planet and they trace the hack to, let’s say, a rogue hacker in China or Russia. Do you think you’re going to recover anything? Nope. And even if you can trace the hack to your country or a country that you operate in, do you think suing a hacker who got an untraceable payment to a Swiss or Cayman Islands account is going to net you anything? No way!

Data loss prevention requires very powerful, expensive, digital vaults

The only protection your organization has is to install the best systems with the best encryption configured by real security pros. This is not easy to do. Considering that most web sites are full of security holes that are easily uncovered by open source products like PortSwigger’s Burp Scanner, imagine how hard it is to properly secure a database, an ERP, an OS, and the communication lines between them. So not only do you have to buy a top of the line system with embedded security, but then you have to find a real security expert to properly configure and harden the system — who is extremely pricey if you manage to find that person.

And loads of security training, awareness, review, and enforcement.

The majority of data thefts are not the result of hacks, but the result of disgruntled employees with access or social engineering. That’s why you need good policies, training, and enforcement. An admin should not grant carte-blanche access to data in a system to an employee who does not need it just because it’s too hard to set up the roles based security, even if the employee is happy and trust-worthy. Chances are that security will never be reviewed and if, in two years, the employee gets disgruntled or falls on hard times, that’s an exploit waiting to happen.

But the biggest risk is the average employee who writes her password on a post it inside her drawer, a receptionist who does a system test when asked over the phone, or an office admin who grants a workman access to the server room because they look like they should be there. The most common way a hacker gets access to your system is by posing as the janitorial staff who gets to go into every cubicle to empty garbage (and check desks for password post-it notes), as the vendor rep who wants to test the server connection (and has the rep go to a site that looks like the vendor portal admin screen and login for a speed / reliability test when all it does is capture the authentication data before passing through to a real site), or by dressing up as an IT shop employee there to fix the server — because once you’re on the live system, you can suck all the admin codes you want for a remote access later. Poor security practices opens holes bigger than the Vredefort crater.

And the average person does not understand this, even after repeated instructions and explanations as to why writing the password down is dangerous. So this damnation will be with us for quite some time.