Category Archives: Fraud

Oversight for more than just your Travel & Expense budget management

Oversight is an Atlanta-based software (as a service) company founded back in 2003 to help organizations monitor spending in an effort to identify errors, waste, misuse, and fraud in the grey area of enterprise spend. As every recovery firm will tell you, the average organization will overspend by 1% to 3% as a result of over billings, duplicate billings, unnecessary spend on superfluous demand, maverick spend, and even fraud. (And they make their living recovering a portion of that, typically a third, and then charging you 33% of the recovery as their fee. Sounds small, but 1/3 of 1/3 of 3% of spend is 0.33% of spend, and if the organization spends 100 Million, they get 330,000 for an effort that can be largely automated and, even worse, be avoided with proper up-front spend monitoring.)

For example, if all invoices are compared to invoices and goods receipts before payments are authorized, this can prevent overpayments. Duplicate billings can be identified in the same way (and duplicate payments prevented). Potential fraud can be identified by forcing all invoices from unknown suppliers, for unknown products, or for unexpected amounts to be manually reviewed. (This can’t prevent in-house fraud, where a buyer pays a fake invoice to a fake company controlled by a relative, or a co-conspirator, but it can prevent external fraud.) Unnecessary spend on superfluous demand will require up front requisition control, as will maverick spend, but at least there will be no overspend or duplicate spend that can be unrecoverable once the contract with the supplier expires.

Oversight is unique in that it is not so much a software platform but an insights platform. Employing a team of data scientists focussed on identifying new algorithms and techniques for fraud detection, Oversight uses their in-depth knowledge of fraud to build solutions that will help the clients identify potential cases of fraud that they could never hope to identify on their own. The best most companies can do is sample based audits and spot checks which are unlikely to identify much fraud as these will generally only be on a few percentage of invoices or transactions, and most employees who have been getting away with fraud for a while will not be doing anything obvious, and the fraud will not be detected without correlations across documents and systems. That’s where Oversight comes in.

The Oversight solution is a web-based software solution for automatic spend analysis and identification of high-risk or potentially fraudulent transactions that comprehensively analyzes T&E, purchase card, and accounts payable spend using a suite of statistical, clustering, data mining, break point, rule-based, evidentiary reasoning, and machine learning algorithms that look for discrepancies, suspicious patterns, known fraud, and risk indicators to identify those transactions that need to be manually reviewed. The dashboard-driven, or work-bench driven, interface allows an analyst to drill into suspicious transactions by country, organizational unit, risk level, or exception type and can be configured to show the analyst only those exceptions assigned to her, or her team, or every unresolved exception in the system.

When a user drills in by exception type, she sees an overview of the overall risks by country and can drill into suppliers to see the specific exceptions. When a user drills in by country, she can see the overall risk by supplier and then by exception. In other words, she can drill into at-risk transactions using country, organizational unit, supplier, and at-risk type in any manner they please.

Or, they can look for exceptions by process. Right now, Oversight supports the identification of at-risk transactions in the travel & expense, procure to pay, and purchase card processes and has recently added support for FCPA, Anti-Bribery, and Corruption Risk — including the identification of known politically exposed parties.

Plus, the platform not only integrates with all of the big supplier and financial data providers — such as Dunn & Bradstreet, Bureau van Dijk, and CreditSafe — but also integrates with providers of risk indicator data such as Ecovadis and Sedex Global. Plus, they maintain their own databases of known politically connected parties, gentlemen’s clubs, denied parties, and other parties that an organization typically should not be allocating funds to. This last capability is quite important … just ask American Express which once received a 241K strip club bill authorized by the CEO. (Source)

Since fraud attempts differ by country, and collusion is hard to detect with a standard m-way match invoice processing platform, Oversight brings a powerful offering to the expense management space. It’s a platform worth checking out. For a deeper dive into the platform, check out the recent coverage by the doctor and the prophet over on Spend Matters Pro [membership required]. (Part I is up with Parts II and III coming within a week.)

Societal Damnation 41: Fraud & Corruption

As per our damnation post last year, fraud and corruption is everywhere and running havoc on your organization and your supply chain. A recent Kroll Global Fraud Report in late 2013 found that 70% of companies were affected by fraud in the prior 12 months, which represented an increase of 15% over the previous twelve months. In other words, at the time, 7 in 10 companies were hit by fraud in the previous year. But it gets worse. The Economist at the same time also found that fraud was on the rise and predicted that it would continue to rise. If the rate of increase remained steady, then 4 of 5 businesses got hit with fraud last year and 9 out of 10 business will get hit with fraud this year. Yowzers!

Procurement fraud can be particularly costly and damaging regardless of if you are in the public sector or the private sector. The UK public sector estimated that fraudulent purchasing on an annual basis cost it £ 2.3 Billion in 2012! Zoinks! And while it’s harder to find good numbers for the US, a 2011 report by Computer Evidence Specialists found that Fraud cost the US $1.32 Trillion in 2010, of which 733 Billion was Corporate (with 68% committed by corporations and 32% committed by employees). Hamana! Hamana!

If you are a large organization, whether you want to admit or not, there is a small percentage of employees, suppliers, and customers that are looking to rip you off for as much as they think they can get. Every day of the week, including Sunday. Not everyone, not by a longshot, but enough people to make your job miserable.

So what can you do? As per our damnation post, a good start is to

  • have an invoice policy that is strictly followed that only accepts invoices from approved suppliers, only for approved goods or received services, and only at contracted or publicly advertised rates
  • have strict spending limits and controls that enforce them which ensure that only people with authority can grant approvals for bypass, and that such approval is clearly logged in an auditable fashion
  • careful inspections of all goods received to make sure the organization gets what was ordered and what is paid for

But that’s just a start. The organization should also:

  • analyze all invoices or expenses without a PO very carefully to ensure they are not duplicate, that the goods or services were received, and that the prices billed are the prices the organization committed to pay
  • have strict policies on who is allowed to buy and what they can buy and have a policy that repeated or serious offences can, and will, result in immediate dismissal
  • have a standard contract rider that no invoices for off-contract goods or services will be accepted without a PO that all contracted suppliers must sign, as this will severely limit how many unexpected invoices show up
  • use data mining and machine learning to identify potential fraud as the same receipt submitted 3 times two months apart, or patterns of the same no-receipt charges, or duplicate billings for the same service months apart will be immediately identified as suspect, for example
  • keep up on fraudulent statistics and schemes and identify methods to enable the quick identification thereof before new fraud methods and attempts cost the organization too much money

But whatever you do, don’t target employees and treat them like criminals. If you treat them like criminals, they will become criminals. Create good procedures and processes for invoices and payments, install solutions where it is easier to follow the procedures and processes than ignore them, and make it about cost control, not fraud prevention, and you’ll find that fraud just isn’t as much of a concern. (Fraudsters choose easy targets.)

Technological Damnation 92: Data Loss

It is the information age and data is the life blood of the company and the supply chain. The financial chain is controlled by data. The physical flow of goods is dictated by data. People communicate electronically through data packets. It’s all data. And losing that data is a damnation. Not just because data is lost, but because:

Lost Intellectual Property data is a loss of competitive advantage

Sometimes the only edge a company has is it’s intellectual property that it can use to create a slightly better product, do better in a foreign market, or lower its costs enough to undersell the competition when its products are no better. If that gets stolen, and one or more competitors get their hands on it, the advantage is gone and all of a sudden the product is no better, the edge in the foreign market is lost, and there is no cost advantage to exploit in the end product.

Intrusions that result in lost or stolen data are hard to trace

If your systems or networks get hacked, and your data is stolen, good luck figuring out who got your data, because chances are that not only will you not be able to figure out who hacked you, but you will not even be able to figure out where the hack came from. Right now, there are free hacking toolkits for every major OS on the deep web that can bounce packets off of dozens of anonymous proxy servers, fake TCP/IP headers, and exploit dozens upon dozens of security holes that can be launched successfully against the average system by budding script kiddies — so imagine what real black-hats can do if this is what they give away for free. Do you know how many zero-day exploits are in your systems? They do!

Even if the intrusions are traced, loss is hard to recover

Let’s say you are able to afford, and hire, the best white-hat trackers from the top security firms on the planet and they trace the hack to, let’s say, a rogue hacker in China or Russia. Do you think you’re going to recover anything? Nope. And even if you can trace the hack to your country or a country that you operate in, do you think suing a hacker who got an untraceable payment to a Swiss or Cayman Islands account is going to net you anything? No way!

Data loss prevention requires very powerful, expensive, digital vaults

The only protection your organization has is to install the best systems with the best encryption configured by real security pros. This is not easy to do. Considering that most web sites are full of security holes that are easily uncovered by open source products like PortSwigger’s Burp Scanner, imagine how hard it is to properly secure a database, an ERP, an OS, and the communication lines between them. So not only do you have to buy a top of the line system with embedded security, but then you have to find a real security expert to properly configure and harden the system — who is extremely pricey if you manage to find that person.

And loads of security training, awareness, review, and enforcement.

The majority of data thefts are not the result of hacks, but the result of disgruntled employees with access or social engineering. That’s why you need good policies, training, and enforcement. An admin should not grant carte-blanche access to data in a system to an employee who does not need it just because it’s too hard to set up the roles based security, even if the employee is happy and trust-worthy. Chances are that security will never be reviewed and if, in two years, the employee gets disgruntled or falls on hard times, that’s an exploit waiting to happen.

But the biggest risk is the average employee who writes her password on a post it inside her drawer, a receptionist who does a system test when asked over the phone, or an office admin who grants a workman access to the server room because they look like they should be there. The most common way a hacker gets access to your system is by posing as the janitorial staff who gets to go into every cubicle to empty garbage (and check desks for password post-it notes), as the vendor rep who wants to test the server connection (and has the rep go to a site that looks like the vendor portal admin screen and login for a speed / reliability test when all it does is capture the authentication data before passing through to a real site), or by dressing up as an IT shop employee there to fix the server — because once you’re on the live system, you can suck all the admin codes you want for a remote access later. Poor security practices opens holes bigger than the Vredefort crater.

And the average person does not understand this, even after repeated instructions and explanations as to why writing the password down is dangerous. So this damnation will be with us for quite some time.

Societal Damnation 40: Crime / Piracy

These damnations have been around longer than supply chains, and they aren’t going away any time soon. THe only difference is that today the types of crime an organization is exposed to today are much more varied than the crimes an organization was exposed to in the past. For example, terrorist attacks, identity theft, and cybercrime were not something the average large organization had to deal with on a regular basis, if at all.

But now, terrorist organizations, many of which are composed of individuals who are ex-military or trained by military and/or government agencies, are becoming common in many countries where there is significant civil unrest or animosity towards a people or government. And these terrorist organizations often target large shipments of goods that they need to sustain their efforts near the territories that they are based in — and this is not just restricted to weapons but also includes fuel, food, clothing, and personal electronic devices. It’s not just common thieves and criminal groups plotting to steal a few boxes or empty an 18-wheeler when the driver takes a lunch break — it’s a terrorist organization planning to steal an entire convoy of 18-wheelers (because they want the trucks too).

It used to be that identify theft was when one person impersonated another to fool an unsuspecting individual at a company or bank to gain access to funds or products, and this could easily be protected against by good security measures, passwords, and biometrics, but now we have the situation where the identify of entire companies is being stolen. This has become especially prevalent in the US since the introduction of MAP-21 (which SI likes to call RIP-21) which resulted in thousands of small transport companies going out of business when the minimum bond was increased from 10,000 to 75,000. Shortly after this happened, some very enterprising individuals decided to setup fake companies that pretended to be the company that was out of business. They faked registration documents, insurance certificates and bonds, and personnel records, presented themselves to 3PLs that the company previously worked with (stating that they managed to raise the bond money and were back in business), and even presented themselves to large manufacturers and retailers the company used to do business with. When contracts were awarded, they acquired trucks, hired drivers, and made deliveries. Some of them even operated just like a legitimate company for months until they were trusted with a multi-million dollar shipment of products that would fetch a similar sum on the black market — then they vanished overnight with millions of dollars of products. (See SI’s post on how increased cargo theft is the next impact of MAP-21.

And cybercrime has hit entirely new levels. It used to be that the best a hacker could do was steal a bank account number and password, do an ACH transfer, and make off with the operating account. But now, hackers can infiltrate your networks and make off with all of your bank account numbers and passwords, hack other networks and replace the corporate director and officer records, falsely represent themselves as your company to banks and lenders (by stealing the identities of your corporate officers and then hacking your virtual private networks and spoofing your IP addresses to access your bank accounts in what appears to be a legitimate access by the bank), take out massive loans and not only make off with every dollar in every account you have, but leave your company on the hook for millions more. And that’s if the hackers are being nice. Plus, while the hackers are at it, they hack your merchant terminals, steal all of your customer’s credit card information, sell it on the black market, and leave you with a massive media black eye that puts your brand reputation in the toilet.

If you thought the Fraud and Corruption (as chronicled in Damnation 41) was bad, just wait until you have to deal with the new terrorists, identify fraudsters, and cyber-criminals. And if you survive this first wave, then you get to deal with the Somali pirates! (And they are a whole lot meaner than the Saskatchewan pirates.)

Societal Damnation 41: Fraud and Corruption

Fraud and Corruption is everywhere and running havoc on your organization and your supply chain. A recent Kroll Global Fraud Report in late 2013 found that 70% of companies were affected by fraud in the prior 12 months, which represented an increase of 15% over the previous twelve months. In other words, at the time, 7 in 10 companies were hit by fraud in the previous year. But it gets worse. The Economist at the same time also found that fraud was on the rise and predicted that it would continue to rise. If the rate of increase remained steady, then 4 of 5 businesses got hit with fraud last year and 9 out of 10 business will get hit with fraud this year. Yowzers!

Moreover, Procurement Fraud can be particularly costly and damaging, in both the public and private sectors. For example, a recent article over on Supply Management on how Councils [were] told to do more to tackle Procurement Found found that there were 107,000 cases of Procurement fraud detected by local authorities in 2012-2013 that combined accounted for £s; 178 million! And this is just a drop in the bucket when compared to the total amount lost by the UK public sector to fraudulent purchasing on an annual basis, an amount that was estimated at £s;2,300 million in 2012! Zoinks!

It’s harder to find good numbers for the US, but a 2011 report by Computer Evidence Specialists found that Fraud cost the US $1.32 Trillion in 2010, of which 733 Billion was Corporate (with 68% committed by corporations and 32% committed by employees). This number might sound surprising but when you consider that between 2000 and 2007 a small South Carolina parts supplier collected about 20.5 Million from the Pentagon between 2000 and 2006 in fraudulent shipping charges, including $998,798 for sending two 19-cent washers to an Army base in Texas, it puts things in a different light. (Source archives.) Hamana, hamana!

If your organization is not on full alert 24/7, it is going to get hit with fraud from somewhere in the organization or the supply chain. It’s just a matter of time before an attempt is made. This fraud can take many forms, which can include, but are not limited to:

  • invoices from non-existent suppliers
    usually submitted by an employee for services (not received) or goods of questionable origin to try and defraud the company of money (or by a random third party trying to hope a small invoice slips through unnoticed)
  • invoices from suppliers for off-contract goods and services
    usually for smaller dollar amounts for services “to be received” or for goods that are priced above standard list price for “emergency provision and delivery” where a supplier is trying to eek out more revenue or an employee is colluding to get a kickback
  • bait-and-switch
    where the supplier promises you the newest high-end laptop with the top-of-the-line processor and memory chips, but you actually get last year’s model which has depreciated 30% less (because, not being an IT shop, the supplier thinks you won’t know the difference) or charges you for Grade 5 Bolts when in fact they are only Grade 2 Bolts (and which you intend to use in commercial busses used to transport passengers, giving you a legal liability as well as a case of fraud)
  • inflated T&E claims
    where meetings across town are 50 miles instead of 10, all meals are $1 below the per diem limits, significant “entertainment” charges (especially on the first and last day where the employee or manager was actually entertaining friends and relatives), etc. (or, and this happened, the same receipt is accidentally submitted on consecutive expense reports)
  • inflated performance claims
    where a buyer “negotiates” a year-end rebate in exchange for guaranteed volume at unnecessarily higher prices next year so that he can exceed his savings target and get a bigger bonus
  • “lost” / “damaged” stock
    that is “walked” off the truck by an employee during a pre-lot entry inspection or, if the merchandise is un-returnable / too costly to return, declared damaged and purchased at pennies at the dollars by an employee who will resell the undamaged products on his own

In other words, fraud can happen anywhere, and at any time, and if a Procurement organization is not vigilant, it will happen to them. Fortunately, steps can be taken to reduce the chances of most of these frauds. Having a policy that invoices will only be accepted from approved suppliers, that all invoices from approved suppliers for non-contracted goods and services and/or for goods and services at non-contracted rates will prevent most external fraud from slipping through the system. (Collusion can still bypass the best of controls, but, unless the system is hacked, you know exactly who perpetrated the fraud in this instance.) Having T&E limits without budget manager approval, automatic zip-code based mileage checks, and fixed per-diems (while more costly) can weed out a lot of T&E fraud. Careful inspections and a two-step process can minimize the chances of a bait-and-switch and good stock being written off. And waiting a quarter to verify the numbers then and now before issuing a bonus will discourage many employees from trying to inflate their savings (or sales) claims.

However, no system is perfect and a lot of process transformation, and diligence, will be required to minimize the risk of fraud and corruption and limits its impact if it does happen. For Procurement, it’s another damned if you do (as the effort takes time and resources away from good category management that is often the largest source of value generation) and damned if you don’t (as the losses from a single fraud could wipe out most of the captured savings).