Category Archives: Fraud

Why You Have to Find that Fraud in Big Spend Stacks …

We recently published a piece on how it’s hard to find fraud in big spend stacks, and it is an important one. While fraud in most organizations might be relatively small, and might be mostly controllable by the right culture, processes, and systems (but that’s a subject for a future post), it’s still going to be there, and the most common form of fraud you are not going to detect is collusion fraud.

But this can be the most costly. Let’s say Bill and Ted both have invoice approval rights in the services procurement system and can singlehandedly approve services procurements up to 20K. Let’s say Bill’s buddy Bob has a services firm and let’s say Ted’s buddy Tim also has a services firm. Let’s also say that the organization has a great need for temporary contingent labour to man the warehouse, clean the offices, and guard the assets of the company.

Let’s say that oversight of these services is left up to the approver for verification. Let’s say that Tim routinely sends two services guards when the general policy is to have three guards on duty and that Bob typically sends only two janitors to do the work that would typically be done by four by the old services provider. Who’s to say that Tim doesn’t send two guards but bill for three? And who’s to say that Bob doesn’t send two janitors and bill for four? And if these invoices are sent bi-weekly, they are going to fall well within approval limits.

Moreover, who’s to say that Ted doesn’t know about Tim’s over-billing and Bill doesn’t know about Bob’s over-billing? And who’s to say that Bill and Ted don’t have a deal to approve the over-billings for each other because their wives are getting an “efficiency consulting” fee from Tim and Bob’s companies?

Maybe this doesn’t happen in your company, but it happens more than one thinks, and just because you never detected this, how do you know it’s not happening? Invoices from real suppliers for real services at approved rates can still contain fraudulent over-billings for services not actually delivered, and those proceeds can still be partially kicked back through indirect channels to organizational employees.

But how do you detect this? Very sophisticated AI-based algorithms that detect unusually high approval patterns between two organizational employees, for amounts that should have been reduced with new contracts, that don’t match typical, anonymized, organizational patterns. And then human investigation to find the truth.
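One way to surface the approval pattern described above, as an added example (not code from this post or from any vendor): it measures how concentrated each supplier's approvals are in a single approver and how often those invoices sit just under the 20K limit compared with the rest of the organization. The record fields, supplier names and thresholds are assumptions, and the invoices are constructed.

```python
from collections import defaultdict

APPROVAL_LIMIT = 20_000  # single-approver limit from the scenario above


def flag_approval_concentration(invoices, min_invoices=6, min_share=0.8,
                                band=0.10, min_excess=0.5):
    """Return (approver, supplier, share, near_limit_rate, baseline) tuples.

    A pair is flagged when one approver signs off at least `min_share` of a
    supplier's invoices AND the fraction of those invoices within `band` of
    the approval limit exceeds the rate seen across all other suppliers by
    at least `min_excess`. All thresholds are illustrative assumptions.
    """
    floor = APPROVAL_LIMIT * (1 - band)

    def near_limit(inv):
        return floor <= inv["amount"] <= APPROVAL_LIMIT

    by_supplier = defaultdict(list)
    for inv in invoices:
        by_supplier[inv["supplier"]].append(inv)

    findings = []
    for supplier, invs in by_supplier.items():
        if len(invs) < min_invoices:
            continue  # too few invoices to call anything a pattern
        by_approver = defaultdict(list)
        for inv in invs:
            by_approver[inv["approver"]].append(inv)
        approver, own = max(by_approver.items(), key=lambda kv: len(kv[1]))
        share = len(own) / len(invs)

        # Baseline: near-limit rate across every other supplier's invoices.
        rest = [i for i in invoices if i["supplier"] != supplier]
        baseline = sum(map(near_limit, rest)) / len(rest) if rest else 0.0
        rate = sum(map(near_limit, own)) / len(own)

        if share >= min_share and rate - baseline >= min_excess:
            findings.append((approver, supplier, round(share, 2),
                             round(rate, 2), round(baseline, 2)))
    return findings


# Constructed sample: two suppliers always approved by one person just under
# the limit, two suppliers with approvals spread across several approvers.
SAMPLE_INVOICES = (
    [{"approver": "bill", "supplier": "bob-services", "amount": 19_400 + 50 * i}
     for i in range(8)]
    + [{"approver": "ted", "supplier": "tim-security", "amount": 18_900 + 100 * i}
       for i in range(8)]
    + [{"approver": a, "supplier": "acme-temps", "amount": 4_000 + 700 * i}
       for i, a in enumerate(["ann", "raj", "bill", "ted"] * 3)]
    + [{"approver": a, "supplier": "city-cleaning", "amount": 6_500 + 300 * i}
       for i, a in enumerate(["raj", "ann"] * 4)]
)

if __name__ == "__main__":
    for finding in flag_approval_concentration(SAMPLE_INVOICES):
        print(finding)
```

A flagged pair is a lead for the human investigation the post calls for, not proof of collusion.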

So why is this so important? Besides plugging the leaks? Because if you can’t find internal collusion, how will you ever detect potential cases of external collusion? And gather enough corroborating evidence to at least get an investigation going? If industries collude, and jack prices above market prices, the organization will lose considerably more than it will lose to Bill and Ted (from the evil parallel universe). And this happens more than you think too; it just doesn’t always get detected and investigated. Fortunately, sometimes it does, and sometimes, even if there is no certainty that fraud happens, regulators, presented with enough evidence, still investigate — like they are doing now among the German automakers (which led to a surprise raid on BMW headquarters as recently reported in the New York Times) that are suspected of conspiring to hold down the prices of crucial technology (as initially reported in July). Regardless of the outcome, technology that can identify potential fraud and gather correlating evidence will keep everyone more honest, and that’s a good thing.

Oversight for more than just your Travel & Expense budget management

Oversight is an Atlanta-based software (as a service) company founded back in 2003 to help organizations monitor spending in an effort to identify errors, waste, misuse, and fraud in the grey area of enterprise spend. As every recovery firm will tell you, the average organization will overspend by 1% to 3% as a result of over billings, duplicate billings, unnecessary spend on superfluous demand, maverick spend, and even fraud. (And they make their living recovering a portion of that, typically a third, and then charging you 33% of the recovery as their fee. Sounds small, but 1/3 of 1/3 of 3% of spend is 0.33% of spend, and if the organization spends 100 Million, they get 330,000 for an effort that can be largely automated and, even worse, be avoided with proper up-front spend monitoring.)

For example, if all invoices are compared to invoices and goods receipts before payments are authorized, this can prevent overpayments. Duplicate billings can be identified in the same way (and duplicate payments prevented). Potential fraud can be identified by forcing all invoices from unknown suppliers, for unknown products, or for unexpected amounts to be manually reviewed. (This can’t prevent in-house fraud, where a buyer pays a fake invoice to a fake company controlled by a relative, or a co-conspirator, but it can prevent external fraud.) Unnecessary spend on superfluous demand will require up front requisition control, as will maverick spend, but at least there will be no overspend or duplicate spend that can be unrecoverable once the contract with the supplier expires.
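The pre-payment check described above, as an added example (not Oversight's code or anything from the original post): each invoice line is matched against a contracted rate and against delivery quantities that have not already been billed, and anything that fails is routed to manual review. The data layout and names are assumptions, the sample records are constructed, and the receipt quantities are assumed to come from a record the approver does not control.

```python
from collections import defaultdict

# Constructed sample data: supplier names, rates and periods are illustrative.
CONTRACTS = {  # (supplier, item) -> contracted unit rate
    ("tim-security", "guard-shift"): 450.00,
    ("acme-temps", "warehouse-shift"): 200.00,
}
RECEIPTS = {  # (supplier, item, period) -> quantity confirmed as delivered
    ("tim-security", "guard-shift", "P1"): 28,   # 2 guards x 14 days
    ("acme-temps", "warehouse-shift", "P1"): 50,
}
INVOICES = [
    {"id": "INV-1", "supplier": "tim-security", "period": "P1",   # bills 3 guards
     "lines": [{"item": "guard-shift", "quantity": 42, "unit_rate": 450.00}]},
    {"id": "INV-2", "supplier": "acme-temps", "period": "P1",
     "lines": [{"item": "warehouse-shift", "quantity": 50, "unit_rate": 200.00}]},
    {"id": "INV-3", "supplier": "newco-facilities", "period": "P1",
     "lines": [{"item": "guard-shift", "quantity": 10, "unit_rate": 400.00}]},
    {"id": "INV-4", "supplier": "acme-temps", "period": "P1",   # re-bills P1
     "lines": [{"item": "forklift-rental", "quantity": 2, "unit_rate": 900.00},
               {"item": "warehouse-shift", "quantity": 50, "unit_rate": 215.00}]},
]


def triage(invoices, contracts, receipts):
    """Map invoice id -> reasons it needs manual review ([] means pay)."""
    known_suppliers = {supplier for supplier, _ in contracts}
    billed = defaultdict(int)  # quantity already matched against each receipt
    results = {}
    for inv in invoices:
        if inv["supplier"] not in known_suppliers:
            results[inv["id"]] = ["unknown supplier"]
            continue
        reasons = []
        for line in inv["lines"]:
            key = (inv["supplier"], line["item"])
            if key not in contracts:
                reasons.append(f"{line['item']}: not a contracted item")
                continue
            if line["unit_rate"] > contracts[key]:
                reasons.append(f"{line['item']}: rate above contract")
            rkey = key + (inv["period"],)
            remaining = receipts.get(rkey, 0) - billed[rkey]
            if line["quantity"] > remaining:
                reasons.append(f"{line['item']}: billed {line['quantity']}, "
                               f"unbilled receipts cover {remaining}")
            else:
                billed[rkey] += line["quantity"]  # consume the receipt
        results[inv["id"]] = reasons
    return results


if __name__ == "__main__":
    for inv_id, reasons in triage(INVOICES, CONTRACTS, RECEIPTS).items():
        print(inv_id, reasons or "OK to pay")
```

INV-1 totals 18,900, inside a 20K single-approver limit, and is still held because the delivery record covers only 28 of the 42 shifts billed.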

Oversight is unique in that it is not so much a software platform but an insights platform. Employing a team of data scientists focussed on identifying new algorithms and techniques for fraud detection, Oversight uses their in-depth knowledge of fraud to build solutions that will help the clients identify potential cases of fraud that they could never hope to identify on their own. The best most companies can do is sample-based audits and spot checks which are unlikely to identify much fraud as these will generally only be on a few percent of invoices or transactions, and most employees who have been getting away with fraud for a while will not be doing anything obvious, and the fraud will not be detected without correlations across documents and systems. That’s where Oversight comes in.

The Oversight solution is a web-based software solution for automatic spend analysis and identification of high-risk or potentially fraudulent transactions that comprehensively analyzes T&E, purchase card, and accounts payable spend using a suite of statistical, clustering, data mining, break point, rule-based, evidentiary reasoning, and machine learning algorithms that look for discrepancies, suspicious patterns, known fraud, and risk indicators to identify those transactions that need to be manually reviewed. The dashboard-driven, or work-bench driven, interface allows an analyst to drill into suspicious transactions by country, organizational unit, risk level, or exception type and can be configured to show the analyst only those exceptions assigned to her, or her team, or every unresolved exception in the system.

When a user drills in by exception type, she sees an overview of the overall risks by country and can drill into suppliers to see the specific exceptions. When a user drills in by country, she can see the overall risk by supplier and then by exception. In other words, she can drill into at-risk transactions using country, organizational unit, supplier, and at-risk type in any manner she pleases.

Or, they can look for exceptions by process. Right now, Oversight supports the identification of at-risk transactions in the travel & expense, procure to pay, and purchase card processes and has recently added support for FCPA, Anti-Bribery, and Corruption Risk — including the identification of known politically exposed parties.

Plus, the platform not only integrates with all of the big supplier and financial data providers — such as Dun & Bradstreet, Bureau van Dijk, and CreditSafe — but also integrates with providers of risk indicator data such as Ecovadis and Sedex Global. Plus, they maintain their own databases of known politically connected parties, gentlemen’s clubs, denied parties, and other parties that an organization typically should not be allocating funds to. This last capability is quite important … just ask American Express which once received a 241K strip club bill authorized by the CEO. (Source)

Since fraud attempts differ by country, and collusion is hard to detect with a standard m-way match invoice processing platform, Oversight brings a powerful offering to the expense management space. It’s a platform worth checking out. For a deeper dive into the platform, check out the recent coverage by the doctor and the prophet over on Spend Matters Pro [membership required]. (Part I is up with Parts II and III coming within a week.)

Societal Damnation 41: Fraud & Corruption

As per our damnation post last year, fraud and corruption is everywhere and wreaking havoc on your organization and your supply chain. A recent Kroll Global Fraud Report in late 2013 found that 70% of companies were affected by fraud in the prior 12 months, which represented an increase of 15% over the previous twelve months. In other words, at the time, 7 in 10 companies were hit by fraud in the previous year. But it gets worse. The Economist at the same time also found that fraud was on the rise and predicted that it would continue to rise. If the rate of increase remained steady, then 4 of 5 businesses got hit with fraud last year and 9 out of 10 businesses will get hit with fraud this year. Yowzers!

Procurement fraud can be particularly costly and damaging regardless of whether you are in the public sector or the private sector. The UK public sector estimated that fraudulent purchasing on an annual basis cost it £2.3 Billion in 2012! Zoinks! And while it’s harder to find good numbers for the US, a 2011 report by Computer Evidence Specialists found that Fraud cost the US $1.32 Trillion in 2010, of which 733 Billion was Corporate (with 68% committed by corporations and 32% committed by employees). Hamana! Hamana!

If you are a large organization, whether you want to admit it or not, there is a small percentage of employees, suppliers, and customers that are looking to rip you off for as much as they think they can get. Every day of the week, including Sunday. Not everyone, not by a longshot, but enough people to make your job miserable.

So what can you do? As per our damnation post, a good start is to

  • have an invoice policy that is strictly followed that only accepts invoices from approved suppliers, only for approved goods or received services, and only at contracted or publicly advertised rates
  • have strict spending limits and controls that enforce them which ensure that only people with authority can grant approvals for bypass, and that such approval is clearly logged in an auditable fashion
  • carefully inspect all goods received to make sure the organization gets what was ordered and what is paid for

But that’s just a start. The organization should also:

  • analyze all invoices or expenses without a PO very carefully to ensure they are not duplicate, that the goods or services were received, and that the prices billed are the prices the organization committed to pay
  • have strict policies on who is allowed to buy and what they can buy and have a policy that repeated or serious offences can, and will, result in immediate dismissal
  • have a standard contract rider that no invoices for off-contract goods or services will be accepted without a PO that all contracted suppliers must sign, as this will severely limit how many unexpected invoices show up
  • use data mining and machine learning to identify potential fraud: for example, the same receipt submitted 3 times two months apart, patterns of the same no-receipt charges, or duplicate billings for the same service months apart will be immediately identified as suspect
  • keep up on fraudulent statistics and schemes and identify methods to enable the quick identification thereof before new fraud methods and attempts cost the organization too much money
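A minimal version of the receipt-resubmission and no-receipt checks from the data mining item in the list above, as an added example that is not part of the original post: claims are grouped on a normalized merchant, amount and receipt date so that cosmetic edits and long gaps between submissions do not hide a reused receipt. The field names, employee ids and the three-occurrence threshold are assumptions, and the claims are constructed.

```python
import re
from collections import defaultdict
from datetime import date


def fingerprint(claim):
    """Key that survives cosmetic edits to the merchant (case, spacing, dots)."""
    merchant = re.sub(r"[^a-z0-9]", "", claim["merchant"].lower())
    return (merchant, round(claim["amount"] * 100), claim["receipt_date"])


def resubmitted_receipts(claims):
    """Group claims backed by the same receipt, however far apart submitted."""
    groups = defaultdict(list)
    for c in claims:
        if c["receipt_date"] is not None:
            groups[fingerprint(c)].append(c)
    findings = []
    for group in groups.values():
        if len(group) < 2:
            continue
        group.sort(key=lambda c: c["submitted"])
        gaps = [(b["submitted"] - a["submitted"]).days
                for a, b in zip(group, group[1:])]
        findings.append({"ids": [c["id"] for c in group],
                         "employees": sorted({c["employee"] for c in group}),
                         "gap_days": gaps})
    return findings


def repeated_no_receipt(claims, min_count=3):
    """Same employee, same amount, no receipt, at least `min_count` times."""
    seen = defaultdict(list)
    for c in claims:
        if c["receipt_date"] is None:
            seen[(c["employee"], round(c["amount"] * 100))].append(c["id"])
    return {key: ids for key, ids in seen.items() if len(ids) >= min_count}


def claim(id_, employee, merchant, amount, receipt_date, submitted):
    return {"id": id_, "employee": employee, "merchant": merchant,
            "amount": amount, "receipt_date": receipt_date,
            "submitted": submitted}


# Constructed sample claims (employee ids, merchants and dates are made up).
CLAIMS = [
    claim(1, "e17", "Airport Taxi Co.", 64.50, date(2024, 1, 9), date(2024, 1, 12)),
    claim(2, "e17", "AIRPORT TAXI CO", 64.50, date(2024, 1, 9), date(2024, 3, 14)),
    claim(3, "e17", "Airport Taxi Co", 64.50, date(2024, 1, 9), date(2024, 5, 13)),
    claim(4, "e22", "Hotel Meridian", 412.80, date(2024, 2, 2), date(2024, 2, 5)),
    claim(5, "e31", "Parking", 24.00, None, date(2024, 1, 15)),
    claim(6, "e31", "Parking", 24.00, None, date(2024, 2, 15)),
    claim(7, "e31", "Parking", 24.00, None, date(2024, 3, 15)),
    claim(8, "e22", "Parking", 24.00, None, date(2024, 3, 20)),
]

if __name__ == "__main__":
    print(resubmitted_receipts(CLAIMS))
    print(repeated_no_receipt(CLAIMS))
```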

But whatever you do, don’t target employees and treat them like criminals. If you treat them like criminals, they will become criminals. Create good procedures and processes for invoices and payments, install solutions where it is easier to follow the procedures and processes than ignore them, and make it about cost control, not fraud prevention, and you’ll find that fraud just isn’t as much of a concern. (Fraudsters choose easy targets.)

Technological Damnation 92: Data Loss

It is the information age and data is the life blood of the company and the supply chain. The financial chain is controlled by data. The physical flow of goods is dictated by data. People communicate electronically through data packets. It’s all data. And losing that data is a damnation. Not just because data is lost, but because:

Lost Intellectual Property data is a loss of competitive advantage

Sometimes the only edge a company has is its intellectual property that it can use to create a slightly better product, do better in a foreign market, or lower its costs enough to undersell the competition when its products are no better. If that gets stolen, and one or more competitors get their hands on it, the advantage is gone and all of a sudden the product is no better, the edge in the foreign market is lost, and there is no cost advantage to exploit in the end product.

Intrusions that result in lost or stolen data are hard to trace

If your systems or networks get hacked, and your data is stolen, good luck figuring out who got your data, because chances are that not only will you not be able to figure out who hacked you, but you will not even be able to figure out where the hack came from. Right now, there are free hacking toolkits for every major OS on the deep web that can bounce packets off of dozens of anonymous proxy servers, fake TCP/IP headers, and exploit dozens upon dozens of security holes that can be launched successfully against the average system by budding script kiddies — so imagine what real black-hats can do if this is what they give away for free. Do you know how many zero-day exploits are in your systems? They do!

Even if the intrusions are traced, loss is hard to recover

Let’s say you are able to afford, and hire, the best white-hat trackers from the top security firms on the planet and they trace the hack to, let’s say, a rogue hacker in China or Russia. Do you think you’re going to recover anything? Nope. And even if you can trace the hack to your country or a country that you operate in, do you think suing a hacker who got an untraceable payment to a Swiss or Cayman Islands account is going to net you anything? No way!

Data loss prevention requires very powerful, expensive, digital vaults

The only protection your organization has is to install the best systems with the best encryption configured by real security pros. This is not easy to do. Considering that most web sites are full of security holes that are easily uncovered by open source products like PortSwigger’s Burp Scanner, imagine how hard it is to properly secure a database, an ERP, an OS, and the communication lines between them. So not only do you have to buy a top of the line system with embedded security, but then you have to find a real security expert to properly configure and harden the system — who is extremely pricey if you manage to find that person.

And loads of security training, awareness, review, and enforcement.

The majority of data thefts are not the result of hacks, but the result of disgruntled employees with access or social engineering. That’s why you need good policies, training, and enforcement. An admin should not grant carte-blanche access to data in a system to an employee who does not need it just because it’s too hard to set up the role-based security, even if the employee is happy and trustworthy. Chances are that security will never be reviewed and if, in two years, the employee gets disgruntled or falls on hard times, that’s an exploit waiting to happen.

But the biggest risk is the average employee who writes her password on a Post-it inside her drawer, a receptionist who does a system test when asked over the phone, or an office admin who grants a workman access to the server room because they look like they should be there. The most common way a hacker gets access to your system is by posing as the janitorial staff who gets to go into every cubicle to empty garbage (and check desks for password Post-it notes), as the vendor rep who wants to test the server connection (and has the rep go to a site that looks like the vendor portal admin screen and log in for a speed / reliability test when all it does is capture the authentication data before passing through to a real site), or by dressing up as an IT shop employee there to fix the server — because once you’re on the live system, you can suck all the admin codes you want for a remote access later. Poor security practices open holes bigger than the Vredefort crater.

And the average person does not understand this, even after repeated instructions and explanations as to why writing the password down is dangerous. So this damnation will be with us for quite some time.

Societal Damnation 40: Crime / Piracy

These damnations have been around longer than supply chains, and they aren’t going away any time soon. The only difference is that the types of crime an organization is exposed to today are much more varied than the crimes an organization was exposed to in the past. For example, terrorist attacks, identity theft, and cybercrime were not something the average large organization had to deal with on a regular basis, if at all.

But now, terrorist organizations, many of which are composed of individuals who are ex-military or trained by military and/or government agencies, are becoming common in many countries where there is significant civil unrest or animosity towards a people or government. And these terrorist organizations often target large shipments of goods that they need to sustain their efforts near the territories that they are based in — and this is not just restricted to weapons but also includes fuel, food, clothing, and personal electronic devices. It’s not just common thieves and criminal groups plotting to steal a few boxes or empty an 18-wheeler when the driver takes a lunch break — it’s a terrorist organization planning to steal an entire convoy of 18-wheelers (because they want the trucks too).

It used to be that identity theft was when one person impersonated another to fool an unsuspecting individual at a company or bank to gain access to funds or products, and this could easily be protected against by good security measures, passwords, and biometrics, but now we have the situation where the identity of entire companies is being stolen. This has become especially prevalent in the US since the introduction of MAP-21 (which SI likes to call RIP-21) which resulted in thousands of small transport companies going out of business when the minimum bond was increased from 10,000 to 75,000. Shortly after this happened, some very enterprising individuals decided to set up fake companies that pretended to be the company that was out of business. They faked registration documents, insurance certificates and bonds, and personnel records, presented themselves to 3PLs that the company previously worked with (stating that they managed to raise the bond money and were back in business), and even presented themselves to large manufacturers and retailers the company used to do business with. When contracts were awarded, they acquired trucks, hired drivers, and made deliveries. Some of them even operated just like a legitimate company for months until they were trusted with a multi-million dollar shipment of products that would fetch a similar sum on the black market — then they vanished overnight with millions of dollars of products. (See SI’s post on how increased cargo theft is the next impact of MAP-21.)

And cybercrime has hit entirely new levels. It used to be that the best a hacker could do was steal a bank account number and password, do an ACH transfer, and make off with the operating account. But now, hackers can infiltrate your networks and make off with all of your bank account numbers and passwords, hack other networks and replace the corporate director and officer records, falsely represent themselves as your company to banks and lenders (by stealing the identities of your corporate officers and then hacking your virtual private networks and spoofing your IP addresses to access your bank accounts in what appears to be a legitimate access by the bank), take out massive loans and not only make off with every dollar in every account you have, but leave your company on the hook for millions more. And that’s if the hackers are being nice. Plus, while the hackers are at it, they hack your merchant terminals, steal all of your customers’ credit card information, sell it on the black market, and leave you with a massive media black eye that puts your brand reputation in the toilet.

If you thought the Fraud and Corruption (as chronicled in Damnation 41) was bad, just wait until you have to deal with the new terrorists, identity fraudsters, and cyber-criminals. And if you survive this first wave, then you get to deal with the Somali pirates! (And they are a whole lot meaner than the Saskatchewan pirates.)