Category Archives: Fraud

Societal Damnation 41: Fraud & Corruption

As per our damnation post last year, fraud and corruption is everywhere and running havoc on your organization and your supply chain. A recent Kroll Global Fraud Report in late 2013 found that 70% of companies were affected by fraud in the prior 12 months, which represented an increase of 15% over the previous twelve months. In other words, at the time, 7 in 10 companies were hit by fraud in the previous year. But it gets worse. The Economist at the same time also found that fraud was on the rise and predicted that it would continue to rise. If the rate of increase remained steady, then 4 of 5 businesses got hit with fraud last year and 9 out of 10 business will get hit with fraud this year. Yowzers!

Procurement fraud can be particularly costly and damaging regardless of if you are in the public sector or the private sector. The UK public sector estimated that fraudulent purchasing on an annual basis cost it £ 2.3 Billion in 2012! Zoinks! And while it’s harder to find good numbers for the US, a 2011 report by Computer Evidence Specialists found that Fraud cost the US $1.32 Trillion in 2010, of which 733 Billion was Corporate (with 68% committed by corporations and 32% committed by employees). Hamana! Hamana!

If you are a large organization, whether you want to admit or not, there is a small percentage of employees, suppliers, and customers that are looking to rip you off for as much as they think they can get. Every day of the week, including Sunday. Not everyone, not by a longshot, but enough people to make your job miserable.

So what can you do? As per our damnation post, a good start is to

  • have an invoice policy that is strictly followed that only accepts invoices from approved suppliers, only for approved goods or received services, and only at contracted or publicly advertised rates
  • have strict spending limits and controls that enforce them which ensure that only people with authority can grant approvals for bypass, and that such approval is clearly logged in an auditable fashion
  • careful inspections of all goods received to make sure the organization gets what was ordered and what is paid for

But that’s just a start. The organization should also:

  • analyze all invoices or expenses without a PO very carefully to ensure they are not duplicate, that the goods or services were received, and that the prices billed are the prices the organization committed to pay
  • have strict policies on who is allowed to buy and what they can buy and have a policy that repeated or serious offences can, and will, result in immediate dismissal
  • have a standard contract rider that no invoices for off-contract goods or services will be accepted without a PO that all contracted suppliers must sign, as this will severely limit how many unexpected invoices show up
  • use data mining and machine learning to identify potential fraud as the same receipt submitted 3 times two months apart, or patterns of the same no-receipt charges, or duplicate billings for the same service months apart will be immediately identified as suspect, for example
  • keep up on fraudulent statistics and schemes and identify methods to enable the quick identification thereof before new fraud methods and attempts cost the organization too much money

But whatever you do, don’t target employees and treat them like criminals. If you treat them like criminals, they will become criminals. Create good procedures and processes for invoices and payments, install solutions where it is easier to follow the procedures and processes than ignore them, and make it about cost control, not fraud prevention, and you’ll find that fraud just isn’t as much of a concern. (Fraudsters choose easy targets.)

Technological Damnation 92: Data Loss

It is the information age and data is the life blood of the company and the supply chain. The financial chain is controlled by data. The physical flow of goods is dictated by data. People communicate electronically through data packets. It’s all data. And losing that data is a damnation. Not just because data is lost, but because:


Lost Intellectual Property data is a loss of competitive advantage

Sometimes the only edge a company has is it’s intellectual property that it can use to create a slightly better product, do better in a foreign market, or lower its costs enough to undersell the competition when its products are no better. If that gets stolen, and one or more competitors get their hands on it, the advantage is gone and all of a sudden the product is no better, the edge in the foreign market is lost, and there is no cost advantage to exploit in the end product.


Intrusions that result in lost or stolen data are hard to trace

If your systems or networks get hacked, and your data is stolen, good luck figuring out who got your data, because chances are that not only will you not be able to figure out who hacked you, but you will not even be able to figure out where the hack came from. Right now, there are free hacking toolkits for every major OS on the deep web that can bounce packets off of dozens of anonymous proxy servers, fake TCP/IP headers, and exploit dozens upon dozens of security holes that can be launched successfully against the average system by budding script kiddies — so imagine what real black-hats can do if this is what they give away for free. Do you know how many zero-day exploits are in your systems? They do!


Even if the intrusions are traced, loss is hard to recover

Let’s say you are able to afford, and hire, the best white-hat trackers from the top security firms on the planet and they trace the hack to, let’s say, a rogue hacker in China or Russia. Do you think you’re going to recover anything? Nope. And even if you can trace the hack to your country or a country that you operate in, do you think suing a hacker who got an untraceable payment to a Swiss or Cayman Islands account is going to net you anything? No way!


Data loss prevention requires very powerful, expensive, digital vaults

The only protection your organization has is to install the best systems with the best encryption configured by real security pros. This is not easy to do. Considering that most web sites are full of security holes that are easily uncovered by open source products like PortSwigger’s Burp Scanner, imagine how hard it is to properly secure a database, an ERP, an OS, and the communication lines between them. So not only do you have to buy a top of the line system with embedded security, but then you have to find a real security expert to properly configure and harden the system — who is extremely pricey if you manage to find that person.


And loads of security training, awareness, review, and enforcement.

The majority of data thefts are not the result of hacks, but the result of disgruntled employees with access or social engineering. That’s why you need good policies, training, and enforcement. An admin should not grant carte-blanche access to data in a system to an employee who does not need it just because it’s too hard to set up the roles based security, even if the employee is happy and trust-worthy. Chances are that security will never be reviewed and if, in two years, the employee gets disgruntled or falls on hard times, that’s an exploit waiting to happen.

But the biggest risk is the average employee who writes her password on a post it inside her drawer, a receptionist who does a system test when asked over the phone, or an office admin who grants a workman access to the server room because they look like they should be there. The most common way a hacker gets access to your system is by posing as the janitorial staff who gets to go into every cubicle to empty garbage (and check desks for password post-it notes), as the vendor rep who wants to test the server connection (and has the rep go to a site that looks like the vendor portal admin screen and login for a speed / reliability test when all it does is capture the authentication data before passing through to a real site), or by dressing up as an IT shop employee there to fix the server — because once you’re on the live system, you can suck all the admin codes you want for a remote access later. Poor security practices opens holes bigger than the Vredefort crater.

And the average person does not understand this, even after repeated instructions and explanations as to why writing the password down is dangerous. So this damnation will be with us for quite some time.

Societal Damnation 40: Crime / Piracy

These damnations have been around longer than supply chains, and they aren’t going away any time soon. THe only difference is that today the types of crime an organization is exposed to today are much more varied than the crimes an organization was exposed to in the past. For example, terrorist attacks, identity theft, and cybercrime were not something the average large organization had to deal with on a regular basis, if at all.

But now, terrorist organizations, many of which are composed of individuals who are ex-military or trained by military and/or government agencies, are becoming common in many countries where there is significant civil unrest or animosity towards a people or government. And these terrorist organizations often target large shipments of goods that they need to sustain their efforts near the territories that they are based in — and this is not just restricted to weapons but also includes fuel, food, clothing, and personal electronic devices. It’s not just common thieves and criminal groups plotting to steal a few boxes or empty an 18-wheeler when the driver takes a lunch break — it’s a terrorist organization planning to steal an entire convoy of 18-wheelers (because they want the trucks too).

It used to be that identify theft was when one person impersonated another to fool an unsuspecting individual at a company or bank to gain access to funds or products, and this could easily be protected against by good security measures, passwords, and biometrics, but now we have the situation where the identify of entire companies is being stolen. This has become especially prevalent in the US since the introduction of MAP-21 (which SI likes to call RIP-21) which resulted in thousands of small transport companies going out of business when the minimum bond was increased from 10,000 to 75,000. Shortly after this happened, some very enterprising individuals decided to setup fake companies that pretended to be the company that was out of business. They faked registration documents, insurance certificates and bonds, and personnel records, presented themselves to 3PLs that the company previously worked with (stating that they managed to raise the bond money and were back in business), and even presented themselves to large manufacturers and retailers the company used to do business with. When contracts were awarded, they acquired trucks, hired drivers, and made deliveries. Some of them even operated just like a legitimate company for months until they were trusted with a multi-million dollar shipment of products that would fetch a similar sum on the black market — then they vanished overnight with millions of dollars of products. (See SI’s post on how increased cargo theft is the next impact of MAP-21.

And cybercrime has hit entirely new levels. It used to be that the best a hacker could do was steal a bank account number and password, do an ACH transfer, and make off with the operating account. But now, hackers can infiltrate your networks and make off with all of your bank account numbers and passwords, hack other networks and replace the corporate director and officer records, falsely represent themselves as your company to banks and lenders (by stealing the identities of your corporate officers and then hacking your virtual private networks and spoofing your IP addresses to access your bank accounts in what appears to be a legitimate access by the bank), take out massive loans and not only make off with every dollar in every account you have, but leave your company on the hook for millions more. And that’s if the hackers are being nice. Plus, while the hackers are at it, they hack your merchant terminals, steal all of your customer’s credit card information, sell it on the black market, and leave you with a massive media black eye that puts your brand reputation in the toilet.

If you thought the Fraud and Corruption (as chronicled in Damnation 41) was bad, just wait until you have to deal with the new terrorists, identify fraudsters, and cyber-criminals. And if you survive this first wave, then you get to deal with the Somali pirates! (And they are a whole lot meaner than the Saskatchewan pirates.)

Societal Damnation 41: Fraud and Corruption

Fraud and Corruption is everywhere and running havoc on your organization and your supply chain. A recent Kroll Global Fraud Report in late 2013 found that 70% of companies were affected by fraud in the prior 12 months, which represented an increase of 15% over the previous twelve months. In other words, at the time, 7 in 10 companies were hit by fraud in the previous year. But it gets worse. The Economist at the same time also found that fraud was on the rise and predicted that it would continue to rise. If the rate of increase remained steady, then 4 of 5 businesses got hit with fraud last year and 9 out of 10 business will get hit with fraud this year. Yowzers!

Moreover, Procurement Fraud can be particularly costly and damaging, in both the public and private sectors. For example, a recent article over on Supply Management on how Councils [were] told to do more to tackle Procurement Found found that there were 107,000 cases of Procurement fraud detected by local authorities in 2012-2013 that combined accounted for £s; 178 million! And this is just a drop in the bucket when compared to the total amount lost by the UK public sector to fraudulent purchasing on an annual basis, an amount that was estimated at £s;2,300 million in 2012! Zoinks!

It’s harder to find good numbers for the US, but a 2011 report by Computer Evidence Specialists found that Fraud cost the US $1.32 Trillion in 2010, of which 733 Billion was Corporate (with 68% committed by corporations and 32% committed by employees). This number might sound surprising but when you consider that between 2000 and 2007 a small South Carolina parts supplier collected about 20.5 Million from the Pentagon between 2000 and 2006 in fraudulent shipping charges, including $998,798 for sending two 19-cent washers to an Army base in Texas, it puts things in a different light. (Source M4Carbine.net archives.) Hamana, hamana!

If your organization is not on full alert 24/7, it is going to get hit with fraud from somewhere in the organization or the supply chain. It’s just a matter of time before an attempt is made. This fraud can take many forms, which can include, but are not limited to:

  • invoices from non-existent suppliers
    usually submitted by an employee for services (not received) or goods of questionable origin to try and defraud the company of money (or by a random third party trying to hope a small invoice slips through unnoticed)
  • invoices from suppliers for off-contract goods and services
    usually for smaller dollar amounts for services “to be received” or for goods that are priced above standard list price for “emergency provision and delivery” where a supplier is trying to eek out more revenue or an employee is colluding to get a kickback
  • bait-and-switch
    where the supplier promises you the newest high-end laptop with the top-of-the-line processor and memory chips, but you actually get last year’s model which has depreciated 30% less (because, not being an IT shop, the supplier thinks you won’t know the difference) or charges you for Grade 5 Bolts when in fact they are only Grade 2 Bolts (and which you intend to use in commercial busses used to transport passengers, giving you a legal liability as well as a case of fraud)
  • inflated T&E claims
    where meetings across town are 50 miles instead of 10, all meals are $1 below the per diem limits, significant “entertainment” charges (especially on the first and last day where the employee or manager was actually entertaining friends and relatives), etc. (or, and this happened, the same receipt is accidentally submitted on consecutive expense reports)
  • inflated performance claims
    where a buyer “negotiates” a year-end rebate in exchange for guaranteed volume at unnecessarily higher prices next year so that he can exceed his savings target and get a bigger bonus
  • “lost” / “damaged” stock
    that is “walked” off the truck by an employee during a pre-lot entry inspection or, if the merchandise is un-returnable / too costly to return, declared damaged and purchased at pennies at the dollars by an employee who will resell the undamaged products on his own

In other words, fraud can happen anywhere, and at any time, and if a Procurement organization is not vigilant, it will happen to them. Fortunately, steps can be taken to reduce the chances of most of these frauds. Having a policy that invoices will only be accepted from approved suppliers, that all invoices from approved suppliers for non-contracted goods and services and/or for goods and services at non-contracted rates will prevent most external fraud from slipping through the system. (Collusion can still bypass the best of controls, but, unless the system is hacked, you know exactly who perpetrated the fraud in this instance.) Having T&E limits without budget manager approval, automatic zip-code based mileage checks, and fixed per-diems (while more costly) can weed out a lot of T&E fraud. Careful inspections and a two-step process can minimize the chances of a bait-and-switch and good stock being written off. And waiting a quarter to verify the numbers then and now before issuing a bonus will discourage many employees from trying to inflate their savings (or sales) claims.

However, no system is perfect and a lot of process transformation, and diligence, will be required to minimize the risk of fraud and corruption and limits its impact if it does happen. For Procurement, it’s another damned if you do (as the effort takes time and resources away from good category management that is often the largest source of value generation) and damned if you don’t (as the losses from a single fraud could wipe out most of the captured savings).

If Software Has to Embed Games To Make You Want To Use It …

Then the software isn’t worth using in the first place!

When Pierre mentioned a YouTube video of a “first-person shooter” (FPS) game for SAP PO (Purchase Order) approvers to blow away those pesky POs in his recent piece on Gamification in Procurement (Plus content on Spend Matters), I thought he was being satirical! But he was being factual. And it’s pathetic that this concept exists.

While I agree that gamification has potential as a learning tool, the fact that you have to consider putting games inside your software to get people to use it says, no, screams something — YOUR SOFTWARE SUCKS and no one should be using it in the first place when there are dozens of other options.

In other words, when Pierre said that this is where gamification really runs the risk of going off the rails and resembling the proverbial hammer looking for the nail I not only have to agree, but take it one step further and emphatically state that this is where gamification goes completely off the rails.

Supply Management technology should help you get your job done efficiently and effectively. If it’s done right, and accomplishes this goal, you will want to use it because you’re overworked, underpaid, and will do whatever it takes to get the job done and get home before it’s time to go to bed and start the cycle all over again. Because, while you like games, you’d rather go home and play a tabletop Euro-game with your family where you not only get to challenge your problem solving skills and teach the next generation the basics of supply and demand and resource management, but actually enjoy some time with your family.

So, while Pierre is right in that games, properly applied, can be powerful learning tools (and why SI ran a whole series on the Board Gamer’s Guide to Supply Management), they are educational and modelling tools that need to be used appropriately — not misused to mask crappy software. So, when it comes to games, apply the theory (and, yes, game theory is great), and leave the FPS to the war-gamers.