Category Archives: Fraud

Hiperos – It’s So Hip To Be Square with 3rd Party Management! Part II

Hiperos provides a SaaS platform that allows an organization to manage the entire 3rd party lifecycle, which consists of registration, data collection, segmentation, control automation, assessment, management, and collaborative issue resolution.

Hiperos includes your standard SIM (Supplier Information Management) functionality that allows for supplier self-service registration and profile maintenance and data integration from third party sources. On top of that it implements a user-configurable rules-based workflow that allows third-parties to be segmented into different buckets that represent the different programs that they need to be subjected to – be it FCPA, REACH, WEEE, HIPAA, or some other type of compliance or monitoring program. Each bucket has its associated monitoring rules that notify the third party when more information is needed and that automatically alert the user when a violation is detected or when information is not provided by the third party in a timely fashion. Assessments are automatically run every time new data becomes available and can be run by a user at any time. The fact that all relevant third party information is available at all times allows users to pro-actively manage third parties, and associated risks, and then either work with third parties to mitigate risks, if the potential infraction can be corrected, or cut them loose if the risk of association is too great (because they showed up on a denied party list or use child labour in their supply chain).

The application, which loads the default user-defined dashboard, allows a user to manage third parties, engagements, relationships, products, and programs and to define programs, vendor communities, reports, and analytics.

The dashboard is multi-tabbed and allows a user to define relevant views on each of the application areas defined above, as well as a default dashboard that allows the user to see the information most relevant to him or her. At the top of the dashboard is a link to current action items that allows a user to quickly see what needs to be done in third party management, engagements, programs, etc. The dashboards can be configured using hundreds of pre-defined (reporting) widgets or the user can define their own widgets by defining appropriate reports in the reporting module. And the user can bring in real-time news and data feeds from sites of interest.

The application can track any compliance, performance, sustainability, or risk data elements of interest and, like any good SIM platform, is preconfigured to track hundreds of relevant data items, depending upon the programs you define as relevant for a given compliance, performance, or risk program (which minimizes the amount of configuration required to track custom fields). And not only is all relevant data available from any view that is program or user defined, but it’s all interlinked so a user can click on a third party included in a program, see the relevant report(s), and then dive into the third party data management screen to examine the raw data elements, and then run a report on just a data subset.

Program definition is flexible and allows for any type of compliance, risk, sustainability, or performance program you can think of. In addition, the fact that Hiperos also supports contract meta-data and third-party data feeds allows financial impact reports to be generated. That way, a user always knows what the impact of a third-party falling out of compliance is to the organization. Knowing that a tier-one supplier might be buying from a tier-two supplier that might be using child labour is one thing, but knowing that the organization is spending 20 Million across 5 categories on that tier-one supplier is something else. In the first case, the supplier is put on the “investigate” list and someone gets around to it when they get around to it. In the second case, the user knows that it is a high priority and an investigation has to be started immediately as the public backlash will be extremely damaging to the organization if it gets out that 20 Million is being spent on products and/or services that were partially produced by child labour.

Hiperos has also included extensive color-coded geo-mapping capabilities so that you can quickly see, for any program, where the highest risk areas are globally and dive in. While Hiperos is not the first company to do this, they have latched on to the fact that the visual representation of risk or non-compliance by region allows one to quickly see what regions have to be monitored. This allows resources to be properly applied, especially since proper monitoring will typically require subscriptions to appropriate data feeds for those regions.

The Market Intelligence capabilities are quite extensive too, and they have pre-configured watch-lists, diversity monitoring, parent-subsidiary monitoring, subcontractor monitoring, REACH/WEEE monitoring, and dozens of other feeds of interest which can be enabled as required by the client.

And the analytics piece supports the full suite of slice-and-dice capabilities found in most sourcing products today, so that you can dive into the data and find out which suppliers, categories, or programs represent the highest risk to your organization.

There’s quite a bit of data, and the application can be quite busy at times, but Hiperos has one thing right: where compliance is concerned, it’s Hip to be Square.

Hiperos – It’s So Hip To Be Square with 3rd Party Management! Part I

When we last checked in with Hiperos, they had evolved from a Risk Management platform to an “Extended Enterprise Management” platform that integrated Contract Management, Compliance Management, Performance Management, and Sustainability Management into a 360° solution platform for an organization that wanted to get these various facets of risk under control.

However, as they have continued to roll-out their platform and work with clients in different verticals (beyond finance, which was their initial core strength and where they appear to be dominating the market), they have found that as enterprises get their internal(ly controlled) risks under control, their clients realize that typically the biggest risks they face are from their suppliers and vendors who provide them with all sorts of direct and indirect products and services. As a result, 3rd Party Management (3PM) has become critical to their operational success. How critical?

Consider these statistics. Forty-four percent of data breaches involve third parties, and the most expensive data breach has cost 35.3 Million dollars to resolve. And while this is atypically high, a data breach will cost an organization millions to resolve (as even the cheapest data breach cost $780,000). And if there turn out to be traces of blood money or drug money in your supply chain, it could cost you as much as $160 Million to settle the resulting probe. In short, 3rd Party Risk, if not properly managed, is likely to end up costing your organization millions. The only question is when.

And if you believe that preventative spending to manage risks that might not happen is unwise in this economy, consider this. Organizations that implemented Hiperos 3rd Party Management saw a 75% reduction in customer impact incidents due to sole sourcing. One organization was able to eliminate a seven-figure spend of 4 Million in annual subscription fees that it was paying just to ensure that it wasn’t using blacklisted or banned suppliers (and that it wasn’t working with suppliers who were known to bribe and/or be involved in anti-corruption investigations) as the Hiperos 3rd Party Management solution contained all the functionality they needed. And, overall, Hiperos’ clients saw a 300% increase in the assessment of 3rd parties with a high-breach potential — allowing them to be vetted or eliminated before a costly incident occurred.

And this is just a short-list of costly compliance and reputational risk facing an average organization that operates globally and has to deal with ISO, SAS 70, Anti-Bribery, Anti-Money Laundering, FCPA, SOX, OCC, CFPB, REACH, WEEE, OSHA, HIPAA, and W9 security and reporting obligations, just to name a few. A third party management solution tracks all of this, and more.

So what does Hiperos do to help you with your 3rd Party Management? Stay Tuned for Part II.

Worried About P2P Fraud? Here’s How to Prevent Even More of It!

In yesterday’s post we reviewed Accounts Payable News’ recent piece on the top six ways to carry out P2P fraud that every Supply Management professional should be aware of BEFORE implementing any P2P system. We did this because, as pointed out by Spend Matters UK, Procurement Related Fraud [is] On the Rise (or at least more instances are being caught and prosecuted). The post chronicled four recent high-profile cases, of which two involved collusion between a buyer and a supplier (where the buyer purposely overpaid a supplier or helped them win a bid in exchange for cash kickbacks), one was a purely internal fraud conducted by a sole buyer (who set up dummy corporations that issued false invoices that were paid to an account the buyer controlled), and one was an external fraud in which a criminal convinced accounts payable to change payment information for a genuine supplier to the criminal’s bank account.

In other words, we had a case of social engineering and supplier payment diversion by outsiders, a case of fictitious invoices for goods not actually delivered by an insider, a case of undermining of control by way of buyer-supplier collusion, and a case of tacit approval of unapproved “handling” costs to a supplier, who would pay a kick-back. All of the frauds Accounts Payable News warned us about have recently occurred in big organizations and ended up as high-profile cases before the courts. And at least three of these could have easily been prevented. Having a second party phone the supplier’s AR department to verify banking details would have quickly revealed the social engineering fraud, verifying that goods were received would have prevented payment of the fictitious invoices, and mandatory approvals for any costs above contract terms or market rates would have prevented the supplier overpayments. The undermining of control would be difficult to stop if it was a single party feeding a preferred supplier confidential information, but note that this is procurement-related fraud, and not pure P2P fraud.

In other words, as mentioned in yesterday’s post, if one solves two of three situations that are common among procurement frauds, fake data and lack of control to be precise, many frauds can be prevented. And while you can never solve the collusion issue, having to accept that the best you can do is discourage it, the reality is that you can minimize it. As pointed out by the Spend Matters UK,
Motive + Opportunity = Bad Things Happen,
and opportunity can certainly be minimized.

However, as implied by Spend Matters UK, what you really have to worry about is motive. The chance of fraud increases substantially when someone has a motive, and, as further pointed out by the post, motive increases greatly when there is:

  • Financial Need
    If someone is deeply in debt, has a gambling problem, or owes the mob money, that someone is going to be driven to get money any way he can.
  • A Psychological Defect
    If someone has a pathological desire for thrills, and fraud is their fix, sooner or later, he’s going to try.
  • A sense of Entitlement
    This could take the form of greed, or of jealousy if the individual, who works hard, sees superiors getting big rewards for little effort while the individual gets little or no rewards for a lot of effort.

And while you can’t tell what a person is thinking, some people have easy tells that you can use to evaluate your chance of risk, and put additional controls in place if the chance of risk is high. For example, if a credit check shows the person is bordering on bankruptcy, that person could be more susceptible to opportunities for fraud, or at least to bribes. While it’s not necessarily the case, as some people would rather starve than steal a dollar, it should trigger extra precautions at least until you are sure the person is trustworthy.

In addition, basic psychological testing can often reveal a need to over-achieve or an undeserved sense of entitlement. These people could also pose financial risks to your firm and their financial control should be limited until their performance is adequately measured and your trust has been earned.

The simple fact is that people without a want or a need have no motive, and opportunity means very little to them. While it’s not as easy to weed out motive as it is to lock out a system, if millions are on the line, spend a few hundred on a background check, and if we’re talking an executive, a personality assessment wouldn’t hurt either.

Worried about P2P Fraud? – Here’s How To Prevent Most Of It!

Accounts Payable News recently ran a good article on the top six ways to carry out P2P fraud that every Supply Management professional should read BEFORE implementing any P2P system. While the sheer presence of a P2P system will discourage fraud, as fraud will be much harder to hide and/or require collusion if the system is properly integrated, it also enables fraud to be conducted faster and at a much larger scale if there are holes in the implementation. But first, let’s look at the frauds identified:

  • Social Engineering
    A user who doesn’t need admin access gets it by convincing IT that it will be quicker if they can create accounts for authorized individuals, or that they need it for testing after hours. If such admin access can be used to create new, fictitious, suppliers with banking information that don’t require payment approvals …
  • Fictitious Invoices for non-PO spend below the bar
    If invoices below a certain threshold, like $1,000, automatically get paid (without a purchase order or, worse, goods receipt match) from preferred suppliers if the line items are on an approved list, then all it takes is collusion between a buyer and supplier to generate and approve a few (dozen) false invoices and both get a free vacation on the Riviera.
  • Reassignment and Undermining of Control
    If a fraudster can convince others to reassign approvals or part of the payment process to himself, then he can approve fictitious invoices from fake suppliers, which are actually companies, and bank accounts, he controls.
  • Receipt of goods not actually delivered
    If the buyer, who never steps foot in the warehouse or on the construction site, receipts goods never delivered, the buyer can arrange for a supplier to be paid twice if the supplier sends an invoice before the goods, gets paid right away, and then drops off a second invoice with the goods, which is then matched against a PO and receipted. And, of course, the buyer would get a kickback.
  • Approval of unapproved handling costs
    Which were never in the contract, but of which a portion will be kick-backed to the colluding buyer.
  • Supplier Payment Diversion
    A smart buyer will open a bank account in a name that sounds like it is the supplier’s name, like MJ Consulting if the supplier is M&J Consulting, provide finance with new banking instructions from a spoofed e-mail account, and collect the payments until AP discovers they have incorrect account information.
If you analyze these types of fraud, you see a couple of commonalities:

  • Fake Data
  • Lack of Control
  • Collusion

It’s very easy with modern technology to prevent the first two and make the third harder, in that more people will have to be in on the fraud for it to succeed. Specifically, if you take the following steps:

  • Lock down access to finance and admin functionality to only those who need it
    and, using fine-grained role-based security, restrict admin functionality to only those functions for which the person truly requires admin rights
  • Require 2nd party verification of all regulatory and financial data associated with a supplier
    as no one should be able to both enter and confirm the same data element
  • Only a person performing a function can enter data relating to that function
    as only a warehouse or site worker will know whether the goods are or are not delivered
  • Also require 2nd party verification of any data element that can trigger a payment
    so a goods receipt, as a whole, should be verified by a foreman
  • Absolutely no automatic payments unless (a) the supplier is verified, (b) the supplier’s accounts are verified, and (c) the goods were verified as received
  • Absolutely no payment for an invoice above the minimum threshold for non-automatic payment without a PO
    even with a verified supplier, account, and receipt of goods
  • Absolutely no payment for an invoice above the threshold for which approval is specified
    without a manager approval, even if there is a PO, verified supplier, account, and receipt of goods
  • Absolutely no P2P/e-Procurement systems that don’t encrypt user access information, account information, and approvals. Otherwise, all an enterprising fraudster has to do is get onto the server and either (a) query the database for an admin login, (b) overwrite the account record with his own bank record or, and this is way too easy in some systems, (c) set the approved-for-payment flag next to the invoice to true. The approval field should be a system-encrypted value that only the system can decrypt to a valid “pay on” date using salts, hashes, and ciphers.

This will solve the fake data issue, as there can be no fake data unless there is collusion, and the lack of control issue, as there will be no way around the workflow unless there is collusion. You can’t solve the collusion issue, but you can certainly discourage it. Criminals tend not to trust each other, and when three or more parties are required to pull off a heist, the odds are much more in your favour.
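To make the controls above concrete, here is an added example (not code from the original post, nor from any P2P vendor) of a payment-release gate that enforces them in order: second-party verification of supplier and account data, receipts entered by warehouse staff and confirmed by a foreman, a PO above the auto-pay bar, and a manager approval that is a keyed HMAC over the invoice, payee, account, amount and pay-on date rather than a boolean flag, so a direct database edit of any of those fields voids the approval. The $1,000 auto-pay bar is the post’s; the approval threshold, user names, roles and key are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed values: the $1,000 auto-pay bar is from the post; the rest are assumptions.
AUTO_PAY_LIMIT = 1_000
APPROVAL_LIMIT = 25_000
ROLES = {"alice": "buyer", "wei": "warehouse", "dan": "foreman", "maria": "manager", "raj": "ap"}
SYSTEM_KEY = b"constructed-demo-key"  # real systems keep this in a KMS/HSM, never in the database

@dataclass
class Verified:
    # One data element plus who entered it and who confirmed it (2nd-party verification).
    value: str
    entered_by: str
    confirmed_by: Optional[str] = None

    def ok(self, entry_role: Optional[str] = None, confirm_role: Optional[str] = None) -> bool:
        # Two different people, each in the role that owns the data (when a role is required).
        if self.confirmed_by in (None, self.entered_by):
            return False
        roles_ok = not entry_role or ROLES.get(self.entered_by) == entry_role
        return roles_ok and (not confirm_role or ROLES.get(self.confirmed_by) == confirm_role)

@dataclass
class Invoice:
    invoice_id: str
    supplier: Verified
    bank_account: Verified
    amount: float
    po_number: Optional[str] = None
    receipt: Optional[Verified] = None
    approval_token: Optional[str] = None  # issued by the system, not a flag a DB write can flip

def _approval_mac(inv: Invoice, pay_on: str) -> str:
    # Bind the approval to payee, account, amount and pay-on date: changing any of them voids it.
    msg = f"{inv.invoice_id}|{inv.supplier.value}|{inv.bank_account.value}|{inv.amount:.2f}|{pay_on}"
    return hmac.new(SYSTEM_KEY, msg.encode(), hashlib.sha256).hexdigest()

def issue_approval(inv: Invoice, manager: str, pay_on: str) -> str:
    # System-side only: a manager approves and the system returns the token to store on the invoice.
    if ROLES.get(manager) != "manager":
        raise PermissionError("only a manager may approve")
    return f"{pay_on}:{_approval_mac(inv, pay_on)}"

def verify_approval(inv: Invoice) -> Optional[str]:
    # Return the approved pay-on date, or None if the token is missing or was tampered with.
    pay_on, _, mac = (inv.approval_token or "").partition(":")
    return pay_on if mac and hmac.compare_digest(mac, _approval_mac(inv, pay_on)) else None

def release_payment(inv: Invoice) -> tuple[bool, str]:
    # Apply the post's controls in order; returns (release?, reason).
    for name, elem in (("supplier record", inv.supplier), ("bank account", inv.bank_account)):
        if not elem.ok():
            return False, f"{name} not confirmed by a second party"
    if inv.receipt is None or not inv.receipt.ok("warehouse", "foreman"):
        return False, "goods receipt must be entered by warehouse staff and confirmed by a foreman"
    if inv.amount >= AUTO_PAY_LIMIT and not inv.po_number:
        return False, "invoice above the auto-pay bar has no PO"
    if inv.amount >= APPROVAL_LIMIT:
        pay_on = verify_approval(inv)
        return (True, f"pay on {pay_on}") if pay_on else (False, "manager approval missing or tampered")
    return True, "release"
```

Swapping the bank account on an approved invoice, or a buyer receipting their own goods, is refused by the gate rather than silently paid.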

We Need More Corporate Ethics – Bring on the No-Maximum Mega Fines!

As noted in a recent article on Fine and Punishment, it has been a bumper summer for corporate fines and settlements. With firms in Britain and America agreeing to pay over 10 Billion in the past three months alone, there’s too much corporate wrong-doing these days. But the current fines are not enough. For example, a mere 5K for violating 10+2 is a CEO’s lunch money these days in most Global 3000s. The only act close to defining a fine that will take a real chunk out of the corporate coffers of the guilty that the doctor knows of is the National Defense Authorization Act (NDAA), which allows 15 Million Dollar fines for first offenses and 30 Million Dollar fines for second offenses.

The reality is that a fine is only a deterrent if getting caught would mean a loss. Let’s say the fine for stock-fixing is 1 Million but an investor group could make 10 Million on the fix. Guess what’s going to happen? The stock is going to get fixed if the investor group has anything to do about it because, worst case, they only make 9 Million. The fine HAS to outweigh the reward, or corporate wrongdoing is going to continue to permeate both the financial sector, and the supply chain practices in industries where unlicensed knock-offs (especially in pharmaceuticals or electronics) can save a middle-man millions of dollars and push profits through the roof. As the Economist article states, given a risk-free opportunity to mis-sell a product, or form a cartel, executives will grab it. To them, it’s all about the almighty dollar — and earning more than their peers to earn Wall Street’s favour and have something to boast about at the next charity dinner. (For a great Wall Street Perspective, you have to check out Randall Lane‘s The Zeroes: My Misadventures in the Decade Wall Street Went Insane [now at a bargain price for the hardcover edition on Amazon.com — you can’t go wrong]. Audiobook also available).

Unless the potential fines are crippling, wrong-doing will persist*, and so will cheaping out. And this is the biggest problem. Right now, we need sustainability in supply management, but initial investment in sustainability always costs more, so not only are executives not going to green light sustainable efforts, but if the organization has to look green or socially responsible, they are going to fund the lowest-cost “accredited” third parties that they can find to be “socially responsible”, and, in particular, likely fund those that use shady practices and cut corners everywhere possible. Because when the dollar rules, as long as you can buy the image, why create the real thing?

But if we force ethics back into the corporate world, then maybe we can force sustainability in as well. And when the only choice for gains is again long-term strategy, which is precisely where the economics of sustainability really make sense, maybe we’ll see improvement in ethics and corporate responsibility across the board. Or maybe it’s a pipe-dream. Either way, heftier fines would be a great start!


After all, remember what Randall Lane discovered when he did a Trader Monthly survey in the zeroes:
  If you received an illegal insider tip, a sure thing, and had a 50% chance of getting busted, would you use it? Only 7% would. What about only a 10% chance of getting caught? The numbers spiked to 28%. And what if you had a 0% chance of getting discovered? Suddenly, the number surged to 58%! To the majority of our readers, cheating wasn’t an ethical issue, it was simply a matter of whether they’d get caught.