Service Misrepresentation is Fraud

Editor’s Note: This post is from regular contributor Norman Katz, Sourcing Innovation’s resident expert on supply chain fraud and supply chain risk. Catch up on his column in the archives.

As a consultant, and given my areas of specialty, I never fully know what to expect when I am engaged by a client, as there is always something new to discover. But before I accept any assignment, I perform due diligence to ensure I’m the right person for the job. My due diligence involves a detailed discussion as to the problems the organization is having, technology environment, geographic location, etc. Sometimes I can steer the organization towards a different – and better – solution path, removing me from consideration. It doesn’t pay the bills but it’s the ethical thing to do.

I’m often left with the decision about whether I’m the right person for the job because I know better than the prospective client what my skills and talents are. If I’m not familiar with certain software or hardware, or the problem lies in a situation or industry I’ve not experienced, I’ll tell the prospective client this. It won’t necessarily negate my chances of being selected as the solution provider, because experience has told me that as long as I can quickly acclimate myself to something and have (closely) related experience, I’ve got a good chance of getting the project.

I believe it’s absolutely necessary, in all fairness, to set the expectations as realistic as possible from before the beginning (during the “interview” stage). In no way do I want to surprise a client with what I don’t know during an engagement, after being paid monies leading up to that point.

Some former colleagues of mine asked me into a company they were trying to help; the discussion would center on implementing several unused modules of their Enterprise Resource Planning (ERP) system, and that some data migration and creation would be required. Now, I’ve helped clients with everything from QuickBooks® to SAP®, and with hardware platforms such as Unix®, Linux®, Windows®, AS/400®, and IBM Mainframe. I’m able to do this because I work with my clients’ technology staff or technology provider service companies in concert with my own technical skills. However, despite expertise in some areas, it would likely be more correct to label me an ERP generalist.

I went in and met with the company, and it wasn’t too far into the discussion that I realized they had been told I was something of a “knowledge expert” on their particular ERP system, and the conversation went down from there, as I informed the meeting attendees that while yes, I could perform the work needed (and had done so before in other ERP systems), certain criteria had to be met on their end, such as did they have administrative access to their database and the import/export module. (I had done my homework on their ERP system before I went in.) For each question I asked, the company operating officer and lead technology person had no idea, and neither did my colleague.

Well, I had two choices: hang my colleague for the misrepresentation in front of everyone, or take the bullet myself, and I opted for the latter rather than the former, because that’s the kind of person I am. Later at lunch with my (now former) colleague, I was criticized for my sales pitch: I should just shut up and take the work and then explain the nuances and details later. (Never mind that it’s those nuances and details that are important to understand up front to ensure I was right in accepting the assignment in the first place!)

One definition of fraud describes it as a breach of confidence, and misrepresenting one’s skill set is, in my opinion, fraud.

Regardless of what line of work you are in, (purposeful) misrepresentation is fraud, pure and simple.

I’ve probably turned down more assignments than I’ve accepted in my consulting career, but when you compromise your integrity and dignity, you lose your credibility because eventually your fraud will be revealed, and by that time it’s too late.

Norman Katz, Katzscan

Logistics Management’s Ten Steps to a Safer Supply Chain

Today’s organizations must proactively enhance their supply chain resiliency against multiple threats, because if they don’t:

  • widespread disruption to customer deliveries can occur,
  • brand equity could be damaged,
  • loss of revenue could lead to investor discontent,
  • regulatory scrutiny could increase, and
  • significant legal liabilities can materialize.

That’s why I appreciated an article that Logistics Management ran last year that covered “a framework for protecting your supply chain” because, as the downturn hangs on, the risks of many types of threats increase.

The framework described in the article revolves around 10 security competencies that are required within and across each firm in the supply chain to keep it safe. Specifically, the following competencies are required:

  1. Process Strategy
    An effective security environment requires strong executive commitment and a culture that puts a premium on security.
  2. Process Management
    This requires in-depth understanding of firm and supply chain processes in order to identify vulnerabilities that may cause disruptions.
  3. Infrastructure Management
    This involves the most basic and common methods used to increase security as they serve to form a “perimeter” guarding against unauthorized entry.
  4. Communication Management
    This involves strategies to share potential threat and security information internally with employees and provide communication channels for employees to use when a potential threat exists or incident occurs.
  5. Management Technology
    Information systems provide a first-defense mechanism to understand trends in product contamination and missing shipments, as well as to identify the root causes of these occurrences.
  6. Process Technology
    This is used to track product movement and monitor processes internally and across the supply chain.
  7. Metrics
    Metrics should be developed and captured by the firm to assure adherence to security guidelines.
  8. Relationship Management
    Collaboration with external entities is necessary to ensure that security procedures are communicated and followed.
  9. Service Provider Collaboration Management
    A company cannot create a supply chain protection program alone.
  10. Public Interface Management
    Forging relationships with government agencies is a critical corporate capability to protect against many threats.

Sloppiness or Fraud?

Editor’s Note: This post is from regular contributor Norman Katz, Sourcing Innovation’s resident expert on supply chain fraud and supply chain risk. Catch up on his column in the archives.

A Florida Department of Children and Families supervisor – with 20 years at the agency – bleeds off small amounts of money – not greater than $900 at a time, though sometimes several times per day – from funds set aside for families in need. Total take before she was caught: $1.54 million, money that could have reportedly fed 8,810 families for one month. The supervisor used her knowledge of the agency’s inner workings to get around the system of checks and balances that were in place at the time.

The city of Fort Lauderdale (FL) fails a federal audit for the failure to adequately document how monies dedicated to helping poor people were allocated. The penalty: the city will repay the federal government $2.5 million. The city is accused of sloppy record-keeping, possibly over a 20-year period, a lack of understanding about how federal money must be spent, and a failure to properly train employees. Oddly, I think, the city passed the federal agency’s local office audit, only to fail when the national auditors came to town.

(During the 20 years, the city received some $49 million in this particular grant money; the $2.5 million that was poorly documented represents about 5% of all the monies received over the 20-year period.)

In both cases, a failure of the internal system of monitoring and controls led to the problems. The DCF supervisor’s theft of funds is clearly fraud – theft is also illegal pretty much all the time. In the case of the city’s sloppiness, this is not fraud according to a director for the city, and I believe that to be truthful.

In the case of the DCF supervisor, the fraud was perpetrated with the intent to deceive for her own gain as well as the gain of others. There was a breach of confidence in her relationship with her employer, the state of Florida. There was a purpose to her actions. What makes her theft more unpalatable is that, literally, she took food out of the mouths of people in need to feed her greed.

In the case of the city, there does not seem to be any intent to deceive; we don’t know for sure if the money was spent according to federal guidelines because sufficient documentation was not done, which was the source of the audit failure. However, based on the article I read, there is no indication that the monies poorly documented did not go to help people in need, it’s just that it wasn’t documented well enough. Very likely, the monies went to where they were determined to be needed.

Should the city have known better? Yes. Will the city pay the penalty for their mistake? Yes. Should the federal agency’s local office audit have caught the problem before the federal audit? Yes.

Did the DCF improve their internal controls and monitoring? Well, we hope so.

For activities to be fraudulent there needs to be purpose and intent. The DCF supervisor purposefully worked around the checks and balances with the intent of stealing something not belonging to her.

Inasmuch as good governance compliance requires adherence to rules and regulations, the city of Fort Lauderdale did not perform their due diligence in understanding the documentation requirements for spending federal money. While there could have been intent to deceive so as to allocate the money for some other uses than what it was intended, that does not seem to be the case.

The city will be penalized for their lack of performance, just like the DCF supervisor will be penalized for what she did.

But don’t think that sloppiness cannot be branded as fraud; as Sarbanes-Oxley informs us, management in public companies must understand the business and the activities of the employees they (directly) supervise. Thus, purposeful, willful negligence can be seen as fraudulent behavior, and private enterprises and government agencies are not exempt from good behavior.

Norman Katz, Katzscan

Fighting Corporate Payment Fraud

A recent article in Supply & Demand Chain Executive on “Fighting Corporate Payment Fraud” noted that nearly three-quarters of organizations experienced payment fraud in 2008. While the typical loss was only $15,200, some organizations experienced fraud that was orders of magnitude greater, and if you’re a small business, $15,200 could be the difference between paying two employees this month and not.

So what can you do? Given that the most common type of fraud is check fraud (with over 90% of the organizations who suffered fraud being attacked with check fraud), the second most common is credit and debit cards, and the third is ACH payment fraud, one thing you can do is implement a comprehensive defense against payment fraud by improving your internal controls and utilizing bank solutions available to you. For example, in addition to the paper, electronic, and online security controls that you can institutionalize, many financial institutions now offer payment fraud protection solutions that include debit blocking, payee verification, and post-no-check solutions. It won’t address every type of fraud, but if it prevents you from losing a hundred grand for a few bucks, it’s worth it.

March Madness 2009 Statistics

Editor’s Note: This post is from regular contributor Norman Katz, Sourcing Innovation’s resident expert on supply chain fraud and supply chain risk. Catch up on his column in the archives.

First, my apologies to any college basketball fans who are thinking this post will be discussing hoops. I get about 15 different business magazines each month; they are a very useful resource for keeping up with what’s going on in the world.

In the March 2009 edition of Inbound Logistics, the top 12 corporate ethics and compliance concerns of executives surveyed were listed. Product Safety & Liability came in at #6, with Information Security and Financial Integrity last at numbers 11 and 12 respectively. Anti-bribery, Conflicts of interest & gifts, Anti-trust contact with competitors, Mutual Respect, and Records Management beat Product Safety & Liability. Information Security and Financial Integrity were bested by Privacy, Proper use of computers, Export Controls, and Careful Communication.

Hmmmmm … I’m a little more concerned for my own health and safety now, I think.

In the March 30, 2009 edition of Information Week, 400 respondents to the senior management top security priorities survey showed that 35% of respondents are concerned about protecting data from outside hackers, and 18% are concerned about protecting data from unauthorized employee access.

In the April 2009 (well, it’s close enough to March) edition of CSO Magazine, 1000 ex-employees were surveyed about data security: 79% said they took data without their employer’s permission, with 59% admitting outright to stealing data, and 82% said that employers did not perform audits prior to their dismissal. (24% also stated that they had system access after dismissal.)

Okay … with Information Security and Financial Integrity ranked so low in the area of concerns, and employers more concerned about outside hacks than inside theft (by a 2:1 ratio), is it any wonder that so many employees were able to steal data before and possibly even after their dismissal?

The distribution of intellectual property – customer lists, item prices, suppliers & costs – can cause serious competitive harm to an organization, so much so that it could suffer serious impacts to financial performance.

Protecting an organization from leaking data requires internal and external focus, and I submit that it takes two different groups of talented people to properly address each security vantage point. Protecting the network infrastructure via the use of hardware & software firewalls, anti-virus software, spam monitoring, web site filtering, data copying & transmission prevention, etc., are tasks best left to the folks who are experts in network infrastructure hardware and software. Identifying gaps in business processes and excessive application user rights & roles – especially those that contradict a person’s job description – are best left to business systems analysts and the folks who are in charge of business software application functional administration.

Taking this a step further, I have long wondered why CIOs (Chief Information Officers) are given responsibilities better designated for CTOs (Chief Technology Officers). In my opinion, this is an ideal separation of responsibilities. Working separately the CIO and CTO can focus their talents and resources on their individual areas of expertise. Working together, the CIO and CTO – and their respective teams – can ensure that any solution presented for the enterprise satisfies the business need and works within the technology standards established. (And if the right solution requires standards changes or other enhancements, let the right group handle it.)

What do you think, readers? Is it better to have a CIO and CTO working together in mutual collaboration, or keep all technology tasks – from network infrastructure to business applications – under one C-level executive?

Norman Katz, Katzscan