Category Archives: Fraud

Worried About P2P Fraud? Here’s How to Prevent Even More of It!

In yesterday’s post we reviewed Accounts Payable News’ recent piece on “the top six ways to carry out P2P fraud” that every Supply Management professional should be aware of BEFORE implementing any P2P system. We did this because, as pointed out by Spend Matters UK, “Procurement Related Fraud [is] On the Rise” (or at least more instances are being caught and prosecuted). The post chronicled four recent high-profile cases, of which two involved collusion between a buyer and a supplier (where the buyer purposely overpaid a supplier or helped them win a bid in exchange for cash kickbacks), one was a purely internal fraud conducted by a sole buyer (who set up dummy corporations that issued false invoices that were paid to an account the buyer controlled), and one was an external fraud in which a criminal convinced accounts payable to change payment information for a genuine supplier to the criminal’s bank account.

In other words, we had a case of social engineering and supplier payment diversion by outsiders, a case of fictitious invoices for goods not actually delivered by an insider, a case of undermining of control by way of buyer-supplier collusion, and a case of tacit approval of unapproved “handling” costs to a supplier, who would pay a kick-back. All of the frauds Accounts Payable News warned us about have recently occurred in big organizations and ended up as high-profile cases before the courts. And at least three of these could have easily been prevented. Having a second party phone the supplier’s AR department to verify banking would have quickly revealed the social engineering fraud, verifying goods were received would have prevented payment of the fictitious invoices, and mandatory approvals for any costs above contract terms or market rates would have prevented the supplier overpayments. The undermining of control would be difficult to stop if it was a single party feeding a preferred supplier confidential information, but note that this is procurement-related fraud, and not pure P2P fraud.

In other words, as mentioned in yesterday’s post, if one solves two of the three situations that are common among procurement frauds, fake data and lack of control to be precise, many frauds can be prevented. And while you can never solve the collusion issue, and have to accept that the best you can do is discourage it, the reality is that you can minimize it. As pointed out by Spend Matters UK,
Motive + Opportunity = Bad Things Happen,
and opportunity can certainly be minimized.

However, as implied by Spend Matters UK, what you really have to worry about is motive. The chance of fraud increases substantially when someone has a motive, and, as further pointed out by the post, motive increases greatly when there is:

  • Financial Need
    If someone is deeply in debt, has a gambling problem, or owes the mob money, that someone is going to be driven to get money any way he can.
  • A Psychological Defect
    If someone has a pathological desire for thrills, and fraud is their fix, sooner or later, he’s going to try.
  • A Sense of Entitlement
    This could take the form of greed, or of jealousy if the individual, who works hard, sees superiors getting big rewards for little effort while the individual gets little or no reward for a lot of effort.

And while you can’t tell what a person is thinking, some people have easy tells that you can use to evaluate the level of risk, and put additional controls in place if that risk is high. For example, if a credit check shows the person is bordering on bankruptcy, that person could be more susceptible to opportunities for fraud, or at least to bribes. While it’s not necessarily the case, as some people would rather starve than steal a dollar, it should trigger extra precautions at least until you are sure the person is trustworthy.

In addition, basic psychological testing can often reveal a need to over-achieve or an undeserved sense of entitlement. These people could also pose financial risks to your firm and their financial control should be limited until their performance is adequately measured and your trust has been earned.

The simple fact is that people without a want or a need have no motive, and opportunity means very little to them. While it’s not as easy to weed out motive as it is to lock out a system, if millions are on the line, spend a few hundred on a background check, and if we’re talking an executive, a personality assessment wouldn’t hurt either.

Worried about P2P Fraud? – Here’s How To Prevent Most Of It!

Accounts Payable News recently ran a good article on “the top six ways to carry out P2P fraud” that every Supply Management professional should read BEFORE implementing any P2P system. While the sheer presence of a P2P system will discourage fraud, as fraud will be much harder to hide and/or require collusion if the system is properly integrated, it also enables fraud to be conducted faster and at a much larger scale if there are holes in the implementation. But first, let’s look at the frauds identified:

    • Social Engineering
      A user who doesn’t need admin access gets it by convincing IT that it will be quicker if they can create accounts for authorized individuals, or that they need it for testing after hours. If such admin access can be used to create new, fictitious, suppliers with banking information that don’t require payment approvals …
    • Fictitious Invoices for non-PO spend below the bar
      If invoices below a certain threshold, like $1,000, automatically get paid (without a purchase order or, worse, goods receipt match) from preferred suppliers if the line items are on an approved list, then all it takes is collusion between a buyer and supplier to generate and approve a few (dozen) false invoices and both get a free vacation on the Riviera.
    • Reassignment and Undermining of Control
      If a fraudster can convince others to reassign approvals or part of the payment process to himself, then he can approve fictitious invoices from fake suppliers, which are actually companies, and bank accounts, that he controls.
    • Receipt of goods not actually delivered
      If the buyer, who never steps foot in the warehouse or on the construction site, receipts goods never delivered, the buyer can arrange for a supplier to be paid twice if the supplier sends an invoice before the goods, gets paid right away, and then drops off a second invoice with the goods, which is then matched against a PO and receipted. And, of course, the buyer would get a kickback.
    • Approval of unapproved handling costs
      Which were never in the contract, but of which a portion will be kick-backed to the colluding buyer.
    • Supplier Payment Diversion
      A smart buyer will open a bank account in a name that sounds like the supplier’s name, like MJ Consulting if the supplier is M&J Consulting, provide finance with new banking instructions from a spoofed e-mail account, and collect the payments until AP discovers it has incorrect account information.

If you analyze these types of fraud, you see a couple of commonalities:

      • Fake Data
      • Lack of Control
      • Collusion

It’s very easy with modern technology to prevent the first two and make the third harder, in that more people will have to be in on the fraud for it to succeed. Specifically, if you take the following steps:

      • Lock down access to finance and admin functionality to only those who need it
        and, using fine-grained role-based security, restrict admin functionality to only those functions for which the person truly requires admin rights
      • Require 2nd party verification of all regulatory and financial data associated with a supplier
        as no one should be able to enter and confirm the same data element
      • Only a person performing a function can enter data relating to that function
        as only a warehouse or site worker will know when the goods are/are not delivered
      • Also require 2nd party verification of any data element that can trigger a payment
        So, a goods receipt, as a whole, should be verified by a foreman
      • Absolutely no automatic payments unless (a) the supplier is verified, (b) the supplier’s accounts are verified, and (c) the goods were verified as received
      • Absolutely no payment for an invoice above the minimum threshold for non-automatic payment without a PO
        even if verified supplier, account, and receipt of goods
      • Absolutely no payment for an invoice above the threshold for which approval is specified
        without a manager approval, even if there is a PO, verified supplier, account, and receipt of goods
      • Absolutely no P2P/e-Procurement systems that don’t encrypt user access information, account information, and approvals. Otherwise, all an enterprising fraudster has to do is get onto the server and either (a) query the database for an admin login, (b) overwrite the account record with his own bank record or, and this is way too easy in some systems, (c) set the approved-for-payment flag next to the invoice to true. The approval field should be a system-encrypted value that only the system can decrypt to a valid “pay on” date using salts, hashes, and ciphers.

This will solve the fake data issue, as there can be no fake data unless there is collusion, and the lack of control issue, as there will be no way around the workflow unless there is collusion. You can’t solve the collusion issue, but you can certainly discourage it. Criminals tend not to trust each other, and when three or more parties are required to pull off a heist, the odds are much more in your favour.
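The gate below is an added example (not the post’s code or any vendor’s) that applies the steps above to one invoice record: second-party verification of supplier, bank account and goods receipt with nobody confirming their own entry, a PO above the auto-pay threshold, and a manager approval above the approval threshold stored as a system-keyed HMAC over the invoice, amount, approver and pay-on date rather than a bare flag (the HMAC stands in for the post’s encrypted approval value). The thresholds, field names, key and sample invoice are assumptions constructed for the example.

```python
"""Payment-release gate for the controls above (added example, not the post's code)."""
import hashlib, hmac, json
from dataclasses import dataclass

AUTO_PAY_LIMIT = 1000.00   # assumed: up to this, a verified supplier may auto-pay without a PO
APPROVAL_LIMIT = 10000.00  # assumed: above this, a manager's approval is also required
SYSTEM_KEY = b"constructed-demo-key"  # assumed to be held only by the P2P system itself

def approval_tag(invoice_id, amount, approver, pay_on):
    """System-keyed MAC over the approval; flipping a database flag cannot forge it."""
    msg = json.dumps([invoice_id, f"{amount:.2f}", approver, pay_on]).encode()
    return hmac.new(SYSTEM_KEY, msg, hashlib.sha256).hexdigest()

@dataclass
class Invoice:
    invoice_id: str
    amount: float
    entered_by: str                    # AP clerk who keyed the supplier and invoice data
    supplier_verified_by: str = None   # second party who phoned the supplier's AR
    account_verified_by: str = None    # second party who confirmed the bank details
    receipt_by: str = None             # warehouse or site worker who receipted the goods
    receipt_verified_by: str = None    # foreman who confirmed the receipt as a whole
    po_number: str = None
    approver: str = None
    pay_on: str = None
    approval: str = None               # MAC from approval_tag(), never a bare flag

def release_blockers(inv):
    """Control failures for this invoice; an empty list means payment may be released."""
    fails = []
    checks = (("supplier", inv.supplier_verified_by, inv.entered_by),
              ("bank account", inv.account_verified_by, inv.entered_by),
              ("goods receipt", inv.receipt_verified_by, inv.receipt_by))
    for what, verifier, enterer in checks:
        if not verifier:
            fails.append(f"{what} not verified")
        elif verifier == enterer:
            fails.append(f"{what} verified by the person who entered it")
    if not inv.receipt_by:
        fails.append("no goods receipt")
    if inv.amount > AUTO_PAY_LIMIT and not inv.po_number:
        fails.append("no PO above auto-pay limit")
    if inv.amount > APPROVAL_LIMIT:
        if not (inv.approver and inv.pay_on and inv.approval):
            fails.append("no manager approval above approval limit")
        elif inv.approver == inv.entered_by:
            fails.append("approver is the person who entered the invoice")
        elif not hmac.compare_digest(inv.approval, approval_tag(
                inv.invoice_id, inv.amount, inv.approver, inv.pay_on)):
            fails.append("approval record fails integrity check")
    return fails

# Constructed sample: a fully verified and approved invoice above the approval limit.
SAMPLE = Invoice("INV-1", 25000.0, "clerk", "ap2", "ap2", "warehouse", "foreman", "PO-7", "manager", "2024-01-31")
SAMPLE.approval = approval_tag("INV-1", 25000.0, "manager", "2024-01-31")
```

Replacing SAMPLE.approval with a literal "1" (the flipped flag the post describes) makes the gate report an integrity failure instead of releasing the payment.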

We Need More Corporate Ethics – Bring on the No-Maximum Mega Fines!

As noted in a recent article on Fine and Punishment, it has been a bumper summer for corporate fines and settlements. With firms in Britain and America agreeing to pay over 10 Billion in the past three months alone, there’s too much corporate wrong-doing these days. But the current fines are not enough. For example, a mere 5K for violating 10+2 is a CEO’s lunch money these days in most Global 3000’s. The only act close to defining a fine that will take a real chunk out of the corporate coffers of the guilty that the doctor knows of is the National Defense Authorization Act (NDAA) which allows 15 Million Dollar fines for first offenses and 30 Million Dollar fines for second offenses.

The reality is that a fine is only a deterrent if getting caught would mean a loss. Let’s say the fine for stock-fixing is 1 Million but an investor group could make 10 Million on the fix. Guess what’s going to happen? The stock is going to get fixed if the investor group has anything to do about it because, worst case, they still make 9 Million. The fine HAS to outweigh the reward, or corporate wrongdoing is going to continue to permeate both the financial sector and the supply chain practices in industries where unlicensed knock-offs (especially in pharmaceuticals or electronics) can save a middle-man millions of dollars and push profits through the roof. As the Economist article states, given a risk-free opportunity to mis-sell a product or form a cartel, executives will grab it. To them, it’s all about the almighty dollar — and earning more than their peers to earn Wall Street’s favour and have something to boast about at the next charity dinner. (For a great Wall Street perspective, you have to check out Randall Lane‘s The Zeroes: My Misadventures in the Decade Wall Street Went Insane [now at a bargain price for the hardcover edition on Amazon.com — you can’t go wrong]. Audiobook also available).

Unless the potential fines are crippling, wrong-doing will persist*, and so will cheapening out. And this is the biggest problem. Right now, we need sustainability in supply management, but initial investment in sustainability always costs more, so not only are executives not going to green light sustainable efforts, but if the organization has to look green or socially responsible, they are going to fund the lowest-cost “accredited” third parties that they can find to be “socially responsible”, and, in particular, likely fund those that use shady practices and cut corners everywhere possible. Because when the dollar rules, as long as you can buy the image, why create the real thing?

But if we force ethics back into the corporate world, then maybe we can force sustainability in as well. And when the only choice for gains is again long-term strategy, which is precisely where the economics of sustainability really make sense, maybe we’ll see improvement in ethics and corporate responsibility across the board. Or maybe it’s a pipe-dream. Either way, heftier fines would be a great start!


After all, remember what Randall Lane discovered when he did a Trader Monthly survey in the zeroes:
  If you received an illegal insider tip, a sure thing, and had a 50% chance of getting busted, would you use it? Only 7% would. What about only a 10% chance of getting caught? The numbers spiked to 28%. And what if you had a 0% chance of getting discovered? Suddenly, the number surged to 58%! To the majority of our readers, cheating wasn’t an ethical issue, it was simply a matter of whether they’d get caught.

e-Procurement Systems are Great, but Let’s Not Confuse Transparency and Corruption

A recent Supply Management article (yes, Supply Management, how shocking) caught the doctor‘s eye when it said that EU nations should increase their adoption of e-Procurement to provide greater transparency and reduce the potential for purchasing processes to be corrupted. Bzzt. Adoption of e-Procurement will definitely increase transparency, as all participants will be able to see what’s going on, but let’s not fool ourselves that it will reduce the potential for purchasing processes to be corrupted. It’s still easy for an individual to corrupt a process if he or she wants to, especially since most awards will be made on a weighted scorecard these days.

And since your first reaction is no, definitely not, because Provider XYZ told me that a proper, full-disclosure implementation makes corruption almost impossible, after I tell you bullshit, I’m going to show you how easy it is to corrupt a process if the individual running it is corrupt and wants to corrupt the process.

Let’s say you define a weighted scorecard as follows:

  Metric                Weighting
  Cost Competitiveness  40%
  Supplier Rating       20%
  Product Rating        20%
  Service Rating        20%

Let’s say you have suppliers Alpha, Beta, and Echo bidding. Let’s also say, after a preliminary, unconfirmed, analysis, you have the following rankings, which were supposed to be derived from a thorough evaluation based upon a detailed check-list for each category, on a scale of 1 to 10:

                        Alpha  Beta  Echo
  Cost Competitiveness      9     8     7
  Supplier Rating           8     9     7
  Product Rating            8     7     6
  Service Rating            7     7     6
  Total                   8.2   7.8   6.2

And let’s say that Echo has promised you a free Caribbean vacation (in exchange for “speaking” at their annual meeting or whatever), some “on-the-side” (read “under-the-table”) consulting revenue, or whatever it takes for you to want them to win — and you want them to win. You can’t do anything, right? Wrong! You defined the scorecard, which, by the way, happens to have three categories where the metrics are very subjective. A few more nines here and there on the subjective metric sheets for Echo and a few fewer for Alpha and Beta, and, bingo, we have this table:

                        Alpha  Beta  Echo
  Cost Competitiveness      9     8     7
  Supplier Rating           8     7     9
  Product Rating            7     7     9
  Service Rating            6     7     8
  Total                   7.8   7.4   8.0

Hello Echo! And don’t tell me that since the categories and weightings will be predefined, the chances of there being enough room to manipulate any supplier to the top will be slim. If the buyer wants a certain supplier before the event begins, he can do an off-line assessment, figure out which metrics that supplier happens to be good in, and weight those particular metrics higher (after concocting appropriate rationalizations for long-term reliability being important for printer paper or whatever). The point is, the tool can only affect transparency. The only way to reduce corruption is to instill better processes that are harder to corrupt, and the only way to get rid of it is to hire the incorruptibles. Get it now?
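To turn the scorecard argument above into something a second reviewer can actually run, here is an added example (not from the original post) that recomputes the weighted totals from the weights and scores as given, lists every metric score that moved by more than a point between the preliminary and re-scored tables, and counts how many single-point edits to the subjective metrics are enough to put a chosen supplier first. Treating Cost Competitiveness as the one objective metric and the 1..10 scale bounds are assumptions; with the stated weights Echo’s preliminary total works out to 6.6.

```python
"""Weighted-scorecard sensitivity check (added example, not from the original post)."""

WEIGHTS = {"Cost Competitiveness": 0.4, "Supplier Rating": 0.2,
           "Product Rating": 0.2, "Service Rating": 0.2}
# Assumption: cost is derived from bid prices and hard to fudge; the other three
# are the subjective checklist scores the post describes, each on a 1..10 scale.
SUBJECTIVE = ("Supplier Rating", "Product Rating", "Service Rating")
LO, HI = 1, 10

# Scores copied from the post's preliminary table and its re-scored table.
C, S, P, V = "Cost Competitiveness", "Supplier Rating", "Product Rating", "Service Rating"
PRELIM = {"Alpha": {C: 9, S: 8, P: 8, V: 7},
          "Beta":  {C: 8, S: 9, P: 7, V: 7},
          "Echo":  {C: 7, S: 7, P: 6, V: 6}}
FINAL = {"Alpha": {C: 9, S: 8, P: 7, V: 6},
         "Beta":  {C: 8, S: 7, P: 7, V: 7},
         "Echo":  {C: 7, S: 9, P: 9, V: 8}}

def weighted_total(scores):
    """Weighted total (the post's table lists 6.2 for Echo; these weights give 6.6)."""
    return round(sum(WEIGHTS[m] * scores[m] for m in WEIGHTS), 2)

def ranking(bids):
    """Suppliers ordered best first by weighted total."""
    return sorted(bids, key=lambda s: weighted_total(bids[s]), reverse=True)

def points_to_flip(bids, challenger):
    """Single-point edits to subjective metrics (raise the challenger, or lower
    whoever currently leads the rest) needed to put the challenger strictly first.
    Greedy on the heaviest weight, raising before lowering: exact when the subjective
    weights are equal, as here, otherwise an upper bound. None: cannot be flipped."""
    scores = {s: dict(v) for s, v in bids.items()}
    moves = 0
    while True:
        rival = max((s for s in scores if s != challenger),
                    key=lambda s: weighted_total(scores[s]))
        if weighted_total(scores[challenger]) > weighted_total(scores[rival]):
            return moves
        opts = [(WEIGHTS[m], 1, m, challenger, +1)
                for m in SUBJECTIVE if scores[challenger][m] < HI]
        opts += [(WEIGHTS[m], 0, m, rival, -1)
                 for m in SUBJECTIVE if scores[rival][m] > LO]
        if not opts:
            return None
        _, _, m, who, d = max(opts)
        scores[who][m] += d
        moves += 1

def revision_report(before, after, max_delta=1):
    """Per-metric changes between rounds larger than max_delta, for a second
    reviewer to ask the evaluator to justify."""
    return [(s, m, after[s][m] - before[s][m]) for s in before
            for m in WEIGHTS if abs(after[s][m] - before[s][m]) > max_delta]
```

Nine one-point edits are enough to move Echo from last to first in the preliminary table, which is why a scorecard whose subjective categories carry 60% of the weight needs independent scoring rather than more transparency.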

How Do You Handle Inside Theft? Same Way You Handle Drug Dealers!

Apparel just ran a fascinating article on how former federal agents can help solve retailers’ employee theft problems. According to the article, the same practices used in fighting drug dealers apply to tracking down thieves inside the workplace. In particular, professionally conducted interview and interrogation tactics and procedures play a critical role in identifying the prime suspects in inside theft and solving this costly problem.

Given that the employee theft rate, which held steady at 15% from 1969 to 2006, skyrocketed to an alarming 75% later that year, and that employee theft cost U.S. Retailers $18.4 Billion in 2011, this is becoming a critical issue.

So where do you start? First, start with the red flag employees.

The article notes that there are four types of employee thieves actively engaged in stealing time, money, or products from their employers:

  1. Thieves by Nature
    who enjoy stealing
  2. Employees who feel Entitled
    because the world owes them more than what they earn
  3. Employees Stealing out of Desperation
    as they are in extreme debt or have a drug/gambling/other problem compounded by a weak economy
  4. Theft by Target of Opportunity
    where money in plain sight will be taken

These employees can be identified by well trained private investigators, with experience in the right areas of law enforcement, who can ask probing questions, confirm facts, corroborate allegations, and identify the full magnitude of theft in your organization. These interviews should focus on scheduling, accounting and inventory activities, and similar supply management practices where the greatest opportunities for theft occur. And conducted properly, in full accordance with the law, they will identify the perpetrators of theft much faster than if the organization waits until its losses mount to the point where law enforcement agencies take notice.