Do you really know who you are paying?

Do you really know who you are paying?


By Cecilia Locati, ACMA, CGMA

From fake invoicing and pay-and-return schemes to personal purchases with corporate funds and payment fraud, fraud in the procurement-to-pay process is very common and extremely difficult to prevent and detect.

According to the 2016 Report to the Nations on Occupational Fraud and Abuse by the Association of Certified Fraud Examiners (ACFE), fraudulent disbursements are the most common form of asset misappropriation. Of all the types of fraudulent disbursement, billing schemes are the most common with an average of 22.2% of the cases and a median loss of £80,000 ($100,000).

The following real-life examples illustrate common scenarios of procurement fraud in small- and medium-size enterprises: the first case study is a real-life example of an electronic disbursement fraud while the second and the third relate to billing schemes.

Case study 1: MediaCo

Jenny was managing the finance and administrative activities of MediaCo, a small media production company specialising in documentaries for TV, co-founded by Kevin and Ivan.

Over time, Jenny found an easy way to boost her wages. When approving payments, Kevin always cross-checked the invoices and payment details thoroughly, while Ivan approved the payments without double-checking them against the invoices. From time to time, Jenny would enter her sister’s bank details into the online banking system instead of a supplier’s account details. She would then submit the payment for approval to Ivan. Ivan would approve without noticing that the bank details on the payment were different from those specified on the supplier’s invoice. After a couple of weeks, when she knew that Ivan was out of the office, she would include the same vendor invoice in a payment (with the correct vendor bank details) and ask Kevin to approve it.

Jenny was the only one who managed the accounts at MediaCo, and she could easily allocate the cost of the fraudulent payment to a number of P&L accounts to cover up the shortage.

One day, she was forced to stay at home for a couple of weeks through illness, and the co-founders’ personal assistant covered for her. Following a call from an angry vendor who complained about not receiving payment on his last invoice, the personal assistant looked into the finance files to check whether the invoice had been paid. Thus it was discovered that by paying invoices to her sister’s bank account, Jenny had managed to embezzle approximately £60,000 ($75,000) over a three-year period.

Case study 2: KitchenCo

Matt was the marketing manager for KitchenCo, a medium-size bespoke kitchen manufacturer.

He convinced the company’s owner of the need to invest approximately £100,000 ($125,000) to improve KitchenCo’s online presence. The owner did not have any background in online marketing and social media presence. But he knew that some of his competitors were investing in such activities, and he wanted to keep up with them.

Matt created a shell search engine marketing company called SEMCo with a fancy website and his wife as the company director. He painted SEMCo as one of the top companies on the market and got the owner to approve an inflated quote for SEMCo’s services.

Then, Matt engaged a couple of inexpensive contractors to whom SEMCo subcontracted the work for a much lower price than what KitchenCo paid SEMCo.

After a few months, during a networking dinner, the owner met a search engine optimisation (SEO) consultant, and when their conversation turned to KitchenCo’s SEO initiatives, the consultant was amazed by the price KitchenCo had paid, and stated that he had never heard of SEMCo.

Because of this conversation, the owner asked KitchenCo’s finance director to carry out some checks on SEMCo and found out that it was owned by Matt’s wife, and that the price KitchenCo had paid was well above the market average.

Case study 3: GlassesCo

For 15 years, David was the finance director of GlassesCo, a retailer that sold spectacles and lenses. GlassesCo used a small legal firm, LegalCo, and over the year, David got to know John, the owner, quite well.

At a certain point, the two men came to the following agreement: John would inflate the number of hours of consulting provided to GlassesCo, David would approve the inflated invoices, and they would split the fraudulent proceeds. This arrangement was quite easy to pull off because David was the only approver of the invoices.

One day, the CEO of GlassesCo received an anonymous email reporting that David was approving inflated consulting invoices. The CEO engaged a fraud investigator to verify whether the claims were true. By reviewing David’s email archive, it became obvious that he was colluding with John in a pay-and-return fraud scheme worth £30,000 ($37,500) over the past two years. Due to the email archive retention period, it was not possible to ascertain whether the loss was even greater; however, given the length of David’s service and for how long LegalCo had been providing services to GlassesCo, it is quite likely that the loss amounted to much more than that.

7 ways SMEs can protect themselves against procurement fraud

Segregation of duties: In all three examples, the lack of segregation of duties made the frauds possible or helped to conceal them. In MediaCo’s case, the lack of segregation of duties in the accounting function allowed Jenny to hide the fraudulent payments in the general ledger without anybody noticing. To achieve segregation of duties, responsibility for processing payments should be allocated to a different individual from the one in charge of posting transactions in the general ledger. Another way to segregate duties is to ensure that finance systems require two users to process journal entries: one to post journals and one to release them.

In the second case study, segregation of duties could have been achieved by giving the finance department responsibility for carrying out due diligence on the new vendors. This would have uncovered the shell company fraud scheme before the vendor had been engaged.

In the third case, David’s fraud would have been discovered much earlier if the CEO had to approve LegalCo’s invoices in addition to David’s approval. To ensure that invoices are independently approved, they should be reviewed by a second individual, other than the person who holds the relationship with the vendor.

Robust reviews: In the first case, the fraud was made possible by the poor controls carried out by one of the two managing directors, who did not check the details of the payments against the supporting documents. In the case of KitchenCo, the owner did not perform a thorough review of the vendor selection process carried out by the marketing manager, which resulted in the engagement of a shell company as a vendor. When approving, the reviewer should be aware of the specific reasons why the approval is needed and the risks it is designed to mitigate. Raising awareness around this topic would help improve the quality of the review performed.

Vendor selection and approval: Having a strong vendor selection and due-diligence process in place is crucial to avoiding procurement fraud, as the case of KitchenCo shows. A strong vendor selection process should include a bidding procedure and a due-diligence process to ensure that the new vendor is a genuine company and that there is no potential conflict of interest. Once those checks have been performed, the new vendor should be approved by another party who should conduct independent checks to ensure that the selection process has been carried out fairly and without bias.

Automated controls: Manual processes are more prone to errors and fraud than automated processes. In the case of MediaCo, the fraud would have been much more difficult to perpetrate if, instead of using manual payments, the company was using an automated system. In this case, the vendor details would have been populated automatically based on the data available in the vendor master data. Therefore, provided that appropriate controls around the vendor master data had been in place, it would not have been possible to perpetrate this type of fraud.

Ongoing vendor monitoring and benchmarking: It is best practice to monitor an existing vendor’s performance over time to ensure that the level of service meets expectations and the price is appropriate. The monitoring activity should be carried out by a department or person different from the one managing the relationship with the client on a day-to-day basis. This would have helped prevent GlassesCo from falling victim to the overbilling scheme.

Tight analytical and budget review: All of these cases lacked a robust review of the actual and budgeted figures. While more challenging for small, rapidly growing companies, the review process should include not only a tight review of the actual-versus-budget figures, but also analysis of the financial ratios and comparative analysis to identify costs that need further investigation. The tighter the controls, the greater the chance of spotting frauds.

Hotline: Tip-offs are the most common way of uncovering frauds. Having a formal, structured process to report and follow up suspected instances of fraud and control override helps SMEs encourage people to report such cases. Nowadays, a number of companies, for a flat annual or monthly fee, provide a 24/7 hotline service in different languages.

In each case study, the fraudsters saw an opportunity to take advantage of the perceived lack of control and thought they could get away with their scheme. To prevent and detect fraud effectively, senior management must have good oversight over controls.

Cecilia Locati (cecilialocati@fraudfence.co.uk) is director of Fraud Fence, a consultancy that advises companies on internal fraud prevention.