Three ways to identify and combat vendor fraud

Prepared by:
Bruce V. Bush, Director, McGladrey LLP
972.764.7144, bruce.bush@mcgladrey.com

December 2013

To some extent, all businesses run on trust. Too often, though, it is an excess of trust that leads to fraud. In
many cases, companies never suspect the employee responsible for fraud because of the employees length of
service or reputation. Remember, trust is not a control.

One step to effectively combat fraud is to understand the various fraud risks your company faces. Vendor fraud
is one key fraud category to watch. Vendor fraud involves fraud schemes in which the fraudster manipulates a
companys accounts payable and payment systems for illegal personal gain.

Vendor fraud generally falls into three categories:

yy Billing schemes
yy Check tampering schemes
yy Bribery or extortion schemes

Billing schemes involve an employee using false documentation to manipulate a companys billing system to
generate a false payment for his or her own benefit. Two common billing schemes are:

yy Shell company schemeswhere the fraudster creates a fictitious vendor, which bills the company for
payment. The payment is then diverted to the fraudster. This can be accomplished with nothing more than
a fake name and a post office box.
yy Nonaccomplice vendor schemeswhere the fraudster manipulates the account of a legitimate vendor,
causing double payment of a legitimate invoice. The fraudster either diverts the payment to an account
under his control, or when the duplicate payment returns to the company, the fraudster intercepts it and
deposits it into their own bank account.

Check tampering schemes occur when an employee physically manipulates checks. This could involve forgery,
altering payee information, issuing inappropriate manual checks or other schemes.

Bribery or extortion schemes happen when an employee accepts inappropriate personal payments from
a vendor, so that the vendor gains a sale or some other advantage, or when an employee demands such
payments from a vendor.
Combating vendor fraud
Companies should ensure a variety of controls are in place to combat fraud. Following are controls specifically
designed to prevent vendor fraud:

Due diligence in the vendor setup process

Since vendor fraud, by definition, involves vendors, vendor data is an obvious place to start when evaluating
how to combat fraud. To begin, your company should establish set due diligence procedures for all new
vendors. Examples of due diligence procedures you should perform include:

yy Comparing the mailing address for vendors against the mailing addresses for employeesany overlap
bears careful examination.
yy Checking vendors with only a post office box for a mailing address to verify their legitimacy.
yy Verifying that each vendor has an assigned tax ID number and telephone numberand then verifying that
this data is correct.
yy Confirming ownership of the vendor through state business registration databases, and looking for any
potential employee, board member or other key party conflicts.
yy Having someone outside of the vendor setup process reviewing, and approving a list of new vendors on a
monthly basis.

Segregation of duties
Segregation of duties seems like a basic practice for preventing vendor fraud. Yet at many companies, we still
find breakdowns in this vital control area. There should be clear divisions between the personnel receiving
goods or authorizing services, those processing invoices and those processing payments. In addition, there
should be clear divisions between those that process payments, those that receive the bank statements
and those that reconcile the bank accounts. Finally, there should be a regular independent review of these
functions.

Having appropriate segregation of duties and other controls is one thingmaking sure they are followed is
another. Consider this scenario:

To protect against fraud, a company establishes a new control requiring that all payments over a certain
dollar threshold be personally approved by the controller. But the controller already has numerous duties,
so accounts payable personnel often have trouble getting the required approval. Since accounts payable
personnel performance appraisals are based largely on the timely processing of payments, they often fake
controller approval, in order to speed processing. They view the approval as a needless formality, given the
scant attention the controller pays to this duty. While this in itself does not constitute fraud, it creates
a breakdown in controls that an employee looking for the opportunity to commit fraud could exploit.

To address this issue, the company could establish a policy that payments over a stated threshold are
all processed on a specific day of the week, and schedule a regular time for the controller to approve
these invoices.

Leveraging data-mining techniques

Data mining is an emerging area that companies can exploit to detect and prevent fraud. While internal and
external audits have always relied on examination of company data to identify fraud, audits examine only a
fraction of a companys data. Data mining involves the targeted analysis of the entire population of data to

2
identify trends, establish a baseline and identify anomalies, which enables a company to spotlight both fraud
and internal control breakdowns.

One way to use data mining to combat vendor fraud is to analyze vendor payments, both in general and by
a specific vendor, to establish benchmarks. You can then use these benchmarks as guidelines to identify and
investigate anomalous payments. Basic trend analysis is the best place to start. By understanding the usual
average size of payments to a vendor and the usual total amount paid to that vendor by month, quarter or
other period, you can establish expectations, and automatically review the situation when those expectations
are violated.

You can also flag for review a variety of specific payment patterns that may indicate fraud. Some of these
payment patterns include:

yy Payments that fall just below an approval limit

yy Payments made by manual check or that otherwise deviate from normal payment procedures
yy Payments for round dollar amounts
yy Payments where the check or invoice numbers are out of sequence
yy Payments where there is an alpha character at the end of the invoice number
yy Payments where delivery addresses are different than payment addresses
yy Payments for a duplicate amount on the same date

Your organization may have certain other vendor and payment patterns unique to its operations. Consider
this scenario:

A building contractor often works in a specific geographic market. Its vendors are usually located in or as
close as possible to that market. In such a case, transactions falling outside a set geographic boundary
should be flagged for review, as they are outside of normal payment patterns.

An anomalous transaction is not always fraud. There are often legitimate business reasons for a transaction
to deviate from established patterns. By identifying and investigating anomalous transactions, however, an
organization can significantly increase the chances of catching fraud.

These are just three ways in which you can protect your company from fraud. Ensuring you have both
preventive and detective controls in placeand that they are being enforcedwill reduce your companys
fraud risk.

800.274.3978
www.mcgladrey.com

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for
professional advice or services. This document does not constitute assurance, tax, consulting, business, financial, investment, legal or
other professional advice, and you should consult a qualified professional advisor before taking any action based on the information
herein. McGladrey LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this
document by any person.

McGladrey LLP is an Iowa limited liability partnership and the U.S. member firm of RSM International, a global network of
independent accounting, tax and consulting firms. The member firms of RSM International collaborate to provide services to global
clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own
acts and omissions, and not those of any other party.

McGladrey, the McGladrey logo, the McGladrey Classic logo, The power of being understood, Power comes from being understood,
and Experience the power of being understood are registered trademarks of McGladrey LLP.

2013 McGladrey LLP. All Rights Reserved.