Combating vendor fraud
The following are controls specifically designed to prevent vendor fraud:
Due diligence in the vendor setup process
Since vendor fraud, by definition, involves vendors, vendor data is an obvious place to start when evaluating how to combat fraud. To begin, your company should establish set due diligence procedures for all new vendors. Examples of due diligence procedures you should perform include:
- Comparing the mailing address for vendors against the mailing addresses for employees—any overlap bears careful examination.
- Checking vendors with only a post office box for a mailing address to verify their legitimacy.
- Verifying that each vendor has an assigned tax ID number and telephone number—and then verifying that this data is correct.
- Confirming ownership of the vendor through state business registration databases, and looking for any potential employee, board member, or other key party conflicts.
- Having someone outside of the vendor setup process review, and approving a list of new vendors on a monthly basis.
Segregation of duties
Segregation of duties seems like a basic practice for preventing vendor fraud. Yet at many companies, we still find breakdowns in this vital control area. There should be clear divisions between the personnel receiving goods or authorizing services, those processing invoices, and those processing payments. In addition, there should be clear divisions between those who process payments, those who receive the bank statements, and those who reconcile the bank accounts. Finally, there should be a regular independent review of these functions.
Having appropriate segregation of duties and other controls is one thing—making sure they are followed is another. Consider this scenario:
To protect against fraud, a company establishes a new control requiring that all payments over a certain dollar threshold be personally approved by the controller. However, the controller already has numerous duties, so accounts payable personnel often have trouble getting the required approval. Since accounts payable personnel performance appraisals are based largely on the timely processing of payments, they often fake controller approval, in order to speed processing. They view the approval as a needless formality, given the scant attention the controller pays to this duty. While this in itself does not constitute fraud, it creates a breakdown in controls that an employee looking for the opportunity to commit fraud could exploit.
To address this issue, the company could establish a policy that payments over a stated threshold are all processed on a specific day of the week, and schedule a regular time for the controller to approve these invoices.
Leveraging data-mining techniques
Data mining is an emerging area that companies can exploit to detect and prevent fraud. While internal and external audits have always relied on the examination of company data to identify fraud, audits examine only a fraction of a company’s data. Data mining involves the targeted analysis of the entire population of data to identify trends, establish a baseline, and identify anomalies, which enables a company to spotlight both fraud and internal control breakdowns.
One way to use data mining to combat vendor fraud is to analyze vendor payments, both in general and by a specific vendor, to establish benchmarks. You can then use these benchmarks as guidelines to identify and investigate anomalous payments. Basic trend analysis is the best place to start. By understanding the usual average size of payments to a vendor and the usual total amount paid to that vendor by month, quarter, or another period, you can establish expectations, and automatically review the situation when those expectations are violated.