Three ways to identify and combat vendor fraud

Jul 31, 2021
Business risk consulting Financial investigations

To some extent, all businesses run on trust. Too often, though, it is an excess of trust that leads to fraud. In many cases, companies never suspect the employee responsible for fraud because of the employee’s length of service or reputation. Remember, trust is not a control.

One step to effectively combat fraud is to understand the various fraud risks your company faces. Vendor fraud is one key fraud category to watch. Vendor fraud involves fraud schemes in which the fraudster manipulates a company’s accounts payable and payment systems for illegal personal gain.

Vendor fraud generally falls into three categories

Billing schemes

This involves an employee using false documentation to manipulate a company’s billing system to generate a false payment for his or her own benefit. Two common billing schemes are:

  • Fictitious Billing—where the fraudster creates a fictitious vendor, which bills the company for payment. The payment is then diverted to the fraudster. This can be accomplished with nothing more than a fake name and a post office box.
  • Duplicate Invoice Payments—where the fraudster manipulates the account of a legitimate vendor, causing double payment of a legitimate invoice. The fraudster diverts the payment to a bank account under his control.

Check tampering schemes

This occurs when an employee physically manipulates checks so that they can be deposited into a bank account under his control. This could involve forgery, altering payee information, or issuing inappropriate manual checks.

Bribery or extortion schemes

This happens when an employee receives or demands inappropriate personal payments from a vendor so that the vendor gains a sale or some other advantage.

Combating vendor fraud

The following are controls specifically designed to prevent vendor fraud.

Due diligence in the vendor setup process

Since vendor fraud, by definition, involves vendors, vendor data is an obvious place to start when evaluating how to combat fraud. To begin, your company should establish set due diligence procedures for all new vendors. Examples of due diligence procedures you should perform include:

  • Comparing the mailing address for vendors against the mailing addresses for employees—any overlap bears careful examination.
  • Checking vendors with only a post office box for a mailing address to verify their legitimacy.
  • Verifying that each vendor has an assigned tax ID number and telephone number—and then verifying that this data is correct.
  • Confirming ownership of the vendor through state business registration databases, and looking for any potential employee, board member, or other key party conflicts.
  • Having someone outside of the vendor setup process review, and approving a list of new vendors on a monthly basis.
  • Applying artificial intelligence tools to identify anomalous or inconsistent patterns of payments to vendors.

Segregation of duties

Segregation of duties seems like a basic practice for preventing vendor fraud. Yet at many companies, we still find breakdowns in this vital control area. There should be clear divisions between the personnel receiving goods or authorizing services, those processing invoices, and those processing payments. In addition, there should be clear divisions between those who process payments, those who receive the bank statements, and those who reconcile the bank accounts. Finally, there should be a regular independent review of these functions.

Having appropriate segregation of duties and other controls is one thing—making sure they are followed is another. Consider this scenario:

To protect against fraud, a company establishes a new control requiring that all payments over a certain dollar threshold be personally approved by the controller. However, the controller already has numerous duties, so accounts payable personnel often have trouble getting the required approval. Since accounts payable personnel performance appraisals are based largely on the timely processing of payments, they often fake controller approval, in order to speed processing. They view the approval as a needless formality, given the scant attention the controller pays to this duty. While this in itself does not constitute fraud, it creates a breakdown in controls that an employee looking for the opportunity to commit fraud could exploit.

To address this issue, the company could establish a policy that payments over a stated threshold are all processed on a specific day of the week, and schedule a regular time for the controller to approve these invoices.

Leveraging data-mining techniques

Data mining with the application of artificial intelligence is an emerging area that companies can exploit to detect and prevent fraud. While internal and external audits have always relied on the examination of company data to identify fraud, audits examine only a fraction of a company’s data. Data mining involves the targeted analysis of the entire population of data to identify trends, establish a baseline, and identify anomalies, which enables a company to spotlight both fraud and internal control breakdowns.

One way to use data mining to combat vendor fraud is to analyze vendor payments, both in general and by a specific vendor, to establish benchmarks. You can then use these benchmarks as guidelines to identify and investigate anomalous payments. Basic trend analysis is the best place to start. By understanding the usual average size of payments to a vendor and the usual total amount paid to that vendor by month, quarter, or another period, you can establish expectations, and automatically review the situation when those expectations are violated.

You can also flag for review a variety of specific payment patterns that may indicate fraud. Some of these payment patterns include:

  • Payments that fall just below an approval limit
  • Payments made by manual check or that otherwise deviate from normal payment procedures
  • Payments for round dollar amounts
  • Payments where the vendor invoice numbers are out of sequence
  • Payments where there is an alpha character at the end of the invoice number
  • Payments where delivery addresses are different than payment addresses
  • Payments for a duplicate amount on the same date
  • Payments that do not fit historical or typical patterns

There are many steps you can take to mitigate the risk of vendor fraud.  This includes due diligence in the vendor and employee process, implementing a strong segregation of duties environment, and leveraging tools and technologies to increase your chances of identifying fraudulent activity earlier. These few steps can set your business up for success, protecting profitability and your reputation.

Related insights

Subscribe to Risk Bulletin

Our cybersecurity, risk and fraud professionals provide regular insights and regulatory compliance updates to help your organization manage risk.