Three ways to identify and combat vendor fraud

Financial investigations Risk vulnerability

To some extent, all businesses run on trust. Too often, though, it is an excess of trust that leads to fraud. In many cases, companies never suspect the employee responsible for fraud because of the employee’s length of service or reputation. Remember, trust is not a control.

One step to effectively combat fraud is to understand the various fraud risks your company faces. Vendor fraud is one key fraud category to watch. Vendor fraud involves fraud schemes in which the fraudster manipulates a company’s accounts payable and payment systems for illegal personal gain.

Vendor fraud generally falls into three categories:

  • Billing schemes
  • Check tampering schemes
  • Bribery or extortion schemes

Billing schemes involve an employee using false documentation to manipulate a company’s billing system to generate a false payment for his or her own benefit. Two common billing schemes are:

  • Fictitious Billing—where the fraudster creates a fictitious vendor, which bills the company for payment. The payment is then diverted to the fraudster. This can be accomplished with nothing more than a fake name and a post office box.
  • Duplicate Invoice Payments—where the fraudster manipulates the account of a legitimate vendor, causing double payment of a legitimate invoice. The fraudster diverts the payment to a bank account under his control.

Check tampering schemes occur when an employee physically manipulates checks so that they can be deposited into a bank account under his control. This could involve forgery, altering payee information, or issuing inappropriate manual checks.

Bribery or extortion schemes happen when an employee receives or demands inappropriate personal payments from a vendor, so that the vendor gains a sale or some other advantage.

Combating vendor fraud

The following are controls specifically designed to prevent vendor fraud:

Due diligence in the vendor setup process

Since vendor fraud, by definition, involves vendors, vendor data is an obvious place to start when evaluating how to combat fraud. To begin, your company should establish set due diligence procedures for all new vendors. Examples of due diligence procedures you should perform include:

  • Comparing the mailing address for vendors against the mailing addresses for employees—any overlap bears careful examination.
  • Checking vendors with only a post office box for a mailing address to verify their legitimacy.
  • Verifying that each vendor has an assigned tax ID number and telephone number—and then verifying that this data is correct.
  • Confirming ownership of the vendor through state business registration databases, and looking for any potential employee, board member or other key party conflicts.
  • Having someone outside of the vendor setup process reviewing, and approving a list of new vendors on a monthly basis.

Segregation of duties

Segregation of duties seems like a basic practice for preventing vendor fraud. Yet at many companies, we still find breakdowns in this vital control area. There should be clear divisions between the personnel receiving goods or authorizing services, those processing invoices and those processing payments. In addition, there should be clear divisions between those that process payments, those that receive the bank statements and those that reconcile the bank accounts. Finally, there should be a regular independent review of these functions.

Having appropriate segregation of duties and other controls is one thing—making sure they are followed is another. Consider this scenario:

To protect against fraud, a company establishes a new control requiring that all payments over a certain dollar threshold be personally approved by the controller. But the controller already has numerous duties, so accounts payable personnel often have trouble getting the required approval. Since accounts payable personnel performance appraisals are based largely on the timely processing of payments, they often fake controller approval, in order to speed processing. They view the approval as a needless formality, given the scant attention the controller pays to this duty. While this in itself does not constitute fraud, it creates a breakdown in controls that an employee looking for the opportunity to commit fraud could exploit.

To address this issue, the company could establish a policy that payments over a stated threshold are all processed on a specific day of the week, and schedule a regular time for the controller to approve these invoices.

Leveraging data-mining techniques

Data mining is an emerging area that companies can exploit to detect and prevent fraud. While internal and external audits have always relied on examination of company data to identify fraud, audits examine only a fraction of a company’s data. Data mining involves the targeted analysis of the entire population of data to identify trends, establish a baseline and identify anomalies, which enables a company to spotlight both fraud and internal control breakdowns.

One way to use data mining to combat vendor fraud is to analyze vendor payments, both in general and by a specific vendor, to establish benchmarks. You can then use these benchmarks as guidelines to identify and investigate anomalous payments. Basic trend analysis is the best place to start. By understanding the usual average size of payments to a vendor and the usual total amount paid to that vendor by month, quarter or other period, you can establish expectations, and automatically review the situation when those expectations are violated.

You can also flag for review a variety of specific payment patterns that may indicate fraud. Some of these payment patterns include:

  • Payments that fall just below an approval limit
  • Payments made by manual check or that otherwise deviate from normal payment procedures
  • Payments for round dollar amounts
  • Payments where the vendor invoice numbers are out of sequence
  • Payments where there is an alpha character at the end of the invoice number
  • Payments where delivery addresses are different than payment addresses
  • Payments for a duplicate amount on the same date

Your organization may have certain other vendor and payment patterns unique to its operations. Consider this scenario:

A building contractor often works in a specific geographic market. Its vendors are usually located in or as close as possible to that market. In such a case, transactions falling outside a set geographic boundary should be flagged for review, as they are outside of normal payment patterns.

An anomalous transaction is not always fraud. There are often legitimate business reasons for a transaction to deviate from established patterns. By identifying and investigating anomalous transactions, however, an organization can significantly increase the chances of catching fraud.

These are just three ways in which you can protect your company from vendor fraud. Ensuring you have both preventive and detective controls in place—and that they are being enforced—will reduce your company’s fraud risk.


5 leading technology-driven techniques used to investigate fraud

5 leading technology-driven techniques used to investigate fraud

Learn the five technology and analytics tools that can help organizations advance fraud detection while minimizing costs.

Conducting internal fraud investigations in a remote environment

Conducting internal fraud investigations in a remote environment

Learn practical steps for conducting an internal fraud investigation in the new remote work environment triggered by the COVID-19 pandemic.

Next-level data analytics for fraud prevention and detection

Next-level data analytics for fraud prevention and detection

Data analytics can help companies identify and mitigate fraud, waste and abuse, and develop strategies to minimize future misconduct risks.

Subscribe to Risk Bulletin

Our cybersecurity, risk and fraud professionals provide regular insights to help your organization manage risk.