Posted by Steve Wilcox on Fri, Mar 06, 2009 @ 10:59 AM

Yup, that's an outhouse.
What if you used Google Maps to view a vendor address and it turned out to be an outhouse?!? Alarm bells would probably go off in your head that an unscrupulous "vendor" was trying to swindle your company.
Nat Goodman used this outhouse example in this past week's webcast on preventing AP fraud. As we discussed in the last blog entry and according to Nat:
"Every addition or change to the vendor master should be verified to approved documents [such as updated W9s, contract amendments, verified correspondence, etc]. That means approval and support before keying AS WELL AS verification to file changes AFTER processing. In order to avoid duplicate vendors on file, be particularly careful about how the vendor name is keyed with consistent naming and keying conventions."
Vendor addresses should be treated particularly carefully. Again, according to Nat:
"We need to guard against false addresses that can be used to embezzle funds. However, we are not only concerned with phony vendors but we want to confirm that the vendor appears to be a business person with legitimate qualifications to perform the work or provide the goods. Switchboard.com and Yellowpage.com have business and residential listings. Mapquest.com is a great way to view a property. Many consultants/service providers work out of their home. Here is an opportunity to view their home. If they have an outhouse on the property you may think twice. If a goods producer lists an address on a vacant lot, a red flag goes up and you may want to check further."
Bottom line ... all new vendor addresses or changes should be carefully verified. With Google Maps or a similar tool, it's easy to check a vendor's office or location.
-Rakesh Shukla
Posted by Steve Wilcox on Tue, Feb 24, 2009 @ 12:15 PM
For the past month, my blog entries have been focusing on AP Fraud. It's a fascinating subject and I just scratched the surface. If you want a true expert's take on AP fraud, Nat Goodman, President of Goodman and Associates, focuses on how to prevent procure-to-pay fraud through practical advice on how to tighten internal controls, prevent malfeasance, stop theft, detect red flags, and safeguard company assets for 5 vulnerable P2P processes:
- risk-mitigating tips for maintaining the master vendor file
- susceptible areas for p-card purchasing
- solid techniques for properly accounting for airline flights
- challenges and solutions for recording/accruing of expenses
- hard lessons learned for payment execution
Without stealing Nat's thunder, let me give you a preview of the first bullet point about master vendor files. How vulnerable is your vendor master file?
Be honest.
Nobody enjoys maintaining a clean master vendor file. It is tedious work that is often overlooked. And yet poor internal controls for vendor files can lead to massive AP frauds.
A very recent case in point is the $2.5M billing fraud in Utah where the bank account information for a legitimate vendor (an insurer) was changed (to a fraudulent bank account) ... without any verification. Fraudulent invoices were then submitted and paid to the fraudulent bank account. The thieves stole $2.5M before getting caught.
According to Jon Casher, another AP industry expert:
"It's a very simple process to change the bank routing number and account number for payments being made via ACH. In the Utah case, the change was probably made without verifying that the new account number belonged to the insurance company. To prevent such problems from happening, all changes to the vendor master file should be reviewed and verified."
-Rakesh Shukla
Posted by Steve Wilcox on Wed, Feb 18, 2009 @ 03:05 PM
Today, I will present some more very interesting case studies of AP Fraud that highlight the risks of poor Travel & Expense (T&E) controls.
Fudging travel and entertainment facts on expense reports is so pandemic that practically everyone in the business world has heard tales of abuse:
- the manager who turns in all his reports religiously - once a year;
- the executives entertaining a client who each submit the total bill for reimbursement;
- the advice of an old hand who counsels, "Subtract the cash you come home with from what you left with and call it 'cabs.'"
A few years ago, T&E fraud made above-the-fold news when the head of Yale University's International Institute of Corporate Governance, the once-heralded, now-disgraced Florencio López-de-Silanes, was asked to step down when it was discovered that he double-billed the university to the tune of $150,000 for one year's travel expenses. Perhaps the most bizarre aspect of this story is that López-de-Silanes, a tenured finance and economics professor also employed by the World Bank as a governance consultant, submitted an entire year's worth of reports at one time. It's hard to determine what is more appalling: that a crusader for better corporate governance would try to fleece his employer, or that a distinguished professor of the Yale School of Management was not aware that withholding material liabilities was a red flag in any accounting era, much less the high-alert atmosphere of SOX compliance we live in today.
As the case of the globetrotting López-de-Silanes illustrates, the high cost of international airfares makes them a prime target for T&E finaglers. Consider the case of Open Traders, as related by Nathaniel Goodman of Goodman and Associates, a leading authority in AP best practices. Open Traders, headquartered in Minneapolis, was a consulting firm specializing in international trade. Among their far-flung client base was The Moon Group, based in Singapore. The cost of business-class airfare - one of the perks of the trade - from Minneapolis to Singapore ran to about $4,000, compared to a considerably slimmer $1,500 fare for the same route in economy class.
Each consultant was responsible for arranging his own travel with the airlines, billing the charges to a corporate American Express card. One day, as Goodman tells it, a Mr. Jim Krebs made a last-minute change to his plans to visit The Moon Group, bumping up his departure date by a day, with the result that the airline couldn't honor his business-class seat for the earlier flight. Accordingly, the airline issued a $2,500 refund directly to Krebs. The original credit card receipt still read $4,000, and this is what Krebs submitted with his expenses. The Moon Group, in turn, was likewise billed for the full fare. The $2,500 fit snugly into the pocket of Krebs, who not only rationalized his actions - why shouldn't such a highly paid professional be able to choose how he spends his travel "allowance?" - he proselytized, encouraging others in his firm to bilk their clients along with him.
Krebs' craftiness came to light because his own sense of self-justification led him to broadcast his skimming tactic rather than submerge it. Without his self-incrimination, and assuming no change in internal procedures or auditing practices, it's doubtful Krebs' personal bonus program would ever have been detected. Such shenanigans couldn't hide from a system that could permanently attach all travel back-up documentation, including electronic scans of boarding passes, to their respective expense reports. Such a system makes it possible for whoever approves reports to easily view all back-up prior to approval, and without waiting for the cumbersome retrieval and transmission of a hard copy. Mr. Krebs would have a challenging time explaining why the company was billed $4,000 for seat 48H.
-Rakesh Shukla
@rakesh170
Posted by Steve Wilcox on Tue, Feb 10, 2009 @ 03:17 PM
In my last blog entry, I explored the importance of segregating AP duties.
Today, I will present a fascinating case study of AP Fraud that highlights the risks of poor AP internal controls.
This is a true story.

Our tale concerns a husband-wife team who colluded with an outside vendor to fleece their company of at least $2 million over a seven-year period. The target of this sustained fraud was the well-respected newspaper, The Charlotte Observer, where poor internal controls contributed mightily to the scandal they were, to their considerable embarrassment, obliged to report in their own pages.
The Profile of an AP Fraudster
The mastermind of the scheme was a Mr. Johnson, a white male and 22-year employee of the newspaper with an unblemished record. Believe it or not, this is the typical profile of an AP Fraudster.
It was Mr. Johnson's good fortune to serve as a purchasing manager who also had authority to both receive goods and services and approve invoices for the same. The invoices would naturally flow through the AP department, where Mr. Johnson's wife happened to work. All the Johnsons needed to complete a seamless scam was a cooperative and unscrupulous vendor. Mr. Johnson cultivated a friendship with a favorite supplier until they became close enough that he could propose his ploy: for every two shipments you send me, invoice The Observer for three, and we'll split the payment for the phantom shipment!
Too Many Hats for One Head
The breakdowns in internal controls that allowed this arrangement to prosper over a 7-year period are manifold. Consolidating so many responsibilities in the hands of even the most trusted of employees is the first bright-red flag. A married couple with entangled duties connected with AP is another red flare. Significant budget variances, on the order of $50,000 of bogus charges per month per department, were overlooked as boom times created a lax atmosphere that tolerated such large discrepancies. Poor inventory controls allowed non-existent shipments to be processed and paid for. To top it all off, nobody involved was bonded and the company wasn't insured against such a loss.
NASCAR Insider?!? Where was the Common Sense?
While there is no question that better systems and procedures might have excised this cancerous scheme, simply bringing common sense to bear would have at least curtailed the loss. During the seven years that the Johnsons were siphoning off a substantial chunk of The Observer's revenue, their lifestyle took a dramatic turn for the better. They sold their old home, moved into a new lakefront mansion in an exclusive neighborhood, added a swanky boat, traveled like pashas and stockpiled fancy automobiles. Indeed, not only did Johnson flaunt his new-found wealth, he abandoned discretion entirely by incessantly insinuating himself into the picture - literally - in the very high profile world of NASCAR. Every week, it seemed, he would be photographed bear-hugging the winner at the victory celebration, an awesome display of insider status in the region's most revered sport.
Meanwhile, his demeanor around the office was quite the opposite. Formerly out-going and hands-on, Johnson retreated into his office where he spent most of each day behind a closed door and drawn blinds.
How could anyone, indeed everyone, have failed to notice? The answer is that of course people noticed, but they didn't trust their intuition enough to call Johnson's bluff. All Johnson had to do to deflect curiosity over the course of the better part of a decade was claim an aunt died and left him an inheritance. Naturally, once the fraud was unmasked, the aunt was discovered to be as imaginary as the stream of phantom shipments Johnson authorized and his wife paid for.
AP Internal Control Breakdowns
Clearly, a woeful failure to segregate duties was at the heart of this calamity. Had Johnson not had the power to approve his own actions, this fraud might have been prevented altogether. Improved transparency and a more disciplined approval framework would also, at the very least, make a fraud such as Johnson's more difficult to launch and impossible to sustain.
While Mr. and Mrs. Johnson eventually received their comeuppance - curiously, The Observer did not take immediate legal action upon their exposure - the newspaper nonetheless took a substantial hit, both in terms of financial loss and tarnished reputation. Nor were the perps the only people to suffer: managers who presided over the slipshod operations were sacked, steering lives and careers off track. The real tragedy of this tale is that if today's AP automation software and associated best business practices had been in place at The Observer, this entire fraud, and all the damage that ensued, would never have happened in the first place.
-Rakesh Shukla
@rakesh170
Posted by Steve Wilcox on Fri, Feb 06, 2009 @ 03:27 PM
Question: What do the following situations all have in common?
- A policeman ticketing a Dunkin' Donuts truck driver ...
- A doctor prescribing medicine from a pharmaceutical company in which he owns stock ...
- A politician accepting contributions from a special interest group ...
- A procurement manager being wined and dined by vendors ...
- A hungry wolf guarding the chicken coop ...
- A judge sentencing a family member ...
- Coaching your own son or daughter on a travel team ...
Answer: In each situation, there is a conflict of interest.
A conflict of interest is a situation where someone (such as a doctor, politician, procurement specialist, police officer, judge, coach, wolf, etc.) has a personal interest or motivation that might compromise the reliability and integrity of bigger obligations.
In many cases - especially where money is involved - a conflict of interest may tempt someone to break the law. Nowhere is this truer than in Accounts Payable.
In AP, there are a lot of conflicting duties which should always be segregated. Segregating AP duties is one of the most important internal controls in finance. For example, the person entering the invoice should not approve the invoice for obvious reasons. Similarly, the person who sets up a vendor should not enter the invoice into the ERP system. There are many examples in AP where duties should be segregated. The problem is that most finance departments are under constant pressure to do more with less. But to follow segregation of duties to the letter, you need enough staff, a luxury that isn't always available - especially in these economic conditions.
But wait!
Haven't ERP systems addressed segregated duties through a security framework which governs the acceptable use for each authorized user?
Aren't roles and responsibilities managed so that, for example, an entry-level accounts payable clerk can access modules only related to her specific job function while the CFO can access any module in the system?
Well ... yes ... but the problem with trying to maintain segregated duties using this classification approach is that these configurations are expensive to design and deploy. As employees are promoted, reassigned, or terminated, organizations must continually update their ERP systems with everyone's correct authorization level, including consultants, contractors and business partners. Supporting and maintaining the classifications and configurations is a resource-intensive job.
Furthermore, most organizations struggle with their initial ERP setup -- millions are spent in projects that can take up to 3 or more years. Unfortunately, the setup of these segregated classifications is often the last phase of the project and does not receive the attention it requires especially if the project is over budget or behind schedule - which is more common than not.
With AP automation that includes a robust workflow engine, you should have complete end-to-end AP process visibility as the invoice transitions from one step to the next ... the AP system should track all changes maintaining a comprehensive audit trail of what was performed and by whom for all prior steps so potential conflicts can automatically be caught at the transaction-level.
Using this approach, limited headcount can still allow for segregated duties since segregation can be enforced at the transaction level instead of the job role level. Employees can still be cross-trained and allowed to perform multiple functions as long as they don't perform conflicting duties on the same transaction. For example, an AP Specialist could both enter invoices and also set up suppliers as long as there is no conflict on each and every transaction.
This transaction-level segregation can be enforced by the workflow software which allows you to move away from restrictive job role controls ... rather than limiting what functions employees can carry out as part of their jobs, this approach allows enterprises to boost productivity while mitigating the business risks.
One last point here ... this approach requires less overhead since segregation rules are defined once at the process level as opposed to the constant overhead of ERP administration.
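The transaction-level check described above, as an added example (not code from the original post or from any AP product): it walks an audit trail and flags any user who performed two conflicting duties on the same invoice, using the three duty pairs named on this page. The event fields, duty names, users and invoice numbers are constructed for illustration.

```python
from collections import defaultdict

# Duty pairs one person must not perform on the same transaction. All three
# pairs come from this page; the duty *names* are hypothetical labels.
CONFLICTS = [
    ("enter_invoice", "approve_invoice"),
    ("setup_vendor", "enter_invoice"),
    ("receive_goods", "approve_invoice"),
]

def find_conflicts(audit_trail):
    """Return (invoice, user, duty_a, duty_b) for every violated pair."""
    vendor_setup = defaultdict(set)                       # vendor -> users
    per_invoice = defaultdict(lambda: defaultdict(set))   # invoice -> duty -> users
    invoice_vendor = {}
    for ev in audit_trail:
        if ev["duty"] == "setup_vendor":
            vendor_setup[ev["vendor"]].add(ev["user"])
        else:
            per_invoice[ev["invoice"]][ev["duty"]].add(ev["user"])
            invoice_vendor[ev["invoice"]] = ev["vendor"]
    findings = []
    for inv in sorted(per_invoice):
        duties = dict(per_invoice[inv])
        # Vendor setup belongs to the vendor record, so attach it to each
        # invoice raised against that vendor before comparing duties.
        duties["setup_vendor"] = vendor_setup.get(invoice_vendor[inv], set())
        for a, b in CONFLICTS:
            for user in sorted(duties.get(a, set()) & duties.get(b, set())):
                findings.append((inv, user, a, b))
    return findings

def may_perform(audit_trail, event):
    """Preventive gate: allow the step only if it creates no new conflict."""
    before = set(find_conflicts(audit_trail))
    after = set(find_conflicts(audit_trail + [event]))
    return not (after - before)

# Constructed sample audit trail.
TRAIL = [
    {"user": "alice", "duty": "setup_vendor", "vendor": "V1"},
    {"user": "bob", "duty": "setup_vendor", "vendor": "V2"},
    # Cross-trained clerk: alice set up V1 but enters an invoice for V2. Allowed.
    {"user": "alice", "duty": "enter_invoice", "invoice": "INV-1", "vendor": "V2"},
    {"user": "carol", "duty": "approve_invoice", "invoice": "INV-1", "vendor": "V2"},
    # alice enters an invoice for the vendor she created herself. Conflict.
    {"user": "alice", "duty": "enter_invoice", "invoice": "INV-2", "vendor": "V1"},
    # dave both receives the goods and approves the invoice. Conflict.
    {"user": "carol", "duty": "enter_invoice", "invoice": "INV-3", "vendor": "V2"},
    {"user": "dave", "duty": "receive_goods", "invoice": "INV-3", "vendor": "V2"},
    {"user": "dave", "duty": "approve_invoice", "invoice": "INV-3", "vendor": "V2"},
]

if __name__ == "__main__":
    for finding in find_conflicts(TRAIL):
        print("conflict:", finding)
```

`find_conflicts` is the detective form of the control run over history; `may_perform` is the preventive form a workflow step would call before accepting an action.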
-Rakesh Shukla
@rakesh170
Posted by Steve Wilcox on Fri, Jan 30, 2009 @ 02:13 PM
The classic finance dilemma is choosing between reducing costs or strengthening internal controls. Typically, these are opposing goals. Achieving one goal usually means sacrificing the other. For example, strengthening internal controls usually means increasing processing costs. Nowhere is this more true than with Accounts Payable.
The bottom line is that strengthening internal controls remains purely a cost burden... for most companies. The Hackett Group studies show that on average, compliance costs have added $200,000 per US$billion of revenue to the cost of finance since the start of SOX in 2003.
However ... world-class finance costs are about 50% below the average company's costs and continue to decline as a percentage of revenue.
So what are these world class companies doing to strengthen controls while keeping a lid on control costs? 4 things:
- Centralizing and simplifying processes
- Leveraging technology
- Automating controls
- Using more preventative controls
Let's quickly talk about each of these points.
Process Centralization and Simplification
Shared services is the best way to centralize processes and reduce costs. In fact, here is a very compelling data point -- 20% of companies that have implemented financial shared services have achieved savings of over 40%!
Leading companies also have simpler processes ... 20% fewer key controls per billion dollars in revenue.
Technology Leverage
Leading companies have consolidated technology platforms resulting in fewer ERP systems and minimal duplication of data. The best companies have only 1 ERP vs 2 ERPs for everyone else.
Shared databases for purchasing and payables allow companies to have a single vendor master file and a single chart of accounts (which is easy if you have a single ERP system) ... the big benefit here is a single source of the truth which is critical for financial data.
Control automation
Average companies also perform a LOT more manual control activities than leading companies, which means they are operating with an unnecessary level of risk. Peer companies perform manual control activities 2.4 times more than leading companies. All this manual activity increases the risk of control failure, which is perilous in today's regulatory and legislative environment.
Greater Use of Preventative Controls
Finally, leading companies have more preventative controls. Of course an environment where deficiencies are prevented in the first place is more desirable and much less expensive than having to detect problems after the fact.
The number of preventative controls is 11% higher for leading companies.
So there you have it. To solve the classic financial executive dilemma of reducing costs while, at the same time, strengthening controls, you must centralize and simplify processes, leverage technology appropriately and automate controls with more preventative controls.
-Rakesh Shukla
@rakesh170
Posted by Steve Wilcox on Wed, Jan 21, 2009 @ 08:30 AM

My 8-year old daughter is a cookie thief. You see, I caught her with her hand in the cookie jar the other day.
"How long have you been taking cookies without asking?"
"Uhhhh ... just today, Dad!"
Yeah right. I gave her a stern look even though I was a master cookie thief myself in my youth.
"Really Dad, I swear. This is my first time."
Of course, this wasn't her first cookie theft -- but it was the first time she was caught. Later that day, I was wondering how many cookies have been "stolen" in households throughout the U.S.? The answer is that it's impossible to know for certain because of the unknown number of cookie raids that have never been detected!
It's actually not that different from estimating fraud losses. The 2008 Association of Certified Fraud Examiners (ACFE) report states that the typical organization loses 7% of its annual revenues to fraud. Based on US GDP of just over $14 trillion, this translates into a staggering $990 billion in annual losses. But here is the caveat from the ACFE report:
Fraud, by its very nature, does not lend itself to being scientifically observed or measured in an accurate manner. One of the primary characteristics of fraud is that it is clandestine, or hidden; almost all fraud involves the attempted concealment of the crime.
Consequently, many instances of occupational fraud may go completely undetected. Further, even for those cases that do come to light, the full amount stolen may not be ascertainable, or the victim organization may decide not to report the theft to the authorities or the general public. As a result, determining the true breadth and depth of this form of crime is nearly impossible.
2008 ACFE Report to the Nation
On Occupational Fraud and Abuse
In the report, each fraud type was classified using the Uniform Occupational Fraud Classification System (commonly known as the Fraud Tree) into one of three major categories:
- Corruption
- Asset Misappropriation
- Fraudulent Statements

Fraudulent Disbursements (the set of yellow boxes at the bottom), a type of asset misappropriation, represented 2/3rds of all cases. And within this Fraudulent Disbursement branch, in terms of frequency, the top 3 frauds were AP related:
- Billing Schemes
- Check Tampering
- Expense Reimbursement
There is no question that fraud and specifically, AP Fraud, continues to be a real problem.
Now here is where it gets interesting ... How were the frauds detected? Here are the ACFE Fraud survey results:

I find it just remarkable that Internal Controls ranked a distant second ... and barely ahead of By Accident - in terms of detection! Sure, it's an improvement over the 2006 survey where Internal Controls ranked fourth but it's still terrible! Clearly, more effective internal controls are needed.
In my next blog entry, I'll talk about the 4 best practices that are critical to strengthening internal controls to manage risk while keeping a lid on costs.
-Rakesh Shukla
@rakesh170