Posted by Steve Wilcox on Fri, Mar 06, 2009 @ 10:59 AM

Yup, that's an outhouse.
What if you used Google Maps to view a vendor address and it turned out to be an outhouse?!? Alarm bells would probably go off in your head that an unscrupulous "vendor" was trying to swindle your company.
Nat Goodman used this outhouse example in this past week's webcast on preventing AP fraud. As we discussed in the last blog entry and according to Nat:
"Every addition or change to the vendor master should be verified to approved documents [such as updated W9s, contract amendments, verified correspondence, etc]. That means approval and support before keying AS WELL AS verification to file changes AFTER processing. In order to avoid duplicate vendors on file, be particularly careful about how the vendor name is keyed with consistent naming and keying conventions."
Vendor addresses should be treated particularly carefully. Again, according to Nat:
"We need to guard against false addresses that can be used to embezzle funds. However, we are not only concerned with phony vendors but we want to confirm that the vendor appears to be a business person with legitimate qualifications to perform the work or provide the goods. Switchboard.com and Yellowpage.com have business and residential listings. Mapquest.com is a great way to view a property. Many consultants/service providers work out of their home. Here is an opportunity to view their home. If they have an outhouse on the property you may think twice. If a goods producer lists an address on a vacant lot, a red flag goes up and you may want to check further."
Bottom line ... all new vendor addresses or changes should be carefully verified. With Google Maps or a similar tool, it's easy to check a vendor's office or location.
-Rakesh Shukla
Posted by Steve Wilcox on Tue, Feb 24, 2009 @ 12:15 PM
For the past month, my blog entries have been focusing on AP Fraud. It's a fascinating subject and I just scratched the surface. If you want a true expert's take on AP fraud, Nat Goodman, President of Goodman and Associates, focuses on how to prevent procure-to-pay fraud through practical advice on how to tighten internal controls, prevent malfeasance, stop theft, detect red flags, and safeguard company assets for 5 vulnerable P2P processes:
- risk-mitigating tips for maintaining the master vendor file
- susceptible areas for p-card purchasing
- solid techniques for properly accounting for airline flights
- challenges and solutions for recording/accruing of expenses
- hard lessons learned for payment execution
Without stealing Nat's thunder, let me give you a preview of the first bullet point about master vendor files. How vulnerable is your vendor master file?
Be honest.
Nobody enjoys maintaining a clean master vendor file. It is tedious work that is often overlooked. And yet poor internal controls for vendor files can lead to massive AP frauds.
A very recent case in point is the $2.5M billing fraud in Utah where the bank account information for a legitimate vendor (an insurer) was changed (to a fraudulent bank account) ... without any verification. Fraudulent invoices were then submitted and paid to the fraudulent bank account. The thieves stole $2.5M before getting caught.
According to Jon Casher, another AP industry expert:
"It's a very simple process to change the bank routing number and account number for payments being made via ACH. In the Utah case, the change was probably made without verifying that the new account number belonged to the insurance company. To prevent such problems from happening, all changes to the vendor master file should be reviewed and verified."
-Rakesh Shukla
Posted by Steve Wilcox on Wed, Feb 18, 2009 @ 03:05 PM
Today, I will present some more very interesting case studies of AP Fraud that highlight the risks of poor Travel & Expense (T&E) controls.
Fudging travel and entertainment facts on expense reports is so pandemic that practically everyone in the business world has heard tales of abuse:
- the manager who turns in all his reports religiously - once a year;
- the executives entertaining a client who each submit the total bill for reimbursement;
- the advice of an old hand who counsels, "Subtract the cash you come home with from what you left with and call it 'cabs.'"
A few years ago, T&E fraud made above-the-fold news when the head of Yale University's International Institute of Corporate Governance, the once-heralded, now-disgraced Florencio López-de-Silanes, was asked to step down when it was discovered that he double-billed the university to the tune of $150,000 for one year's travel expenses. Perhaps the most bizarre aspect of this story is that López-de-Silanes, a tenured finance and economics professor also employed by the World Bank as a governance consultant, submitted an entire year's worth of reports at one time. It's hard to determine what is more appalling: that a crusader for better corporate governance would try to fleece his employer, or that a distinguished professor of the Yale School of Management was not aware that withholding material liabilities was a red flag in any accounting era, much less the high-alert atmosphere of SOX compliance we live in today.
As the case of the globetrotting López-de-Silanes illustrates, the high cost of international airfares makes them a prime target for T&E finaglers. Consider the case of Open Traders, as related by Nathaniel Goodman of Goodman and Associates, a leading authority in AP best practices. Open Traders, headquartered in Minneapolis, was a consulting firm specializing in international trade. Among their far-flung client base was The Moon Group, based in Singapore. The cost of business-class airfare - one of the perks of the trade - from Minneapolis to Singapore ran to about $4,000, compared to a considerably slimmer $1,500 fare for the same route in economy class.
Each consultant was responsible for arranging his own travel with the airlines, billing the charges to a corporate American Express card. One day, as Goodman tells it, a Mr. Jim Krebs made a last-minute change to his plans to visit The Moon Group, bumping up his departure date by a day, with the result that the airline couldn't honor his business-class seat for the earlier flight. Accordingly, the airline issued a $2,500 refund directly to Krebs. The original credit card receipt still read $4,000, and this is what Krebs submitted with his expenses. The Moon Group, in turn, was likewise billed for the full fare. The $2,500 fit snugly into the pocket of Krebs, who not only rationalized his actions - why shouldn't such a highly paid professional be able to choose how he spends his travel "allowance?" - he proselytized, encouraging others in his firm to bilk their clients along with him.
Krebs' craftiness came to light because his own sense of self-justification led him to broadcast his skimming tactic rather than submerge it. Without his self-incrimination, and assuming no change in internal procedures or auditing practices, it's doubtful Krebs' personal bonus program would ever have been detected. Such shenanigans couldn't hide from a system that could permanently attach all travel back-up documentation, including electronic scans of boarding passes, to their respective expense reports. Such a system makes it possible for whoever approves reports to easily view all back-up prior to approval, and without waiting for the cumbersome retrieval and transmission of a hard copy. Mr. Krebs would have a challenging time explaining why the company was billed $4,000 for seat 48H.
-Rakesh Shukla
@rakesh170
Posted by Steve Wilcox on Tue, Feb 10, 2009 @ 03:17 PM
In my last blog entry, I explored the importance of segregating AP duties.
Today, I will present a fascinating case study of AP Fraud that highlights the risks of poor AP internal controls.
This is a true story.

Our tale concerns a husband-wife team who colluded with an outside vendor to fleece their company of at least $2 million over a seven-year period. The target of this sustained fraud was the well-respected newspaper, The Charlotte Observer, where poor internal controls contributed mightily to the scandal they were, to their considerable embarrassment, obliged to report in their own pages.
The Profile of an AP Fraudster
The mastermind of the scheme was a Mr. Johnson, a white male and 22-year employee of the newspaper with an unblemished record. Believe it or not, this is the typical profile of an AP Fraudster.
It was Mr. Johnson's good fortune to serve as a purchasing manager who also had authority to both receive goods and services and approve invoices for the same. The invoices would naturally flow through the AP department, where Mr. Johnson's wife happened to work. All the Johnsons needed to complete a seamless scam was a cooperative and unscrupulous vendor. Mr. Johnson cultivated a friendship with a favorite supplier until they became close enough that he could propose his ploy: for every two shipments you send me, invoice The Observer for three, and we'll split the payment for the phantom shipment!
Too Many Hats for One Head
The breakdowns in internal controls that allowed this arrangement to prosper over a 7-year period are manifold. Consolidating so many responsibilities in the hands of even the most trusted of employees is the first bright-red flag. A married couple with entangled duties connected with AP is another red flare. Significant budget variances, on the order of $50,000 of bogus charges per month per department, were overlooked as boom times created a lax atmosphere that tolerated such large discrepancies. Poor inventory controls allowed non-existent shipments to be processed and paid for. To top it all off, nobody involved was bonded and the company wasn't insured against such a loss.
NASCAR Insider?!? Where was the Common Sense?
While there is no question that better systems and procedures might have excised this cancerous scheme, simply bringing common sense to bear would have at least curtailed the loss. During the seven years that the Johnsons were siphoning off a substantial chunk of The Observer's revenue, their lifestyle took a dramatic turn for the better. They sold their old home, moved into a new lakefront mansion in an exclusive neighborhood, added a swanky boat, traveled like pashas and stockpiled fancy automobiles. Indeed, not only did Johnson flaunt his new-found wealth, he abandoned discretion entirely by incessantly insinuating himself into the picture - literally - in the very high profile world of NASCAR. Every week, it seemed, he would be photographed bear-hugging the winner at the victory celebration, an awesome display of insider status in the region's most revered sport.
Meanwhile, his demeanor around the office was quite the opposite. Formerly out-going and hands-on, Johnson retreated into his office where he spent most of each day behind a closed door and drawn blinds.
How could anyone, indeed everyone, have failed to notice? The answer is that of course people noticed, but they didn't trust their intuition enough to call Johnson's bluff. All Johnson had to do to deflect curiosity over the course of the better part of a decade was claim an aunt died and left him an inheritance. Naturally, once the fraud was unmasked, the aunt was discovered to be as imaginary as the stream of phantom shipments Johnson authorized and his wife paid for.
AP Internal Control Breakdowns
Clearly, a woeful failure to segregate duties was at the heart of this calamity. Had Johnson not had the power to approve his own actions, this fraud might have been prevented altogether. Improved transparency and a more disciplined approval framework would also, at the very least, make a fraud such as Johnson's more difficult to launch and impossible to sustain.
While Mr. and Mrs. Johnson eventually received their comeuppance - curiously, The Observer did not take immediate legal action upon their exposure - the newspaper nonetheless took a substantial hit, both in terms of financial loss and tarnished reputation. Nor were the perps the only people to suffer: managers who presided over the slipshod operations were sacked, steering lives and careers off track. The real tragedy of this tale is that if today's AP automation software and associated best business practices had been in place at The Observer, this entire fraud, and all the damage that ensued, would never have happened in the first place.
-Rakesh Shukla
@rakesh170
Posted by Steve Wilcox on Fri, Feb 06, 2009 @ 03:27 PM
Question: What do the following situations all have in common?
- A policeman ticketing a Dunkin' Donuts truck driver ...
- A doctor prescribing medicine from a pharmaceutical company in which he owns stock ...
- A politician accepting contributions from a special interest group ...
- A procurement manager being wined and dined by vendors ...
- A hungry wolf guarding the chicken coop ...
- A judge sentencing a family member ...
- Coaching your own son or daughter on a travel team ...
Answer: In each situation, there is a conflict of interest.
A conflict of interest is a situation where someone (such as a doctor, politician, procurement specialist, police officer, judge, coach, wolf etc.) has a personal interest or motivation that might compromise the reliability and integrity of bigger obligations.
In many cases - especially where money is involved - a conflict of interest may tempt someone to break the law. Nowhere is this truer than in Accounts Payable.
In AP, there are a lot of conflicting duties which should always be segregated. Segregating AP duties is one of the most important internal controls in finance. For example, the person entering the invoice should not approve the invoice for obvious reasons. Similarly, the person who sets up a vendor should not enter the invoice into the ERP system. There are many examples in AP where duties should be segregated. The problem is that most finance departments constantly have pressure to do more with less. But to follow segregation of duties to the letter, you need enough staff, a luxury that isn't always available - especially in these economic conditions.
But wait!
Haven't ERP systems addressed segregated duties through a security framework which governs the acceptable use for each authorized user?
Aren't roles and responsibilities managed so that, for example, an entry-level accounts payable clerk can access modules only related to her specific job function while the CFO can access any module in the system?
Well ... yes ... but the problem of trying to maintain segregated duties using this classification approach is that these configurations are expensive to design and deploy. As employees are promoted, reassigned, or terminated, organizations must continually update their ERP systems with everyone's correct authorization level, including consultants, contractors and business partners. Supporting and maintaining the classifications and configurations is a resource-intensive job.
Furthermore, most organizations struggle with their initial ERP setup -- millions are spent in projects that can take up to 3 or more years. Unfortunately, the setup of these segregated classifications is often the last phase of the project and does not receive the attention it requires especially if the project is over budget or behind schedule - which is more common than not.
With AP automation that includes a robust workflow engine, you should have complete end-to-end AP process visibility as the invoice transitions from one step to the next ... the AP system should track all changes maintaining a comprehensive audit trail of what was performed and by whom for all prior steps so potential conflicts can automatically be caught at the transaction-level.
Using this approach, limited headcount can still allow for segregated duties since segregation can be enforced at the transaction level instead of the job role level. Employees can still be cross-trained and allowed to perform multiple functions as long as they don't perform conflicting duties on the same transaction. For example, an AP Specialist could both enter invoices and also set up suppliers as long as there is no conflict on each and every transaction.
This transaction-level segregation can be enforced by the workflow software which allows you to move away from restrictive job role controls ... rather than limiting what functions employees can carry out as part of their jobs, this approach allows enterprises to boost productivity while mitigating the business risks.
One last point here ... this approach requires less overhead since segregation rules are defined once at the process level as opposed to the constant overhead of ERP administration.
-Rakesh Shukla
@rakesh170
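The transaction-level segregation check described in the post above, as an added example that is not code from the original post or from any AP product. The duty names, record fields and sample audit trail are constructed for illustration; the two conflict pairs are the ones the post names.

```python
# Added example: segregation of duties enforced per transaction, not per role.
# Duty names, record fields and the sample trail are assumptions of this sketch.

# Pairs of duties one person must not perform in the same invoice's chain.
CONFLICTS = {
    frozenset({"setup_vendor", "enter_invoice"}),
    frozenset({"enter_invoice", "approve_invoice"}),
}

def prior_duties(trail, user, invoice, vendor):
    """Duties `user` already performed in this invoice's chain.

    The chain is every step recorded against the invoice itself plus
    vendor-level steps (invoice is None) for the invoice's vendor.
    """
    return {e["duty"] for e in trail
            if e["user"] == user and e["vendor"] == vendor
            and e["invoice"] in (invoice, None)}

def may_perform(trail, user, duty, invoice, vendor):
    """Workflow gate: allow the step unless it conflicts with an earlier one."""
    return not any(frozenset({duty, done}) in CONFLICTS
                   for done in prior_duties(trail, user, invoice, vendor))

def audit(trail):
    """Detective control: (invoice, user, duties) conflicts already on file."""
    findings = []
    invoices = {(e["invoice"], e["vendor"]) for e in trail if e["invoice"]}
    for invoice, vendor in invoices:
        users = {e["user"] for e in trail
                 if e["vendor"] == vendor and e["invoice"] in (invoice, None)}
        for user in users:
            done = prior_duties(trail, user, invoice, vendor)
            findings += [(invoice, user, tuple(sorted(pair)))
                         for pair in CONFLICTS if pair <= done]
    return sorted(findings)

def step(user, duty, vendor, invoice=None):
    """Build one audit-trail record."""
    return {"user": user, "duty": duty, "vendor": vendor, "invoice": invoice}

# Constructed audit trail: alice is cross-trained (vendor setup and entry).
TRAIL = [
    step("alice", "setup_vendor", "V1"),
    step("bob", "setup_vendor", "V2"),
    step("alice", "enter_invoice", "V2", "INV-1"),    # fine: bob set up V2
    step("carol", "approve_invoice", "V2", "INV-1"),
    step("alice", "enter_invoice", "V1", "INV-2"),    # conflict: she set up V1
    step("dave", "enter_invoice", "V1", "INV-3"),
    step("dave", "approve_invoice", "V1", "INV-3"),   # conflict: entered it too
]

if __name__ == "__main__":
    for finding in audit(TRAIL):
        print(finding)
```

`may_perform` is the preventive form a workflow engine would call before accepting a step, while `audit` is the detective form run over history that was recorded without the gate.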
Posted by Steve Wilcox on Thu, Jan 08, 2009 @ 08:07 AM
About the time of my last blog post, the sensational Madoff scandal was hitting the newswires. I have been fascinated by not only Madoff's Ponzi scheme but also the utter failure of the SEC to detect a fraud which reportedly swindled $50B ... F - I - F - T - Y BILLION!!!

A Ponzi scheme is named after Charles Ponzi (see 1910 mugshot above). It's a fraudulent operation that pays returns to older investors from newer investors until the whole house-of-cards collapses. It's a classic pyramid scheme.
What makes this fraud even more fascinating is that the SEC had been receiving tips about the Madoff fraud for over a decade. In particular, a money manager named Harry Markopolos made it his personal mission to expose Madoff. Unfortunately, he couldn't persuade the SEC to investigate despite detailed report after detailed report on how it was virtually impossible for Madoff's strategy to work.
It's frustrating and even sickening how the SEC ignored these tips, especially when Markopolos gift-wrapped them for the SEC. Clearly, the SEC doesn't understand the first rule about detecting frauds. According to the Association of Certified Fraud Examiners (ACFE), the #1 way in which fraud is discovered is ...
... by a tip or complaint.
Yup, nearly half of the fraud cases in the ACFE's 2008 study were uncovered by a tip or complaint from an employee, customer, vendor, or other source.

Since over half of all fraud cases are AP-related, the lessons for AP are clear ... tips and complaints need to be encouraged. The best way to do this is through anonymous hotlines.
Both employees and third parties should be encouraged to report illegal or suspicious behavior. Whistleblowers should be assured that all and any reports are confidential and that there will be no retaliation by the organization whatsoever.
Whistleblowers should also be reassured that unlike the manner in which the SEC handled tips and complaints about Madoff, when a tip is received, it will be properly investigated.
In my next blog entry, I'll explore something else that is disturbing about the ACFE chart above. Can you guess what it is?
-Rakesh Shukla
@rakesh170