Of all the forms of white-collar crime, procurement fraud is probably the least visible yet the most costly. That’s largely because it’s a hidden byproduct of seemingly legitimate transactions, often involving millions of dollars, between a business and supposedly legitimate vendors. What’s more, the organizations victimized by procurement fraud often don’t report it and choose to settle privately with the alleged culprits.

Typically, procurement fraud involves an employee working with an outside vendor to defraud his employer through bogus or inflated invoices, services and products not delivered, work never done, or contract manipulation. In exchange for letting the vendor shortchange the company, the worker gets kickbacks or some other compensation. Fraudsters are also known to establish shell or shadow vendors to bilk the company.

I recall one case where management was so embarrassed about the fraud that executives didn’t want the incident revealed to anyone in the workplace. I had been encouraging the publication of an ethics bulletin regarding the incident to promote a “perception of detection” to help deter future fraud and other misconduct while promoting a “culture of compliance” within the organization. I’m still shocked by management’s reluctance based on the misperception that fraud is rare (one executive said it was his only awareness of any fraud in more than 20 years as a manager!), or that by even mentioning the fraud we were giving employees a blueprint to commit similar acts.

Unfortunately, those of us experienced in fraud know it happens much more frequently than most of us realize. The Association of Certified Fraud Examiners’ rule of thumb is that companies lose 6 percent of annual revenue to occupational fraud, and that’s probably conservative. You tend to find wrongdoing primarily when you’re looking for it (or by accident), so fraud schemes can remain undiscovered without aggressive fraud-control efforts.

The financial consequences of procurement fraud can run into millions of dollars in losses each year. The consequences of non-compliance with increased regulatory requirements can be even more severe. Corporations face harsh fines, bad publicity, damage to corporate brand and reputation, and loss of investor and consumer confidence and trust.

Understanding the Risk of Procurement Fraud

Organizations now have even more exposure to the risk of procurement fraud as governments at every level have increased investigations and prosecutions. Government contractors are particularly affected by compliance requirements from updates to the Federal Acquisition Regulation (FAR). An amendment to FAR in December 2007 (Federal Register, Vol. 72, p.65873) mandates specific reporting requirements for companies with federal contracts of $5 million or more. Another new rule that took effect December 2008 expanded the scope of the existing business ethics and conduct clause to include suspending and disbarring contractors who fail to disclose criminal offenses and violations of the False Claims Act, or who don’t disclose evidence of significant overpayments received. The government raised the stakes with the $787 economic stimulus bill Washington enacted in March 2009, when President Obama ordered that the federal contracting system be overhauled to “break bad habits that have built up over many years.” Proponents of healthcare reform believe that an expansion of health coverage can be funded by squeezing out waste and fraud. State and local governments have likewise stepped up enforcement efforts via their own civil false claims legislation.

Part of the challenge is that the fraud can occur at several points during the procurement process. Enforcement data from the National Procurement Fraud Task Force suggest that bribery, bid-rigging, embezzlement, and submission of false claims are the most common schemes.

The fraud can take place before solicitation of potential contractors begins as well as during solicitation of contractors. It may include selecting bidders based on biased information, or disclosing information to one bidder but not others. It can include collusion between bidders, and clearly the use of bribery to win contracts is fraud. Finally, fraud can happen during the execution of a contract; for instance, if a contract stipulates that a product be tested, but the provider fails to do so, this can be considered fraud.

Auditing for Procurement Fraud

The risk of procurement fraud can be viewed in a similar manner to the exposure a company faces from travel and entertainment expenses or from conflicts of interests (topics I’ve tackled in prior columns). The internal control environment—particularly the effectiveness of the compliance and ethics program—is critical, as procurement fraud is often perpetuated by individuals with significant operational knowledge of the company’s systems and processes.

In other words, procurement fraud is typically an inside job involving collusion between employees and vendors. That means internal auditors should consider the basic features of the control environment for periodic reviews. Those basic features include the employee hiring process, the due diligence conducted on vendors, and the availability (and use) of internal reporting mechanisms. Appropriate remediation and discipline of employees and voluntary disclosures of problems are more indicators of a strong control environment.

The internal auditor needs to be alert to the opportunities to enhance operational efficiencies in the procurement process so that the opportunities for misconduct are reduced.

Similar to audits of T&E expenses or conflicts of interests, random and targeted reviews of employee expense reports, especially on high-volume areas and high-risk departments, may uncover suspicious spending that suggests procurement fraud. Likewise, surveying vendors and suppliers can reveal situations where a disgruntled contractor or prospective seller believes a competitor has been unfairly favored, again pointing to a procurement scheme.

You should closely scrutinize the effectiveness of conflict-of-interest procedures for procurement fraud risk. At a minimum, determine whether the proper individuals understand the policy and submit disclosure questionnaires, and whether reported conflicts are addressed appropriately. Proper administration of conflict-of-interest forms makes it more difficult for individuals to collude and conceal their misconduct, and more difficult for management to turn a blind eye if it learns of an issue (especially when a perceived star employee is involved).

Analytic technology can be used to identify potential conflicts of interest, and you can use it to spot procurement fraud, too. A data match can be performed between employee and vendor data files to identify conflicts of interests that may point to procurement fraud. Auditors can also analyze procurement trends and payment patterns that can indicate collusive behavior.

Monitoring Procurement Fraud Risk

Given the inside, collusive nature of procurement fraud, make the effort to identify operational weaknesses in the procurement cycle that can be exploited. Factors that suggest areas to focus an audit and monitoring controls include:

Inconsistent data and data quality issues across procurement systems;

Lack of controls (or ignoring controls) around use of preferred vendors;

Lack of a centralized master vendor file;

Limited segregation of duties involving payment processes of vendors and suppliers;

Chronic problems with duplicate payments and other inefficient invoice errors.

Organizations are increasing automation of their purchasing, payables, and payment processes to reduce costs, gain efficiencies, and support compliance with regulatory requirements and business policies. But even the most sophisticated enterprise systems may not incorporate all the controls necessary to guard against error, misuse, and fraud. At the best of times, employees skillfully evade those built-in application controls simply to keep up with demanding workloads; at worst, unscrupulous users exploit areas of weakness, given the opportunity.

These issues, combined with high volumes of transactions, increased levels of operational complexity, and a diverse range of IT platforms and systems, make managing the risk of procurement fraud a challenge. Develop ways to conduct point-in-time analysis and interrogation of data and to incorporate sophisticated analytics, and embed them in day-to-day operations. Such analysis can be run regularly to identify suspicious activity, errors, and exceptions that might be disguised by structuring transactions in complex ways, processing them over long periods of time, or burying them within high data volumes.

When a control exception does occur, you will need prompt notification so you can drill down immediately to the specific transaction and take a look. Try “stratifying” vendors according to risk, so you can re-assess them over time as your company’s risk factors change. All the foregoing can be taken into account by the internal auditor when developing a plan to review the procurement process.

Having a sound procurement process with robust controls will go a long way to reducing procurement fraud. A strong corporate culture supported by an effective compliance and ethics program can serve as a significant internal control. The internal auditor needs to be alert to the opportunities to enhance operational efficiencies in the procurement process so that the opportunities for misconduct are reduced.