Because of their complexity, supply chain operations are particularly vulnerable to fraud.
The true cost of supply chain fraud can only be guessed. The Association of Certified Fraud Examiners (ACFE) estimates that a typical organisation loses 5% of revenue a year because of fraud. Yet, more than 44% of company fraud cases are discovered only through a tip or by accident. So, finance professionals need to understand what supply chain fraud is, where it is happening, and what can be done about it.
“Supply chain fraud can mean a lot of different things to a lot of different organisations,” said Vito Giovingo, CPA, CGMA, formerly a risk advisory consultant, and now director of enterprise risk management at McDonald’s Corporation. “It can cover everything from the purchase of raw materials, to delivery and logistics, and also marketing activities,” he said.
Giovingo, who along with Katie Hausfeld, J.D., a senior litigation associate at global law firm DLA Piper, gave a presentation on supply chain fraud at the 2017 AICPA Global Manufacturing Conference, said it “runs the gamut” of frauds, from false expenses claims from employees, to high-level corruption involving government officials and partners.
Know whom to trust
As fraud can happen anywhere in the supply chain, it can be difficult to know whom to trust.
“Where I’ve seen a lot of my clients get heartburn — in terms of reducing or mitigating risk of fraud in their supply chain — is really knowing your suppliers and knowing the individuals within your supply chain,” Hausfeld said.
“Due diligence is key both from the time you bring in a party into the supply chain all the way through the relationship and constantly refreshing the due diligence,” she added.
So, is it a case of trust nobody?
“No,” Giovingo said. “It is a case of not trusting blindly, but you also don’t want to presume everyone is a bad actor.”
With some organisations having hundreds or even thousands of partners in their supply chain, it may not be possible to do checks on everybody in the supply chain, but Giovingo and Hausfeld believe you don’t have to.
“It isn’t possible or practical to bring risk down to zero, but if you understand your supply chain and what people do for you, you can start to focus on who is more important to your organisation and poses the biggest risk,” Giovingo said.
“It’s looking at your total pool of third-party relationships and doing a risk assessment of those relationships, determining which are higher or lower risk based on the type of work that they provide, the service they provide, the spend, their location, and then implementing the appropriate due diligence for that level of risk,” Hausfeld explained.
Follow the money
As any detective in a TV cop show might say, if you want to find the perpetrator of a crime, you should follow the money, and when it comes to supply chain fraud, this turns out to be sage advice.
With more than 80% of fraud cases surveyed by the ACFE featuring asset misappropriation, keeping an eye on where money changes hands is the perfect place to start.
“Of course, fraud can occur where money changes hands,” Hausfeld said.
She outlined some red flags: “Missing or incomplete invoices, lack of underlying support for those invoices; in things like bid collusion you can see bids that are priced either too far apart, or they are too high or they are too low and the lowest bidder wins,” she said.
“It could be the case that if things look too good to be true, then maybe they are too good.”
Put in controls
Spotting supply chain fraud after it has happened is one thing, but how do you stop it from happening in the first place?
“What are the controls and processes for all cash and assets leaving the company?” asked Giovingo. “Look at accounts payable. Look at petty cash and ask, do our monitoring and control activities give us sufficient visibility to fully understand what we are buying?”
“Internal controls are key,” Hausfeld said. “You need checks and balances in the system. Before any payment goes out, you need checks to ensure it is a valid payment, or that all expenses are legitimate.”
Automated controls and systems are harder for individuals to undermine. Manual processes are more prone to errors and fraud.
Build a compliance culture
Of course, all this means people need to be trained, but it may also mean a shift of culture within an organisation.
“You can’t just train everyone and say that’s that. There has to be a culture of compliance within the organisation, and it has to be pervasive throughout the company,” Hausfeld said.
While it may be tempting to turn a blind eye to certain internal practices or ignore fraud from key partners that are bringing in money, that is no way to look at it, Hausfeld said.
“Compliance has to be enforced from the top down. It is understandable that a company will want to push its business to grow, but you have to do it ethically and in the right way,” she said.
— Richard N. Williams is a UK-based freelance writer. To comment on this article or to suggest an idea for another article, contact Sabine Vollmer, an FM magazine senior editor, at Sabine.Vollmer@aicpa-cima.com.