The most efficient organizations focus on process management. They use enterprise resource management platforms to provide functional and technical support, and organizational integration to optimize the most critical processes. Organizations can even be managed using a functional process orientation that crosses organizational silos and maintains the traceability of transactions.
These processes are often accompanied by strong transparency. This, however, requires continuous audit to detect any anomalies, errors, breaches and cases of fraud as quickly as possible. ERP platforms are now considered essential, but remain conventional in their designs. They have therefore often been unable to integrate advanced models of anomaly detection, even where controls have been put in place. The audit function, however, continues to try to identify new patterns of abuse, non-compliance and fraud. Early detection is vital to avoid excessive reputational or economic damage.
In concrete terms, systems are needed to detect failures at an early stage, identify suitable corrective measures, prevent repetition, and anticipate changes in possible patterns of fraud. Care is needed, because internal complicity can help the leakage of sensitive information, and can contribute to ongoing or repeat fraud.
Detecting fraud, and especially in the purchasing process, does not mean it can be completely eradicated. Few fraud cases are repeated in exactly the same way. The internal control office therefore needs to adopt a holistic approach to fraud prevention, combining the use of different control tools, technologies, and methodological approaches, to minimize economic and reputational damage. Good governance requires continuous audit to become much more preventive, avoiding leakage of privileged information.
Risk factors contributing to generating fraud cases
The procurement department must stipulate the processes required to avoid or minimize the temptation towards fraud. For example, non-documentation and poor traceability of processes can create ‘shadow zones’ that fraudsters may exploit. Even in well-designed systems, however, there will be failures to detect fraud. These are often linked to common factors, including:
- The absence of an analytical approach using the most relevant data;
- Ignorance of the variables and correlations that will improve analytical modelling; and
- Non analytical identification of possible behaviours that characterize the most damaging and better-organized fraud cases.
This has some immediate operational applications. Most cases of purchasing fraud are about misappropriation or theft of assets, and supplier fraud generally involves purchases. It is therefore possible to identify some common scenarios, even though fraud patterns tend to evolve over time, and take action to avoid those.
Unnecessary and fraudulent claims may, for example, involve orders at higher or lower prices than agreed or than the market, higher or lower orders, and incorrect or duplicate invoicing, orders, addresses, and accounts. Other possible signs include payments during holiday periods, rounded amounts, use of non-existent suppliers, incomplete documentation, prepayments, and paying suppliers directly. It is helpful to examine the interests of the suppliers and owners of the process, consider thresholds and possible anomalies, and use framing analysis to detect possible collusion.
A combination of these approaches, which assigns a severity score to alerts, will allow fraud investigators to operationalize the management of suspicious cases with full end-to-end traceability. This, of course, is another requirement of the new generation of auditors: to be able to demonstrate to regulators and internal authorities that audits are adequately evaluated.
Internal control systems may struggle to identify risks to the purchasing department if they do not employ proven analytical systems. Organizations do not achieve analytical maturity through a single, isolated project. Instead, they need to employ expertise and experience to take advantage of best practice in the field. However, both controls and continuous improvement tools are useful in detecting possible frauds in organizational processes.
Organizations often refuse to believe that new fraud detection systems are necessary. Under those circumstances, they may reject or minimize the operational and reputational risk. This can disrupt the analytical project. The data provided may be incomplete, or not fully quality-assured. The first cases identified are likely to provoke concern, because they have not previously been identified, despite exemplary procurement and logistics processes.
Procurement fraud outlook
No organization can claim that it is protected against all possible cases of abuse, non-compliance and fraud unless these problems have been addressed with a genuine and proven analytical approach. This needs to cover the broad functional and technical spectrum of continuous and preventive detection. A mature and highly rationalized procurement organization can still fall prey to attacks by highly informed insiders through failures of registration, tracking and accounting systems. This may be worsened by external influences trying to corrupt the organization. There is now strong regulatory pressure to avoid this, as well as the potential reputational and economic damage. This has resulted in the growing adoption of standards such as ISO 37001 and good governance, which it is hoped will reduce the potential for fraud still further.
No organization can claim that it is protected against all possible cases of abuse, non-compliance and fraud unless these problems have been addressed with a genuine and proven analytical approach.