“I’m too busy.”
“That will take too long.”
“That’s too much of a hassle.”
Who hasn’t heard these and similar comments when improvements are recommended or weaknesses in internal controls identified as a result of an audit? While our intentions are sound, putting these recommendations into action in our fast-paced world is another matter.
This attitude is especially critical in an area that for far too long has operated under the radar: the vetting of vendors. Within this often unattended area is great potential for identifying fraud. When I ask about vendor vetting or credentialing, I typically get the “deer in the headlights” stare or a response that suggests confidence in an organization’s existing vetting process, typically a D&B report on a particular vendor and a credit application. We have learned that while these are important basic items, there is so much more that we can and should learn about prospective vendors before they are approved for new or recurring work.
The exposure
Once an unethical vendor is set up in an accounts payable system, it is like a Trojan horse or computer virus that upon release could cause havoc, costing thousands if not millions of dollars in losses due to misappropriations and reputational damage to the organization and management team, in addition to potential job loss. Vendor fraud often occurs in plain sight. Throughout the organization, the vendor is considered trustworthy and hard-working.
While your vendors may in fact be loyal, do you really know who they are? Do you know whether they have relationships with your other vendors, employees, physicians, professors, students, or dependents of your employees? Do they have related companies that also do business with your organization? Do the owners have criminal records, lawsuits, liens, and the like? Have you ever considered whether the three bidders (in a three-bid process) are in fact all related companies with common ownership and the bid is therefore rigged? Proper and thorough upfront and periodic vetting can be used to detect and prevent these problems.
Prevention of vendor-related fraud
While many believe that detection is important, in reality prevention is the key to keeping corrupt vendors out of your company’s accounting system. As mentioned above, once a vendor has been set up, the potential exists for disbursements to be made to that vendor without realizing that the company may be a shell entity, controlled by an individual or group that owns other companies set up in your database or client’s database, or that the disbursement is fraudulent in nature and no work was done to support it.
Actions to consider in preventing fraud:
•Ensuring that the vendor is a valid entity by confirming its federal tax identification number with the IRS;
•Ensuring the entity has a valid address; •Understanding company ownership;
•Determining whether the owners have criminal records, liens, lawsuits, or bankruptcies;
•Determining whether the owners have other companies that may exist in your organization’s database;
•Investigating whether the same owner of a vendor company shows up in a different company; and
•Searching secretary of state records, Corporation Wiki, and other online resources.
Organizations need a robust vendor onboarding process that requires vendors to submit to an in-depth review in order to identify potential conflicts with an organization’s existing employees and vendors, as well as a review of the vendor’s ownership, organization, and management team. Pertinent data should be obtained and vetted through various public databases, online resources, or similar specialized vendor credentialing software. That information allows management to make an intelligent decision regarding whether to engage or keep the vendor.
Information which should be obtained includes:
•Vendor name; •Federal employer identification number (FEIN);
•Address; •Officers’ names; •Legal structure;
•Relationship to the organization they wish to do business with in terms of previous business dealings under the current name or other names;
•Financial or ownership interests in other companies; and
•Authorization to do a background search.
This information can then be used to do online searches and confirm data against current employees and vendors. More advanced software allows you to identify liens, lawsuits, and criminal activity.
Detection of vendor-related fraud
Another critical aspect of preventing vendor-related fraud is detection. This includes:
•Understanding the business;
•Identifying what types of fraud can occur;
•Identifying symptoms of the types of frauds; and
•Following up and investigating the anomalies noted.
One procedure we find incredibly useful is looking for anomalies in data through query analysis between databases such as vendors, employees, physicians, students, professors, or any other databases. In essence, you are comparing data looking for unusual information such as duplicate listings, multiple use of the same vendor name, same vendor address, same FEIN, matching addresses between vendors and employees, etc.
Once identified, these anomalies should be thoroughly investigated. We typically look at payment histories, who is approving the invoices, what was actually done, and potentially taking pictures supporting the work that is being billed to ensure that the work was actually done. And finally, we summarize findings, document them, present them to management, and identify and implement corrective actions.
Make a case for fraud investigation
It is often more effective to make a business case explaining the benefit of an investigation instead of using technical jargon. For example:
Potential fraud/misappropriation $500,000
Current business margin 10%
Required additional sales to cover the fraud $5,000,000
Sales value of each product sold $250
Increase in units to cover the fraud 20,000 units or 1,667 more per month
Senior management is much more apt to approve a review if management can understand the business impact of the potential investigation.
The cost/benefit matrix
It has been said that the cost of prevention is far less, and the benefits far greater, than detection and investigations. There are no small frauds—just big ones you catch early.
Prevention Detection Investigation
Cost Least Moderate Highest
Benefit Highest Moderate Lowest
Our experience shows what well-intentioned and highly educated managers in an effective if not excellent control environment can often leave themselves and their organization open to fraudulent vendors if they don’t know what they don’t know. In this case, what you don’t know can really hurt you and your organization. Companies, know your vendors.
Joseph M. Palmar, CPA/CFF, CFE, has more than 20 years of experience in public accounting and business and industry. His firm, Palmar Consulting Group Inc., specializes in construction accounting, budgeting, forensic accounting, and outsourcing of CFO services.