by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice
In recognition of the Association of Certified Fraud Examiners and International Fraud Awareness Week, Protiviti, whose practitioners include over 100 members of the ACFE, is releasing a series of tips on fraud awareness to assist the ACFE in communicating the many ways that fraud can affect your organization. We also suggest proactive steps you can take to better position you and your organization in the ongoing fight against fraud.
We perform many internal investigations for companies every year. In our experience, the most common fraud committed against a company relates to vendors that either don’t exist, are corrupt, or are secretly owned by a company insider who is directing business to them.
Let’s start with companies that don’t exist. Seems simple enough, and yet it may not be. It is very easy to register a legal entity in any of the 50 states. All you need is an address, a contact person to serve as registered agent to receive mail on behalf of the company, and the ability to pay the registration fee (which is usually around $200). It is even easier to register a fictitious name and get a business certificate in that name.
Most banks will permit you to open a commercial bank account using either a company registration or a business certificate evidencing your registration of a fictitious name. There are more controls around registering a legal entity than around registering a fictitious name. In practice, you are not supposed to be able to register the name of a company that already exists, and your application is supposed to be compared to a database of known companies to prevent more than one company from having that name.
Fictitious name registrations are not quite as stringent – it is possible to register a fictitious name that closely matches that of a real and possibly well-known company.
Once you have registered your fake company and used it to create a real bank account, you’re more than halfway there. To perpetrate the fraud, you then need to create authentic-looking invoices from that company that would fit with the business to which the invoice is being submitted so that it does not stand out from the crowd of hundreds of other invoices being processed by the company. Ideally, the person who approves the invoice for payment is in on the scheme so they don’t scrutinize it too closely and simply send it along.
Once a manager with invoice approval authority has approved an invoice, many companies simply process it for payment. A fraudster submitting bogus invoices will often start with one fake company and periodically submit an invoice for payment. If the scheme goes undetected, two things tend to happen: the size and frequency of the invoices increase, and new bogus vendors are added. Before long, there may be dozens of bogus vendors for which checks are being issued, though no goods or services are exchanged. Schemes like this have been known to go on for many years.
Another form of vendor fraud involves actual vendors of the company who act in collusion with one or more company insiders. This can happen in a number of ways. Vendors can submit invoices for services not performed or goods not delivered. These vendors may also submit invoices at inflated prices. All that’s required is that the vendor and someone in the company agree in advance how much the invoice should be, how much each conspirator will receive from the proceeds of the payment of the bogus or inflated invoice, and how the vendor will deliver the money to the corrupt company insider.
Vendor companies that are secretly owned by company insiders work in a similar way. The only difference is that they don’t have to take the extra step of deciding who gets what percentage of the proceeds of the fraud because the corrupt employee, as owner of the fraudulent vendor company, keeps it all.
How Can You Avoid Being a Victim of Vendor Fraud?
Here are some tips:
- Obtain and review vendor master files and sort by aggregate spend.
- Review any vendor name receiving significant aggregate spend for which no one recognizes the company name or for which the vendor file has limited to no supporting documentation.
- Perform periodic background investigations of new vendors and existing vendors above a certain aggregate spend threshold and compare results to information contained in human resource databases, most notably last names, addresses and phone numbers that employees have in common with any vendors.
- Be alert for companies with very little information in the public domain, with addresses in common with employees or officers, and/or with dates of establishment that correspond to the approximate time frame when the vendor first started receiving payments from the company.
- Look for trends or patterns associated with approved invoices that are suspect, including whether they are similar in appearance, have the same font, are in recurring or round dollar amounts, were approved by the same person, etc.
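The tips above can be run as a single review pass over vendor master, HR and payment data. The following is an added example, not part of the original article; the records are constructed, and the field names, the 90-day window and the $1,000 rounding unit are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records; field names and thresholds are assumptions.
VENDORS = [
    {"id": "V1", "name": "Acme Industrial Supply", "last": "Lee", "address": "100 Main St",
     "phone": "555-0100", "established": date(2009, 3, 1), "docs": 6},
    {"id": "V2", "name": "Northgate Consulting", "last": "Harris", "address": "42 Elm Rd.",
     "phone": "555-0142", "established": date(2021, 5, 10), "docs": 0},
]
EMPLOYEES = [
    {"name": "Dana Harris", "last": "Harris", "address": "42 elm rd", "phone": "555-0199"},
    {"name": "Sam Ortiz", "last": "Ortiz", "address": "9 Oak Ave", "phone": "555-0177"},
]
PAYMENTS = [  # (vendor id, invoice date, amount, approver)
    ("V1", date(2021, 6, 2), 1843.17, "mgr_a"), ("V1", date(2021, 7, 9), 12410.55, "mgr_b"),
    ("V1", date(2021, 8, 3), 7312.40, "mgr_a"), ("V2", date(2021, 6, 1), 5000.00, "mgr_c"),
    ("V2", date(2021, 7, 1), 5000.00, "mgr_c"), ("V2", date(2021, 8, 1), 10000.00, "mgr_c"),
    ("V2", date(2021, 9, 1), 15000.00, "mgr_c"),
]

def norm(value):
    """Lowercase and strip punctuation so '42 Elm Rd.' matches '42 elm rd'."""
    return "".join(ch for ch in value.lower() if ch.isalnum())

def review_vendors(vendors, employees, payments, new_entity_days=90, round_to=1000):
    """Return vendors sorted by aggregate spend, each with the red flags it raised."""
    by_vendor = defaultdict(list)
    for vendor_id, when, amount, approver in payments:
        by_vendor[vendor_id].append((when, amount, approver))
    report = []
    for v in vendors:
        pays = sorted(by_vendor[v["id"]])
        if not pays:
            continue
        flags = ["no supporting documentation"] if v["docs"] == 0 else []
        for e in employees:  # HR cross-check on last name, address and phone
            flags += [f"{f} shared with employee {e['name']}"
                      for f in ("last", "address", "phone") if norm(v[f]) == norm(e[f])]
        # Entity created around the time payments began (or even after the first one)
        if (pays[0][0] - v["established"]).days <= new_entity_days:
            flags.append("established close to first payment")
        if all(amount % round_to == 0 for _, amount, _ in pays):
            flags.append("only round-dollar invoices")
        if len(pays) >= 3 and len({approver for _, _, approver in pays}) == 1:
            flags.append("every invoice approved by the same person")
        report.append({"id": v["id"], "name": v["name"],
                       "spend": round(sum(a for _, a, _ in pays), 2), "flags": flags})
    return sorted(report, key=lambda r: r["spend"], reverse=True)

REPORT = review_vendors(VENDORS, EMPLOYEES, PAYMENTS)
```

A flag is a prompt for a closer look at the vendor file, not a finding of fraud; shared last names in particular produce false matches and need manual review.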
Vendor fraud is one of the most common fraud schemes perpetrated against companies. If you’ve never experienced a vendor fraud, do you think it’s because you’re just lucky, or is it that you’re not looking carefully enough?