Our webinar series on internal investigations is generating lots of good questions from participants. The series kicked off in November 2014 with Internal Investigations for Non-Investigators, which offered a broad overview of the topic. The second webinar, Misplaced Trust: Investigating Vendor Fraud, was held in March 2015.
The series is co-presented by Scott Moritz, global lead of Protiviti’s Investigations & Fraud Risk Management practice, and Peter Grupe, a director in that group. Scott has 28 years of investigative experience, including nearly 10 years as an FBI special agent. Peter, a former assistant special agent in charge of the FBI’s white collar crime program in New York, has over 25 years of experience investigating financial crime.
In this blog entry, Scott answers some great caller questions that came up in the Vendor Fraud session.
Q: What is a best practice to validate new vendors?
A: Historically, companies collected information from vendors in order to set up payments. This basic data falls far short of what is required to make informed risk-based decisions — for regulatory compliance and fraud risk management, among other things.
Today, companies need to be able to readily segregate upstream suppliers from those empowered to act on the organization’s behalf (often referred to as “intermediaries”). If a company acts on your behalf, Protiviti recommends collecting richer data — including the names of executives, owners, and whether the company is public, private, or government-owned; how long the company has been in existence, revenue (if disclosed), and whether the client is the vendor’s largest customer.
Q: If you are performing a typical vendor audit (i.e., no initial suspicion of fraudulent activity), what are the best techniques to identify fraud, such as vendor kickbacks?
A: Just because you don’t suspect vendor fraud, doesn’t mean it’s not going on. Vendor fraud is the most common type of fraud and accounts for 18 percent of fraud losses — particularly at large organizations.
Top of mind:
- Compare vendor master data with personnel data. Look for addresses in common. (Be mindful of privacy restrictions in certain jurisdictions such as the EU).
- Vendors of almost any size will leave some sort of footprint in the public domain – social media presence, etc. You would expect any commercial entity to have some record of its existence in the public domain. Entities that exhibit little to no footprint warrant closer scrutiny.
- It is also prudent to search global watch lists, such as by the Office of Foreign Assets Control (OFAC), which tracks international trade violators and sanctions; the U.S. General Services Administration’s (GSA) System for Award Management (SAM) list, which includes a list of companies that have either failed to perform or have committed fraud against the U.S. government and have been debarred; and the U.S. Department of Commerce Bureau of Industry and Security list, which includes companies that have violated U.S. boycott laws.
- Look for red flags. Kickbacks are a type of fraud that may raise very specific red flags. Compare contracts for a vendor suspected of paying kickbacks to those of comparable vendors – is unit pricing or aggregate spend out of line? Did your investigation reveal that one or more employees are unusually close to someone at the suspect vendor?
Q: Can you give some examples of the types of background checks you perform on new or existing vendors?
A: First, let me distinguish between a background check and the watchlist matching process (sometimes referred to as “screening”) we were discussing earlier. Screening deals primarily with vendor-supplied information and comparing it to one or more lists of debarred parties. Background investigations use publicly available information, beyond the watch lists I’ve mentioned, to bring to light past bad behavior by vendors that may cast doubt on their character and the veracity of self-reported data. Public information includes things such as regulatory actions, pending or prior criminal actions, lawsuits, bankruptcies, liens, judgments, affiliated companies, companies with common ownership, etc.
If the public record shows that somebody has done something improper or illegal in the past, there’s a good chance they’re going to do something similar in the future. Not a lot of people (or companies) wake up one day and decide to embark on a life of white collar crime. Most people involved in fraud or corruption have been involved in similar crimes for many years and very few of them find redemption.
Q: In doing a standard, cyclical vendor audit, what are some things we should look for to identify vendor-related fraud? Presumably, the vendor itself in all these cases is legitimate as we are doing business with them.
A: The GSA produces a blacklist of companies that have either consistently failed to perform their obligations under government contracts, or have defrauded the government. If a vendor has no qualms about defrauding the federal government and facing those kinds of sanctions, they’re going to have no qualms about defrauding you. Debarments are a sign you want to pay attention to, as past behavior is a good predictor of future behavior. There is a wide array of debarment lists maintained by the federal, state and local government as well as several of the larger, multilateral banks (World Bank, European Bank for Reconstruction and Development, Inter-American Bank, etc.)
We’ve seen a significant uptick in demand for master vendor file audits. Not sure what is contributing to this, but a lot of organizations are finding that the volume of vendor contracts requiring auditing is overwhelming and are seeking to leverage electronic tools to detect undisclosed conflicts of interest, fictitious vendors and any vendors who have pending or historical sanctions against them.
Protiviti will continue to promote an ongoing dialogue on fraud, fraud risk, financial crime and corruption through its thought leadership and continuing its webinar series on internal investigations.