
Vendor Assessment – Backing Corporate Counsel

Pre-emptive fraud risk assessments targeting client vendor security are increasingly receiving CFE attention. This is because in the past several years, sophisticated cyber-adversaries have launched powerful attacks through vendor networks and connections and have siphoned off money, millions of credit card records and customers’ sensitive personal information.

There has, accordingly, been a noticeable jump in those CFE client organizations whose counsel attribute security incidents to current service providers, contractors and former partners. The evolution of targets and threats outside the enterprise is powerfully influencing the current and near-future risk landscape. CFEs who regard these easily predicted changes in a strategic manner can proactively assist their client’s security and risk leadership to identify new fraud prevention opportunities while managing the emerging risk. To make this happen, enterprises require adequate oversight of, and insight into, vendor-related fraud and security risk as part of a comprehensive cyber-risk management policy.

Few managements anticipated only a few years ago that their connectivity with trusted vendors would ever result in massive on-line exploits on sister organizations like retailers and financial organizations, or, still less, that many such attacks would go undetected for months at a time. Few risk management programs of that time would have addressed such a risk, which represents not only a significant impact but whose occurrence is also difficult to predict. Such events were rare and typically beyond the realm of normal anticipation; Black Swan events, if you will. Then, attackers, organized cyber-criminals and some nation-states began capturing news headlines because of high-profile security breaches. The ACFE has long told us that one-third (32 percent) of fraud survey respondents report that insider crimes are costlier or more damaging than incidents perpetrated by outsiders and that employees are not the only source of insider threat; insider threat can also include former employees, service providers, consultants, contractors, suppliers and business partners.

Almost 500 such retailer breaches have been reported this year alone targeting credit card data, personal information, and sensitive financial information. There has, accordingly, been a massive regulatory response. Regulators are revisiting their guidelines on vendor security and are directing regulated organizations to increase their focus on vendor risk as organizations continue to expand the number and complexity of their vendor relationships. For example, the US Office of the Comptroller of the Currency (OCC) and the Board of Governors of the US Federal Reserve System have released updated guidance on the risk management of third-party relationships. This guidance signals a fundamental shift in how retail financial institutions especially need to assess third-party relationships. In particular, the guidance calls for robust risk assessment and monitoring processes to be employed relative to third-party relationships, and specifically those that involve critical activities with the potential to expose an institution to significant risk. CFEs and other assurance professionals can proactively assist the counsel of their client enterprises to elevate their vendor-related security practices to keep pace with the ever-evolving fraud threats and security risk associated with their client’s third-party relationships.

Vendor risk oversight from a security point of view demands a program that covers the entire enterprise, outlining the policy and guidelines to manage and mitigate vendor security risk, combined with clearly articulated vendor contracts negotiated by the corporate counsel’s function. Such oversight will not only help organizations improve cybersecurity programs but also potentially advance their regulatory and legal standing in the future. What insights can CFEs, acting proactively, provide corporate counsel?

First, the need for executive oversight. Executive alignment and business context are critical for appropriate implementation throughout the organization. Proper alignment is like a command center, providing the required policies, processes and guidelines for the program. The decision to outsource is a strategic one and not merely a procurement decision. It is, therefore, of the utmost importance that executive committees provide direction for the vendor risk management program. The program can obtain executive guidance from:

–The compliance function to provide regulatory and other compliance requirements that have specific rules regarding vendor risk management to which the vendor organizations must adhere;

–The IT risk and control function to determine the risk and the risk level, depending on the nature of access/data sensitivity shared with the vendor(s). The vendor risk management program should utilize the key risk indicators provided by this function to address risk during vendor assessments;

–The contract governance function and corporate counsel to ensure that vendor contracts adequately address the need for security assessments and define vendors’ obligations to complete these assessments.

Most larger organizations today deal with a considerable number of third parties and service providers. Missing contact information, responsibility matrices or updated contracts are typical areas of concern for which risk managers might engage CFEs to initiate fraud risk assessments. This can pose a significant challenge, especially when there are multiple teams involved in carrying out the procurement business process. A vendor and contract database (VCD) ensures that an accurate and complete inventory of vendors is maintained, including other third-party relationships (e.g., joint ventures, utilities, business partners, fourth parties, etc.).

In effectively assessing a vendor risk management program, the CFE can’t conduct the same type of fraud risk assessment for all vendors. Rather, it’s necessary to identify those vendor services deemed to carry the greatest risk and to prioritize them accordingly. The first step is to understand which vendors and services are in the scope from an active fraud risk management perspective. Once this subset of vendors has been identified and prioritized, due diligence assessments are performed for the vendors, depending on the level of client internal versus vendor-owned fraud prevention and detection controls. The results of these assessments help establish the appropriate trust-level rating (TLR) and the future requirements in terms of CFE assisted reassessments and monitoring. This approach focuses resources on the vendor relationships that matter most, limiting unnecessary work for lower-risk relationships. For example, a vendor with a high TLR should be prioritized over a vendor with a low TLR.

Proper control and management of vendor risk requires continuous re-assessment. It’s important to decide the types of on-going assessments to be performed on vendors depending on the level of their TLR and the risk they represent.

Outsourced relationships usually go through iterations and evolve as they mature. As your client organizations strategize to outsource more, they should also validate trust level(s) in anticipation of more information and resources being shared. With technological advancements, a continuously changing business environment and increased regulatory demands, validating the trust level is a continuous exercise. To get the most rational and effective findings, it’s best to use the results of ongoing assessments. In such a reiterative process, it is necessary to continuously monitor and routinely assess vendors based on the trust level they carry. The program should share information about the vendor security posture and risk levels with corporate counsel or another executive sponsor, who can help the organization progress toward the target profile. Clearly communicating the fraud risk from a business perspective can be an additional feature, especially when reports are furnished to inform internal stakeholders, internal audit functions, lines of business and the board of directors, if necessary.

Vendor fraud risk management elevates information security from a technical control business process to an effective management business process. Regular fraud risk security assessments of vendors give organizations the confidence that their business is aware of the security risk involved and is effectively managing it by transferring, mitigating or accepting it. Comprehensive vendor security assessments provide enterprises with insight on whether their systems and data are being deployed consistently with their security policies. Vendor fraud risk management is not a mere project; it is an ongoing program and requires continuous trust to keep the momentum going. Once the foundational framework has been established, our client organizations can look at enhancing maturity through initiatives such as improving guidelines and procedures, rationalizing assessment questionnaires, and more automation. Awareness and communication are key to ensuring that the program is effective and achieves its intended outcome, securing enterprises together with all their business partners and vendors.

A Piece of String

One of our local members is a part-time adjunct accounting instructor at a community college. She recently asked if any of her fellow chapter members could supply a teaching example of an occupational fraud that started out simply and then escalated. Turns out, one of our out-of-state readers had just such an example and I thought I’d share it with you.

The ACFE tells us that any organization or department is susceptible to occupational fraud. The following example illustrates how important it is for every management team to continuously analyze its internal accounting controls as well as the general control environments of all its operating departments. Organizations and their management commit a critical error, and actually enhance opportunities for fraud, by trustingly believing that fraud can’t occur in their organization. Fraud prevention is as much about awareness of the existence and potential for fraud as it is about the development of key controls to safeguard assets.

Fred Blevins was the manager of the kitchen fittings section of a large, luxury kitchen design and installation company. The company employed a host of equipment vendors and installation subcontractors. As the section manager, Blevins was responsible for completion of requisition forms for the purchase of outside resources such as custom fittings, outsourced kitchen installations, parts, supplies, and production consumables. Blevins also developed section cost budgets and approved vendor invoices for payment of items originally requisitioned through the fittings section. Blevins reported to the interior design director, Sally Jefferson, who relied heavily on Blevins’ judgment and honesty in completing the non-design related responsibilities associated with managing her department.

Even though his job at the design company provided a good living, Blevins still found it tough to make ends meet and to sustain the lifestyle to which he had become accustomed. With two sons, both trying to purchase their first homes and a daughter set to enter college, Blevins was beginning to feel the financial burden of the coming higher education and looming mortgage related expenses. Furthering Fred’s financial stress was his fondness for gambling. Fred would regularly tell co-workers of his trips to the casinos in a neighboring state. And while this talk frequently included boasts of gambling winnings, the truth was these trips more often resulted in losses.

In searching for a way to address his various financial pressures, Fred opportunely noticed that the accounting controls over the requisition of outside goods and services at his company were extremely weak or, in some cases, nonexistent. Blevins soon devised a scheme that would allow him to easily circumvent the weak controls that were in place. When functioning correctly, the company purchasing process was fairly straightforward. All requisitions associated with purchasing consumables had to be approved by the requisitioning department’s manager. Once approved, the requisition was submitted to accounting for the issue of a purchase order. Before issuing the purchase order, the accounting department checked that the purchase was within the budgetary constraints for the corresponding expense category and that the vendor was on the approved vendor list. Although the accounting department required that approved vendors provide a company name, address, telephone number, and principal contact, there was no verification or due diligence process associated with establishing an approved vendor in the accounting system – a weakness that Fred found too tempting to resist.

Fred’s scheme began simply enough with a shakedown of the vendors who supplied goods and services to the kitchen fittings section. He knew that these vendors relied on his satisfaction and approval to continue their business relationship with his company. Fred began to take advantage of his authority by requiring that vendors provide him with monetary gifts to remain on his company’s rotation for sales. Vendors that refused to cooperate with Blevins would risk a reduction in orders. To maintain business volume, most vendors “played the game” and acquiesced to Fred’s requirement. Fred’s scheme quickly evolved, and he soon began requiring that vendors pay him a “commission” on all of their sales to his company. The vendors did not report this activity to company management because of fear of reprisal and the resulting substantial loss of business revenue.

Blevins’ greed soon increased, and he began to favor one vendor in particular, a company owned by a man named Stan Fields. Fields agreed to a larger commission than the other vendors to knock out the competition and get a larger volume of business. Fields obviously believed that the return in revenue and profits was worth the risk of being discovered.

As Blevins’ and Fields’ bank accounts grew, so did Fred’s confidence in his ability to continue successfully defrauding his employer. Eventually, he decided to advance the scheme further by setting up his own fictitious vendor with Fields, FBSF Inc., to bilk his employer out of even more money. When Fred submitted the application for FBSF to be approved as a new vendor, the accounting department didn’t even notice that the president of FBSF was the same Stan Fields who owned a competing vendor company. The department also failed to notice that the address listed on FBSF’s application was a post office box. At a minimum, a routine check of the corporation’s standing with the local secretary of state’s office would have quickly revealed that this vendor was a sham.

In a classic example of a pass-through billing scheme, the two men used FBSF to purchase products from Fields’ company and resell them to Fred’s company at a marked-up rate. Thanks to the proceeds of what can clearly be defined as occupational fraud, Blevins and Fields were prospering. Over the course of a year and a half, Fred embezzled nearly $300,000 and Fields shared in the excess profits from every transaction run through FBSF.

Fred’s scheme finally unraveled when he became ill and the company was forced to delegate his duties to another employee during his absence. When Fred’s replacement contacted one vendor regarding the purchase of some fittings, the vendor’s response was “it isn’t my turn yet.” This unusual response led to further inquiry and the discovery of all the kickbacks required by Blevins in his fraudulent dealings with company vendors. As the investigation continued, Fred’s employer uncovered the fictitious vendor he had set up with Fields. When confronted, Fred initially denied any involvement in the scheme, but could not explain why his company, FBSF, received checks from his employer. As a result, Fields’ company lost all of its considerable business with Fred’s employer and was quickly forced to shut down its operations. Fred’s position was immediately terminated. Criminal charges were filed against Blevins and Fields and restitution was sought.

The bottom line is that occupational frauds, if initially successful, almost always escalate and diversify. There’s an old auditor’s question (something of an adage, really), “How long is a piece of string?” When applied to fraud examination, it means that there is usually more than one initial scenario to look for in any instance of fraud. Fred’s scheme started out as a simple shakedown of vulnerable vendors and escalated in a relatively short period of time from kickbacks to a full-scale fictitious vendor pass-through scheme with several sub-schemes thrown in along the way.

The teachable fraud prevention moment for the accounting class is that organizations should have a policy regarding new vendor approval that requires due diligence on the part of the accounting department. This process should include verification that the business is a legal business in the state represented, that the entity has a legal federal identification number and proof of liability insurance, and that the potential vendor’s owners are checked against other vendors’ owners and employees of the organization. Finally, when vendors provide a post office box as an address, the firm’s physical location must always be verified.
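To make the new-vendor due diligence above concrete, here is a small screening routine of the kind an accounting department could run against its approved vendor list before adding an applicant. This is added example code written for this post; it is not from the original article, the ACFE, or any real vendor system. All vendor and employee records are constructed (the company names other than FBSF Inc. are invented), the secretary of state standing check is modeled as a boolean result of a manual lookup, and the federal identification number check is a format check only (a nine-digit EIN written as XX-XXXXXXX), not a verification with the IRS.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches "P.O. Box", "PO Box", "Post Office Box" and similar spellings.
PO_BOX_RE = re.compile(r"\bP\.?\s*O\.?\s*BOX\b|\bPOST\s+OFFICE\s+BOX\b", re.IGNORECASE)
# Nine-digit federal employer identification number in the common XX-XXXXXXX form.
FEIN_RE = re.compile(r"\d{2}-\d{7}")


@dataclass
class VendorRecord:
    name: str
    address: str
    phone: str
    principal_contact: str
    owners: List[str]
    fein: str = ""                       # as supplied on the application
    insurance_certificate: bool = False  # proof of liability insurance received
    state_standing_verified: bool = False  # hypothetical: result of a manual secretary of state lookup


def normalize_name(name: str) -> str:
    """Lower-case, strip periods and collapse whitespace so 'Stan  Fields' == 'stan fields'."""
    return " ".join(name.lower().replace(".", "").split())


def people_of(record: VendorRecord) -> set:
    return {normalize_name(p) for p in record.owners + [record.principal_contact]}


def screen_vendor(applicant: VendorRecord, existing_vendors: List[VendorRecord],
                  employees: List[str]) -> List[str]:
    """Return a list of due-diligence findings; an empty list means no red flags."""
    findings = []
    if PO_BOX_RE.search(applicant.address):
        findings.append("address is a post office box; physical location must be verified")
    if not applicant.state_standing_verified:
        findings.append("standing with the secretary of state not verified")
    if not FEIN_RE.fullmatch(applicant.fein):
        findings.append("federal identification number missing or malformed")
    if not applicant.insurance_certificate:
        findings.append("no proof of liability insurance")
    # Cross-check the applicant's owners and contact against other vendors' owners and contacts.
    applicant_people = people_of(applicant)
    for vendor in existing_vendors:
        for person in sorted(applicant_people & people_of(vendor)):
            findings.append(f"owner/contact '{person}' also associated with existing vendor '{vendor.name}'")
    # ...and against the organization's own employees.
    for person in sorted(applicant_people & {normalize_name(e) for e in employees}):
        findings.append(f"owner/contact '{person}' matches an employee of the organization")
    return findings


# Constructed sample data modeled on the case above.
EXISTING_VENDORS = [
    VendorRecord("Fields Fittings LLC", "412 Mill Rd, Springfield", "555-0100",
                 "Stan Fields", ["Stan Fields"], "12-3456789", True, True),
    VendorRecord("Acme Cabinet Hardware", "9 Industrial Way, Springfield", "555-0120",
                 "Maria Lopez", ["Maria Lopez"], "98-7654321", True, True),
]
EMPLOYEES = ["Fred Blevins", "Sally Jefferson"]

FBSF_APPLICATION = VendorRecord("FBSF Inc.", "P.O. Box 2201, Springfield", "555-0199",
                                "Stan Fields", ["Stan Fields"])
CLEAN_APPLICATION = VendorRecord("Northside Tile Supply", "77 Commerce Blvd, Springfield", "555-0150",
                                 "Dana Kim", ["Dana Kim"], "45-6789012", True, True)

if __name__ == "__main__":
    for applicant in (FBSF_APPLICATION, CLEAN_APPLICATION):
        print(applicant.name)
        for finding in screen_vendor(applicant, EXISTING_VENDORS, EMPLOYEES) or ["no findings"]:
            print("  -", finding)
```

Run against the constructed data, the FBSF application produces five findings (post office box, unverified state standing, missing FEIN, no insurance, and an owner shared with an existing vendor), while the clean applicant produces none. The owner cross-match is the check that would have caught the scheme in the story; the others are the routine items from the policy described above.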