In attempts to stay competitive, businesses focus on removing inefficiencies and constraints from their supply chains. In line with this, some are utilising available information to identify and address supply chain integrity issues.
The ideal organisation should be designed and built to operate as a well-oiled machine, able to respond rapidly, in complete synchronisation, with efficiency and control. Supply chain processes, even if brilliantly designed, still depend on well aligned people and systems. When systems are misaligned and don`t fully support business processes or people, operate with or without intent, against the best interests of the organisation, the result is inefficiency, wasted time and resources, slow or inappropriate responses and a general lack of competitiveness.
In part one, we explore some of the typical causes of a loss of integrity relating to IT systems and decision-making. Part two focuses on forensic analysis, where we highlight some specific risks and exposures to potential fraud in the procurement environment and will share ideas on controls that can be implemented to detect "red flags" timeously in order to limit an organisation`s fraud exposure.
First let`s look at three key supply chain functions to illustrate the impact of a lack of process integrity on supply chain execution.
A lack of integrity in procurement will impact the intelligent selection of supplier and the management of their performance. It will also hamper the speed, completeness and accuracy of the ordering processes and the governance of requisitioning and authorisation protocols.
Inventory management will be impacted in that visibility and control over inventory quality may be poor. Support for tactical and strategic decision-making will be slow or limited. Stock write-offs may be inflated and there could be a general lack of responsiveness and difficulty in handling SKU complexity. Distribution processes will suffer from slow cycle times. Inefficiency, high distribution costs and time wastage will manifest with poor resource utilisation and an inability to effectively interact with and manage LSP`s. This, in turn, will contribute to a lack of financial control in certain respects.
System integrity
IT systems should be aligned with processes and with each other. The risk is that this is not always the case, with the immediate impact being that they don`t accurately capture and manage business data and don`t integrate reliably with one another. Certain, more common system scenarios can threaten the integrity of supply chain process, for example where different systems interpret common information elements differently or where system data structures which don`t cater for all necessary information elements. In other instances, there is a lack of information on who has done what on a system, or indeed, what the system has done itself. Lastly, systems sometimes allow for too much non-validated free text to be captured.
Here are some practical indicators to look for within the context of inventory distribution:
* Do the number of deliveries match across planning and operational systems for a given time period? Equally, does the total quantity and weight agree?
* Are the levels of pallet and weight utilisation of vehicles reasonable? If not this could indicate a "unit or measure" discrepancy between the systems, data capture issues or lost transactions.
* Is plan adherence at acceptable levels? Poor plan adherence could also indicate issues with the transfer of planning data or the accuracy of inventory data.
* If billing is done through the operational system - assess the profitability of certain customers? Unprofitable customers may be as a result of inaccurate billing due to master data or data transfer issues.
Aside from those listed above, there are a number of other indicators which may help to assess system integrity:
* Identify other unit-of-measure, product dimension and mass discrepancies;
* Assess the degree of master data inconsistency at a field, field value and record level;
* Test for the consistent transfer and interpretation of "date" fields such as order date, dispatch date, receipt date, etc;
* Look for occurrences where transactions are deleted/cancelled and recaptured. Perhaps the system does not allow for legitimate scenarios or events to be dealt with;
* Conduct balancing cheques (by mass, number of transactions, number of shipments) between systems which deal with different aspects of the same process;
* Look for instances where transaction loops have not been successfully concluded ie, invoice numbers not fed back to distribution management system etc; and
* Create high-level visibility of transaction statuses over time, looking at their ratios to one another and an analysis of time spent within each status.
The integrity of decision-making
People also need to be aligned with processes. The way in which people participate and respond to situations should equally follow process requirements. The risk is that people don`t follow defined processes, don`t make informed or consistent decisions, don`t consider the implications of their decisions and don`t make complete or correct use of supporting systems. Here are some of the more common people-related scenarios which disrupt the integrity of supply chain execution:
* People often operate on gut feel, without proper support from information systems, either because supporting systems were never available or because trust was lost in what systems were telling them;
* Human nature tries to find shortcuts when confronted with new processes or systems thinking it will make things "easier";
* Operational staff often have a limited understanding of processes, systems and their role in the broader chain; and
* Not all role players have a consistent and aligned perception of operational and strategic objectives.
Looking at the distribution scenario once again, here are some questions which point to a lack of decision-making integrity:
* To what extent is there "panic" over month-end to get billing done because the "system" is wrong and cannot be reconciled?
* How many deliveries are still "open"? Is this reasonable?
* What does an age-analysis of various statuses across the dispatch cycle show?
Some additional indicators relating to assessing decision-making integrity include:
* Assessing the flow of purchasing activity looking at the order of events, timing between events and if all activities were carried out;
* Draw a distribution curve of key performance measure and inspect outliers for possible decision-making anomalies;
* Look for examples of low or no forecast accuracy;
* Look for high levels of repetition in data values such as statuses, quantities, durations of tasks, reason codes, etc;
* Assess when last routes, inventory thresholds and fleet allocation were reviewed; and
* Assess service level or process failure against process elements such as routes, physical facilities, supervisory personnel, shifts, etc.
Using technology to support integrity testing
Existing enterprise business intelligence environments may be a valuable source of necessary data. One would typically, however, choose less formal methods and technologies for analysing and exploring the data than those prescribed by existing production data warehouse environments. Should any of the analytical views prove helpful in the context of ensuring ongoing integrity, these can then be built into more formal production environments.
Part of the need for analytical agility involves not getting too concerned if there are not clear explanations for all data anomalies. Testing system and decision-making integrity is a continuous process where focus is given to issues of ever-increasing complexity.
It is important that technologies such as ad-hoc analysis tools and databases are leveraged to support rapid, intuitive analysis and do not become a hindrance or constraint in the process.
Typical fraud in the procurement environment
The scenarios discussed below are not intended to serve as a comprehensive guide to all types of fraud committed in the procurement environment, but rather highlights some possible scenarios, to create fraud awareness and to enable the organisation to evaluate the adequacy of its internal controls.
Processing of a false invoice for payment: Staff members on their own or staff members colluding with syndicates or existing vendors would forge the necessary documentation to process falsified invoices. Syndicates and/or existing vendor entities may also target staff members, in return for a `kickback` or a `favour` for assistance in processing the falsified invoice.
An existing invoice may be processed against the correct vendor code and may also be irregularly processed in duplicate by either:
* Processing the same invoice to a sundry creditor code or through the cashbook;
* Processing the invoice to a duplicate vendor that is created with the same details as an existing vendor code on the master file;
* Processing an old invoice again to an old inactive vendor code where the fraudster has simply just altered the beneficiary bank account number;
* Processing the same invoice to the same vendor code, where the vendor colluded with the organisation`s staff member by paying a kickback to the staff member on the portion of falsified invoices; and
* In these instances, either a false invoice may be generated by forging it on the letterhead of the company, on a copy invoice of the vendor or simply on a photocopy of the original invoice.
Irregular change in bank particulars: Syndicates may target organisations by sending a letter on an existing vendor`s letterhead (the syndicate forged or misappropriated letterhead to make instruction look authentic) to instruct an irregular change in bank particulars to that of the syndicate. Had the organisation not independently verified the change in bank particulars and made payment to the syndicate, the organisation would still owe its vendor the money.
Fronting: To bypass tender regulations, the organisation could receive different quotes from the same entity or person under the guise of different vendor names listed on the organisation`s master files. With fronting, the organisation does not receive the best price as envisaged with the tender process. This can be done by staff on their own or in collusion with a vendor entity.
VAT fraud: Vendors may record a fictitious VAT number or another valid vendor`s VAT number to irregularly charge VAT on their invoices while not being registered with SARS as VAT vendors. There is also the risk that VAT numbers may not be recorded on the invoice but with VAT charged, which are still claimed as input VAT on the invoice from SARS by the organisation.
Typical errors in the procurement environment: There are many types of errors that can occur in processing invoices for payment, however, one that we have identified to reoccur is where invoices were processed to incorrect vendor codes, and when the correct vendor queries non-payment, a copy invoice is sent, which is processed for payment a second time. If the first vendor does not alert the organisation of the "unknown" payment it received and return the funds, the organisation may remain out of pocket if the incorrect payment is not detected.
There is a high risk for purely duplicate payments where no validation rules are activated over the vendor invoice number field as captured on the transaction files when an invoice is processed.
The use of analytics to address your fraud exposures - To identify fictitious or related vendors using analytics: When creating a fictitious vendor on the vendor master file, the fraudster may not be that creative and may use information that is common to him/her or use information of an existing vendor. Where the master file does not have a validation rule in place over the vendor name recorded and other critical fields, a duplicate vendor can be created with ease on the master file.
"Red flags" that could be tested for that may be indicative of fraud risk on the master file would be where vendors are identified:
* Where it is identified that fields are shared between different vendors that are supposed to be unique on each vendor, such as bank details, VAT numbers, etc;
* Where most of the abovementioned unique fields are incomplete or blank;
* Where high number of vendors share the same unique field, such as where the organisation`s own information ie, address, VAT number, etc is used and recorded as the vendor`s;
* With large invoice values with a VAT charge where no VAT number is recorded on the vendor master file;
* With VAT numbers recorded that fail the VAT algorithm test; or
* That has not been transacted with over a period of time, therefore becoming inactive.
To identify fictitious vendors through external verification: When the designated official of the organisation reviews invoices for approval to process payment, it would be very difficult at face value to differentiate between ones that appear to be false or not. It is, therefore, necessary for organisations to have master files in place as a control measure to validate entities transacted with.
Generally, master files are a very good measure of internal control in any business, but the effectiveness of the control mechanism diminishes if the information loaded is not validated against an external source to detect potential "ghost" entities/persons transacted with.
To gain assurance over the validity of all vendors on your master file, the existence of vendors can be verified against external databases by:
* Verifying the vendor name and registration number against the records available from the Registrar of Companies;
* Verifying vendor name and VAT number against the records made available by the South African Revenue Services; and
* Verifying vendor name and bank account number against the actual accountholder details against the bank account.
Further, organisations are able to establish relationships between existing vendors by comparing the names of the principals of vendors as obtained from the records available from the Registrar of Companies. This should typically identify potential "fronting" of vendors.
To identify potential employee vendor conflicts: In order to establish whether any relationships exist between employees and vendors, common field types on these master files can be compared such as bank accounts, etc. A further test, in the instance where principals of vendors have been obtained from the Registrar of Companies, would be to compare these vendors` principal details to that of the organisation`s employees on the payroll.
Once these relationships have been identified, the organisation can asses whether there was adequate disclosure in terms of the organisation`s policies or investigate transactions where any breaches have been identified.
By Dean Tebbutt and Ruan Rossouw
Share