Managing the risk of supply chain fraud
6 steps companies can consider to shore up supply chains against the rising tide of global protectionism and other disruptors.
Business disruption comes in many forms. Lately, we have seen it in the form of increased global protectionism. Whether favorable or unfavorable, disruptions inevitably lead to changes in the way organizations must conduct business to succeed and be profitable.
Perhaps more important, disruption has a huge impact on an organization’s risk profile. Anytime there is significant change in an organization, inefficiency and financial crime may have an opportunity to get a toehold in the business’s operations.
The complexity of global commerce makes many supply chains especially vulnerable to fraud, waste, and abuse as a result of disruption. A challenge for risk and finance teams lies in understanding how disruptive forces can create a breeding ground for such issues and what they can proactively do to protect their business.
Fraud, waste and abuse in the supply chain
Government actions frequently impact supply chains and can be a source of supply chain disruption. One example was the establishment of the Foreign Corrupt Practices Act (FCPA) in 1977, along with subsequent trends in enforcement. The FCPA pushed companies to identify and cut business ties due to risk of corruption, and to forge new relationships only after proper due diligence and vetting.
Another example is the disruption created by the imposition of sanctions on certain political regimes, which can make organizations shift sourcing strategies and vendor relationships. And consider the supply chain disruption caused by the Great Recession, wherein scores of global suppliers and vendors succumbed to bankruptcy or dissolution as a result of the financial shock.
All these examples required companies to pivot quickly to navigate through supply chain disorder. In such scenarios, executives tend to focus first on big-picture activities like maintaining business continuity and operational sustainability, rather than on function-specific tasks such as analyzing their changing supply chain risk profile or vetting new and existing vendors. This can open the door for bad actors to take advantage of the disruption. Unfortunately, companies often fail to apply adequate resources to achieving insight into, and inspection of, their supply chains until after they have experienced an extended period of disruption.
As a hypothetical illustration of how disruption may increase the risk of fraud, waste, and abuse, consider the wide variety of economic sanctions that exist. If sanctions against one entity in your supply chain forced your organization to find a new group of suppliers in another region of the world, that requirement might drive up your costs significantly. Also, if you were forced to identify a host of new suppliers on short notice, you might end up focusing on the operational-capacity characteristics of potential suppliers, and might forgo performing the type of due diligence you would conduct if you were under less time pressure.
Moreover, pinning down clear pricing and procurement policies takes time following geopolitical changes. Some suppliers may take advantage of this period of uncertainty by artificially ratcheting up prices or charging new pass-through costs that could get lost in the disruption. Thus, the rush to counteract the effects of tariffs might create an increased fraud risk and open companies up to significant financial losses. It potentially might also expose them to legal and regulatory investigations, civil and criminal litigation, and even reputational damage, which could be very costly.
Regardless of the type of disruption that occurs, you need to have a plan of action that contemplates the potential impacts to your supply chain risk profile. Then you need to put in place appropriate measures to protect your supply chain operations from abuse.
What should risk and finance teams do to mitigate fraud risk?
Thankfully, there are a number of ways to strengthen your fraud mitigation toolkit to help combat fraud, waste, and abuse in the supply chain.
1. Perform ongoing due diligence and thorough analyses of vendor risk. In research Deloitte published last year, roughly one-third (33.4%) of finance and accounting professionals indicated that their organization does not maintain a vendor or supplier inventory, nor does it track the type of data those vendors and suppliers have access to. Irregular or incomplete vendor and supplier due diligence can open the door to supply chain fraud, waste, and abuse, and leave a company more vulnerable to disruption; therefore, assessments should be ongoing and structured to obtain meaningful data.
Related: It’s never a bad time for a supplier risk review
What might an assessment look like? Something as simple as a risk-profiling questionnaire that encompasses both quantitative and qualitative risk values can be helpful in identifying possible related entities, pinpointing anomalies, and monitoring a vendor’s track record over time. For example, does the supplier have a strong track record for meeting contractual obligations? Do any of its other business relationships create conflicts of interest?
It can prove informative to understand how a third party’s due diligence and compliance policies, such as conflict-of-interest disclosures, compare with your own. However, a company should never rely solely on information supplied by the third party. The devil is in the details, and those details need to be verified through your internal due diligence processes.
Oversight of third parties should also encompass monitoring updates to sanctioned-entity and politically exposed persons (PEP) lists. Ever-more-sophisticated monitoring tools are leveraging open-source information and data analytics in an effort to identify warning signs early across a variety of risk areas including human trafficking, rights abuses, and other social issues. Analysis of social media is one area of supply chain data analytics.
The frequency and intensity of supplier assessments is crucial. A leading practice is to assess riskier suppliers more frequently than those considered less risky. Another good practice is to consider reassessing a supplier’s risk anytime the company needs to increase business from that supply chain partner or anytime the partner experiences a problem.
While there is no “magic bullet” approach to anticipating or preparing for all potential disruptions, taking a crisis-management-focused approach can help a company deal with those disruptions when they occur.
2. Understand each vendor’s business inside and out. It is critically important to understand your vendors’ operations, accounting controls, and reporting requirements. It is even more important to understand how these change over time, especially during periods of heightened disruption. Your company’s internal data can be mined to look for trends in risk areas including supplier quality issues, upticks in component-product failure rates, volatility in delivery patterns, and concentration risk in suppliers or specific geographic regions. A robust supply chain forensic strategy incorporates ongoing due diligence on vendors, coupled with periodic forensic inspections of vendor interactions.
3. Scrutinize the terms of vendor agreements. Contracts are one of the most important weapons for finance teams fighting supply chain fraud. Make sure your finance or risk management staff is routinely scrutinizing the company’s highest-risk supplier contracts to identify any accounting or other contractual considerations. Such an analysis can consist of looking at contract terms and conditions and evaluating whether they conform to the company’s current standards. For instance, a contract that is 10 years old and has undergone numerous modifications may require greater scrutiny — and may be a candidate for renegotiation, to simplify the overall structure of the contractual relationship. If this analysis reveals fraud risks or gaps with a certain vendor, consider approaching that supplier with a request to revise the agreement in a way that closes the loopholes.
Further, as the company is negotiating future supplier agreements, make sure the final contract identifies payments the organization is not obligated to make and includes the “right to audit.” Right-to-audit clauses are important in any vendor agreement because they allow a company to review its transaction history with that vendor for fraud or contract violations. Not only are these clauses important for ongoing risk mitigation, but vendor audits (when conducted regularly) can be a powerful tool in building greater trust between trading partners.
4. Analyze invoices prior to payment. This one tends to surprise people, but in our 2017 research, only 38.6% of finance and accounting professionals reported that their organization analyzes incoming invoices for evidence of supply chain fraud, waste, and abuse before it pays those invoices.
Companies should be vigilant in their efforts to promptly uncover duplicate invoices, suspicious pass-through costs, and even the origination of the bill. A key element to facilitate such analyses is to understand how the invoices are structured and to contractually require that invoices/invoice support are in electronic format. Having structured invoice data simplifies the ability to use data analytics to look for potential overbilling or fraud risks relative to the supplier’s prior invoicing and the company’s procurement activities in general.
In addition, billing outside of contract terms, whether fraudulent or not, can be significant, particularly in specific areas such as large capital projects. Monitoring for issues in these areas — before you pay the vendor — can provide much greater leverage in negotiations around disputed amounts.
5. Institute data mining and analytics processes. Companies should use data mining and analytics tools to scrutinize procurement and invoicing processes on an ongoing basis. They should look at information that comes directly from the vendors in the form of invoice data, as well as information provided during the due diligence process. This is largely a quantitative exercise — comparing invoiced transactions against the contract and other historical vendor data.
Data analytics can also be utilized to look for predefined fraud markers, such as high frequency of rapid payment to a particular supplier, indicating the potential risk of an unusual relationship to that party or a purposeful action to avoid scrutiny of invoicing. Another example is mining data to look for previously unknown trends, such as a procurement manager who sources to one contractor at a higher frequency than his or her peers. This type of anomaly could be an indicator of an employee accepting kickbacks to funnel work on a sole-sourced basis outside the normal bounds of competitive bidding practices.
Deloitte research has found that companies’ use of analytics to mitigate the risk of third-party supply chain fraud, waste, and abuse jumped from 25.2% in 2014 to 35% in 2017. Technology is helping organizations detect and quantify potential overspending in typical high-risk categories, such as labor, allocated or shared expenses, cost-plus transactions, and third-party pass-throughs. This trend is encouraging, but if these systems are not updated regularly, they will become outdated over time. Even the most advanced analytics users need to implement processes that ensure their efforts to stem supply chain fraud, waste, and abuse are constantly evolving to capture new threats and risks.
6. Monitor your employees. Monitoring vendors is important, but so is monitoring employees for instances of fraud in the supply chain. A 2015 Deloitte poll of finance and accounting professionals found that employees present the largest source of supply chain fraud, waste, and abuse at 22.9%, followed by vendors at 17.4%.
Questionnaires can be just as helpful in keeping internal stakeholders honest as they are with vendors. For example, a fraud-prevention group within finance might ask procurement teams to report on whether competitive bids are required for purchases, whether logs of all items received from vendors are maintained, etc.
Even self-reporting on these activities can be effective because it tells employees that the company is monitoring them — which raises the stakes for those who might be tempted to commit fraud. A compliance helpline is another critical fraud-prevention tool, and is typically the greatest source of information regarding potential concerns. Publishing and promoting helpline contact details to the employee base, as well as making this information public on the company’s website, can help to increase awareness of reporting channels for potential concerns and trigger earlier identification of issues that could have a significant impact on the business.
What comes next?
If you think your supply chain is safe from fraud simply because you have not experienced any incidents in the past year, you may want to think again. Although companies seem to be doing more to counteract supply chain fraud today, financial crimes are likely just as prevalent in corporate supply chains as they were several years ago. Deloitte’s research does not indicate that the frequency of supply chain fraud, waste, and abuse has dropped off since 2014.
Predicting disruption is difficult, but preparing for it is possible. The first step is to make sure finance decision-makers understand that their organizations will likely face intensified risk of supply chain fraud, waste, and abuse in times of change. Shoring up supply chain processes before the disruption occurs is key to coming through the change with minimal damage.
Fraud can find the most unsuspecting places to take root. Make sure to stay alert, and don’t let it take your business by surprise.
Pearson and Kivett co-lead Deloitte’s supply chain forensic offering.