A Deloitte survey released in mid-May revealed 29 percent of the respondents said their organizations experienced supply chain fraud, waste or abuse during the past 12 months, yet nearly as many (26.8 percent) have no program to prevent and detect those risks. FEI Daily spoke with Mark Pearson, principal, Deloitte Financial Advisory Services, about supply chain risk and the CFO’s role in risk management.
FEI Daily: If you look at supply chain fraud risk, are you seeing the problem before more acute?
Mark Pearson: It’s not that the prevalence of fraud is increasing necessarily, but rather, the ability of companies to detect and manage fraud is improving. For example, the vast amount of supply chain transactions that occur through electronic data interchange (or are supported by electronic detail) can drive the forensic data analytics that enable a company to more quickly identify anomalies, including potential fraud, waste or abuse.
Mark Pearson
A lot of financial execs forget that fraud goes directly to the bottom line. For every dollar of fraud, that's one less dollar of net income and value that can be returned to shareholders. As supply chains tend to be the single largest source of cash outflows in an organization, financial execs who understand fraud’s impact to the bottom line are increasingly using electronic data and other sources of information to identify, mitigate and reduce that fraud, waste or abuse that I think has been prevalent in supply chains since the existence of time.
FEI Daily: Are more companies interested in applying analytics to their supply chain data?
Pearson: Basic data analytics are going to help companies identify trends, signals, or faint markers that nobody used to look for. Instead of running a query to say, "Show me all invoices that are duplicates in a certain data set," for example, what we find is that the more advanced companies and finance professionals are saying, "Let me analyze all available data to help inform me of what questions I should be asking to identify potential fraud, waste or abuse."
What they're saying is, “let me look for trends, patterns or other apparent anomalies in the data and then when I start seeing some, perform the work to figure out why that's the case and whether it’s a good indicator of potential fraud.” Many times, they'll find questions that they never would have asked in the first place. For example, if there is a spike of invoice transactions occurring at $49,000, what they might find out is that there are additional invoice approvals for anything over $50,000 in certain business units. In order to circumvent this control, some vendors may be splitting their invoicing in a way to stay under that radar which, obviously, is a red flag that finance professionals would want to know about.
FEI Daily: Taking a step back, how do you identify the questions to ask?
Pearson: There's a set of fundamental questions that are pretty straightforward. When we talk about supply chain fraud, there are probably 50 or so things that I want to better understand, the least of which is, simple things like, "Are there duplicative invoices?" and “What proportion of your supply chain is indirect versus direct procurement?” I also want to look at the process by which vendors were chosen for any given project or any given procurement activity. I want to get a better understanding of any acknowledged weaknesses within a company’s supply chain process overall, from identification of a business need to vendor selection and--ultimately--to invoice approval and payment.
The term “supply chain” can mean many things to different people. One way to view the supply chain is to group activities into subsets or “verticals,” like procurement, inventory and distribution. So, if you think about those three verticals, you've got a couple of questions that you ask yourself within each, such as, "Is there a supply chain fraud that employees could perpetrate without any assistance from the outside? Are there frauds outsiders could perpetrate without the assistance of any inside employees?"
There are frauds that involve insiders colluding with external parties – these can tend to be the most damaging as they are often the most difficult to detect. Having an understanding of how your company’s supply chain is structured and of where your own strengths and weaknesses are will help you to figure out which of those 50 fundamental or base questions that I talked about earlier you should be asking and which are most relevant to your organization.
In addition to very basic items like duplicative invoices, other very common questions we ask include: How detailed are the invoices that you require from your vendors in order to pay them? Is there a single line item that says, “For services provided?” Do you require sufficient detail as to the services, labor, materials or other expenses provided?
One of the failings that I've seen has been, as finance folks, we know finance, we know economics, we know accounting, we don't tend to have technical specialties in certain areas for invoices that we are ultimately approving, such as IT invoices or engineering services. For example, if there's an IT invoice containing a lot of highly technical detail, what do most CFOs and most finance professionals do? They rely upon their IT director, asking "Does this make sense to you and is this okay to pay?" And when that IT director says, "Yep, it's all good to go," that can pose a problem. We've seen in the past that the people approving invoices are also approving their payment upon receipt. If there’s no stop-gap, you’re just opening the door to fraud.
We've seen multi-million dollar frauds facilitated because finance professionals approve payments relying on the business's approval of whether or not something is okay to pay. Does that mean that CFOs and finance professionals need to understand technical engineering and IT specs? Not at all. But, what it does mean is that finance professionals need to verify that their trust is well placed. So, yes, you should trust your IT director; however, if that IT director is also approving invoices for payment, consider seeking a second, more independent opinion on the contents of the invoice.
FEI Daily: In the survey you released recently, employees were cited as a leading fraud risk. Was that surprising?
Pearson: It was very surprising for a couple of reasons. If you would have asked that question a couple of years ago, I think the response would have been much lower. Many executives tend to rely on their hiring process and might say things like, "Well, we hire good people, it's not going to happen here." But I think companies are starting to understand that even if they have outstanding hiring and vetting processes, there are still going to be people who either fly under the radar or--more likely—whose circumstances change after they’re hired, providing incentive or pressure to commit fraud. Maybe they're going through some financial, health-related, or other kinds of difficulties that have made them decide to perpetrate a fraud.
Companies are getting wiser about the risk that their own employees place on their supply chains. Since roughly two-thirds of frauds detected through tips and complaints, often from employees, companies have developed more robust responses to hotline information. Further, management has learned that bad-acting employees pose a significant risk to their companies and whistleblowers are key to detecting and stemming that bad activity.
FEI Daily: What is the CFO's role in helping to prevent fraud?
Pearson: The CFO's key role is to set the tone of the financial reporting function and to support the tone of the organization overall. Specifically, a CFO can set the tone at the top for financial reporting and for accounting to convey that if you see something, you have to say something. As financial reporting and accounting professionals, the most valuable asset we have is our ethics and character. Convey to employees that if their names are associated with bad invoice approvals, for example, they will be held accountable.
It helps to have employees understand they’re part of a larger system, and there's a lot of reliance on everyone to do the job right. So, I would encourage CFOs to play that role of a strong leader in conveying that it's important the organization does well financially, but it's more important that we do things properly. Making clear that impropriety won’t be tolerated encourages the right tone and a culture of reporting potentially inappropriate activity.
FEI Daily: Are you seeing more awareness in some industries versus others?
Pearson: The companies that are most ahead of the curve tend to be in highly regulated industries—for example, health care and life sciences. At the other end of the spectrum are companies in less regulated industries with little end-consumer interaction – for example, tier-2 or tier-3 B2B manufacturers without an end-consumer focus. If word got out that there was a fraud or other problem in a lower tier manufacturer, the reputational exposure would tend to be less than a company with a high interaction with end consumers.
On the other hand, the consumer-oriented, consumables businesses--whether it’s food or drugs--tend to be closer to the leading edge in identifying and detecting supply chain fraud, because the cost of not doing so can be considerably higher when public health may be at issue.
FEI Daily: How big of a challenge is complacency?
Pearson: Complacency certainly exists. I think the desire to say, "That's not happening here," and basically to sweep things under the carpet is greater in the organizations that lack a strong ethical tone at the top, an enterprise-wide understanding that fraud occurs—or both.
Complacency is something that can bite a company. But, I think the way that you combat that is pretty straightforward. One of the most cost-effective ways to address that is through annual fraud training, where you focus time on some of the most likely frauds for that organization, the indicators or red flags, and what to do if you suspect fraud.