Excerpted from Detecting and Reducing Supply Chain Fraud (August 2012) by Norman A. Katz, published by Routledge/Taylor & Francis Group. Reprinted by permission.
Detecting supply chain fraud or any other illicit activity requires sniffing out clues while traveling down what will probably be several different investigatory paths, finding evidence, and building a case. Evidence can be material or circumstantial, though certainly the more firm the evidence, the more solid the case against the fraud perpetrators.
In the business environment, circumstantial evidence of fraud can trigger investigations and can lead to the detection of gaps and the introduction of better controls. Circumstantial evidence, when presented to an employee, may be enough to get an employee who was involved in the perpetration of fraud to agree to resign on his or her own; guilty parties may welcome the chance to avoid the involvement of law enforcement agencies if the organization decides to get them involved.
Unfortunately, the act of letting go an employee known to have perpetrated fraud leaves the fraudster free to pursue employment elsewhere and possibly run his or her scams again, the defrauded organization passing along the problem instead of stopping it. Organizations may wish to involve law enforcement agencies and press charges against their dishonest employees, but too often (and unfortunately) they may lack the will to do so; the involvement of law enforcement agencies might result in the case being reported in the news, which could negatively affect the organization's reputation, customer or supplier relationships, and perhaps even stock price. Even where the burden of proof is lower in civil versus criminal litigation, the fact that fraud occurred in an organization may make the organization reluctant to pursue any legal action for fear of the litigation being reported in the news media. I believe this is why we do not hear or read about more supply chain frauds in the media unless they are related to the abuse of taxpayer monies or involve consumer injury or death.
For the few years that followed my career change, I kept in touch with some of my former co-workers. One day I received a telephone call from an old colleague who informed me that several members of the information technology staff, one person in a purchasing role, and an executive assistant had all resigned suddenly at my former employer. Apparently they had all conspired to falsify purchase orders with regard to personal computers and related hardware components. The group was found to have stolen approximately $100,000 worth of computer parts, which were being used to support the outside computer hardware business run by several of the group members. I was informed that instead of the organization bringing in law enforcement agencies and filing criminal charges, it was strongly suggested that each person tender his or her resignation or face dismissal, and apparently each person submitted his or her own resignation shortly thereafter.
There is no guarantee that an employee found to have committed fraud will yield under pressure when presented with evidence—circumstantial or direct—and resign his or her job. It is possible that the employee knows how flimsy or firm the evidence is in reality and is therefore more able to push back against the organization. Experienced fraudsters or employees with detailed knowledge of an organization's software applications and business procedures may have the wherewithal to know how much factual or fictional evidence the organization was truly able to acquire, and thus may not be so swayed or threatened as to resign when confronted by the organization.
The burden of proof in civil litigation is the preponderance of evidence, essentially meaning that the weight of the evidence will determine the outcome of the trial. If the plaintiff's evidence carries enough weight, the defendant can be found guilty; if the evidence is not convincing enough, the plaintiff's case may be seen as too weak, and the defendant will probably be presumed to be innocent. In criminal litigation there must be evidence beyond a reasonable doubt, which basically means that a reasonable person would be able to make a determination based upon the facts presented. Evidence in criminal litigation must pass a stricter, more definitive test. Still, even with a reduced burden of evidence, civil trials can make the news, and thus make organizations wary of pursuing them and getting unfavorable media coverage.
Several days after I presented to a group of manufacturers on supply chain fraud, I received a telephone call from the symposium organizer. Following my presentation, one of the attendees went back to her company and informed the owner that she suspected a fraud. The company owner began his own internal investigation, but unfortunately mishandled it to the extent that he immediately revealed to the suspected fraudster that his (illicit) activities were being closely scrutinized. Unsurprisingly, the rogue employee began covering his tracks and ending his operations. In the end, the fraudster simply left the company. The owner still does not know how much was stolen; somewhere between $60,000 and $250,000 is the best guess. Insufficient controls, a lack of proper record-keeping, too little oversight, and too much trust by the company owner in this employee were all likely contributors to the inability to better determine the extent of the fraud.
The company owner was reduced to tears over the revelation of fraud. The fraudster had worked for the company for many years and had perpetrated his fraud through both the company's good times and bad times. Fraudsters rarely care about the financial fortunes or failures of their employer as they commit their crimes; their priority is their own needs first and foremost. The owner believed he had treated this employee, like his others, very fairly, but that is subjective and beside the point. The fraudster saw the opportunity, had a need, and took advantage of the situation. By muddling the investigation, the fraudster was allowed to go free with the ability to perpetrate fraud at his next employer. The defrauded organization was left unable to pursue him through the law, which may also prevent it from filing any insurance claims to recoup all or part of the losses.
The Dangers of Do-It-Yourself Investigation
What derailed the above investigation, and prevented the organization from involving law enforcement agencies and filing criminal charges such as theft, is that the organization made the not-uncommon mistake of performing its own investigation. Fraud investigations are not do-it-yourself projects to be undertaken by those without the proper skills. While a parking-enforcement officer and a homicide detective both perform duties related to the investigation of illegal activities, there are considerable differences in the job requirements and qualifications. A financial auditor, network supervisor, or hardware technician may be the wrong person—at least individually and initially—to assign to a suspected case of supply chain fraud.
The failure of an organization to investigate supply chain fraud with due diligence and care can result in a failure to find the fraud or a mishandling whereby the case itself cannot be pursued to the necessary extent. An investigation of an employee suspected of perpetrating fraud might require a forensic analysis of the hard drives or memory cards of the personal computer (PC) workstation, laptop, or cell phone assigned to the employee.
A failure to properly protect the hard drives during their removal from the computer can damage the drives or their contents, for example through close contact with a static electrical charge or exposure to excessive moisture or heat. A "true copy" of the hard drive should be made to protect the purity of the original source hard drive. Any forensic analysis should be performed against verifiable copies of the original hard drive, leaving one "true copy" always intact and unchanged. It is also important to remember that opening a file changes the file's last-accessed date/time stamp, overwriting the record of when the file was last accessed by the suspected fraudster. A chain of evidence must be sufficiently established and very well documented, including who was in possession of what and when (date and time). Any gaps or lapses in procedure could be used by a defendant to throw doubt upon the veracity of evidence presented by the plaintiff organization.
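The verifiable copy and the documented chain of evidence described above, as an added example that is not from the book: the image is hashed at acquisition, a working copy is accepted only if it hashes to the same value, and each hand-off record commits to the one before it so that an edited record or a missing hand-off shows up in an audit. The record fields, holder names and sample bytes are assumptions made for illustration.

```python
import hashlib
import io
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # stands in for "previous record" on the first hand-off


def sha256_stream(stream, chunk_size=1 << 20):
    """Hash an image in chunks so a whole drive image is never held in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def entry_hash(e):
    """Digest over every field of a custody record, including the previous record's hash."""
    fields = [e["prev"], e["image_sha256"], e["released_by"], e["received_by"], e["when"]]
    return hashlib.sha256("|".join(fields).encode()).hexdigest()


def add_transfer(log, image_sha256, released_by, received_by, when):
    """Append a hand-off record that commits to the record before it."""
    entry = {"prev": log[-1]["hash"] if log else GENESIS, "image_sha256": image_sha256,
             "released_by": released_by, "received_by": received_by,
             "when": when.isoformat()}
    entry["hash"] = entry_hash(entry)
    log.append(entry)


def audit_custody(log, acquisition_sha256):
    """List the gaps a defendant could point to; an empty list means none were found."""
    problems, prev_hash, holder, last_when = [], GENESIS, None, None
    for i, e in enumerate(log):
        when = datetime.fromisoformat(e["when"])
        if e["prev"] != prev_hash or entry_hash(e) != e["hash"]:
            problems.append(f"record {i}: altered or out of sequence")
        if e["image_sha256"] != acquisition_sha256:
            problems.append(f"record {i}: image hash differs from acquisition hash")
        if holder is not None and e["released_by"] != holder:
            problems.append(f"record {i}: released by {e['released_by']}, but {holder} held it")
        if last_when is not None and when < last_when:
            problems.append(f"record {i}: timestamp earlier than the previous record")
        prev_hash, holder, last_when = e["hash"], e["received_by"], when
    return problems


if __name__ == "__main__":
    # Constructed sample: 4 KiB of bytes standing in for the original drive image.
    original = bytes(range(256)) * 16
    acquired = sha256_stream(io.BytesIO(original))
    working_copy = bytes(original)
    print("working copy verified:", sha256_stream(io.BytesIO(working_copy)) == acquired)
    t0 = datetime(2012, 8, 1, 9, 0, tzinfo=timezone.utc)
    log = []
    add_transfer(log, acquired, "IT technician", "forensic examiner", t0)
    add_transfer(log, acquired, "company owner", "evidence locker", t0 + timedelta(hours=2))
    print(audit_custody(log, acquired))  # the second hand-off skips the examiner
```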
Use Evidence Trails
Computer networks (the technology infrastructure) can tell us the date and time a person has signed in or out, and which terminal or client computer he or she has used. Was it the person, or someone who learned of another person's login credentials (identification and password)? Good security policy will require users to lock or otherwise disable access to their workstations when they leave them to help ensure that no one else can access information using their identification credentials. Employees should be advised to protect their computer system and software access credentials (their user identification and password). Some application, operating system, and network control software can be configured to prompt users to change their passwords on a regular basis. Secure access doors record the date, time, and location of employees who enter (and maybe also exit), based on a badge swipe or other unique identification token.
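One way to put the question above to the records, as an added example that is not from the book: workstation logins are cross-checked against door badge swipes, and a login is reported when the account's owner was not badged into the room where the workstation sits. The record layouts, account names and room name are constructed; because the passage notes that doors may not record exits, a missing "out" swipe is treated as "still inside".

```python
from datetime import datetime

# Constructed sample records (not from the book).
BADGE_SWIPES = [  # (badge holder, door, direction, time)
    ("jsmith", "warehouse-office", "in", "2012-06-04T08:01:00"),
    ("jsmith", "warehouse-office", "out", "2012-06-04T17:05:00"),
    ("mlee", "warehouse-office", "in", "2012-06-04T08:30:00"),
    ("mlee", "warehouse-office", "out", "2012-06-04T19:40:00"),
]
LOGINS = [  # (account, workstation, room the workstation is in, time)
    ("jsmith", "WS-14", "warehouse-office", "2012-06-04T08:10:00"),
    ("jsmith", "WS-14", "warehouse-office", "2012-06-04T18:22:00"),
    ("mlee", "WS-09", "warehouse-office", "2012-06-04T09:00:00"),
]


def presence_intervals(swipes):
    """Pair each 'in' swipe with the next 'out' for the same person and door."""
    open_in, intervals = {}, []
    for person, door, direction, ts in sorted(swipes, key=lambda s: s[3]):
        t = datetime.fromisoformat(ts)
        if direction == "in":
            open_in[(person, door)] = t
        elif (person, door) in open_in:
            intervals.append((person, door, open_in.pop((person, door)), t))
    # No exit recorded: assume the person is still inside rather than raise a false alarm.
    intervals += [(p, d, t, datetime.max) for (p, d), t in open_in.items()]
    return intervals


def unexplained_logins(logins, swipes):
    """Logins made while the account owner was not badged into the workstation's room."""
    intervals = presence_intervals(swipes)
    findings = []
    for account, workstation, room, ts in logins:
        t = datetime.fromisoformat(ts)
        inside = sorted({p for p, d, start, end in intervals
                         if d == room and start <= t <= end})
        if account not in inside:
            # Who was in the room is a lead for the investigator, not proof.
            findings.append({"account": account, "workstation": workstation,
                             "time": ts, "badged_in": inside})
    return findings


if __name__ == "__main__":
    for finding in unexplained_logins(LOGINS, BADGE_SWIPES):
        print(finding)
```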
It is worth recalling from the discussion of supply chain frauds the need for transaction and data-maintenance logging in enterprise software applications so as to make it possible to catch certain activities. This functionality—again, when activated—provides a critical trail of evidence that is an important component of detecting supply chain fraud based on what a person is doing once he or she is inside the protected infrastructure. Organizations use product-identification devices such as radio frequency identification tags, lot/batch identifiers, and serial numbers (the latter two most likely in bar-code form) for track-and-trace capabilities through the supply chain, recording a unique identifier's location and date/time stamp as it passes through the supply chain. The ability to trace a product and the related transactions through the supply chain are parallel trails of evidence that can be used together to trace fraudulent activities.
During a consulting assignment, the sales manager brought me into a conversation with a sales representative who accused another sales representative of reassigning ownership of several customer accounts for the purposes of receiving commission on sales to those customers. The company's enterprise resource planning (ERP) system tracked the "before" and "after" values of data fields in transactions such as sales orders, purchase orders, and invoices, as well as against entities such as customers, items, and vendors. Thus, we were able to investigate the original ownership of the customer accounts and move toward determining whether or not they were fraudulently changed and assigned to the other sales representative. We found evidence of sales representatives who fraudulently assigned themselves to customer accounts; those sales representatives were soon dismissed after this was brought to the attention of the company's executives.
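The kind of check that a "before" and "after" field history makes possible, as an added example that is not from the book or from any particular ERP product: it finds changes to a customer's sales representative that were made by the representative who gained the account, and totals the sales booked while that assignment stood. The column names, user names and sample rows are constructed.

```python
import csv
import io
from datetime import datetime
from decimal import Decimal

# Constructed sample of a field-change audit trail and of sales orders.
AUDIT_CSV = """\
changed_at,changed_by,entity,entity_id,field,before,after
2012-01-05T10:02:00,amartin,customer,C100,credit_limit,5000,7500
2012-02-11T17:45:00,bjones,customer,C100,sales_rep,amartin,bjones
2012-02-11T17:47:00,bjones,customer,C205,sales_rep,cwu,bjones
2012-03-01T09:15:00,smgr,customer,C310,sales_rep,cwu,amartin
2012-03-09T08:30:00,smgr,customer,C205,sales_rep,bjones,cwu
"""
ORDERS_CSV = """\
order_id,customer_id,ordered_at,amount
SO1,C100,2012-02-01T12:00:00,900.00
SO2,C100,2012-02-20T12:00:00,1500.00
SO3,C205,2012-02-25T12:00:00,400.00
SO4,C205,2012-03-15T12:00:00,700.00
SO5,C310,2012-03-05T12:00:00,250.00
"""


def load(text, time_field):
    """Parse CSV rows and return them in time order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r[time_field] = datetime.fromisoformat(r[time_field])
    return sorted(rows, key=lambda r: r[time_field])


def self_assignments(audit, orders):
    """Owner changes made by the rep who gained the account, with sales booked meanwhile."""
    changes = [r for r in audit if r["entity"] == "customer" and r["field"] == "sales_rep"]
    findings = []
    for i, c in enumerate(changes):
        if c["changed_by"] != c["after"] or c["before"] == c["after"]:
            continue  # changed by someone else (for example a manager), or no real change
        # The assignment stands until the next owner change on the same account.
        end = next((n["changed_at"] for n in changes[i + 1:]
                    if n["entity_id"] == c["entity_id"]), datetime.max)
        booked = sum((Decimal(o["amount"]) for o in orders
                      if o["customer_id"] == c["entity_id"]
                      and c["changed_at"] <= o["ordered_at"] < end), Decimal("0"))
        findings.append({"customer": c["entity_id"], "rep": c["after"],
                         "previous_owner": c["before"], "changed_at": c["changed_at"],
                         "sales_while_assigned": booked})
    return findings


if __name__ == "__main__":
    for f in self_assignments(load(AUDIT_CSV, "changed_at"), load(ORDERS_CSV, "ordered_at")):
        print(f)
```

A hit is a starting point for the review the passage describes; a representative may have been authorized to make the change.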
Alerts from software applications are not the only fraud-discovery sources on which organizations should rely. Let us recall the story of the children and families agency supervisor who knew not to withdraw payment amounts greater than the apparent $900 limit. Software transaction logging and controls—necessary and effective as they are—cannot stand alone as the only means of detecting fraudulent activity. In this situation, the fraudster was aware that attempts to withdraw payments above the $900 limit would bring attention to her scheme by requiring her to receive approval for an amount greater than the $900 limit. Thus, she simply withdrew payment amounts less than the control limit.
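A detective check that complements the approval limit, as an added example that is not from the book: it measures, per user, what share of payments falls just under the limit and compares that with everyone else's share, so a pattern that never trips the approval control still stands out. The 10 percent band, the thresholds and the sample payments are assumptions; only the $900 limit comes from the passage.

```python
from collections import Counter
from decimal import Decimal

APPROVAL_LIMIT = Decimal("900")  # the limit from the passage above
BAND = Decimal("0.10")           # assumption: "just under" means within 10% of the limit

# Constructed sample payments: (user who issued the payment, amount).
PAYMENTS = [("supervisor_a", a) for a in
            ("895", "880", "120", "899", "850", "300", "875", "890")]
PAYMENTS += [("clerk_b", a) for a in ("45", "210", "860", "130", "520", "75")]
PAYMENTS += [("clerk_c", a) for a in ("300", "95", "410", "650", "30", "780")]


def near_limit_report(payments, limit=APPROVAL_LIMIT, band=BAND,
                      min_payments=5, min_ratio=3.0):
    """Per user: share of payments just under the limit, compared with everyone else."""
    lower = limit * (1 - band)
    total, near = Counter(), Counter()
    for user, amount in payments:
        total[user] += 1
        # Amounts above the limit need approval and are already visible to a reviewer.
        if lower <= Decimal(amount) <= limit:
            near[user] += 1
    all_total, all_near = sum(total.values()), sum(near.values())
    report = []
    for user in sorted(total):
        share = near[user] / total[user]
        peer_n = all_total - total[user]
        peer_share = (all_near - near[user]) / peer_n if peer_n else 0.0
        # Floor the baseline so a peer share of zero does not flag a single payment.
        baseline = max(peer_share, 0.05)
        flagged = total[user] >= min_payments and share >= min_ratio * baseline
        report.append({"user": user, "payments": total[user], "near_limit": near[user],
                       "share": round(share, 3), "peer_share": round(peer_share, 3),
                       "flagged": flagged})
    return report


if __name__ == "__main__":
    for row in near_limit_report(PAYMENTS):
        print(row)
```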
In many cases an organization's employees, customers, or suppliers may report fraudulent activity that the internal audit or security department itself has failed to notice.
In its "2010 Report to the Nation," the Association of Certified Fraud Examiners reports that tips "were the most common means of detection in every study since 2002, when we began tracking the data." In the 2010 report, the following statistics were presented with regard to the sources responsible for the initial detection of frauds:
- Tips: 40.2 percent.
- Management review: 15.4 percent.
- Internal audit: 13.9 percent.
- By accident: 8.3 percent.
- Account reconciliation: 6.1 percent.
- Document examination: 5.2 percent.
- External audit: 4.6 percent.
- Surveillance/monitoring: 2.6 percent.
- Notified by police: 1.0 percent.
- Confession: 1.0 percent.
- IT controls: 0.0 percent.
Further, employees were responsible for more tips (49.2 percent) than customers (17.8 percent) and vendors (12.1 percent), with an anonymous tip source representing 13.4 percent of the tips. This highlights the need for the organization to really engage its employees, customers, and vendors in the fight against fraud.
Organizations that create integrated and respected relationships with their customers and suppliers can leverage this association to help each other combat fraudulent activities because all parties can be affected. There is also a chance that fraud between supply chain partners can be contained. Frauds caught early enough in the supply chain may be able to be dealt with internally, or at least "less externally," than those that result in a full-blown crisis. It is more painful when an organization finds out about its fraudulent activities first through consumer groups, government regulators, or the media. The organization is blindsided by the news and is forced to react suddenly, perhaps even with damage-control efforts if there are safety issues with a product that it produced, was involved in producing, or distributed. Reacting to fraudulent behavior is much more expensive than proactively reducing the chances of it occurring in the first place.
Detection Without Disruption
Organizations need to combat fraudulent behavior proactively, which requires detecting it as early as possible. Controlled access to physical areas, security cameras, and network and application security are all various means of reducing the possibility of fraud occurring. These are somewhat static, because a person either has access or does not. Business operations through a supply chain are fluid and dynamic, requiring a cross-analysis of information and transactions to determine whether activity is of a fraudulent nature.
Detection frequency must be sufficient without becoming an obstacle, yet it must be continuous and pervasive throughout the supply chain. Depending on the industry and how an organization has developed its relationships with its suppliers, it may not be practical or necessary to open every box or sample every container, but it is necessary to check statistically significant amounts or quantities to allow confidence that an entire batch or shipment is complete and not tainted. Establishing quality control points through the entire supply chain removes the burden of complete quality inspection from one functional area and allows it to be shared across the enterprise. This is necessary because each step in a supply chain can add something (such as handling, an ingredient, or a component) that changes or affects what is being produced. The goal is to increase the likelihood of catching fraud while decreasing the impact should fraud happen.
The detection methodology should be somewhat stealthy so as to not reveal fully the tactics and controls used, making them more resilient in the face of potential fraudsters. Disruptive detection tactics run the risk of affecting operations negatively and thus skewing performance results, becoming more of a hindrance than a help. Detection tactics that are barriers to operational performance may force employees to work around them to maintain throughput and timely schedules. This renders the detection tactics ineffective and a contributor to circumventing systems and processes, resulting in even wider gaps where fraud can be perpetrated. For example, running too many analytical programs can tax computer system resources, while bombarding managers and supervisors with excessive statistical information is inefficient to the point of being counterproductive. Organizations must elevate the perception of detection to a level at which employees, customers, and suppliers have an awareness of anti-fraud oversight without feeling threatened by it and without being negatively affected by it.
A good rule of thumb for supply chain operations is "trust but verify," a phrase attributed to President Ronald Reagan, although it is actually based on a Russian proverb. Reagan used this term during a speech with regard to a treaty reducing nuclear weapons between the U.S. and Russia as Mikhail Gorbachev was standing next to him. On October 14, 2008, Public Law 110-417, also known as the "Duncan Hunter National Defense Authorization Act for Fiscal Year 2009," was enacted by the U.S. Congress. Section 254 of the act is titled Trusted Defense Systems. The section states that: "The Secretary of Defense shall conduct an assessment of selected covered acquisition programs to identify vulnerabilities in the supply chain of each program's electronics and information processing systems that potentially compromise the level of trust in the systems." In other words, trust but verify.
Organizations can outsource manufacturing and other operations, but this does not translate to an outsourcing of responsibility. Regardless of whether an organization's supply chain is local or global, there must be procedures and systems in place to mutually ensure quality in each section of the supply chain.
The U.S. government recognizes the need to trust other governments—even those once considered a fierce enemy—in the same way that the U.S. military must have trust in relationships with its suppliers. Both entities recognize the need to verify those trusted relationships, and this is a good lesson for organizations charged with providing goods and services to consumers of all types.
The balance in deciding the appropriate level of detection is somewhere between how much is too much, to the point of overwhelming and no longer being conducive—if not detrimental to—achieving the necessary purpose, and how little is sufficient to adequately cover a substantial amount of the problems. Some determining factors include the following:
An organization's customers and suppliers will benefit as the organization shares its fraud-monitoring data with its supply chain partners. In such a collaborative relationship, partners may also agree to share their own fraud-monitoring methodologies, though these can be considered proprietary information that an organization may opt not to reveal, so the sharing of information may be limited to just the results. Employees will be made aware of their fraud-catching performance or ability to spot suspicious activities through open communications from their respective management and as part of their employment-review process.
In the case of an audit or inspection job role, the employee's employment may depend on his or her ability to detect abnormal activity. This is predicated on the organization deploying the necessary equipment and technology to enable the employee to detect fraudulent behavior. All things being equal, if suspicious activities continue to slip through under a particular employee's watch, it is unlikely that this employee is right for a job role that involves inspecting goods upon receipt from a supplier. (Conversely, an employee who falsely accuses a supplier of fraud—perhaps to prove he or she is doing a good job of inspection—is committing an act of fraud and should be removed from the job role.) Suppliers will know that they are being watched as inspection/audit information is shared with them by their customers and their performance comes into focus.
Avoid the "Dummy Camera" Syndrome
Scarecrows were (and perhaps still are) commonly used to ward off disruptive birds from foraging for food in crop fields. I have seen lifelike statuettes of birds of prey used as a deterrent to keep pesky birds away from places of business or where flocks of birds pose a danger, such as at airports. But once a few clever birds determine that there is no risk from the artificial measures, the tactic has failed. Likewise, organizations must not be fooled into thinking that dummy security cameras and empty threats will thwart fraudulent behavior for too long. Once employees or other potential fraudsters realize that there is no or very minimal real danger of getting caught, the organization will have left itself open to fraudulent behavior. Worse, the organization may continue to believe that its fake tactics are working while its employees are stealing from it, leaving management blind to what is really going on.
Do not be fooled into thinking that your organization can be fraud-free: Each time someone builds a better mousetrap, Mother Nature breeds a better mouse. People are clever, and many well-established frauds resurface or are repackaged with a technological twist. Fraud-detection methodologies must be real, with the results tangible and measurable to ensure that they are effective and not disruptive.
Checklist for Fraud Detection
Here's a quick summary of some of the main recommendations in this chapter:
Editor's note: Detecting and Reducing Supply Chain Fraud includes sections that explain the characteristics and ramifications of supply chain fraud; how to detect fraud in such areas as purchase orders, manufacturing, distribution, and inventory; and methods for reducing such fraud. Order information is available from the publisher.