Fraud the Unmanaged Risk - Module 2

Fictitious vendors

I want to illustrate that by looking at what I think is a very simple straight forward routine fraud that is probably going on in 10 to 20 thousand corporations across Canada today. That’s the fraud that involves the creation of fictitious vendors. My hypothesis is that if you can identify what fraud looks like, then you can detect it. We have some great technology-based tools to help us do that today. There is also other forms of evidence that we can access that are not to do with forms that require technology: interviews, what people see, there are pieces of paper and documents around as well. But increasingly people in my business are turning to technology to support the investigation and detection of fraud.

Let’s say that we are going to set up a fictitious vendor. And the question is how do you identify a fictitious vendor from among a whole bunch of ordinary, regular, nonfictitious vendors?

Not a recognized, large dormant or infrequent vendor

First of all, if it’s the fictitious vendor, it’s not Ernst & Young, it’s not the University of Waterloo, I mean we know that those companies and organizations exist so they can’t be fictitious. So first of all there’s a whole bunch of vendors out there that we know are not fictitious. It would be very useful if we’re looking for the ones that are to be able to get rid of the ones that we know that aren’t. It’s probably not a large vendor, even if we don’t happen to know the name. Because if it was that large it would be very difficult to sustain fictitious vendor fraud. It’s probably not a very infrequent vendor because I said before, fraud tends to continue; it tends to go on. So if you happen to have a bunch of dormant vendors in your vendor master file your fictitious vendor won’t be among them or if it is it doesn’t matter because there is no activity.

No trivial amounts

There probably won’t be any trivial amounts in transactions with a fictitious vendor. Why would that be? Well, if your intention is to optimize your risk reward equation, you’re not going to spend time taking risks for $25 dollars or $15. But quite frequently in the normal course of business propriety organizations will send invoices for those sorts of amounts.

No credit memos

You won’t have any credit memos. I can guarantee this, you will never have a fee dispute with a fictitious vendor. That’s one of the few certainties in life.

Low invoice value deviation

You will find that there is a low standard deviation around the invoice value from this particular vendor. Why is that? Well think about it. If you are trying to optimize your risk reward equation you are going to position the value of these invoices that you are going to submit from this fictitious vendor, one at a point that is just probably under your own personal authorization threshold. And you won’t go down too low because you don’t want to take the risk for nothing and you don’t want to go up too high because you fear that somebody else will notice that you should have had some other signature on this document to approve it.

Services rather than goods

It will typically be for services rather than goods—not always, but typically it is. Why is that? It’s because other people have to handle goods. Goods are easier to put an objective value on. It’s much easier for me to deal with having a fictitious service supplier especially if it’s to a cost centre that I have to manage because nobody has to see product coming in and out of the door.

Charged to one cost centre

And it probably is charged to one cost centre and that’s because somebody has to be responsible for the management of the costs this fictitious vendor is charging to my organization. And that typically is either going to be me or it’s going to be a cost centre that I know somebody isn’t managing well.

Not in the phone book

If you think about what a fictitious vendor is, I mean a fictitious vendor isn’t, there isn’t a supplier here. You may have the documents, you may have the data patterns you would associate with an actual supplier but the truth of the matter is nothing is there. So if you have an invoice and the fraudster wants to make this invoice look like the sort of invoice that you would get from a normal supplier, it will have a name, it will have a phone number, it will have some description of the service provided and it will have amounts and maybe or maybe not it will have GST, and all the things you would associate with that. It will also have a phone number on it. I mean people have to have phone numbers. It would look very suspicious if there wasn’t one. If you go and look for the name of the company in the telephone book nine times out of ten you won’t find it. Because why would anybody go to the trouble of actually registering a fictitious name in the phone book? You have to pay for that and most of these people are not there to do anything substantive other than steal from you.

No physical premises

There won’t be any physical premises. You wouldn’t go and rent an office for a fictitious supplier. It will typically have a c/o or P.O. box address.

Only one requisitioner

How many people in an organization would know of the existence of a fictitious supplier? Would everybody know? One person would typically know that this is a fictitious supplier. So what does that mean? That means that is the only person who would actually request supplies from that supplier. Nobody else will because nobody else knows that it exists.

Quick payment

You will also find that typically the payment, the delay between the date of receipt of the invoice and the date of the payment is quite small. Why is that? Well because the fraudster knows when the cheque run is gong to happen. He knows when he has to have his invoice in order to get it in that cheque run. He’s got fictitious documents hanging around like this invoice that he’s created. He doesn’t want to have this thing lying around anymore for any inspection any longer than he needs to. So the likelihood is, and he also wants to get his money. So the likelihood is that you will have a relatively midrange to small level supplier where you find there is a very short delay between the date of the invoice and the date of the payment.

Regular invoices

You will find too that there are typically quite regular invoices because there is a habit that needs feeding here and I can do this so why wouldn’t I? And in fact, the more regular it is, the more normal it will seem.

One invoice per cheque

You will typically also find that you only get one invoice paid by one cheque. For most normal suppliers you might have batches of invoices that are paid on one cheque. I haven’t seen a case in fictitious vendor type fraud where people have issued four to six invoices which is typical of normal suppliers that would be paid on one cheque. Usually they issue the invoice, get it through the system, and get the cheque. That seems to be the way it goes.

Inconspicuous name

If you were establishing a real business, you would think about where you were going to locate it, you would think about the nature of the product, the business strategy, the marketing strategy. You would think about what you were going to call this business. And you would be thinking about a name that people would associate with your product or with you personally so you might call it the Efrim Boritz Widget Company, if you happen to be Efrim Boritz and you are selling widgets. Now if Efrim Boritz wanted to commit a fraud, I don’t think he would call it the Efrim Boritz Widget Company. So what would he call it? He might call it the Nick Hodson Widget Company. But probably he would call it AX Consulting Services. And it’s astonishing and I don’t have any sort of statistical data to back this up but my anecdotal experience is that people tend to use initials for the names of companies that, I mean there are lots of legitimate companies that have initials in their names I should tell you that, but there is a predominance of fraudulent suppliers or fictitious suppliers that people try to make look as inconspicuous and anonymous as possible.

Unincorporated

It typically is going to be an unincorporated business because why would you go to the trouble to go and get an incorporation certificate, pay for it, have to file documents—this is a scam. It’s not intended to be a real business.

No sales people

And I can also tell you that no sales people will call from a fictitious supplier. And Norwich Union is a real company.

Sequential invoice numbers

One of the other characteristics that you tend to find less of these days is sequential invoice numbers. I still see it though. It used to be in the days when people would go to buy a pad of invoices from Grand and Toy or some other office supplier and they would all have numbers pre-printed on the right hand corner and of course, this fictitious supplier doesn’t have any other customers right. So when you get the invoice and you tear the pad off, tear the next one off, tear the next one off, all of the invoice numbers run in sequence. It is still an interesting exercise even though people typically tend to use PCs to produce invoices these days, to look at the invoice numbering because you have to make it up. This is not something that just happens in the business process. You actually have to make this up.

Vendor set up details missing

The final point I want to make here and this is a lengthy list, the last point is setting up the vendor in the first place and it follows the same patterns that most organizations to add a vendor to your vendor master file you have to input a bunch of information about this vendor: what it’s credit history was, where it is, who the contact people are, depending on the structure and organization of your payables system. We’ve found in cases where we’ve looked at fictitious vendors that those details are missing.

The whole point of this is that they are here, what how many, a couple of dozen characteristics that will help you define what fictitious vendors look like. Some of them help you to find fictitious vendors by helping you identify nonfictitious vendors. And what that does is it takes away a whole bunch of noise. If you have a list of vendors that’s this wide, you can get it down to this wide very quickly by getting rid of the top hundred vendors, all the vendors you know, run it against Dunn and Bradstreets’ list and turf out any that you recognize and you are down already to this sort of a list. Then you can start running the sort of matrices that you can develop by taking profiles like this to look for the characteristics if they exist. And if they exist, you will find them. I guarantee you will find them. That’s a simple example of a fairly routine, common place fraud that has a whole bunch of characteristics. And all you do, all we have done is by observing over time, that these are characteristics we have seen and by sitting, thinking, when you are in the washroom someday, man, I wonder how you know you wouldn’t ever, that’s right, you wouldn’t ever get a credit memo from a fictitious vendor. It requires some sort of quiet times to think and I have to tell you practitioners don’t get a lot of quiet times so that’s why most of the thinking is done in washrooms or sometimes on planes.

So I’m going to take that concept, that same notion and export it to false financial statements. Fundamentally I don’t see a really substantive difference sort of methodologically in dealing with employee fraud and dealing with financial statements. They’re both disguising financial information to hide some irregularity that the fraudster doesn’t want you to know about. So I’m going to keep this really simple because I know you are very intelligent people and I have to be able to speak about things at my level.