The Insider Threat: Testing the effectiveness of your fraud controls, are you doing the basics?
Do you focus on identifying high-value fraud and ignore the risk of high-volume, low-value fraud? An insight into why an assessment of the risk from regular low-value contract fraud is important.
A good decision is based on knowledge and not numbers
A case prosecuted in Canada highlighted a number of key issues surrounding the insider threat and the organised network that was developed to undermine the compliance controls and give the impression of competition within the procurement process.
The Chronicle Herald reported that a judge has found a private contractor and a civilian employee guilty of defrauding the federal government in a scheme related to the heating plant.
An employee responsible for procurement for the air force base’s massive heating plant was found guilty of plotting with his friend, a businessman, to direct contracts to four companies owned by the latter. It was alleged that over a four-year period the three men involved defrauded the federal government of over $2 million.
Four companies were created to give the impression of competition in the tender process, specifically to provide the number of bids that were required for contracts under $5,000. What isn't clear is whether the work was carried out. It also means, if my maths is correct, that in a four-year period there were a minimum of a thousand low-value contracts awarded to these companies.
In this case the procurement professional knew the financial thresholds and that anything over this amount would have required additional scrutiny and approvals.
What many organisations miss is scrutiny of low-value procurement, because there can be a perception that there will be no fraud, or that if it’s a low-value contract then any fraud will be minimal and hardly worth spending time on. However, when contracts are low value and regular, they soon mount up to high-value fraud.
Control measures are put in place for the high value procurement because there may be an increased risk of fraud or financial risk. I have also seen cases within international organisations where allegations under a specific value will not be scrutinised due to the number and cost of cases under investigation.
The full facts aren’t clear just from a press article; however, one of my first questions is always: how did they get in the front door? The control safeguards at vendor onboarding failed. How did four companies owned by the same individual pass screening that should have included verifying:
The date of company formation against vendor registration date
Company directors and shareholders checked against staff and supplier data for conflicts of interest
Supplier visit to confirm the establishment and size of the business
Ability to perform contract if they were a brand new company
Additionally, as part of an eProcurement data analysis, checks should be carried out on order values around the threshold levels to determine whether there is any irregularity. It isn’t uncommon for staff to split orders to keep them under the threshold for a number of reasons, which might include the additional bureaucracy or delays that would otherwise be incurred. It doesn’t mean that it’s corrupt; it may simply be a breach of procedure. The root cause in these cases needs to be established.
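As an added illustration (not from the original article or the case), the sketch below combines two of the checks above: vendors that share a director, and order values clustered just under the $5,000 threshold. The vendor names, directors, order records and the 10% band are all constructed assumptions.

```python
from collections import defaultdict

THRESHOLD = 5000   # low-value contract limit quoted in the article
BAND = 0.10        # assumption: "just under" means within 10% of the limit

# Constructed sample data: vendor -> set of directors/shareholders
VENDORS = {
    "Alpha Heating": {"J. Doe"},
    "Beta Mechanical": {"J. Doe", "A. Roe"},
    "Gamma Supply": {"J. Doe"},
    "Northside Plumbing": {"M. Poe"},
}
# Constructed purchase orders: (po_id, vendor, requester, amount)
ORDERS = [
    ("PO-1", "Alpha Heating", "emp17", 4950.00),
    ("PO-2", "Beta Mechanical", "emp17", 4875.50),
    ("PO-3", "Gamma Supply", "emp17", 4990.00),
    ("PO-4", "Alpha Heating", "emp17", 4900.00),
    ("PO-5", "Northside Plumbing", "emp22", 1200.00),
    ("PO-6", "Northside Plumbing", "emp22", 4800.00),
    ("PO-7", "Northside Plumbing", "emp17", 650.00),
]

def owner_groups(vendors):
    """Return director -> vendors, only for directors behind two or more vendors."""
    by_director = defaultdict(set)
    for vendor, directors in vendors.items():
        for director in directors:
            by_director[director].add(vendor)
    return {d: vs for d, vs in by_director.items() if len(vs) > 1}

def near_threshold(amount, threshold=THRESHOLD, band=BAND):
    """True when an order sits in the band just below the approval threshold."""
    return threshold * (1 - band) <= amount < threshold

def review_queue(orders, vendors):
    """Per (requester, shared director): orders, near-threshold orders, total value."""
    groups = owner_groups(vendors)
    stats = defaultdict(lambda: {"orders": 0, "near": 0, "total": 0.0})
    for _po, vendor, requester, amount in orders:
        for director, linked in groups.items():
            if vendor in linked:
                entry = stats[(requester, director)]
                entry["orders"] += 1
                entry["near"] += near_threshold(amount)
                entry["total"] += amount
    return dict(stats)

if __name__ == "__main__":
    for key, entry in review_queue(ORDERS, VENDORS).items():
        print(key, entry)
```

Each entry is a lead for root cause analysis rather than a finding: the total shows how individually sub-threshold orders to linked vendors add up past the level that would have triggered extra approvals.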
The ability to verify that work is finished should also be in place, including segregation of duties: specifically, the person ordering the work shouldn’t be the person verifying that the work has been completed.
The insider knowledge that the vetting system was weak allowed for the registration of ghost companies and the manipulation and rigging of bids. The implementation of vetting and procurement procedures would have brought this scheme to light much earlier and may have stopped it before it had a chance to begin.