Procurement fraud is not an area of financial crime risk that is generally identified or specifically highlighted as a risk within the financial sector and yet in many cases, it is linked to the insider threat.
An investment in knowledge pays the best interest
In many procurement fraud cases, an associated risk can be corruption, where an individual accepts or requests a bribe payment to facilitate the awarding of a contract, and once a contract is obtained by this method, in many cases, further fraud can be committed ensuring maximum financial gain throughout the lifetime of the contract.
The Experian, UK Annual Fraud Indicator report, the loss to the public and private sectors in the UK from procurement fraud was estimated to be £121.4 billion, and the World Economic Forum estimate that corruption, bribery, theft and tax evasion, and other illicit financial flows cost developing countries $1.26 trillion per year. Although likely a significant loss, what isn't clear is the level of bribery within the private sector and therefore an area that the financial sector should pay more attention to.
THE INSIDER THREAT
Assessing bribery and obtaining or retaining new business, which includes the use and payment to third parties in developing new areas of business, there has been a number of published cases and reviews that have highlighted the extent of the risk that the financial sector faces. However, in publishing these risks have the financial sector and regulating bodies properly considered the extent of the fraud and corruption risk that they may face.
Bribery in the regulated sectors has in many cases been considered as a front office risk on the financial services and solutions that they provide, however, is procurement an area within your organisation that requires a second look to determine the extent of the fraud and corruption risk? Is this a financial crime risk that you aren’t aware of, is it part of your risk management plan or do you believe that the risk is so low that it requires minimal consideration as part of your compliance regime.
Procurement is a process that all organisations have and use, and financial sector organisations can spend hundreds of millions annually on, from cutting edge IT security to facility management and physical security services. But is it an area that your organisation focuses on or prioritises when assessing fraud and corruption risks? The British Standard BS10501 (Guide to Implementing Procurement Fraud Controls) delineates the many methods through which procurement fraud can be committed.
One of the challenges within the financial sector is the ongoing assessment and procurement of cutting edge IT infrastructure and in many cases is one of the largest procurement areas. Dependent on the approach and responsibility given to ownership and procurement of these solutions, greater autonomy can be given to IT departments and their leadership, where procurement routes and controls can be ignored. This may also show itself in the improper procurement of consultants and misuse of procurement cards for low value procurement, particularly where there is a lack of governance or risk assessment in the process.
Although the financial sector has a clear focus on risk, this capability is only as good as the knowledge of the individuals assessing these risks. Over the years we have identified different bribery and procurement fraud risks that were missed during the risk assessment process, which has included the weakness in the invoice payment process where 60% of the invoices received didn't have a requisition or purchase order.
This meant that the only control in the procurement process was the review before payment. If there was a weakness in this control then it would leave the process open to the creation of fake invoices for fictitious goods, works or services.
The recruitment of IT expertise is an essential part of the banking infrastructure and in many cases the financial sector use specialist recruitment companies to identify key candidates. Where, as a case example, the head of an ICT department consistently fails individuals within the interview process and then goes outside of the normal recruiter to identify a specific individual for a role through a different recruitment company. The risks highlighted within this case included the individual recruited was a friend of the ICT head and secondly why was the recruitment company paid for this individual when the head of ICT already knew the individual.
Organisations that don't put enough emphasis on the expertise of procurement staff and procedure, may increase the risk of bribery and corruption, where a procurement team is only used in an advisory role for high value projects. In instances where departments carry out their own procurement, it may reduce the segregation of duties controls and increase the procurement fraud and bribery risk.
Globally, procurement fraud is limited within organisation crime strategies and consequently, there has been limited assessment of risk in this area.
The UK Financial Conduct Authority (FCA) has tended to focus upon bribery and has published the results of thematic reviews in order to assist organisations in evaluating and developing their own anti-bribery systems and controls. These have included a thematic review on anti-bribery and corruption in commercial insurance broking and anti-bribery and corruption systems and controls within Investment Banks. The further publication of the final notices to Aon Ltd, Willis Ltd and Besso Limited have provided a specific focus on third party bribery risk in obtaining and retaining new business and the marketing of financial solutions that an organisation may offer.
The use of procurement contracts to obtain and retain new business within the financial sector, has featured only to a limited degree within FCA publications and then only in relation to third party relationships (including general comment on policies and procedures for said parties) and due diligence. Although corruption and fraud within procurement can be serious risks, FCA publications mention bribery risk in procurement fleetingly and then only in terms of a commentary on good practice for specific organisations’ implementation of anti-bribery initiatives.
To support the assessment of an organisation’s bribery risk, the FCA suggests that a review should be conducted with internal stakeholders to determine the risk within respective business areas. Although this is an important methodology for identifying fraud and bribery risk per se, the lack of knowledge on the part of corporate professionals in relation to procurement fraud methodologies, their connection to corruption and the threat posed by insiders involved in the procurement process to the organisations’ internal controls, may lead to an incomplete risk strategy.
PROCUREMENT RISK TYPOLOGIES
Organisations should have a process in place to verify whether the procurement need identified within the organisation is actually required or whether there are in fact illicit motivations driving the request. The specification should be checked to establish where possible that, for example, that where cutting-edge technology is requested that it is actually required or whether in fact something ‘off the shelf’ might be more appropriate. The pre-qualification and selection of vendors and the subsequent award of contracts can also be open to personal influence, and suitable controls should be put in place for the management of those processes.
The NFA also highlights bid rigging as a procurement fraud risk that includes the collusion between contractors and their pre-determination of the winners of tenders. This is also acknowledged as a global risk by anti-competition commissions including the Malaysia ACC that highlights a number of global cases and methodologies. These examples of procurement fraud risk are recognised as common methods within which fraud and corruption can occur and which can result, if appropriate controls are not put in place, in corrupt influence and improper awarding of contracts.
Post-award procurement fraud and corruption risks can also be seen in a number of areas including payments based on false vendor information, false invoices (including requests for the amendment of company billing information), and legitimate payments diverted to illicit accounts. An organisation must have proactive links between departments, including accounts payable, procurement, and compliance, respectively, to systematically identify and respond to such risks. It is how the organisation implements controls in this area that generally determines the level of mitigation and the subsequent extent of procurement fraud committed against it.
The FCA also confirms that the notion of bribery extends to anyone acting on the firm’s behalf who engages in bribery. The FCA affirms that it does not enforce or give guidance on the Bribery Act but firms which are subject to rules SYSC 3.2.6R and SYSC 6.1.1R are under a separate regulatory obligation to establish and maintain effective systems and controls to mitigate financial crime risk.
Do individuals involved in purchasing on behalf of your organisation or the handling of supplier information face additional vetting procedures to ensure that you do not have a conflict of interest or fraud and corruption risk?
In a large percentage of cases, procurement fraud is facilitated with the support of an insider.
Where organisations have decentralised their procurement or accounts payable capability and have a number of procurement hubs to support their purchasing requirement, particularly in organisations with an international reach, they may develop weaknesses in their procurement and payment controls. Fraud risk may also increase in this area, particularly where departments are driven by time sensitive operational requirements and controls are relaxed to expedite procurement.
ENHANCED DUE DILIGENCE
Organisations should not just conduct due diligence on companies they use in developing new business but should also review business services that are outsourced, and which may include procurement. Organisations that either outsource their procurement capability or use temporary staff within their own organisation for procurement requirements have a recognised susceptibility to procurement fraud and corruption risk. Where a high level of risk assessment and vetting is not conducted in these areas it can leave the organisation open to corruption and procurement fraud schemes.
The World Bank highlights, within its fraud and corruption awareness handbook, that an insider threat can emanate from the leaking of information about cost estimates and competing bids to favoured bidders in order provide them with an unfair advantage which enables them to tailor their bid to secure a contract award. The method is simple to commit and difficult to detect, thus organisations must put security systems and controls in place to mitigate this risk.
Procurement fraud methodologies and schemes are not new, but globalisation and the outsourcing of business functions, together with the continued enhancement of technology that expedites business and financial transactions, have rendered this type of fraud more difficult to detect. The fraudster’s best tool is the combination of insider knowledge of an organisation’s processes and controls and subsequent ability to manipulate weaknesses within them to their benefit. Organisations must ensure that they have the correct understanding of their procurement fraud risk and that their controls adequately reflect their risk appetite.
Do you want to work with us?
Book a Strategy Call with us to see how we can positively impact your risk approach
Be the first to receive our latest articles