Credit: Spirit Airlines |
While not an everyday occurrence for companies, it is common enough that if a company hasn't seen it happen, they either will in the future or lack the processes to know that it could be happening.
I've seen this quite a few times using different methods and doesn't have to require employees to participate for the con to be effective. Usually, the reason it occurs and isn't immediately caught comes down to 2 root causes:
- Poor separation of duties. One of the most common issues is when the person who is requesting new supplier creation is the same as the person who approves those suppliers' invoices/POs. Not having a different staff member verify the supplier is legitimate as well as other people verifying dollar amounts are in the expected range (such as a Cost Center Manager looking at a report of all line items) are common holes that can be attacked.
- Insufficient processes for validating invoices and payment instructions. There should only be specific people who can update a company's Remit To address or payment instructions, and those people must have defined verification processes for each.
We've seen this happen not just when companies come to us asking to improve their processes, but it can even become apparent during an otherwise normal Corcentric technology implementation. Unlike many other companies, we review relevant processes during the implementation and provide recommendations on where to make improvements to achieve their Target Business Outcomes. Even in just the past 12 months, I've worked with clients during these implementations who do not vet new suppliers, do not have defined processes for updating bank account information, and do not have strong reporting for managers to review purchases.
These holes may not be obvious unless you are looking for them, but once found can be plugged. In the examples above, we come in with recommendations on how to fix it and then can work with the client to ensure they are properly deployed in order to maximize the reduction in fraud potential.
While companies like to think of staff as family, all it takes is one person acting maliciously for millions of dollars to be removed, and without the proper controls, the company may not realize it for years, and could never discover the truth.
Post A Comment:
0 comments so far,add yours