Procurement, Fraud, and High-Risk Events

One thing is certain in these uncertain times. There have been unprecedented measures implemented to help businesses keep people on their payroll and aid individuals. Loan and grant programs have been offering businesses ways to avoid shutting down when even they cannot operate. Many organizations are mandating and/or allowing employees to telework to maintain a safe working environment.

With that, something else is almost certain — taking advantage of situations to provide self-benefit at the detriment of others. We are talking about fraud.

As the Association of Certified Fraud Examiners (ACFE) states, “…fraud includes any intentional or deliberate act to deprive another of property or money by guile, deception, or other unfair means.”[1]

Emergency operations, fear of the unknown, new/ad-hoc procedures, and disruptions in normal operations offer the gamut of the fraud triangle: Pressure, Rationalization, and Opportunity. 

An activity at the core of operational changes and significant events is procurement or purchasing. Procurement exists throughout many organizations and can be susceptible to fraud at any time; during periods of routine operations or periods of high-risk events (e.g., COVID-19).

Procurement in Summary

• One party (buyer) has a need (e.g., goods or services) and will pay to fulfill that need
• Another party (seller) wants to provide the need in exchange for compensation
• The seller or sellers may submit bids to compete based on:
  • Capabilities
  • Prices
  • Best overall offer
• One or more sellers contract with the buyer to fulfill the need
• The sellers perform the work and are compensated by the buyer

What is at Risk?

There are several fraud risks, or schemes, in a procurement activity. In a normal operating environment, procurement can be vulnerable to collusion and corruption which can include bribery, kickbacks, bid-rigging, extortion, and illegal gratuities. Risks may also later evolve into asset misappropriation. High-risk events, such as global pandemics, may elevate the impact and likelihood of fraudulent activity.

Statistics

The ACFE’s 2020 Report of the Nations [2] highlighted the following statistics related to the occurrence and impact of fraud in procurement.

• Corruption accounted for 43% of reported fraud cases with a median loss of $200k
• Perpetrators in purchasing departments accounted for 5% of reported fraud cases with a median loss of $200k

Industry Impact Example

Government and public administration (e.g., national, state/provincial, and local) has been a recent focal point due to the many efforts to aid people/businesses in need.

• Governments accounted for 16% of total reported frauds with total median losses of $100k
  • National governments: 45% with a median loss of $200k
  • State/provincial governments: 21% with a median loss of $91k
  • Local governments: 32% with a median loss of $75k
• Corruption accounted for 48% of reported government fraud, more than double of other fraud schemes in the industry

These are daunting statistics. They are serious and should not be taken lightly. Damages and losses can be significant: money, safety, reputation, and trust and confidence with stakeholders, citizens, employees, investors, etc.

Procurement Process Changes

Procurement activities may be adjusted during high-risk events, organizational needs, and/or recipient needs. The unprecedented global pandemic we are experiencing is a perfect example of something that will require process changes. Impacted activities may include:

• Increased buying activity due to additional needs
• Increased, or newly created emergency procurement activities for immediate or expedited spend needs
• Increased personnel needs to perform procurement and contracting tasks including:
  • Needs assessments
  • Solicitations
  • Proposal evaluations
  • Contract establishment and execution
  • Vendor setup and administration
• Decrease of personnel due to health, safety, location, and/or resource constraints

Consistency Concerns

Although adjustments need to be made to address the pandemic, quality and consistency cannot be overlooked or reprioritized. Process modifications, increased needs and effort, and reduced work forces are ingredients that heighten fraud risk. Changing or granting exceptions to the routine process or policies increases the risk that critical process components are not considered and/or addressed. The following components, if not adequately maintained can result in opportunities for fraudulent activity.

• Processes and tasks completely and accurately performed on a consistent basis
• Process points containing proper reviews, approvals, and documentation
• Processes and operations continuing based on established procedures
• Internal controls operating effectively
• Operational transparency and communication between personnel
• Adequate oversight

Tools to Mitigate Fraud Risk

It is critical to understand the environment and processes susceptible to risk. Organizations should proactively and periodically evaluate and address fraud and other risks. There are a variety of approaches organizations can take in efforts to mitigate risk.

Document Processes

Process documentation is the foundation of risk mitigation. Organizations should have established process documentation (e.g., policies, procedures, desk manuals, flowcharts, risk and control matrices, etc.) so there is clear understanding of how they operate.

• Documentation should accurately reflect actual and expected operations
• Documentation should be current, reviewed, and updated on a periodic basis
• Process designs should consider potential needs to change, scale, and adjust based on resources and other factors
• If possible, documentation should include risk factors (e.g., financial, regulatory, IT, fraud, etc.) and control points designed to mitigate risks

Assess Fraud Risk

Conduct a fraud risk assessment. This activity differs from a traditional organizational-wide risk assessment that evaluates multiple risk types. This is a targeted exercise focused on evaluating fraud related risks (inherent and residual), mitigating controls, and risk responses.

Evaluate Processes and Internal Controls

Evaluations can be conducted through a variety of exercises; internal audits, performance audits, internal control reviews, current state assessments, business process improvement exercises, etc. In summary, the following is conducted with a focus on fraud and other risks.

• Understand and document processes (e.g., flowcharts and narratives)
• Determine if controls are suitably designed to mitigate risks (e.g., risk and control matrix)
• Determine if controls are operating as intended
• Identify and address gaps: Risks that are not mitigated by controls, or controls that are not effectively operating

Process Change Response

Organizations who proactively address risks through the above exercises can use that information to evaluate and address process changes. Consider the following questions when procurement processes, or other processes, require sudden change.

• How do these adjustments differ from current procedures?
• Are current risks still addressed with controls?
• Do new risks exist or have risks changed, and are there controls to mitigate them?
• How will the revised process be documented, communicated, monitored, and enforced?

[1] https://www.acfe.com/fraud-101.aspx

[2] https://www.acfe.com/report-to-the-nations/2020/