Supply chain fraud in the 21st century

Upload: lambao

Post on 03-May-2019


• Executive summary
• Learning outcomes
• Introduction
• The role of procurement in countering fraud
• Definition
• CIPS position
• Relevant legislation
• Impact of fraud on procurement
• Areas of weakness
• Measures available to counter fraud
• Frequently asked questions
• Further reading
• Useful websites


Executive summary

Fraud is commonplace, wide-ranging, costly, and clearly affects the supply chain, as well as all other areas of corporate business. Fraud is also on the increase, especially with the development of IT systems and ever more sophisticated methods of perpetrating fraud. Purchasing and Supply Management professionals have a duty to minimise the risk of fraud within the ambit of supply chain and supplier relationship management. There are many areas of the supply chain that might be affected by fraud and there are many different types of fraud. These are described in bullet-point form in this document. There is now one over-arching piece of legislation that covers all fraud. This is the Fraud Act 2006, which became law on 15 January 2007. Scotland already had certain legal provisions to deal with fraud, so the act only applies in the rest of the United Kingdom. The new act replaces as many as eight statutory crimes and makes it much easier to prosecute fraud cases. Fraud is a risk, and should be formally managed as part of a corporate risk strategy.

Learning outcomes

The aims of this CIPS Knowledge Insight paper are to:
• learn the definition of fraud
• learn to identify fraud and types of fraud
• learn about its impact on the global and local economy
• learn about the importance of eliminating fraud in the procure-to-pay arena
• learn that fraud is a criminal activity
• learn about the Fraud Act (2006), which tidies up the confused legal position re: definition of fraud
• learn that there is empirical evidence that fraud is on the increase, especially Internet fraud
• learn about risk mitigation in fraud
• learn about policy for carrying out risk assessment for fraud.

Introduction and topic importance

The cost of fraud to the UK economy is believed to be in excess of £10 billion per annum. The cost to the world economy might be as high as between 3% and 6% of global GDP. The effect of fraud in financial terms is notoriously difficult to measure accurately. The impact of fraud is felt equally in both public and private sector organisations. Financial services markets are especially vulnerable. Plastic card fraud losses in 2005 alone were about £439m. The CIFAS (Credit Industry Fraud Avoidance System) database identified 85,128 fraud cases between January and June 2006, 12.5% up on the same period in 2005. The annual losses in the insurance market are estimated to be in excess of £550m. Fraud cost the telecoms market approximately £866m in 2004.

There are two separate victims of fraud: those who are ‘primary’ victims, who suffer directly from fraud, and those who are ‘secondary’ victims, who suffer vicariously. One major intangible ‘cost’ to victims is an emotional one, the effect on a person’s well-being as a result of their being defrauded. There is usually a greater relative impact on SMEs than on larger firms – although this is not always the case, take EXON, for example. Larger firms normally have the resources to recover from the effects of fraud. It is vital that all firms, but especially SMEs, take steps to protect themselves against fraud or they could be rendered insolvent and their proprietors bankrupt. Dealing with fraud should be part of an organisation’s general corporate social responsibility (CSR) strategy. Organisations need to invest in proper supplier assurance programmes, including supplier accreditation to recognised pan-European standards.

There are many types of fraud. Some of the most prominent are as follows: counterfeit intellectual property, counterfeit money, data-compromise, embezzlement, insider dealing, market abuse, insurance fraud, fraudulent use of payment cards, procurement fraud, counterfeit products, consumer fraud, investment fraud, false accounting and reporting, bribery and corruption, collusion, false description, industrial espionage, theft, misappropriation of funds or assets, fraudulent administration of contracts, falsification of source records for fraudulent advantage, conflicts of interest, technological abuse. Reduction in fraud is very important for supply chain managers. Little is reliably known about the extent and aggregate cost of fraud and there is a lack of reliable data for measurement. This lack of data complicates policy-making to deal with fraud.

The role of procurement in countering fraud

Purchasers have a duty to their employers to eradicate fraud. Procurement managers have a duty of care to their subordinates and also to their suppliers. Purchasers need adequate training to learn to identify fraud and subsequently to report on the risks flowing from types of fraud. It is important for them to realise that fraud costs organisations significant sums of money and lost profit. It is also vital for supply-chain managers to include treatment of fraud as part of risk and business continuity planning. Firms should adopt as a minimum benchmark CIPS’ Code of Ethics. Corporate disciplinary procedures should provide that transgressors of the CIPS code can be dismissed, as well as ‘struck off’ by the Institute itself. It is important for organisations to establish what is acceptable or unacceptable hospitality. There should be a clear policy on what are and are not unsolicited gifts. It is imperative that policies are put in place that lead to the eradication of favouritism towards, and cosy relationships with, suppliers. Checks and balances should be implemented to mitigate any misuse of p-cards. These controls should also aim to remove, inter alia, the following:
• payment for work not carried out
• duplicate payments and the creation of false suppliers in ERP solutions
• payment for short deliveries and so on
• suppliers carrying out personal work for corporate employees
• cases of personal benefit from corporate supply contracts where there is no policy to allow for such benefits.

Definitions

For the purpose of this Knowledge Works paper we will define fraud as: ‘The obtaining of financial advantage or causing loss by deception; the mechanism through which the fraudster gains an unlawful advantage or causes unlawful loss.’


The most common types of fraud are defined below:

Corruption – meaning the payment or receipt of any unauthorised benefit to or by an agent (usually an employee) for doing, or not doing, anything in relation to his work. Examples include:
• acceptance by an employee of cash for influencing a decision made on behalf of his employer
• payment of club membership for an employee of a supplier in return for favourable treatment
• indefensibly lavish entertaining of, or by, an employee with the possible intention of influencing a decision.

Conflicts of interest – where agents (again usually employees) have private, undisclosed interests that could interfere with their work and fiduciary obligations to their principals. Examples include:
• engaging in part-time work or consultancy, without permission
• using sensitive company information for personal benefit, including insider dealing
• drug or alcohol abuse, which affects work performance.

Theft of assets – including the unauthorised removal of intellectual capital and information. Examples include:
• theft, embezzlement, false accounting, and deception
• theft or misuse of proprietary information
• malingering and theft of time paid for by the company
• commercial deception by suppliers, customers, and others.

False reporting and falsifying performance – this includes both the creation of false reports and suppression of material information. Examples include:
• submitting false accounts to conceal inadequate performance or to qualify for a bonus
• using false accounts to deceive investors, bankers, a stock exchange or a third party
• manipulating financial results
• suppression of regulatory and other breaches and false reporting; examples include: falsely reporting compliance with environmental, anti-discriminatory or other regulatory requirements; fraudulently concealing violations of money laundering, health and safety, human rights or other regulations.

Technological abuse – including unauthorised access to computer systems, implanting viruses or other malicious code, and sabotage. Examples include:
• accessing computer files without authority
• unauthorised Internet browsing
• computer related fraud.

CIPS views, opinions and beliefs are stated throughout the document. However, the broad practice statements that underpin the text are as follows:

CIPS position on practice

CIPS firmly believes that Purchasing and Supply Management professionals should:
• be trained to have an understanding of fraud and the likely circumstances in which fraud might occur in their organisations
• maintain a suitable body of knowledge about fraud cases and the types of fraud that can occur in their markets, at home and abroad
• have a full understanding of rules, regulations, laws and guidelines relating to UK and global fraud
• ensure that checks for fraud form part of all vendor assessment and supplier evaluation programmes
• formalise commercial anti-fraud policy within the main procurement strategy document
• strive to minimise bottom-line financial loss to their organisation arising from fraud
• review, analyse and challenge all supply-chain business processes to mitigate the possibility of fraud in each one.

Relevant legislation

The Fraud Act 2006

The Fraud Act 2006 came into effect on 15th January 2007 and applies to England, Wales and Northern Ireland. Apart from Section 10 (1) relating to Section 458 of the Companies Act 1985, it does not apply to Scotland.

This Act largely replaces the laws relating to obtaining property by deception, obtaining a pecuniary advantage and other offences created under the Theft Act 1978. These offences attracted much criticism for their undue complexity and difficulty of proving guilt in court.

The Fraud Act establishes a new general offence of fraud which can be committed in three ways:

Fraud by false representation - Section 2
This is committed if a person makes “any representation as to fact or law... which is express or implied” and which that person knows to be untrue.

Fraud by failing to disclose information - Section 3
This is defined as where a person fails to disclose any information to a third party when that person is under a legal duty to disclose such information.

Fraud by abuse of position - Section 4
This occurs where a person occupies a position in which he or she is expected to safeguard the financial interests of another person, but abuses that position. This includes cases where the abuse consists of an omission, as well as an overt act.

In all three classes of fraud, for an offence to have occurred, the person must have acted dishonestly, and with the intent of making a gain for themselves or anyone else, or inflicting a loss (or a risk of a loss) on another.

‘Representation’ must be as to fact or law, including a representation as to the state of mind of the person making the representation or any other person. This can be express or implied.

A ‘gain’ or a ‘loss’ is defined as consisting of a gain or a loss only in money or other property (including intangible property) but could be temporary or permanent. A ‘gain’ can be construed as gaining by keeping existing possessions, not just by obtaining new ones. A ‘loss’ can include losses of expected acquisitions, as well as losses of already held property.


The Act also establishes two ‘supporting’ offences, one being the possession of articles for use in frauds (Section 7); the other being the making or supplying of articles for use in frauds (Section 8). For example, under Section 8, writing software knowing that it is designed or adapted for use in connection with fraud can result in a custodial sentence of up to 10 years.

Section 12 of the Act provides that where an offence against the Act is committed by a body corporate, but is carried out with the ‘consent or connivance’ of any director, manager, secretary or officer of the company, or any person purporting to be such, then that person, as well as the body corporate, is liable.

An important difference between this Act and the Theft Act 1978 is that offences against the Fraud Act do not require there to have been a victim, as was the case with the Theft Act.

Conviction carries a maximum sentence of 10 years and/or an unlimited fine.

The Competition Act 1998

The Competition Act 1998 came into force on the 1st March 2000 and introduces two main prohibitions:

1. A prohibition of anti-competitive agreements, which are intended to, or have the effect of, ‘preventing, restricting or distorting competition in the UK’. The Act also covers situations where there is no actual agreement, but where the actions of trade associations or companies acting together have the same effect.

2. A prohibition of abuse of a dominant position in the UK or part of the UK. Such actions include ‘limiting production, markets or technical development to the detriment of the consumer’.

The intention of this Act is to create a regulatory framework that is tough on those who seek to impair competition, but allows those who do compete fairly the opportunity to thrive. Key aspects of this legislation are:
• anti-competitive agreements, cartels and abuses of a dominant position are unlawful from the outset
• businesses which infringe these prohibitions are liable to financial penalties of up to 10% of UK turnover for up to 3 years
• competitors and customers are entitled to seek damages
• the Director General of Fair Trading has powers to step in at the outset to stop anti-competitive behaviour
• investigators are able to launch “dawn raids” and to enter premises using reasonable force
• a leniency policy will make it easier for cartels to be exposed.

Computer Misuse Act 1990

The Computer Misuse Act became law in August 1990. It is designed to meet the general threat of unauthorised access, often called ‘hacking’, and the introduction of viruses. There are three offences in the Act:

1. Unauthorised access to computer material (such as a program or data):
A person is guilty of an offence if he or she causes a computer to perform any function with intent to secure access to any program or data held in a computer AND access or intended access is unauthorised AND that person knows this is the case when the action is carried out.

Unauthorised access to computer material is the lowest level of offence and includes such practices as finding or guessing someone’s password and/or using another’s password to access a computer system.

The offence occurs even if no changes to data are made and no damage is done. It is the act of accessing materials without authorisation that is illegal.

It carries a penalty of up to six months’ imprisonment and/or a maximum fine of £2,000.

2. Unauthorised access to a computer system with intent to commit or facilitate committing further offences:
This expands on the first offence and includes gaining access to financial or administrative records.

It is the term ‘intent to commit or facilitate committing further offences’ that increases both the severity of the offence and the severity of the possible penalty, which is up to five years’ imprisonment and/or a fine.

3. Unauthorised modification to computer material:
This offence includes such practices as deleting files, changing the desktop build, introducing both local and networked viruses and modifying system files.

The key element of this offence is “intent”; that is, it is aimed at deliberate acts. It extends to the access of one computer through which damage is perpetrated on another remote computer.

This offence carries a penalty of up to five years’ imprisonment and/or a fine.

NB: CIPS legal commentaries do not purport to be any more than a brief summary of the law. There are many other areas of law which have an impact in this area, including laws on insider dealing and money laundering under UK and EU law on which specialist advice should be sought. If the reader is in any doubt then independent, expert legal advice must be sought.

Impact of fraud

The impact of fraud on an organisation is far reaching. On a corporate level the following issues apply:
• impacts on bottom line, cost, asset valuation and utilisation, corporate asset acquisition and disposal
• impacts on customer/client/stakeholder records and support
• relates to all aspects of business and commerce
• affects shareholder confidence and share values
• brings loss of operational integrity
• adds to litigation and insurance costs
• impacts on staff morale
• reduces credibility of management
• diverts management resources
• subverts organisation’s strategic objectives and policies
• impairs brand value/image and lessens the balance-sheet value of goodwill
• increases reputational risk
• impacts on corporate standards
• must be seen in the wider context of managing all risks
• must identify the processes or activities at risk of fraud
• risk to product and service outputs/deliverables
• risk to operational areas/locations
• risk to revenue generation/profitability
• risk to cash flow
• risk of unbudgeted increases in expenditure.

There are also many issues that impact P&SM professionals directly. P&SM professionals should consider the following issues and their relation to the purchasing department, policies, processes and procedures:
• strongly contiguous to corruption
• has a place in CSR strategy
• is fundamental in buyer-supplier relationships
• weak P2P processes and systems allow it
• risk to supplies and inputs.

Areas of weakness

We have all heard the saying ‘prevention is better than cure’; in the case of corporate fraud nothing rings more true. So what can P&SM professionals do to ensure that any measures implemented reduce the likelihood that their organisation will be victimised by any P&SM related fraud? The following list details potential areas of weakness encouraging fraud which require monitoring and addressing.
• poor anti-fraud and corruption strategies
• weak risk management strategies
• slack controls on people, suppliers and business processes
• anti-whistleblowing culture and lack of protection for whistleblowers
• poor accountability and governance
• poor scrutiny
• weak checks and balances, internal and external monitoring and auditing
• inadequate staff training on fraud
• making it more difficult to spot fraud
• little notable punishment for transgression
• inadequately documented policy and procedure for fraud
• failure to identify fraud indicators, such as stress levels, refusal to take leave, unexplained wealth, cosy relationships with suppliers
• lack of encouragement of prevention
• lack of positive promotion of detection
• lack of clear pathways for fraud investigation
• failure to change culture and behaviour of people
• laissez-faire attitude and approach to fraud
• lack of openness in organisation
• poor staff training on fraud
• fraud is easily perpetrated
• inadequate formal, documented policy and procedure for fraud
• lack of understanding in organisations of corporate fraud response practices
• lack of clearly defined business processes
• willingness to encourage bribery to match international culture and expectations in buying and selling abroad
• unsatisfactory processes, poor division of roles and responsibilities encouraging perpetration of fraud.

Measures to take to implement policies

It is important that all P&SM personnel should be trained so that they have a detailed understanding of the risks in the operation under their own span of control; and a broader overview of wider business risks. One way of achieving this is by a process in which P&SM professionals review the risks and controls, and agree between themselves the measures for improvement. Secondly, P&SM professionals should maintain a body of knowledge that informs them of the type of frauds that can occur in the markets and countries in which they acquire goods and services.

Due to the many rules, guidelines, laws and regulations both nationally and internationally on organisational compliance, there is a greater onus to ensure that P&SM professionals are aware of their responsibilities. Not understanding these compliance obligations is no excuse. This is an area within business that cannot be left to chance, as it is easy to make mistakes, and if concealed, can have very serious consequences. In fact, fraud and concealment or failure to comply with laws, rules and regulations can be regarded as equal risks.

The following outlines the measures P&SM professionals should consider when implementing policies.
• ensure a formal declaration of vested interests programme is established
• create a policy for the declaration of gifts and hospitality and methods of dealing with these
• ensure that a strong segregation of duties policy is established and formalised
• ensure that confidentiality and non-disclosure policies are not too narrow and secretive and, where appropriate, observe the requirements of freedom of information legislation
• ensure that formal non-collusion statements are signed at the relevant stage in any tendering process
• link codes of conduct to the disciplinary process and contracts of employment, use CIPS code of ethics as the minimum standard, be prepared to dismiss staff found guilty of fraudulent practices, be prepared to bring in the police
• create the necessary checks and balances by implementing internal audit or external forensic audit controls and processes
• ensure ‘gateway’ reviews are carried out at each stage of a procurement project; the focus of reviews is to ‘investigate and challenge’
• consider installing two separate ‘whistleblowers’ hot-lines’, one for staff, one for suppliers, and investigate all complaints received from any source
• regularly review standing lists of suppliers
• ensure that tender evaluation criteria for contract award are objective, fair and non-discriminatory; consider separating quality and price tenders and not allowing any through to the price stage unless they have passed the quality threshold
• incorporate strong security measures (lock down computers and increase firewalls) into corporate ICT policy
• ensure that the policy is well known and understood by employees and other stakeholders
• carry out regular training and awareness sessions for employees.

Frequently asked questions

Where can I find information on other legislation regarding fraud?
• Transparency International – ‘Transparency International, the global civil society organisation leading the fight against corruption, brings people together in a powerful worldwide coalition to end the devastating impact of corruption on men, women and children around the world.’
• CIFAS is the UK’s Fraud Prevention Service with 260 members spread across banking, credit card companies, asset finance, retail credit, mail order, insurance, savings and investments, telecommunications, factoring, and share dealing
• EUROPA is the portal site of the European Union. It provides up-to-date coverage of European Union affairs and essential information on European integration. Users can also consult all legislation currently in force or under discussion, access the websites of each of the EU institutions and find out about the policies administered by the European Union under the powers devolved to it by the Treaties
• CIPS legal helpline is free to all CIPS members – 0800 0921980.

What steps can I take to minimise the risk of fraud inside the procurement and supply chain functions of my organisation?
• develop a suite of guidance material and formal business processes that act as enablers for those involved in procurement in the organisation
• conduct a full risk analysis in P&SM and highlight key areas of vulnerability
• identify which preventative measures exist elsewhere in one’s organisation and consider their application in procurement and supply chain management
• ensure that anti-fraud measures and their application are driven from the very top of the organisation
• develop a robust P&SM fraud policy that reflects the commitments formalised by senior management
• implement a risk management strategy in P&SM and create a risk register with actions necessary to mitigate key risks
• ensure that the penalty for fraud committed by employees is rigidly enforced.

I am often told that fraud ‘directly affects the bottom line’. What are the other ways in which fraud can damage our business?
• fraud lowers staff morale and creates mistrust
• fraud creates adverse publicity for the organisation
• fraud causes significant damage to the organisation in the eyes of its suppliers, customers and shareholders/stakeholders
• the organisation suffers severe disruption from a major fraud investigation
• fraud can lead to bankruptcy, firms being put into administration (especially SMEs) and jail for owners/employees.

Staff motivation and discipline are particularly sensitive issues in my organisation. What steps can I take to reduce the risk of fraud without seeming to be swinging the heavy jackboot at staff?
• employees are to be at the heart of any anti-fraud strategy. The rule is: ‘velvet glove, iron fist.’ Reward loyalty and do not discriminate on grounds of age, sex and so on
• discreetly check and confirm all references
• define each employee’s responsibilities clearly and make sure they know who they should report to if problems arise
• avoid having ‘indispensable’ staff who alone know the workings of a particular part of the business
• many frauds require regular activity by the fraudster. Make sure everyone takes regular breaks from work. Remember - the bigger and more sophisticated the fraud, the more likely it will be that senior staff are involved
• ensure sensible staff rotation policies are implemented, where it is appropriate to do so
• ensure that relationships between suppliers and buyers are never close and personal
• ensure that you have a holistic corporate procurement strategy that effectively deals with procurement in ‘satellite’ parts of the organisation
• ensure that you have satisfactory risk assessment, surveillance and audit processes that can lead to the identification of fraud at an early stage
• keep up-to-date on emerging fraud threats
• ensure that ordering, receiving and paying responsibilities are segregated.

I need to beef up the way managers deal with fraud in my organisation. I know I need to lay on extra training for them, but what should I do about the organisation’s management controls? I think they’re weak, too.
• review all of your management control systems (including any embedded in IT systems) and identify any weaknesses. Take advice from specialists if you are uncertain
• always check bank and trade references of suppliers and clients through trade protection organisations or credit reference agencies
• protect your financial position by asking new clients for part payment in advance or make only partial deliveries. You can also ask for personal guarantees - credit insurance is another option
• if you are suspicious of an individual, remember that details of bankrupts are held at your local Official Receivers’ office. Details of disqualified directors are kept by Companies House, and are available on the Internet free of charge at: Companies House website
• have a clear company policy relating to fraud, and stick to it. Review it regularly. Ensure a senior manager or director has overall responsibility for fraud management
• come down hard on irregularities
• set an example from the top
• inform and train staff
• inform suppliers of your policy
• encourage "whistle-blowing" but be prepared to protect any member of staff who does so
• use the advice of internal auditors or non-executive directors
• remember, dissatisfied employees are more likely to be tempted by fraud
• if necessary access police records and security services checks
• ensure that duties and responsibilities which encourage fraud are segregated appropriately
• vet, train and monitor temporary agency and interim management staff, including external consultants and advisors
• use CCTV to conduct surveillance in high-risk areas
• introduce spot checks on activities, stock and personnel as appropriate.

My organisation is becoming ever more dependent upon computers to manage the back-office processes which underpin the services we deliver. How can I improve computer security so that fraudulent ICT practices are minimised?
• have a clear policy concerning the use of computer systems
• change passwords regularly and keep them confidential
• consider sourcing an externally-hosted service, or outsourcing parts or all of the ICT service, rather than keeping it all in-house. External providers should have far greater skills and controls in minimising fraud
• ensure all staff are aware of their legal standing with regards to their use of computers
• employ staff who are suitably trained in the use of the IT systems
• take regular and frequent backups of data and keep copies of backups off the premises in case of theft, fire or other disaster
• install anti-virus software and firewalls to prevent fraudulent practices and lock down PCs to prevent employee access to inappropriate websites (on-line gambling and so on)
• beware of computer viruses through unsolicited discs or through the Internet
• implement and maintain a corporate disaster recovery strategy and test plans regularly and frequently
• seek the advice of experts if unsure.

Further Reading

• Comer, Michael J., Investigating Corporate Fraud, price: £59.95, ISBN: 0566085313, pages: 245.
• Sadgrove, Kit, The Complete Guide to Business Risk Management, 2nd ed., price: £65.00, ISBN: 0566086611, pages: 348.
• Reuvid, Jonathan (ed.), Managing Business Risk - A Practical Guide to Protecting Your Business, 3rd ed., price: £50.00, ISBN: 0749445106, pages: 317.

Useful Websites

www.transparency.org/
www.homeoffice.gov.uk/
www.cifas.org.uk/
www.apacs.org.uk/
www.acpo.police.uk/

Author

Ron Hardwick
Chairman
Contracts SKG
Friday, 17 August 2007

CIPS would like to thank the Contract Specialist knowledge group for their contribution to this paper.