Selling fraud-prevention efforts can sometimes be as challenging as preventing fraud. How does one ask for money to prevent something that has not yet happened or is difficult to quantify? The standard statistics from the Association of Certified Fraud Examiners state that enterprises lose 5 percent of their gross revenues to fraud every year. Is a single statistic enough to build a case on?
If a fraud-prevention or risk management program will have a negative impact on operational throughput—causing a decrease in operating efficiency or an increase in the cost of goods sold, perhaps due to an increase in labor required by operations processes—the proposed fraud-prevention and risk management programs will have little likelihood of receiving the go-ahead from C-suite executives.
That’s why risk management and fraud prevention cannot be implemented as standalone, isolated objectives. They should be married to operational improvement projects, and they should use the embedded technologies that operate the enterprise’s supply chain activities. This approach offers a clear return on investment: When supply chain operations and technologies are brought together with risk management and fraud prevention, the same technologies and transactions that are used to enable the supply chain and measure its performance can also be used to monitor for fraud and analyze patterns for risk. This helps ensure that the overall goals of the enterprise are truly shared amongst all internal stakeholders.
The Right Technology Infrastructure for Supply Chain Audits
First, a company needs to have the right technology infrastructure in place. Corporate policy should involve converting paper-based transactions to electronic transactions and then performing audits and cross-checks as close to the operational point of origin as possible. Audits will involve comparing different documents related to a particular transaction, as they appear within the company’s supply chain software system of record, and also comparing the current version of the same document between software systems.
The goal is to stop the “bad”—whether it is erroneous data or actual problems with the shipments of goods—at the point of origin, before the “bad” has the opportunity to manifest into something worse as it infiltrates the enterprise’s supply chain. The phrase “garbage in, garbage out” is a truism. Bad data can lead to even worse information, and to damaging decisions.
The technology at the center of it all is the enterprise resource planning (ERP) system. While some enterprises run multiple ERP systems, and others run interconnected “best of breed” systems, an enterprise looking to conduct supply chain audits should have at least one robust ERP system that is the system of record. The ERP system stores information about the enterprise’s customers, products or services, and suppliers. Employees use the ERP system to generate the documents needed to close business transactions involving those customers, vendors, and items for sale: sales orders, purchase orders, work orders, and invoices. Accounting ledgers, payables, receivables, and manufacturing bills (material, operations, and labor) are all maintained within the ERP system as well.
Companies that are serious about supply chain audits often extend the internal reach of their ERP system of record using electronic data capture (EDC) via automatic identification technologies such as barcode labeling and scanning, or radio frequency identification (RFID). These technologies convert manual inventory-receiving activities into automated activities that are recorded via electronic transactions. The primary return on investment for these technologies derives from the fact that, compared with manual data processing, they improve both throughput and accuracy within operations. But beyond the obvious benefits, the ability to capture transactions at the source enables companies to monitor the supply chain looking for fraudulent activities by cross-checking data in the EDC system against purchase orders and electronic bills of lading.
Companies may also extend the external reach of their ERP system using electronic business-to-business (eB2B) technologies such as electronic data interchange. EDI is used to translate common business documents—including purchase orders, purchase order acknowledgements, purchase order changes, invoices, payment remittances, debit/credit adjustments, and shipping notices—into a universal electronic format so that supply chain trading partners can easily exchange information about a transaction.
Note that ERP, EDI, and barcoding technologies have been around since the 1970s and 1980s; in these areas, the same technologies developed decades ago are being used to enable and operate supply chains today. While the science supporting these technologies has improved greatly and standards have evolved, the underlying technologies have remained tried-and-true.
Regardless of whether a company has extended its ERP system using these types of technologies, the critical factor for ensuring that supply chain audits will be effective is to designate a single ERP system as the company’s system of record. At all times, this one system needs to hold the most recent version of every document related to the supply chain. Likewise, there should be one system of record for eB2B transactions and one for warehouse or distribution center transactions. Even if a company uses multiple warehouse management systems, it should consolidate all the systems’ transaction records in a single data warehouse, or use some other means of creating a companywide data repository of record.
Cross-Checks Help Monitor Transactions for Possible Fraud
When a company has established a system of record that holds current data on all its supply chain documents and activities, it is ready to perform information audits and cross-checks. Supply-chain auditors should find known, closed-loop, complete, and error-free scenarios that they can use to establish baselines against which they will judge open-ended, incomplete, or possibly in-error transactions. Rules-based scenarios must be well-thought-through and approached from various angles to ensure all variations are considered and accounted for. Then they should compare:
Purchase order vs. ship notice. The ship notice, having arrived prior to the physical receipt, provides a preview of what the customer company can expect to receive with regard to shipment weight, volume, and the quantities of items. Any discrepancy between the final state of the purchase order and the ship notice, excluding known back orders, has an impact on supply chain operations. But if the items shipped differ from what’s listed on the purchase order, or if quantities differ from what was ordered (e.g., shipment quantities exceed purchase order), a company can take that discrepancy as a red flag that something is amiss. Although it would be foolish for a supplier engaging in illicit activities to blatantly notify the customer on the electronic bill of lading, criminals are sometimes caught making this sort of mistake. It’s well worth checking.
Receipt vs. ship notice. The receipt for the transaction should match the electronic ship notice.
Receipt vs. purchase order. Even in a back-order situation, where only part of the purchase order was fulfilled, auditors should make sure that all the goods which were shipped appear on the purchase order. An item that appears on a receipt but not on any purchase order is a clear sign of a problem.
Quality assurance vs. receipt. The audit team should sample goods as they are received, and should enter the results into an electronic quality-assurance system. Note that problematic cartons are likely to be in the center of the pallet, where they are difficult to reach. The quality-assurance test should be cross-checked against the transaction receipt to ensure that the shipment meets agreed-upon quality standards.
Invoice vs. quality assurance. Most enterprises pay their invoices, then ask for credits if they discover problems with the goods received. One flaw in this approach is that the receiving company may not notice supply chain problems in time to deal with them effectively—in other words, they may not realize there’s a problem with a particular shipment of materials until those materials are already needed, immediately, for manufacturing or distribution processes. Another flaw is that paying invoices for shipments with quality problems consumes cash that the customer enterprise could find better uses for. Best practices in supply chain management involve paying invoices only after receiving goods that match the quality and other characteristics described in the purchase order.
Discrepancies in any of these areas may be honest errors. However, they may also indicate theft by a vendor, carrier, or someone within the customer organization. They may result from data manipulation by someone within the customer company, either to make a supplier appear to be performing better than it is, in order to secure kickbacks, or worse than it is, in order to force in a substitute supplier that has promised kickbacks. Or discrepancies may highlight gaps in policies and procedures that the company may want to address through programmatic fixes.
Benefits for Supplier Performance Management
Retailers have been doing cross-checks of supply chain documents since before my introduction to vendor compliance in 1993. They’ve added new documents to the process, and the transaction formats have been updated over the years. They’ve also become increasingly adept at tying supply chain audits together with vendor performance management processes. And as they’ve done so, companies in other industries have begun to view supply chain audits in the same light.
The ability of a vendor to correctly format electronic transactions, to send data on a timely basis, and to accurately fulfill its shipments, comprises the foundation for customers’ monitoring and management of that vendor’s performance. Supply chain metrics typically include purchase order acceptance (e.g., percentage of back orders, percentage of cancellations); fulfillment accuracy (e.g., percentage of correct items, percentage of completely fulfilled items); invoicing accuracy to the shipment (i.e., invoice includes only the shipped items); invoicing timeliness to the shipment; accuracy and timeliness, in relation to the shipment, of the electronic bill of lading (i.e., the advance ship notice); and product returns and replacements (i.e., quality).
Much of the same data a company uses to audit its supply chain, looking for fraud, can provide crucial information about the supplier’s performance. Thus, companies working on a supply chain audit can translate their key fraud concerns into key performance indicators (KPIs). These metrics indicate the vendor’s level of performance and are typically presented as percentages. For example, a company might measure vendor performance through a product-quality KPI. A vendor that scores 100 percent on the quality KPI might seem like a dream come true for a supply chain professional, yet the 100 percent might raise the eyebrow of an auditor who finds that consistent performance at that level is highly unlikely within the company’s industry—or is likely only with some inside help and data manipulation. It is important to audit both the poor performers and the top performers when selecting supply chain data samples.
Once it has developed a series of KPIs to gauge vendor performance, a company can build a vendor scorecard that compares vendor performance against a benchmark and assigns the vendor a grade for each KPI, much like the grades associated with school report cards. The company’s supply chain managers need to determine which performance level is acceptable for each KPI. A 95 percent fulfillment rate (i.e., a 5 percent back-order rate) may result in a scorecard grade of B, while a vendor may need to attain a 97.5 percent fulfillment rate to earn an A in that area. However, scoring on the KPI measuring timeliness of invoices might give the vendor an A as long as 90 percent of its invoices are delivered within 10 days of the shipment delivery date.
Customer enterprises should not confuse this performance scorecard with their vendor dashboards. A vendor dashboard gives the vendor visibility into its own performance across all metrics. For example, it may enable the vendor to see that only 87 percent of its invoices over the past month were delivered within 10 days of the shipment delivery dates. By contrast, a performance scorecard shows an aggregation of performance information over time, and it may translate these aggregated KPI calculations into a letter grade for each metric. Some companies use performance scorecards to track as many as 25 different supply chain metrics for their vendors, covering everything from electronic transaction integrity and timing, to carton and pallet configurations, to carton, pallet, and item labeling, as well as product packaging and presentation. Not all supply chain metrics are useful in fraud detection and reduction, but many of the same supply chain systems and transaction data can support both performance management and supply chain audits.
Leveraging KPIs for Supply Chain Risk Management
The same process that a company uses to monitor performance within its supply chain can also be used to assess supply chain risk. If a vendor’s performance against a particular metric starts to either increase or decrease significantly, that change could be an indicator of trouble ahead. For example, the KPI’s movement could tell the customer company that it needs to evaluate whether the vendor is about to cease business operations altogether. This is especially important if the vendor is the company’s sole source of whatever material it is supplying.
Whether looking for fraud or examining for risk, the customer enterprise is essentially developing sets of rules to compare its supply chain transactions against, which are not unlike the rules used to determine vendor performance. Software to perform rules-based risk and fraud analyses is available in the marketplace as generic rules-based engines. Alternatively, a company may opt to develop similar software in-house. When a transaction triggers an alert in the rules engine, then the software should notify the right people, as determined based on the type of fraud or risk that was detected. For example, fraud messages might go to the audit team, while risk messages might go to the supply chain team, with certain crossover communication. Similarly, different situations might require different escalation of alerts—e.g., email alerts vs. more urgent text messages. In addition to setting up rules around alerts for issues that require immediate action, it makes sense to set up dashboards for ongoing monitoring.
Companies can use a similar approach to gain insights about their internal business, as well. An analysis of the number of shipments received provides information about employees’ workload per day and per hour, enabling the enterprise to appropriately adjust labor capacity. Examining data around each shipment can also provide insights into the amount of labor required to move and store the goods received, as well as the amount of physical storage capacity required to stock goods.
If a warehouse audit reveals delays in receiving, or aisles clogged with cartons that make it difficult for forklift and foot traffic to safely move through, then the justification for more capacity—whether people or space—is likely in the data. But an inventory audit may instead reveal that mistakes in order fulfillment, or damages in the warehouse, are the result of sloppy inventory management.
Examining data on a frequent basis, instead of only during the occasional physical audit, shifts the perspective from reactive to proactive. Why wait to change an ineffective process if it is causing chaos? If employees are not speaking up and alerting management to problems, then data analysis will reveal what the employees are not saying. Moreover, data from internal operations audits can help to quantify what employees are either grumbling about or suggesting changes around.
This is one example of the ripple effect that can occur when something “bad” infiltrates the supply chain. The original problem can manifest itself and morph into bigger problems as it traverses the supply chain’s links. Note that within supply chain management, “bad” may equate to “missing”; it doesn’t necessarily mean the opposite of “good.” Delays in entering receipt data into the ERP system, for example, will adversely affect the information reported out of it, skewing results and impacting the decisions that are based upon ERP data.
Set up Audit Logs in ERP
One important feature that should be activated in the ERP system of record is audit logging, which captures any change in data within the system. Although audit logs can take up significant hard drive space and can be arduous to search through, they represent a critical chain of evidence when the company needs to understand who altered what data, from what value to what value, and when and where the information was changed.
For example, purchase orders and invoices are at the root of many fraud schemes because their content can be altered after their commitment. One common fraud involves someone in the vendor organization changing part pricing in the ERP system before a purchase order is sent and then changing it back after the purchase order mails. Without an audit trail of who is doing what, and when, it can be nearly impossible to successfully pinpoint the perpetrator of a fraud that involves manipulation of electronic data.
When a company’s supply chain transactions are fully converted from paper to electronic format, the organization may also compare data from its EDI (or other eB2B) system with data from the ERP system to flag suspicious transactions. EDI systems are effectively “closed,” meaning that altering their data is difficult even for experienced professionals. At minimum, an office worker scheming to alter EDI data would have to conspire with an IT professional who has administrative access to the EDI system.
In comparing data across systems, an auditor can check that the most recent version of the purchase order in the ERP system matches the most recent version in the EDI/eB2B system, and that the most recent version of the invoice received from the vendor via EDI/eB2B matches what was imported into the ERP system. If a proper vendor compliance program is in place, the last acknowledged versions of the purchase order and invoice should match. Companies should be suspicious of any mismatches, and should investigate any discrepancies. These comparisons are not difficult to perform, and would be possible to perform by automating the match for every purchase order and invoice.
Working Together to Optimize the Supply Chain
Ultimately, viewing the same supply chain transactions from different perspectives enables an enterprise to examine its supply chain from three related, but critically different, views:
- Performance: This hindsight perspective lets the enterprise know how well it is doing, especially with regard to the vendors in its downstream supply chain.
- Fraud: This insight perspective looks for anomalies or patterns that may be indicators of a problem. A subjective review of the output by trained professionals can determine whether the results point to illicit behavior; are one-off occurrences representing gaps in operations processes or technology rules; or represent workarounds that require a policy, procedure, or programmatic fix to correct.
- Risk: The foresight perspective considers the data in aggregate over time to determine whether a pattern is heading toward an unfavorable outcome. Some risk determinations can be made relatively quickly, but others are more subtle and require an analysis of data across many points.
When a company makes the same supply chain data that is available to supply chain operations professionals also available to auditors and risk managers, and facilitates the collaborative sharing of perspectives and insights, the messages of risk management and fraud detection are spread throughout, and the entire enterprise benefits.
Collaborative partnering on projects saves money and reaps a greater return on the enterprise’s investments. Siloed systems (e.g., ERP, eB2B, audit) are removed, duplicate data is reduced (also reducing data storage capacity and costs), and communication is more effective. Process improvement, fraud detection, and risk reduction projects become more convincing (and more palatable) to C-suite executives when there is partnership from what once were disparate teams. And return on investment of these projects increases when the overall investment is shared across a more diverse cross-section of functions. The message that the whole enterprise is on the lookout for fraud and is watching out for risk helps make the project successful: The more eyes on the prize, the greater the chance of achievement.
Research has revealed that boards of directors want internal auditors to be more than reactive groups who lack a sufficient understanding of the inner workings of the enterprise. Boards want internal auditors to be able to make proactive recommendations for improvements, but unfortunately auditors may lack the knowledge to do so. While bringing in outside expertise is an option that may be justified if the enterprise lacks the specialty skill set, partnering with internal resources often makes more sense, and collaborative knowledge sharing can work both ways. Operations team members can come to understand audit methods and risk management, while auditors better understand supply chain software systems and processes.
I do not believe that anyone could successfully argue that reducing risk and fighting fraud are not worthwhile endeavors for any enterprise. It is just best done as a collaborative effort.
Norman Katz, CFE, CFS, CCS, is president of Katzscan Inc. near Fort Lauderdale, Florida. He is a 30-year consultant in supply-chain technologies and operations, as well as an author, speaker, and instructor. He is also the author of “Detecting and Reducing Supply Chain Fraud” (Gower, August 2012) and the forthcoming “Successful Supply Chain Vendor Compliance” (Gower, January 2016). You can reach him at email@example.com.