Are there fraud risks associated with vendors?
Every public and private sector organisation today has a requirement to outsource some or all aspects of its operations, whether it be purchasing supplies or equipment, engaging a managed (outsourced) service provider to run its IT helpdesk or security operations centre, or purchasing tangible products or raw materials for its operations. Managing these capabilities takes a lot of effort and typically requires a specialist team aside from the procurement function to manage key relationships day to day.

We all know that relationships are difficult by their nature, and business relationships are no different to those in our personal lives. Sometimes, however, relationships deteriorate substantially to the point of potential litigation or where those relationships may be severed. Common triggers for this include upstream supply or quality control issues, breaches of confidentiality, and fraud.
What is fraud?
The Commonwealth Fraud Control Policy defines fraud as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’. As defined here, a benefit can be material or non-material, tangible or intangible. Benefits may also be obtained by a third party. Examples of fraud relating to vendors include:
- theft
- accounting fraud (e.g. false invoices, misappropriation)
- causing a loss, or avoiding and/or creating a liability
- providing false or misleading information
- failing to provide information when there is an obligation to do so
- misuse of assets, equipment or facilities
- making, or using, false, forged or falsified documents
- wrongfully using confidential information or intellectual property.
Business to business fraud is a problem which remains largely off the radar – many businesses have problems with their vendors or business partners, but these rarely end up in court or in the media. Frequently, even when a business relationship goes wrong, the parties to the relationship still need each other and will work to rebuild trust that has been lost where an alternate supplier or partner is not available.
One important note on vendors is that they form part of your organisation’s inner circle: they are trusted insiders who, by virtue of this status, have privileged access to your organisation, its products, information, services, systems, facilities and people beyond that of the ordinary public. It is critical that vendors be considered as part of your Insider Threat Management Program, as well as in your Supply Chain Security, Integrity and Fraud Program. Where there are overlaps in coverage in these programs, these should be harmonised.
Associations with disreputable vendors can also damage your organisation’s reputation, and potentially introduce the risks of civil or criminal action as well as shareholder activism. One example here is where a vendor is involved in modern slavery, and your organisation’s due diligence program has not detected this in advance.

What is the vendor fraud landscape?
Vendor fraud can be defined as fraud involving a vendor that occurs at any point in the supplier process, namely:
- Supplier selection
- Contracting
- Operations
- Termination
The Association of Certified Fraud Examiners (ACFE) notes that vendor fraud can occur in anything from billing to delivery of supplies, and can be broadly grouped in two categories. Vendor frauds involving trusted insiders, such as employees and contractors, can occur independent of the vendor or in collusion with them. There are also various types of vendor frauds perpetrated without the involvement of insiders. These range from what we might call ‘soft frauds’, such as subtly charging the wrong hourly rate or claiming travel expenses when not applicable, through to more serious problems like product substitution. A high-level taxonomy of vendor fraud is shown below:
| Vendor frauds involving insiders | External vendor frauds |
| --- | --- |
| Billing schemes (invoicing) | Labour fraud schemes (for outsourced services) |
| Corruption schemes (e.g. kickbacks, bribery, conflicts of interest) | Travel fraud schemes |
| Fraud schemes involving materials | |
| Shell companies and pass through schemes | |
| Hidden subcontractor schemes | |
As you can see, there is a wide spectrum of vendor frauds – the ACFE’s training course on vendor fraud, referenced below, is a great starting point for someone new to this area. Some are specific to particular types of work, such as labour and travel fraud schemes, which are more prominent with the outsourcing of services.
Vendor fraud versus supply chain integrity: what’s the difference?
As the focus of @forewarnedblog is on protection and integrity of critical technologies, supply chains, IP, products, brands and marketplaces, I would be remiss if I did not cover vendor fraud schemes involving materials and ‘supply chain integrity’ in more detail.
The term ‘supply chain integrity’ is being used increasingly in common language to reflect whether business buyers (as opposed to retail consumers) have ‘got what they paid for’ in relation to materials (products). As consumers, when we buy a product (the material) we expect it to meet certain quality or provenance (origin) standards, such as those advertised by the seller or manufacturer. In countries like Australia, many of these requirements are also enshrined in consumer law. If a product breaks or fails, or if it is poor quality such as paint peeling off, then we feel disappointed and probably worse. It is business’ responsibility to make sure this outcome doesn’t happen for its consumers, which is where a Supply Chain Integrity program comes in.
A Supply Chain Integrity program aims to “mitigate the risk end-user’s exposure to adulterated, economically motivated adulteration, counterfeit, falsified, or misbranded products or materials, or those which have been stolen or diverted” (The United States Pharmacopeial Convention, 2016). These programs apply to both buyers and sellers, but the focus differs depending on where you sit in a supply chain.

The overlap with vendor fraud lies with what ACFE refers to as “fraud schemes involving materials”, which cover risks such as product substitution (a buyer pays for a product meeting one set of specifications, but it is substituted with a cheaper, lower quality, alternate or less functional model which might be less reliable for the user). Typically, the trust a consumer places in a product or service is also wrapped up in the seller’s brand – if we see a product for sale from a brand we trust, we might buy it without question. Commonly, Supply Chain Integrity is bundled with Supply Chain Security into a consolidated ‘Supply Chain Integrity and Security’ program (SCIS), as seen in the global pharmaceutical industry.
Typically, an SCIS program focuses on both upstream supply (i.e. ensuring substandard products or raw materials do not infiltrate your supply chain as an input to, say, manufacturing), and downstream supply, to ensure that counterfeits and diverted products do not enter a supply chain through nodes such as authorised distributors. In contrast, vendor fraud programs are typically narrower in scope.
What does this mean in practice?
In my opinion, if you are in an industry with serious life, safety or reputational (‘brand’) risks attached to the quality of materials provided by your suppliers, using a vendor fraud program to manage product substitution fraud risks may not be sufficiently robust or rigorous. Typically these programs focus on whether the vendor supplied a substandard product (i.e. may have defrauded you in terms of your sourcing, purchasing or procurement process) rather than a more holistic program aimed at improving the security and integrity of your supply chain overall (i.e. all products across all vendors). For these industries, a holistic Supply Chain Integrity and Security program (that also addresses the vendor fraud risk of product substitution) is more appropriate.

We already see this situation emerging in high reliability industries (e.g. mass transport, pharmaceuticals and medical devices, automotive and aerospace). In Australia, this area is becoming increasingly regulated with amendments to Australia’s Security of Critical Infrastructure (SOCI) Act which covers eleven critical infrastructure sectors and introduces new rules for managing supply chain integrity and security hazards. There’s a lot to unpack in this topic – I will cover some types of vendor fraud, particularly product substitution (sometimes called ‘product fraud’) in future posts.
Further Reading
- Asia Pacific Economic Cooperation. (2016). Supply Chain Security Toolkit for Medical Products, Life Sciences Innovation Forum, www.usp.org
- Association of Certified Fraud Examiners (n.d.). Auditing for Vendor Fraud, https://www.acfe.com/selfstudy.aspx?zid=2c92a0086a07f4aa016a27279923332b
- Australian Government (2017). Commonwealth Fraud Control Policy, www.counterfraud.gov.au
- Curwell, P. (2021). The USP/APEC ‘Supply Chain Security Toolkit for Medical Products’, https://paulcurwell.com/2021/08/29/the-usp-apec-supply-chain-security-toolkit-for-medical-products/
- Curwell, P. (2021). Unpacking AS6174 in relation to Supply Chain Integrity, https://paulcurwell.com/2021/05/30/unpacking-as6174-and-supply-chain-traceability/
- Curwell, P. (2021). Modern Slavery, Human Trafficking & People Smuggling? (Part I), https://paulcurwell.com/2021/04/30/modern-slavery-human-trafficking-people-smuggling-part-i/
- Curwell, P. (2021). How should I perform due diligence to comply with Australia’s Modern Slavery Act 2018 (part 2)? https://paulcurwell.com/2021/06/27/how-should-i-perform-due-diligence-to-comply-with-australias-modern-slavery-act-2018-cth-part-2/
- SAE International (2014). AS6174 Counterfeit Material; Assuring Acquisition of Authentic and Conforming Material, Rev. A, Aerospace & Automotive Standard, www.sae.org.
- Smith, M., Ashraf, M., Austin, C., Lester, R. (2021). Product fraud: Impacts on Australian agriculture, fisheries and forestry industries, AgriFutures Australia, https://www.agrifutures.com.au/product/product-fraud-impacts-on-australian-agriculture-fisheries-and-forestry-industry/
- The United States Pharmacopeial Convention (2014). <1083.4> Supply Chain Integrity and Security, www.uspnf.com