Outward Bound - Fraud in the Procurement Cycle

The procurement cycle is the set of activities related to buying and paying for goods and services. This can range from one-off purchases from unknown suppliers to regular purchases through known suppliers, all the way up to large-scale procurement projects put out to a tender process. Whether small or large-scale purchases, there are fraud risks at each stage of the cycle. From selecting suppliers and verifying the goods and services received, to making payments to the correct supplier or paying staff expenses for purchases requiring reimbursement. It is therefore imperative to understand the key risk areas to help prevent procurement related fraud at your charity.
 

Five-fold increase in procurement fraud

Procurement fraud is a general term to categorise fraud that occurs anywhere in the expenditure cycle, from the planning and assessing stage to contract management. Compared with the previous year, our latest survey found a five-fold increase in supplier and procurement fraud (increasing from 5% to 26%). 5% had seemed particularly low when compared to our experience of the prolific nature of procurement fraud, so the latest results are – unfortunately – more in line with our expectations.
 

Common procurement fraud themes

One of the common features of this type of fraud is that it often involves collusion between an insider and an external party. This may include situations where the external parties are friends and families of an employee or volunteer or a where there is a more business-like arrangement which is mutually beneficial to both parties. Either way, the risk to the charity doubles as they are vulnerable from both sides. Some of the most common themes in procurement fraud include:

  • Collusion both between employees or volunteers and suppliers, or between suppliers themselves to, for example, drive up prices or influence the tender process;
  • A supplier may unduly influence an employee or volunteer to award work to them by offering kickbacks or bribes;
  • An employee or volunteer may process payments from the supplier above the agreed budget;
  • Suppliers may provide inflated invoices that demand a price higher than was agreed; and
  • A supplier may substitute a product for a lower quality one than what the charity paid for.

 

Protecting against procurement fraud

If you think about the amount of money that you spend on goods and services each year and roughly calculate how much it would cost your charity if just 1% was lost to procurement fraud, this would probably be a worryingly high number. In order to avoid losses, some controls to implement at your charity to protect against procurement fraud include:

  • Educate staff and volunteers on procurement fraud red flags and provide them with appropriate reporting channels for concerns;
  • Have a procurement policy that clearly states the procurement processes and so there is no ambiguity;
  • Delegate responsibility for the procurement cycle amongst multiple people to avoid allowing any one person to monopolise the procurement decisions;
  • Check invoices against budget and run exception reports on supplier activity data to identify any outliers or unusual trends; and
  • Conduct proper research and due diligence on new suppliers.

 

Payment diversion fraud

Making sure that you are paying the correct party is key. In the prior Charity Fraud survey, we discovered that payment diversion fraud was the most common type of fraud experienced by respondents (37%). Whilst this decreased to 20% in the latest report, this still represents a significant proportion of all fraud reports, and is still a prominent risk that needs to be mitigated as it is very unlikely to go away. 

Payment diversion fraud is where a fraudster will impersonate a supplier by creating or amending what appear to be genuine invoices or other payment requests to divert funds to bank accounts under their control. There is an entire industry underpinning this type of fraud, and fraudsters will go to great lengths to ensure that fraudulent requests look genuine. There is no doubt that all organisations are and will continue to be vulnerable to this type of fraud, no matter their size. 

This type of fraud largely relies on fraudsters being able to pose as someone they are not in order to illicit payments. Fraudsters can obtain information through social engineering, manipulating someone into performing certain actions or providing relevant information that gives the fraudster an opportunity for a payment diversion attack.
 

Common payment diversion fraud themes

The most common approaches made by fraudsters are via email or phone calls, where the fraudster will claim to represent a known supplier. We have investigated some very elaborate (but not uncommon) scams where the fraudster has gone beyond the more regular scams. For example:

  • A fraudster purporting to be the CEO asking an employee to move funds urgently to a secure location amidst a supposed cyber attack;
  • Fraudsters impersonating the organisation’s bank to warn of a failed payment and successfully convincing the employee to provide sufficient information to allow the fraudster to log onto the organisation’s bank account to set-up new payments; and
  • Fraudsters pretending to be suppliers and calling repeatedly to put pressure on employees to change payment details and make payments for various reasons, including that they may go out of business.

Although the above examples are extreme, the process often appears very authentic. We know that charities can be overstretched and under-resourced and, as a result, funds can all too often fall into the hands of organised criminals, but most importantly not in the hands of those who depend upon it the most.
 

Protecting against payment diversion

Some key controls to implement at your charity to protect against payment diversion fraud include:

  • Educate employees so they understand the many guises that payment diversion fraud may take;
  • Only change payment details if you have verified the details directly with the supplier on a phone number that is already known to you and following consultation with your reporting manager; and
  • Implement a built-in phishing email identifier into your charity's email system to flag unusual or suspicious emails upon receipt;
     

Expenses fraud

Expenses and subsistence claims will arise during everyday activities as trustees, staff, and volunteers carry out your charity's work. If there are limited controls around what can be expensed there is a heightened risk of fraud, particularly amidst a cost-of-living crisis where employees and volunteers may be under unprecedented financial pressure.

The risk of expenses fraud will increase if employees are regularly making genuine purchases and claiming through expenses instead of going through the appropriate procurement channels as it will become more difficult to identify genuine purchases from any personal purchases. There is also a risk that your charity will be overpaying for goods and services if ad-hoc purchases are the norm.
 

Protecting against expenses fraud

Whilst procuring goods and services directly and submitting an expense claim through the charity may be more convenient for the trustee, employee or volunteer, that does not mean it will necessarily be in the charity's best interest. A proactive approach is advisable. Some controls to protect against expenses fraud include:

  • Require pre-approval of all expenses claims - this removes any subjectivity after the event, eliminates the need for a detailed review, and will give you peace of mind that expenses are legitimate;
  • Require proof of purchase and delivery of the good and services;
  • Regularly monitor staff expenses to look for any trends or spikes in activity; and
  • If frequent ad-hoc purchases are required consider a corporate credit or pre-paid debit card that is controlled and reconciled centrally.
     

Controls can help keep your charity safe

Limited resource is often the norm for charities. It is therefore imperative that you have control over your outgoings, whether this is maximising value for money, having transparency over the supply chain to ensure it aligns with your social, ethical or environmental objectives, or preventing losses through fraud or error at all stages of the expenditure cycle. Control will help to flag the risks before it’s too late and help prevent fraud from happening. But, sometimes even the best prevention controls can’t stop human error or intent. So if the worst happens and you think you have been a scam victim, always report it immediately to your manager, your bank and Action Fraud. The quicker you report, the quicker action can happen and funds hopefully stopped or recovered.

For further reading, please review the Love business Hate fraud campaign’s helpful guide on how to keep your organisation safe when buying goods and services: Buying goods and services safely - Love Business Hate Fraud

Contact Tracey Kenworthy, Fraud Director for more advice on how to prevent fraud at your charity.
 

Charity Fraud Report 2022