A colleague recently shared an article about invoicing fraud within a US corporation and questioned how this happens in companies that use electronic systems. The story went like this: an Oklahoma man was charged with defrauding Chesapeake Energy of more than $4 million using fraudulent invoices. He created work tickets for field services that were never performed, ensuring each one totaled an amount under the company’s $5,000 low-level approval amount. The fraud took place over a period of 9 years and involved more than 1,100 fake invoices totaling 4.3 million dollars in payment.
The article is an important reminder of the prevalence of corporate fraud, and begs the question, “am I at risk for fraudulent invoices?” I sat down with our Senior Enterprise Architect, Lucian Pop, to discuss what leads to these types of theft and how it can be prevented.
Use and Track Purchase Orders
In the case of Chesapeake Energy, they had an electronic invoicing system in place to receive vendor documents. This automation creates efficiency but is not a solution in itself to prevent fraudulent submissions. A way to avoid this is to use and track Purchase Orders. When the PO is generated by a company’s ERP system, it creates a record of all requested products and/or services. Then when invoices are submitted, they can be automatically validated against the data in the Purchase Order to ensure they are authentic. If you are considering an e-invoicing system, make sure the solution offers this reconciliation process. In the Oil & Gas industry specifically, providers should offer validation against both Purchase Orders and Field Tickets for added security.
Create an Airtight Approval Chain
Now that you have automated and validated the invoice data, it is also important to address and track the approval cycle of those invoices. Some companies choose to have a final approver on all invoices, including low-level approval amounts as an additional security measure. For default approved limits, you can put in place scheduled reviews or audits as a protection measure. This will allow early detection of any fake invoicing activity and prevent it from escalating. If the invoices are for field work as in the case of this article, it is also important to have the work validated by a field approver. This function can be set up within your e-invoicing system and enables sign off by approvers who may not be office based.
Use Your Power Wisely
All companies need to give access and authority to personnel in order to ensure a smooth flow of operations. At times, the checks and balances that go along with that access can appear tedious. It may not be obvious to everyone involved why those security measures are necessary but remember that they are often the result of hard-learned lessons. There is a delicate balance between comfort and control; when control is tighter, there is more discomfort and vice versa. If you want to keep security risk at a minimum, do not give in to the temptation to take time-saving shortcuts.
It’s Not Only A Big Company Problem
According to the article “Fraud Statistics Every Business Should Know” from Quickbooks, small companies are particularly vulnerable to fraud in comparison to their larger counterparts. This vulnerability is due to the difference in anti-fraud practices between companies of various sizes. Often larger companies will invest in measures such as hotlines, employee fraud training, and internal departmental audits at a cost not feasible for small organizations. Look for ways to add effective controls where possible, regardless of company size, to enable early fraud detection.
Social Engineering is on the Rise
Technology is an important tool for mitigating risk through the elimination of unintentional human error, but it is not impervious to intentional human interference. Criminals are very skilled at manipulating people to give up confidential information such as passwords and employee ID’s, an activity of growing concern known as “social engineering”. Why is it on the rise? It is much easier to obtain an employee’s information to access company systems than it is to hack the software. The article “What Is Social Engineering?” from cybersecurity provider Webroot provides a valuable overview of what social engineering is and how it affects us. A computer cannot tell the difference between you entering your credentials, or an intruder who has stolen your information. As more technological advances are made, we can be sure that criminals will find even more creative ways to breach them, so be vigilant in your fraud prevention!
View the original article here: http://brokernewswire.com/sulphur-oklahoma-man-charged-with-defrauding-chesapeake-energy-of-more-than-4-million/.