Lastest news

How to mitigate the risk of invoicing fraud

Apr 05, 2018
Individuals and organisations involved in the payment of invoices should consider and mitigate the risk of fraud, writes Michael Fitzgerald.

An employee, contractor or supplier can commit fraud by knowingly submitting false, inflated or duplicate invoices with the intent to defraud – either acting alone or in collusion with contracting personnel. Fraud can commonly occur by:
 
  • Third party fraud: this involves the creation and submission of an invoice for supposedly legitimate products or services that have never been delivered or carried out. A contractor or supplier could work alone to submit and obtain payment, or could collude with an employee to acquire payment;
  • The payment of duplicate invoices: while this may not be fraud-related on all occasions, mistakes in the Accounts Payable processes can provide the opportunity for leakage of payments by fraud or genuine mistake; and
  • Employee fraud is potentially costly and there have been cases where an employee obtained a legitimate vendor invoice for payment and used a bank account under their control to divert the payment. To carry out this type of fraud, the employee usually has to gain access to the employer’s accounting software, whereby they are able to change the vendor’s bank account to one under the employee’s control. To avoid detection, the employee would then change the bank account number back to the vendor’s original number once the payment has been made.

Red flags

False invoicing is not particularly sophisticated, but it is difficult to keep it going for a long period of time without detection. Red flags may be present, including:
 
  • Weak controls around the review and payment of invoices;
  • The ability to change the destination account number;
  • Poor invoice data such as no address, incorrect or invalid dates or incorrect contact information;
  • Discrepancies between contract or purchase order, receiving documents and invoices;
  • Discrepancies between the contractor’s invoices and supporting documents;
  • Invoice is in a round number amount, if that is unusual (based on VAT being charged);
  • Total payments to a contractor exceed total contract or purchase order amounts;
  • No receiving report for invoiced goods or services;
  • Invoiced goods or services cannot be located in, or accounted for, in the inventory;
  • No purchase order number for invoiced goods or services;
  • Abnormal invoice volume activity;
  • Above average payments to vendors;
  • Multiple payments in the same time period; and
  • Multiple invoices with the same date, amount, invoice number, description of goods and services, or PO number.
This list is not exhaustive, but it does represent some common attributes of false invoices.

Risk mitigation

A simple way for an employer to protect herself or himself against invoice fraud is to ensure that adequate controls are in place. This should apply to all types and sizes of organisations. This statement could be considered flippant and obvious in tackling the issue, but it is not uncommon for individuals who manage invoices to also reconcile the bank accounts without any segregation in duties from a four-eye perspective.

Electronic invoicing is an excellent way to prevent invoice fraud and with the right management from the service provider, red flag alerts can be included in the system. This should complement physical and behavioural controls that cover:
 
  • Production of an exception report that is issued to line management (same day or before payment is made) relating to high-risk changes to vendor information such as account numbers;
  • Production of an exception report where manual overrides can be made in the invoice system;
  • An annual test of the end-to-end process and review of the controls around the payments of invoices, undertaken by an independent function and resulting actions for the senior management team;
  • The action that should be taken when invoice payment confirmation(s) are returned by post. This should be dealt with by a team outside the payments section;
  • Appropriate sanction of payments being made to settle invoices, other than by electronic transfer (i.e. cheque); and
  • A clear segregation in duties from procurement and bank reconciliations through to accounts payable. 
The above is only a snapshot but by having adequate controls in place, you will make it harder for an employee in particular to commit false invoicing fraud against her or his employer.

However, in the same way that you can only deter (and not completely stop) would-be burglars by having an alarm in place, an employee intent on committing fraud may still find a way to do so despite the adequate controls in place. Similarly, the senior management team has a key role in ensuring that the ‘this won’t happen to us’ mentality is replaced by an ‘I won’t let this happen’ mentality.

Michael Fitzgerald is the Founder of Fraud Business Solutions, which offers risk-based advisory and investigatory services to a range of clients.