Supply-chain fraud is alive and escalating

The last time you probably thought about supply chains was during the early days of the COVID-19 crisis when the toilet-paper shelves were empty. But that TP had to wend its way through a complex journey from pulp mills to your home that involved many parties and chains of events. Disrupt just one step — say because of pandemic fears or fraud — and the chain breaks. Here’s how to help prevent supply chains from fraudulent acts and mitigate them when they do break.

Supply-chain fraud is prevalent throughout the world in most segments of the economy. For example, in March 2018, a truck driver in the U.K., while parking overnight, was drugged with sleeping gas in the cabin of his truck so thieves could steal his cargo that included industrial equipment valued at  more than 70,000 pounds sterling. (See New Cargo Theft Method Threatens Supply Chain Security Across Europe, DHL RESILIENCE360, August 2018.)

On Aug. 14, 2017, jurors awarded plaintiffs, Milan Supply Chain Solutions, more than $30 million in damages in a suit against Navistar alleging that it misled them when the company sold them heavy-duty trucks and engines by failing to disclose that the Maxxforce 13 liter engine was launched with serious known defects. (See Navistar Hit With $30.8 Million Judgment in ProStar/MaxxForce Lawsuit, Aug. 14, 2017, BigMackTrucks.com.)

In 2013, Michelle Myrter, president of Castle Cheese, pleaded guilty in a fraud case for selling fake 100% Romano and 100% Parmesan cheese products that fraudulently contained zero percent of either. Instead, the products consisted of cheaper cheeses and fillers, including wood pulp — cardboard — to increase weight volume. (See the U.S. Department of Justice release, and Castle Cheese and President/Co-Owner Michelle Myrter Plead Guilty, by Jessica Donnel, “Deli Market News,” Feb. 29, 2016.)

Organizations of all sizes around the world manage their supply chains — intricate networks of all activities of interconnected businesses from the acquisition of raw materials and merchandise to delivery of final products to customers. Because of globalization and diversity of players, organizations must have supply-chain management systems that include strategies to gauge and mitigate risks driving fraud.

At the top of the list of organizations’ goals, of course, is to cultivate environments that accommodate the needs of current and potential customers and motivate them to purchase finished products or merchandise. Organizations will meet this goal if every step in the supply chain works smoothly and uneventfully. However, if just one of the steps is flawed — say an organization doesn’t catch a delivered finished product that contains inferior raw materials from a fraudulent supplier — then the supply chain is disrupted, which increases the risk that customers won’t return.

In an interview for Fraud Magazine with Mark Pearson, a leading expert in supply-chain fraud and a principal in the Chicago office of Deloitte Risk & Financial Advisory, I asked him if disruptions in supply chains because of the COVID-19 crisis have created additional opportunities for fraud.

“I absolutely agree that there is increased likelihood of fraud in the supply chain,” Pearson says, “in a variety of areas, including but not limited to, extreme financial duress on suppliers creating pressures to get ‘creative’ when invoicing for goods and services, counterfeiting and adulteration of raw materials/inputs due in part to reduced monitoring caused by the demand for product.

“Also, as supply chains break down, companies will be searching for new sources of supply, which when coupled with a heightened sense of urgency, may result in reduced due diligence on new suppliers, thereby creating a scenario where we may see more problematic vendors — suppliers — entering a company’s supply chain ecosystem,” Pearson says.

Organizations can help mitigate fraud risks by vigilantly studying underlying events and adjusting their risk management practices. To put the supply chain risks in perspective and make them easier to understand, I’ve devised a system to classify them as broad-based or narrow-based.

Broad-based supply-chain risks

Broad-based supply risks are factors or events that are outside organizations’ direct control and normally cause non-fraudulent disruptions in supply chains. Organizations are still evaluating the unprecedented effects of COVID-19 on supply chains that could supersede all other factors and affect all risks.

However, the e-book, Thwarting risk in your company’s Supply Chain, published by Compliance Week before the COVID-19 crisis, includes a list of the top 10 supply-chain risks from 2019 across North America, Europe, Latin America, the Caribbean, Africa, the Middle East and the Asia-Pacific region.

These risks probably will still be relevant the rest of the year and beyond after the COVID-19 dust finally settles: global trade wars and Brexit, raw material shortages, safety recalls, climate change, tougher environmental regulations, economic uncertainty, cargo theft, container ship fires, border battles and drones in the aviation industry. And we can add “worldwide pandemics” to the broad-based risk list.

Narrow-based supply-chain risks

Narrow-based supply-chain risks are factors or events that are within organizations’ direct control that normally cause fraudulent disruptions in supply chains.

A recent Travelers report showed the results of a survey of more than 2,500 manufacturers and other businesses who took the company’s “supply chain pressure test” to identify weaknesses in supply chains.

Travelers classified the supply-chain weaknesses into upstream, in-plant and downstream risks.

Upstream risks

Upstream risks include the “loss or disruptions of key suppliers, raw materials or materials necessary for production.” According to the survey:

• 31% of companies have their primary supply located in an area prone to severe weather, natural disasters or disruptive political conflict.
• 49% of the companies rely on a single supplier for 25% of their materials.
• 52% of the companies said they aren’t sure if they have a trusted network of backup suppliers or a backup inventory plan in place.

In-plant risks

In-plant risks include “the loss of equipment, people and processes most critical for production.” According to the survey:

• 42% of the companies either don’t have or aren’t sure if they have policies and procedures in place to protect their data, intellectual property and crucial equipment from interruptions.
• 44% of companies say replacements or replacement parts for their most critical equipment either aren’t readily available or they aren’t sure.
• 55% of the companies say they either don’t have a formal continuity plan — including backup plans for people, processes and equipment — or they aren’t sure if they do.

Downstream risks

Downstream risks include “the loss of customers, distributors and the need for backup plans.” According to the survey:

• 51% of the companies say they have a single distribution center or warehouse from which they ship all their products.
• 36% of the companies say they rely on a single customer for 25% of their business income.
• 43% of the companies say they don’t have a backup transportation/logistics plan and provider for shipping products or they aren’t sure.

These self-imposed risks represent vulnerabilities that, if left unchecked, increase the probability that serious disruptions in a supply chain will occur, which will lead to opportunities for unscrupulous insiders and outsiders to exploit for fraudulent purposes.

Organizations can manage and lessen the effects of these risks by mapping each risk to an internal control and designating the ownership of them to a specified individual. For example, in a hospital situation, to ensure the accurate and complete diagnostic or procedural coding that reduces the risk of noncompliance with federal and state regulations and/or other health plan contract requirements, we could link it to the internal control, “Coders have restricted login access to the billing system” and hold these individuals responsible for emerging inaccuracies resulting with third parties.

Organizations can also gain comprehensive views of risks via automated, integrated enterprise risk management systems.

Compliance Week conducted a survey of 113 compliance, risk and audit executives worldwide, including those in the U.S., Europe, the Asia-Pacific region and Latin America, to determine how confident respondents were in their organizations to map each control to a risk. According to their 2019 Risk Management Benchmark Survey report:

• 44% said they have standardized processes and use of technology but not across the entire enterprise.
• 35% said their processes and technologies remain siloed.
• 20% said they have integrated processes and technology across their organizations.
• 62% of the respondents said they were somewhat confident in their organizations to map each control they have to a given risk whereas 21% were very confident, and 14% weren’t confident.

Also, according to the report, 61% said they were somewhat confident in their organizations to map ownership of each risk and control to an individual, and 15% said they weren’t confident at all.

Based on the findings of the report, many organizations need to improve the management of their supply-chain risks mitigating fraud.

Unique fraud dangers of supply chains

A supply chain is especially at risk from fraud because of the complex steps and numerous players — internally and externally — involved in the process across the globe to complete it from start to finish. Every link can be vulnerable. View all the players directly involved in a supply chain with skepticism because the unprincipled ones evaluate the strength of internal controls of organizations to look for vulnerabilities for creating opportunities to commit fraud. But any employee can identify weaknesses and exploit the weak links.

In June 2017, Acer Inc. contracted with a trucking company to deliver 900 Acer Chromebook laptops from a packaging facility in California to a Costco distribution center in College Park, Georgia. Costco rejected the shipment because of problems with the purchase order paperwork. Acer hired another truck driver to deliver the computers back to California. But, instead, he drove the laptops to Chicago and unloaded them in a warehouse to later resell. Law enforcement caught up with him, and he was sentenced to a year in prison and ordered to pay $245,000 in restitution. Anybody can break the chain.

Also, individuals not directly involved in supply-chain steps but who’ve identified weaknesses in internal controls can find abundant opportunities to attack organizations.

For example, in August 2019, the Department of Homeland Security Office of Inspector General discovered that an international fraud ring had been impersonating various U.S. government agencies to steal from their suppliers — and resell — computer equipment worth hundreds of thousands of dollars.

Gang members used a spoofing technique to create email addresses that closely resembled those of various agencies by using domain names such as “rrb-gov.us.” In another example, they used a real government email address in the “from” header but slightly changed the “reply to” header to a non-government email address. (See Fraud ring targeting US govt agencies, by Andrew Allen, Supply Management, Aug. 9, 2019.)

You might deal with individual or colluding fraudsters. An unscrupulous vendor might ship low-quality materials to an organization and hope the quality assurance department isn’t attentive. Or a vendor might offer a purchasing officer within an organization a bribe or kickback to obtain a contract, which could lead to submission of inflated or fake invoices or shipping of inferior materials. Collusion is more difficult to detect.

KPMG’s report, Supply Chain Fraud, lists common supply-chain frauds:

• Kickbacks on raw-material purchases.
• Foreign Corrupt Practices Act violations.
• Intellectual property theft.
• Improper use of production assets.
• Counterfeiting and sale of goods on gray markets. (In a gray market, products are made by or with the approval of brand owners but are sold outside the owners’ authorized distribution channels.)
• Improper rebates.
• Misappropriations of scrap, raw materials or finished goods.
• Fraudulent certificates of origin.
• Free-trade zone fraud.
• Use of conflict minerals.
• Office of Foreign Assets Controls (OFAC) violations. (The OFAC is a financial intelligence and enforcement agency of the U.S. Treasury Department.)
• Human-trafficking and child-labor law violations.
• Quality assurance fraud.
• Disbursement fraud, including billing schemes and check tampering.
• Inventory fraud, including purchasing and receiving schemes, and false sales.

Poor PII protection leads to data breaches

One of the internal-control deficiencies is the improper protection of personally identifiable information (PII), which leads to accidental or intentional data breaches. The Travelers survey reports, under “narrow-based risks,” that “42% of the companies either don’t have or aren’t sure if they have policies and procedure in place to protect their data, intellectual property and crucial equipment from interruptions.”

Unscrupulous insiders and outsiders might use compromised information to pull off supply-chain frauds either as individuals or in collusion with other crooks. The breach of confidential transportation schedules of incoming or outgoing freight, for example, increases the probability of cargo theft and subsequent related inventory shortage. Also, fraudsters use compromised intellectual property such as copyright, trademark, patent, trade-secret and other proprietary information to infringe upon their markets and rob owners of potential revenue and profits.

Fraudsters often use phishing emails to trick individuals into unloading information. Victims typically click on links that load malicious malware onto their networks that then searches for vulnerabilities in software to exploit information.

Employees and third parties, such as vendors, can unwittingly dispose information in accidental internal data breaches, or knowingly hack and steal supply-chain details. Also beware of disgruntled ex-employees, or malicious and non-malicious hackers.

Impact of supply-chain fraud

KPMG’s report, Supply Chain Fraud, says that organizations’ failure to comply with regulations (including anti-bribery and corruption provisions, child labor laws, important export laws, and health and safety regulations) can have these effects on supply chains:

• Manufacturing slowdowns or shutdowns.
• Inability to supply customers or increased time to market.
• Quality of capacity reductions.
• Damage to the brand and increased media/advertising costs.
• Loss of market share.
• Increased insurance costs.
• Product recall costs, including costs of shipping and destruction of goods.
• Investigations or audits by regulators, which result in increased compliance costs.
• Investigations or audits by customers, which result in charge-back costs.
• Litigation costs.
• Distributors, wholesalers or retailers requesting credits.

Mitigating supply-chain fraud

A November 2017, Deloitte study polled more than 3,200 professionals about their use of supply-chain forensics and analytics. Between 2014 and 2017, 30.8 percent of poll respondents reported at least one instance of fraud, waste and abuse in supply chains in the preceding year, and about a quarter of the companies surveyed also didn’t have programs in place to detect and prevent fraud risks. The big question is how many frauds went undetected? Of course, it’s impossible for organizations to detect and prevent every type of fraud, but they need to improve their strategies to increase their success rates.

Mitigate risks associated with supply- chain fraud by maintaining an awareness of fraud schemes and how they might impact your operations and financial performances. Then, constantly evaluate internal controls, risk management practices and the integrity of those individuals associated with your supply chains.

Proactively plan for possible fraudulent disruptions in your supply chains and provide measures to control rather than react to them. Share these strategies with your customers and other relevant parties to reduce the risk of surprises and possible loss of business.

System ID provides some practices that it says can help achieve greater supply-chain visibility and reduce the risk of fraud:

• Create clear policies for bidding and contract negotiations. Make sure the employees who negotiate understand conflict of interest and gifting guidelines and enforce them strictly.
• Use barcode technology to track inventory and assets along the supply chain.
• Make sure your inventory or asset database is updated in real time and is accessible to multiple users. You don’t want just one person to have access to the books.
• Perform regular surprise audits on your inventory and check every order to make sure all details are accounted for.
• Perform due diligence on potential business partners of any kind and make sure you know who you’re working with.
• Put in place clear guidelines for your partners. Explain what you need on invoices and how you want to track their billings.
• Develop long and strong relationships with suppliers and vendors. Try to get to know the people you work with. Visits to partners and their operations can also be a good way to learn more about them and their business.
• Test your products to make sure that vendors and suppliers are maintaining the quality you need, and the items are not counterfeit.

(See How to Prevent Supply Chain Fraud, System ID.)

Establish in-house ongoing employee protection and detection awareness protocol and training to help your employees identify the red flags associated with all types of supply-chain frauds and other disruptions. To protect important information from getting into the hands of unscrupulous insiders and outsiders, include training to understand how data is accidentally and intentionally breached. Also, train employees to recognize phishing schemes and other cybersecurity threats, which could help reduce all type of frauds.

Develop fluid supply-chain programs to deter fraud

Globalization and inclusion of diversified business partners provide the environment for fraud in supply chains. To help mitigate this fraud, companies must develop fluid and proactive supply-chain management programs and share them with business partners and customers. Organizations obviously need to do more to increase their success rates.

Robert E. Holtfreter, Ph.D., CFE, is a professor of accounting and research at a university in the U.S. Northwest. He’s also a member of the Accounting Council for the Gerson Lehrman Group, a research consulting organization. He’s on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.