Contract and Procurement Fraud
Vendor Management

Introduction
Organizations must take steps to reduce vendor fraud, including:
• Conducting vendor due diligence
• Managing vendor risks via contracts
• Ensuring vendors are legitimate (avoiding shell company schemes)

Vendor Due Diligence
Controls for vendor master file management
Vendor background checks
Vendor questionnaires
Vendor due diligence checklists
Vendor monitoring
Compliance committees to oversee the retention of any vendors
Watchlists

Controls for Vendor Master File Management
Set procedures for setting up new vendors and changing vendor master file records.
Prevent employees responsible for the vendor master file from approving invoices or signing checks.
Establish clear vendor master file naming conventions.
Keep vendor records accurate and up-to-date.
Monitor the application of the accounts payable policies on vendor master files.

Vendor Background Checks
Review watchlists.
Conduct a corporate registry search.
Search politically exposed persons (PEP) databases.
Verify the vendor’s key individuals.
Verify vendor’s insurance.
Verify any professional licenses.
Confirm physical addresses.
Perform site visits.
Test the reputation of the vendor and its key individuals.
Conduct a media analysis.
Compare vendor addresses against employee addresses.
Conduct interviews.
Require W-9 forms before paying vendors.
Review the vendor’s policies and procedures on fraud, governance, and compliance.
Review the vendor’s financial data.
Review the vendor’s banking information.

Vendor Questionnaires
Management should consider giving potential vendors a questionnaire requesting various types of information.
The questionnaires should be written for each company’s specific needs.

Vendor Due Diligence Checklist
To help ensure that the vendor due diligence process is conducted in a refined fashion, purchasing companies should develop and use a vendor due diligence checklist.

Vendor Monitoring
Use monitoring and auditing systems to detect criminal conduct by vendors.
Base monitoring systems on the red flags of vendor schemes that pose the greatest risk.

Compliance Committee
Establish a compliance committee to review and record actions and contracts relating to the retention of any vendors.

Watchlists
Excluded Parties List System (EPLS)
OFAC’s List of Specially Designated Nationals and Blocked Persons List
The Denied Persons List
The Debarred Party List
Nonproliferation Sanctions Lists
The Export Administration Regulation (EAR) Entity List

Managing Vendor Risks Via Contracts
Considerations in vendor contracts:
• Compliance with the law
• Professional standards
• Indemnification clauses
• Insurance
• Limits on liability
• Conflicts of interest
• Contract default, termination, and renewal
• A right to audit

Risk of Shell Companies
Part of vendor management involves ensuring vendors are legitimate business enterprises.
A shell company is a company that has no physical presence and generates little independent economic value.

Shell Company Schemes
Involve the issuance of false invoices for products and services never delivered or rendered
Perpetrated by vendors or employees
Three-part process:
• Setting up the shell company
• Submitting an invoice
• Obtaining payment approval for the fraudulent invoice

Preventing Shell Company Schemes
Segregate the duties of:
• Authorizing purchases
• Confirming purchases
• Authorizing payment
Require purchase orders for payment.
Create an approved vendor list and prohibit payment of invoices to any company not on the list.
Have prospective vendors fill out a vendor data form.
Verify the authenticity of contractors before making payments.
Segregate duties of approving payments and adding/deleting names on the approved vendor list.
Periodically compare budgeted expenses with actual expenses.
Compare vendor addresses with employee addresses.
Track unusual invoicing patterns.
Train personnel to be alert to the red flags of fraudulent invoices.
Prohibit use of vendors that do not have a physical address.

Red Flags of Shell Company Schemes
Payments to contractors not on approved vendor list
Vendors not located in business directories
Vendor address that is:
• Not a street mailing address
• Residential
• Incorrect
• Multiple addresses
Invoices for unspecified or poorly defined services
Unnumbered or sequentially numbered vendor invoices
Vendor uses unfamiliar contractors
Vendors with similar names
Vendor and procurement employee have similar or identical information
Vendor fails to submit an EIN
Unexplained increase in volumes of purchases
Boilerplate contracts that have no clear definition of goods or services to be delivered
Poor, illegible, or missing documentation supporting a vendor payment
Large billings broken into multiple smaller invoices that fall just below a threshold limit
An invoice with an even amount (round number) that is not expected or reasonable
A check for an out-of-town vendor cashed locally
Contracting employee shows interest in invoices submitted by a particular vendor

Detecting Shell Company Schemes
Check vendor addresses against mail drop address lists.
Search for new vendors that have high activity.
Research unusually large expenses, unexplained variances in expenses between years, or expenses that exceed budgeted amounts.
Compare all paid contractors to:
• Approved vendor lists
• Business directories
• Telephone reverse directories
• D&B listings
• Government business filings
Determine if invoiced goods or services were received.
Examine financial statements for variances in expenses that should correlate with revenue.
Examine work product from consultants.
Examine documentation for payments to contractors that provide services or goods that are difficult to verify.
Conduct a background check to identify:
• Ownership of contractor
• Contractors with undisclosed outside business interests or front companies owned by the contracting employee
• Contractor with family ties with a procurement employee
• Procurement employees with unexplained increase in wealth or outside income
Cross-check vendor contact information with that of:
• Employees
• Employees’ outside businesses
• Employees’ relatives’ residences and businesses
Compare shipping addresses to:
• Employee addresses
• Addresses of other vendors
Compare vendor EIN to employees’:
• SSNs
• Outside business’ EINs
• Relatives’ SSNs
• Relatives’ business EINs
Conduct an on-site audit of the vendor.
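
Added example, not part of the original slides: a sketch of how several of the cross-checks and red flags above can be run as data tests over a vendor master file, employee records and paid invoices. The record field names, the 5,000 approval limit, the "within 10%" band, the round-number rule and all sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict

APPROVAL_LIMIT = 5000.00  # assumed payment-approval threshold

def norm_addr(addr):
    """Lower-case, strip punctuation and fold 'street' so near-duplicates match."""
    a = re.sub(r"[^a-z0-9 ]", "", addr.lower())
    return " ".join(re.sub(r"\bstreet\b", "st", a).split())

def digits(tax_id):  # EIN 12-3456789 and SSN 123-45-6789 both reduce to nine digits
    return re.sub(r"\D", "", tax_id or "")

def red_flags(vendors, employees, approved, invoices):
    """Return {vendor_id: sorted red flags}; vendors with no flags are omitted."""
    flags = defaultdict(set)
    emp_addrs = {norm_addr(e["address"]) for e in employees}
    emp_ssns = {digits(e["ssn"]) for e in employees}
    for v in vendors:
        if norm_addr(v["address"]) in emp_addrs:
            flags[v["id"]].add("address matches employee")
        if re.search(r"\bp\.?\s*o\.?\s*box\b", v["address"], re.I):
            flags[v["id"]].add("not a street address")
        if not digits(v.get("ein")):
            flags[v["id"]].add("no EIN on file")
        elif digits(v["ein"]) in emp_ssns:
            flags[v["id"]].add("EIN equals employee SSN")
    near = defaultdict(list)  # (vendor, date) -> amounts just under the limit
    for inv in invoices:
        vid, amt = inv["vendor"], inv["amount"]
        if vid not in approved:
            flags[vid].add("paid but not on approved list")
        if amt >= 1000 and amt % 1000 == 0:  # assumed round-number rule
            flags[vid].add("round-number invoice")
        if 0.9 * APPROVAL_LIMIT <= amt < APPROVAL_LIMIT:  # assumed "just below" band
            near[(vid, inv["date"])].append(amt)
    for (vid, _), amts in near.items():
        if len(amts) >= 2:  # several same-day invoices, each under the limit
            flags[vid].add("split invoices below approval limit")
    return {vid: sorted(f) for vid, f in flags.items()}

# Constructed sample records (not from the page).
EMPLOYEES = [{"address": "12 Elm Street, Apt 4", "ssn": "123-45-6789"}]
VENDORS = [{"id": "V1", "address": "12 Elm St. Apt 4", "ein": "12-3456789"},
           {"id": "V2", "address": "P.O. Box 77", "ein": ""},
           {"id": "V3", "address": "400 Industrial Way", "ein": "98-7654321"}]
INVOICES = [{"vendor": "V1", "date": "2024-03-01", "amount": 4900.00},
            {"vendor": "V1", "date": "2024-03-01", "amount": 4800.00},
            {"vendor": "V2", "date": "2024-03-04", "amount": 3000.00}]

print(red_flags(VENDORS, EMPLOYEES, {"V1", "V3"}, INVOICES))
```

Each hit is a lead for the manual steps listed above (site visit, registry search, review of supporting documentation), not a finding in itself.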