
Vendor Frauds

This document discusses vendor fraud, including:
- Vendor fraud was the 2nd most prevalent fraud according to a 2016-2017 report. Technology has added complexity with cybercrime components.
- Business email compromise, where fraudulent emails solicit wire transfers, caused over $246 million in losses in 2015.
- Vendor fraud schemes can involve real or fake vendors and the manipulation of payment and accounts payable systems. More sophisticated schemes are harder to detect.
- Red flags of vendor fraud include duplicate invoices, payments at unusual times, and contract terms differing from invoices.
- Small to mid-sized private entities are at higher risk due to fewer internal controls. Larger organizations have stronger controls due to Sarbanes

Uploaded by

Gopal Bang

SPRING 2017, ISSUE 3

INSIDE THIS ISSUE

VENDOR FRAUD
Practice Tips

FVS EYE ON FRAUD


The AICPA Forensic and Valuation Services Quarterly Report on Fraud Trends and Topics

VENDOR FRAUD

Issued by AICPA FLS Fraud Task Force
Lead Author: Amy Yurish, CPA

Vendor fraud continues to be a significant threat to organizations. “Vendor, supplier, and procurement fraud” was cited as the second most prevalent fraud in the past 12 months by the 2016–2017 Kroll Global Fraud Annual Report.[1] Further, technology has added a new layer of complexity in fighting vendor fraud. Many times, the most damaging vendor fraud schemes involve a cyber component that exploits an organization’s vulnerabilities in its IT systems, making these schemes more complex than ever to defend against.

Business email compromise, in which fraudulent emails are sent in the names of business executives or vendors to solicit unauthorized wire transfers, was identified by the Internet Crime Complaint Center in its 2015 annual report as the number one cyber fraud in terms of losses, resulting in losses of more than $246.2 million for companies in the United States.[2] Additionally, according to a survey conducted by PricewaterhouseCoopers, the PwC Global Economic Crime Survey, although procurement fraud is generally down from 27 percent to 22 percent, the United States experiences a disproportional amount of cybercrime (including vendor-fraud-related cybercrime) compared with the global market (54 percent in the United States compared to 32 percent globally).[3]

At the same time, perpetrators have become more sophisticated in adapting to the challenges associated with more robust internal control environments designed to prevent, detect, and deter fraud. Greater awareness, coupled with increased scrutiny by auditors due to the requirements of the Sarbanes-Oxley Act of 2002, has made it more difficult for individuals to perpetrate basic vendor fraud schemes that were prevalent in the past against large, SEC-registered entities. However, this has not seemed to deter the more sophisticated fraudsters, who see breaking through enhanced internal controls as a challenge, not a deterrent.

Fraudsters have access to the same publications and guidelines that have helped organizations become more familiar with necessary internal controls. Thus, many times, perpetrators are as familiar as organizations are with the very types of internal controls intended to prevent them. The rise of cloud computing and digital data has presented these individuals with new opportunities to take advantage of weaknesses in an organization’s internal controls and IT systems. The challenges to deterring vendor fraud have never been greater, and the education on vendor fraud is ever-evolving, along with the constant changes in technology.

[1] Kroll Global Fraud & Risk Report: Building Resilience in a Volatile World 2016/2017.
[2] Federal Bureau of Investigation – Internet Crime Complaint Center, 2015 Internet Crime Report.
[3] PwC Global Economic Crime Survey 2016: U.S. Results.

What Is Vendor Fraud?

Generally, vendor fraud includes abuses that involve improper payments to real or fictitious vendors. In vendor fraud, perpetrators manipulate a company's accounts payable and payment systems for personal gain. They do this in many ways, and these methods can be categorized into three major groups:

• Fraud committed by an internal employee, or multiple employees, through collusion, against the defrauded organization
• Fraud committed by an outside vendor or individual working without insider support
• Fraud that involves collusion between an outside vendor or individual and an internal employee or multiple employees

Some examples of red flags that could indicate vendor fraud are as follows:

• Multiple invoices paid to one vendor on the same date or within the same payment cycle or multiple invoices for the same amount paid to the same vendor
• Sequential invoice numbers from the same vendor and payments authorized during unusual times (dates or hours outside of normal operating business hours)
• Differences between contract terms and invoices received from a specific vendor, for example, if the total payments made to a specific vendor exceed the contractual limit

Who Is at Risk?

Small- to mid-sized private entities — so-called “soft targets” — generally face greater risk of exposure for vendor fraud schemes. These businesses are less likely to have robust internal controls or internal audit functions in place. Further, these types of organizations typically rely heavily on a few employees to execute the vendor and payment functions and lack prudent segregation of duties. This increases the opportunity for one or two individuals to manipulate payments and records without easily being caught.

Due to the requirements imposed by Sarbanes-Oxley on SEC-registered entities, larger organizations typically have risk assessments and strong internal controls in place. This makes these organizations harder targets for individuals seeking to circumvent the processes and procedures for personal gain. However, although larger organizations typically have periodic financial statement audits conducted by external auditors, these cannot be relied upon to detect fraud or offer assurance that fraud does not exist. Financial statement audits are designed to provide an opinion on specified criteria, which typically includes whether financial statements are stated in accordance with specified accounting standards and whether they are free from material misstatements. It is the organization’s management that is responsible for implementing processes, procedures, and internal controls to mitigate and detect fraud.

Examples of Vendor Fraud Schemes

Vendor fraud schemes vary greatly in their sophistication and complexity. The amount of damage caused to an organization is typically commensurate with the inherent sophistication of the scheme. More sophisticated vendor fraud schemes are harder to detect and sometimes take years to unravel, at which time, the fraud has likely already cost the entity substantially. The following provides examples of vendor fraud schemes, varying in sophistication from basic to complex, involving a cyber element.

Employee Skimming

This type of fraud scheme involves individual employees using an unsophisticated and low-level approach to vendor fraud. Typically, an employee will use unauthorized methods to skim small increments of money. Examples of this type of scheme include overstating the quantity of goods invoiced from an organization and skimming the excess goods or overstating the total cost of an invoice and skimming the excess cash. In this type of scheme, an employee may overstate an invoice. For example, an employee enters an invoice with inflated amounts and then pays the original amount to the vendor plus the inflated additional amount to himself. The opportunity for this type of scheme is increased when the same employee has access to both the invoice creation and payment systems. The potential for this type of fraud scheme will always be prevalent within an organization due to the simplicity of the scheme and ease of access for employees. Fortunately, because of their unsophisticated nature, these types of schemes are typically easier to detect and usually involve low dollar amounts.

Fictitious Vendor Schemes

In this type of fraud scheme, an employee creates false vendors and invoices in order to direct payments to themselves or a related party. These are commonly referred to as fictitious vendors, shell companies, or phantom vendor schemes because the employee directs payments to a vendor that does not exist. Signs of a fictitious or phantom vendor scheme are payments made without supporting invoices, payments made to photocopied invoices rather than originals, or suspicious vendor addresses, including P.O. boxes.

Vendor Schemes Involving Legitimate Vendor Accounts

These schemes involve actual vendors that an organization uses and are perpetrated in a number of ways. Many of these schemes require employee collusion in order to effectively execute the fraud scheme. A few examples of vendor schemes involving actual vendors are as follows:

– Duplicate invoicing for goods or services when a vendor is charging an organization for the same goods or services twice
– Overbilling for legitimate goods or services when a vendor invoices an organization for higher quality goods than what was delivered or a more complex service than what was performed
– Bribes and kick-back schemes involving collusion between a vendor and an employee within an organization when the two individuals work in conjunction to perpetrate the fraud (the employee is incentivized by receiving a bribe or kickback from the vendor)
– Bid rigging between two or more vendors, including bid suppression, complementary bidding, bid rotation, and so on, allowing vendors to work together to fraudulently manipulate the procurement process
– Price fixing between two or more outside vendor companies to establish a price range or minimum price for goods or services in order to attempt to increase the market price of the specific goods or services

Outside Cyber Intrusion

The most complex—and hardest to detect—vendor fraud typically is perpetrated by an outside entity unknown to the victim organization or its employees. It involves the use of a real, legitimate vendor account, but one unknown to that vendor. In these schemes, the perpetrator accesses an organization’s vendor and payment records electronically to manipulate the data to skim payments based on legitimate invoices and purchase orders. For example, ABC Company purchases goods on a regular basis from D Manufacturer and pays D Manufacturer based on its monthly invoices. A third party electronically changes the invoices slightly to increase the amounts due and then directs the additional amount due to a separate bank account under their control. ABC Company continues to pay without noticing the slight increase in cost, and D Manufacturer continues to receive the amount expected from its own records while the perpetrator is receiving the differential. Typically, changes are also made to the return and sales allowances accounts to make it more complicated to verify invoice amounts and records. These types of fraud schemes are hard to detect, even when organizations have strong internal control frameworks and internal audit functions.

Case Studies

The following are examples of real cases of vendor fraud. These cases demonstrate different scenarios and schemes of vendor fraud at varying levels of complexity and sophistication.

Fictional Vendor Embezzlement Scheme

John H. Martinez, a telecommunications administrator, pleaded guilty to defrauding his employer, Lincoln Land Community College, of approximately $700,000 over seven years by authorizing the order of various products with a forged supervisor’s signature. Not only was Martinez forging his supervisors’ signatures to authorize expenditures over a certain amount, he would intentionally mail checks to fictitious vendors or fictitious addresses, or both, knowing the checks would be returned to him due to invalid addresses. Once returned, Martinez deposited the checks into his personal bank account. Additionally, some of the vendors were owned by Martinez’s friends, who would deposit the checks into their own bank accounts and split the proceeds with Martinez.

$2.3 Million Embezzlement Scheme

Kimberly Jean Miller pled guilty to tax evasion for failing to report income she unlawfully received from her employer. Miller was the director of finance at the University of Miami's Rosenstiel School of Marine and Atmospheric Science (RSMAS) from 2002–2012. Over the course of her employment, Miller embezzled $2.3 million by falsifying invoices from a legitimate vendor called International Assets. Miller changed the International Assets invoices so that the vendor name would appear as "Inter, Inc." on the payments. The checks would be mailed back to RSMAS, and then she would deposit the checks into a separate business account in the name of Intercontinental Oceans, Inc., which she controlled. Miller was sentenced to three years in prison in August 2016.

False Invoice Skimming

Robert Banks, a carpenter and locksmith for the Plainfield Board of Education, admitted to defrauding his employer, stealing nearly $20,000. In his role, Banks was responsible for purchasing carpentry supplies from vendors. The board entered into contracts with a vendor, Bayway Lumber, to purchase certain products at a discounted price. From 2007–2015, Banks worked with the employees of Bayway to overbill the board, receiving kickbacks from the employees of Bayway. At times, Bayway charged the board for items that were never received.


Case Studies (continued)

Utz Quality Foods False Invoice and Kickback

From January 2010 to August 2014, Utz Quality Foods, Inc., paid over $1.4 million to a vendor for products that were never actually received. The vendor, Haas Packaging & Design, was Utz’s provider of packaging and shelving products. Over a 4-year period, the vendor’s owner, Jonathan Haas, colluded with Utz’s Director of Purchasing, Kevin Myers, to submit 83 false invoices and 43 fraudulent purchase orders. After Myers approved the false invoices for payment, he would then receive a portion of the proceeds from Haas through a false invoice kick-back scheme. Myers even created a fictional business entity, Myers Packaging Consulting, in order to conceal the kickbacks he was receiving from Haas. In the course of running the alleged false invoice scheme, Haas received approximately $1.4 million while kicking back approximately $523,500 to Myers. Jonathan Haas was convicted and sentenced to 36 months in jail and required to pay approximately $1.4 million in restitution to Utz and Utz’s insurance carrier, Chubb Insurance. Kevin Myers was also convicted and sentenced to 51 months in prison.

$100 Million Business Email Compromise

In 2013, Evaldas Rimasauskas began his alleged $100 million business email compromise scheme by registering and incorporating a company in Latvia. Rimasauskas “coincidentally” gave his new company the same name as a legitimate computer hardware manufacturer in Asia, Quanta Computer, which regularly conducted multimillion dollar transactions with U.S. internet companies. Under this name, Rimasauskas created email accounts that resembled those of the computer hardware vendor. He then sent messages to employees at two large Internet companies, requesting them to wire payments for legitimate goods to a bank account under his control. The employees, believing they were communicating with one of their trusted suppliers, directed the payments to Rimasauskas’ company in Latvia, instead of the true vendor, Quanta Computer. Rimasauskas was charged with one count of wire fraud, three counts of money laundering, and one count of aggravated identity theft and faced a maximum sentence of over 60 years in prison.

How to Detect and Prevent Vendor Fraud

Internal controls are a necessity for a business to mitigate the risk of vendor fraud. However, despite the importance of internal controls, controls alone are not sufficient to eliminate the risk of vendor fraud entirely. Internal controls are a well-known function in organizations to help prevent all types of fraud, and thieves and perpetrators can, and will, view internal controls as an obstacle to overcome in order to successfully defraud an organization. This does not mean an entity should take internal controls lightly.

Perform the necessary due diligence when selecting new vendors. This is an extremely important step in combating vendor fraud. Thorough background checks into a vendor’s business reputation, financial stability, and overall experience are crucial. Additionally, simple checks are easy and can help to eliminate fictitious vendors. The following are some examples:

• Compare a vendor’s address to the employee address master list.
• Check the address given by the vendor to confirm that it actually exists.
• Make sure the vendor has an address that would make sense based on the vendor’s size and services (that is, an actual business location versus a P.O. box).
• Verify the vendor’s business registration, tax ID numbers, and phone numbers.
• Conduct a cross-search through an organization’s vendor database to confirm that a new vendor is, in fact, a unique new vendor and not a variation of an existing vendor in the database.

Strong internal controls around vendor master lists and the creation of new vendors can help mitigate the risk of vendor fraud.

Use separation of employee duties as a preventive internal control. Although it may seem like a basic practice for an organization when it comes to preventing vendor fraud, many companies still do not assign separate employees to separate duties as part of their internal controls.


• Separate employees should be involved in approving a new third-party vendor and inputting the new vendor into the vendor master list in order to avoid falling victim to fictitious vendors.
• Different employees should input new vendors into the vendor master list, process invoices from vendors, and process payments to vendors.
• There should be a clear separation between the employee responsible for processing vendor payments and those employees that reconcile the bank statements and accounts.
• If a company is too small to separate each of these functions individually, a careful review and monitoring of the duties discussed previously must be done by the manager or owner to help ensure proper vendors and proper amounts are paid.

Simply by segregating these tasks to various employees in the respective departments, an organization’s ability to prevent vendor fraud can be greatly increased.

ADDITIONAL PRACTICE TIPS FOR PRACTITIONERS

The following are some helpful tips for practitioners to assist clients in gaining a better understanding of vendor fraud schemes and to reduce an organization’s susceptibility to such fraud:

• Provide information on how vendor fraudsters operate and the internal control weaknesses that are exploited by such thieves to perpetrate vendor fraud.
• Deliver training on technological safeguards that are available to combat against the cyber component of vendor fraud schemes.
• Assist with implementation of continuous monitoring of employee behavior, financial data, and current internal controls to help identify fraudulent activities in real time.
• Offer employee training on recognizing suspicious email requests, such as requests for electronic transfers of funds, even when the email appears to come from a reliable source, like a long-standing vendor.
• Help with development of procedures to verify the origin of wire requests. (See the AICPA fraud report on Executive Information.)

Use state-of-the-art detection methods. Advances in technology have made data mining easier and more cost effective as a defense against vendor fraud. Organizations can perform a variety of different data-related payment tests to identify anomalous transactions that may indicate fraud. These types of tests include the following:

• Running various queries and reports on the vendor payments made, vendor invoices received, and vendor information changes (for example, new address, new payee information), looking for multiple invoices paid on the same day to the same or related vendor, use of the same purchase order multiple times, and use of the same invoice or sequential invoice numbers
• Testing contract terms against invoices received from a specific vendor, for example, an organization can test to see if the total payments made to a specific vendor exceed the contractual limit
• Testing for duplicate payments, looking for payments made two or more times for the same invoice work performed
• Testing for payments made outside of normal business operating times, such as weekends, holidays, or late at night
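The payment tests listed above can be run as one pass over an accounts payable export. The following Python sketch is an added example, not part of the AICPA report; the ledger layout, vendor names, account labels, contract limits and business hours are constructed assumptions, and the payee-account comparison goes slightly beyond the listed tests to cover the "new payee information" case.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed ledger rows: (vendor, invoice_no, po_no, amount, account, paid_at)
PAYMENTS = [
    ("D Manufacturer", "1001", "PO-1", 5000.00, "ACCT-100", "2017-03-01 10:15"),
    ("D Manufacturer", "1002", "PO-2", 5000.00, "ACCT-100", "2017-03-01 10:20"),
    ("D Manufacturer", "1003", "PO-2", 7250.00, "ACCT-999", "2017-03-04 23:40"),
    ("Acme Supply", "A-77", "PO-9", 1200.00, "ACCT-200", "2017-03-06 14:00"),
    ("Acme Supply", "A-77", "PO-9", 1200.00, "ACCT-200", "2017-03-20 09:30"),
    ("Acme Supply", "B-12", "PO-10", 300.00, "ACCT-200", "2017-03-21 11:00"),
]
CONTRACT_LIMITS = {"D Manufacturer": 15000.00, "Acme Supply": 5000.00}  # constructed
ACCOUNTS_ON_FILE = {"D Manufacturer": "ACCT-100", "Acme Supply": "ACCT-200"}
BUSINESS_HOURS = (8, 18)  # assumption: Monday-Friday, 08:00 to 18:00


def run_payment_tests(rows, limits, accounts, hours=BUSINESS_HOURS):
    """Return {test_name: sorted findings} for a list of ledger rows."""
    findings = defaultdict(set)
    by_vendor = defaultdict(list)
    for vendor, invoice, po, amount, account, ts in rows:
        paid_at = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_vendor[vendor].append((invoice, po, amount, paid_at))
        # Payment released on a weekend or outside business hours
        # (holidays would need a calendar and are not modelled here).
        if paid_at.weekday() >= 5 or not hours[0] <= paid_at.hour < hours[1]:
            findings["off_hours"].add((vendor, invoice, ts))
        # Payee account differs from the one recorded for the vendor.
        if vendor in accounts and account != accounts[vendor]:
            findings["payee_mismatch"].add((vendor, invoice, account))

    for vendor, items in by_vendor.items():
        pay_count = defaultdict(int)  # payments per invoice number
        per_day = defaultdict(set)    # invoices paid per calendar day
        per_po = defaultdict(set)     # invoices drawn against each PO
        for invoice, po, amount, paid_at in items:
            pay_count[invoice] += 1
            per_day[paid_at.date().isoformat()].add(invoice)
            per_po[po].add(invoice)
        for invoice, n in pay_count.items():
            if n > 1:  # same invoice paid two or more times
                findings["duplicate_payment"].add((vendor, invoice))
        for day, invoices in per_day.items():
            if len(invoices) > 1:  # several invoices paid on one day
                findings["same_day_multiple"].add((vendor, day))
        for po, invoices in per_po.items():
            if len(invoices) > 1:  # one purchase order used repeatedly
                findings["reused_po"].add((vendor, po))
        # Consecutive invoice numbers suggest the vendor bills nobody else.
        numbers = sorted({int(m.group()) for inv in pay_count
                          if (m := re.search(r"\d+$", inv))})
        for a, b in zip(numbers, numbers[1:]):
            if b - a == 1:
                findings["sequential_invoice"].add((vendor, a, b))
        total = sum(amount for _, _, amount, _ in items)
        if vendor in limits and total > limits[vendor]:
            findings["over_contract"].add((vendor, total))
    return {name: sorted(hits) for name, hits in findings.items()}


if __name__ == "__main__":
    report = run_payment_tests(PAYMENTS, CONTRACT_LIMITS, ACCOUNTS_ON_FILE)
    for test, hits in sorted(report.items()):
        print(test, hits)
```

Each finding is a lead for review rather than proof of fraud; a vendor with a single customer, for example, will legitimately issue sequential invoice numbers.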
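The simple new-vendor checks listed earlier under due diligence (employee address match, P.O. box address, cross-search for variations of an existing vendor) can also be automated at the point where a vendor is added to the master list. This Python sketch is an added example, not part of the AICPA report; the record fields, names, addresses, tax IDs and the 0.85 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Legal suffixes ignored when comparing vendor names (assumed list).
SUFFIXES = {"INC", "LLC", "LTD", "CORP", "CO", "COMPANY", "INCORPORATED"}
# Address words folded to one spelling before comparison (assumed list).
ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD",
          "SUITE": "STE", "APARTMENT": "APT"}
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*BOX\b|\bPOST OFFICE BOX\b", re.I)

# Constructed sample master lists.
EMPLOYEES = [{"name": "J. Doe", "address": "14 Elm Street, Apt. 3, Springfield"}]
VENDORS = [{"name": "Northwind Packaging, Inc.",
            "address": "200 Harbor Road, Springfield", "tax_id": "00-0000001"}]


def _tokens(text):
    """Upper-case the text and split it on anything that is not a letter or digit."""
    return re.sub(r"[^A-Z0-9 ]", " ", text.upper()).split()


def norm_address(address):
    return " ".join(ABBREV.get(t, t) for t in _tokens(address))


def norm_name(name):
    return " ".join(t for t in _tokens(name) if t not in SUFFIXES)


def review_new_vendor(new, vendors, employees, threshold=0.85):
    """Return a list of (finding, detail) tuples for a proposed vendor record."""
    findings = []
    if PO_BOX.search(new["address"]):
        findings.append(("po_box_address", new["address"]))
    address = norm_address(new["address"])
    for emp in employees:
        if norm_address(emp["address"]) == address:
            findings.append(("matches_employee_address", emp["name"]))
    name = norm_name(new["name"])
    for existing in vendors:
        score = SequenceMatcher(None, name, norm_name(existing["name"])).ratio()
        if score >= threshold:
            findings.append(("variation_of_existing_vendor", existing["name"]))
        if new.get("tax_id") and new["tax_id"] == existing.get("tax_id"):
            findings.append(("shared_tax_id", existing["name"]))
    return findings


if __name__ == "__main__":
    candidate = {"name": "Northwind Packaging LLC",
                 "address": "14 Elm St Apt 3 Springfield", "tax_id": "00-0000002"}
    for finding in review_new_vendor(candidate, VENDORS, EMPLOYEES):
        print(finding)
```

Confirming that an address exists and verifying business registration still require an outside source, so those two checks stay manual here.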


These are only a few examples of testing that can be done to help detect vendor fraud. An organization should tailor its detection program to its individual needs, including industry practices, vendor profile, and company size.

Provide anti-fraud training to all employees. Training is a critical tactic in the battle against vendor fraud. It increases employee awareness of the various vendor fraud schemes and the potential red flags that accompany those schemes.

Establish a fraud hotline. This allows an organization’s employees to anonymously report any suspicious activity or irregularities without the fear of repercussions. By creating an environment that encourages employees to be vigilant when it comes to awareness of any type of fraudulent activity, an organization can greatly reduce its risk of catastrophic results from fraud schemes. Businesses should also consider the costs and benefits of providing access to the hotline externally because this would allow vendors and other third parties the ability to report suspicions. The function of operating a fraud hotline can be outsourced to a third party; however, an organization must then have established protocols to effectively follow up and resolve tips received.

Constantly review and update internal controls. Criminals who are perpetrating fraud are likely aware of the various controls in place. Thieves and fraudsters can, and will, view internal controls as an obstacle to overcome in order to successfully defraud an organization. Organizations need to understand this challenge and accept it. It is imperative that organizations ensure that internal control procedures and segregation of duties are implemented and followed. Organizations should periodically assess the success of their current controls and evaluate if additional controls and procedures should be implemented to better reduce the risk of vendor fraud. They should perform periodic risk assessments and identify the specific internal control weaknesses within their organization that create a soft target for vendor fraud. Organizations that continually test, update, and improve their internal controls will find that they can be effective in mitigating the risk of fraud.

What to Do When Fraud Is Discovered

Despite strong internal controls and procedures, it is impossible to entirely eliminate the risk for fraud within an organization. Many times, fraud is discovered simply by accident. When this happens, organizations often need to quickly get a handle on the breadth and depth of the fraud. Forensic accountants have experience and are trained to perform in-depth investigations in a time-sensitive manner while preserving evidence and records. This is critical because litigation, be it criminal or civil, or both, often follows the discovery of fraud.

© 2017 American Institute of CPAs. All rights reserved. 22669-378
