Do you really know where the money’s going?

Fraud in the procurement-to-pay process is common and difficult to detect. Here are 7 steps small and medium-size companies can take to prevent it.
By Cecilia Locati, ACMA, CGMA


From fake invoicing and pay-and-return schemes to personal purchases with corporate funds and payment fraud, fraud in the procurement-to-pay process is very common and extremely difficult to prevent and detect.

According to the 2016 Report to the Nations on Occupational Fraud and Abuse by the Association of Certified Fraud Examiners, fraudulent disbursements are the most common form of asset misappropriation. Of all the types of fraudulent disbursement, billing schemes are the most common, making up an average of 22.2% of the cases and causing a median loss of about $100,000.

The following real-life examples illustrate common scenarios of procurement fraud in small and medium-size enterprises (SMEs). The first case study is an electronic disbursement fraud, while the second and third relate to billing schemes.


Jenny was managing the finance and administrative activities of MediaCo, a small media production company specializing in documentaries for TV, co-founded by Kevin and Ivan.

Over time, Jenny found an easy way to boost her wages. When approving payments, Kevin always cross-checked the invoices and payment details thoroughly, while Ivan approved the payments without double-checking them against the invoices.

From time to time, Jenny would enter her sister's bank details into the online banking system instead of a supplier's account details. She would then submit the payment for approval to Ivan. Ivan would approve without noticing that the bank details on the payment were different from those specified on the supplier's invoice. After a couple of weeks, when she knew that Ivan was out of the office, she would include the same vendor invoice in a payment (with the correct vendor bank details) and ask Kevin to approve it.

Jenny was the only one who managed the accounts at MediaCo, and she could easily allocate the cost of the fraudulent payment to a number of P&L accounts to cover up the shortage.

At one point, Jenny was forced to stay home for a couple of weeks because of an illness, and the co-founders' personal assistant covered for her. Following a call from an angry vendor who complained about not receiving payment on his last invoice, the personal assistant looked into the finance files to check whether the invoice had been paid. Thus it was discovered that by paying invoices to her sister's bank account, Jenny had managed to embezzle approximately $75,000 over three years.


Matt was the marketing manager for KitchenCo, a medium-size bespoke kitchen manufacturer. He convinced the company's owner of the need to invest approximately $125,000 to improve KitchenCo's online presence. The owner did not have any background in online marketing and social media presence. But he knew that some of his competitors were investing in such activities, and he wanted to keep up with them.

Matt created a shell search engine marketing company called SEMCo with a fancy website and his wife as the company director. He painted SEMCo as one of the top companies on the market and got the owner to approve an inflated quote for SEMCo's services.

Then, Matt engaged a couple of inexpensive contractors to whom SEMCo subcontracted the work for a much lower price than what KitchenCo paid SEMCo.

After a few months, during a networking dinner, the owner met a search engine optimization (SEO) consultant, and when their conversation turned to KitchenCo's SEO initiatives, the consultant was amazed by the price KitchenCo had paid, and stated that he had never heard of SEMCo.

Because of this conversation, the owner asked KitchenCo's finance director to carry out some checks on SEMCo. The checks revealed that SEMCo was owned by Matt's wife and that the price KitchenCo had paid was well above the market average.


For 15 years, David was the finance director of GlassesCo, a retailer that sold eyeglasses and lenses. GlassesCo used a small legal firm, LegalCo, and over the years, David got to know John, the owner, quite well.

At a certain point, the two men came to the following agreement: John would inflate the number of hours of consulting provided to GlassesCo, David would approve the inflated invoices, and they would split the fraudulent proceeds. This arrangement was quite easy to pull off because David was the only approver of the invoices.

One day, the CEO of GlassesCo received an anonymous email reporting that David was approving inflated consulting invoices. The CEO engaged a fraud investigator to verify whether the claims were true. A review of David's email archive made it obvious that he was colluding with John in a pay-and-return fraud scheme worth about $37,500 over the past two years.

Because of the email archive retention period, it was not possible to ascertain whether the loss was even greater; however, given how long David had worked for the company and how long LegalCo had been providing services to GlassesCo, it is quite likely that the loss amounted to much more than that.


Segregation of duties

In all three examples, the lack of segregation of duties made the frauds possible or helped to conceal them. In MediaCo's case, the lack of segregation of duties in the accounting function allowed Jenny to hide the fraudulent payments in the general ledger without anybody noticing.

To achieve segregation of duties, responsibility for processing payments should be allocated to a different individual from the one in charge of posting transactions in the general ledger. Another way to segregate duties is to ensure that finance systems require two users to process journal entries: one to post journals and one to release them.

In the second case study, segregation of duties could have been achieved by giving the finance department responsibility for carrying out due diligence on the new vendors. This would have uncovered the shell company fraud scheme before the vendor had been engaged.

In the third case, David's fraud would have been discovered much earlier if the CEO had to approve LegalCo's invoices in addition to David's approval. To ensure that invoices are independently approved, they should be reviewed by a second individual, someone other than the person who holds the relationship with the vendor.

Robust reviews

In the first case, the fraud was made possible by the poor controls carried out by one of the two managing directors, who did not check the details of the payments against the supporting documents.

In the case of KitchenCo, the owner did not thoroughly review the marketing manager's vendor selection process, which resulted in the engagement of a shell company as a vendor.

When approving, the reviewer should be aware of the specific reasons the approval is needed and the risks it is designed to mitigate. Raising awareness around this topic would help improve the quality of the review performed.

Vendor selection and approval

Having a strong vendor selection and due-diligence process in place is crucial to avoiding procurement fraud, as the case of KitchenCo shows.

A strong vendor selection process should include a bidding procedure and a due-diligence process to ensure that the new vendor is a genuine company and that there is no potential conflict of interest.

Once those checks have been performed, the new vendor should be approved by another party who should conduct independent checks to ensure that the selection process has been carried out fairly and without bias.

Automated controls

Manual processes are more prone to errors and fraud than automated processes. In the case of MediaCo, the fraud would have been much more difficult to perpetrate if, instead of using manual payments, the company had been using an automated system.

In this case, the vendor details would have been populated automatically based on the data available in the vendor master data. Therefore, provided that appropriate controls on the vendor master data had been in place, it would not have been possible to perpetrate this type of fraud.
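The following sketch is an added example, not part of the original article or any particular finance system. It shows the kind of automated check described above, applied to the MediaCo pattern: each payment's beneficiary account is compared with the vendor master data, and an invoice that is paid a second time is flagged. The field names, vendor records and account numbers are constructed for illustration.

```python
from collections import defaultdict

def normalize_account(account):
    """Drop spaces/dashes and upper-case, so formatting alone cannot hide or fake a mismatch."""
    return "".join(ch for ch in account if ch.isalnum()).upper()

def review_payments(vendor_master, payments):
    """Return (payment_id, reason) findings for payments listed in processing order."""
    findings = []
    seen_invoices = defaultdict(list)  # (vendor_id, invoice_no) -> earlier payment ids
    for p in payments:
        vendor = vendor_master.get(p["vendor_id"])
        if vendor is None:
            findings.append((p["payment_id"], "vendor not in master data"))
        elif normalize_account(p["account"]) != normalize_account(vendor["account"]):
            findings.append((p["payment_id"],
                             "beneficiary account differs from vendor master"))
        # The same invoice paid twice is how the diverted payment was later "made good".
        key = (p["vendor_id"], p["invoice_no"].strip().upper())
        if seen_invoices[key]:
            findings.append((p["payment_id"],
                             "invoice already paid in " + ", ".join(seen_invoices[key])))
        seen_invoices[key].append(p["payment_id"])
    return findings

# Constructed sample data (hypothetical vendors and account numbers).
VENDOR_MASTER = {
    "V001": {"name": "Camera Rentals Ltd", "account": "GB00 TEST 0000 0000 1111 11"},
    "V002": {"name": "Edit Suite LLP", "account": "GB00 TEST 0000 0000 2222 22"},
}
PAYMENTS = [
    # Invoice paid to an account that is not the vendor's.
    {"payment_id": "P-101", "vendor_id": "V001", "invoice_no": "INV-7001",
     "account": "GB00TEST00000000999999"},
    # Ordinary payment that matches the master data.
    {"payment_id": "P-102", "vendor_id": "V002", "invoice_no": "INV-3300",
     "account": "GB00TEST00000000222222"},
    # Same invoice paid again weeks later, this time to the correct account.
    {"payment_id": "P-117", "vendor_id": "V001", "invoice_no": "inv-7001",
     "account": "gb00 test 0000 0000 1111 11"},
]

if __name__ == "__main__":
    for payment_id, reason in review_payments(VENDOR_MASTER, PAYMENTS):
        print(payment_id, "-", reason)
```

The check is only as reliable as the vendor master data, so changes to vendor bank details need their own independent approval.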

Ongoing vendor monitoring and benchmarking

It is best practice to monitor an existing vendor's performance over time to ensure that the level of service meets expectations and the price is appropriate.

The monitoring activity should be carried out by a department or person different from the one managing the relationship with the client on a day-to-day basis. This would have helped prevent GlassesCo from falling victim to the overbilling scheme.

Tight analytical and budget review

All of these cases lacked a robust review of the actual and budgeted figures.

While more challenging for small, rapidly growing companies, the review process should include not only a tight review of the actual-versus-budget figures, but also analysis of the financial ratios and comparative analysis to identify costs that need further investigation.

The tighter the controls, the greater the chance of spotting fraud.


Tips are the most common way of uncovering fraud. Having a formal, structured process to report and follow up on suspected instances of fraud and control override helps SMEs encourage people to report such cases. Nowadays, a number of companies, for a flat annual or monthly fee, provide a 24/7 hotline service in different languages.

In each case study, the fraudsters saw an opportunity to take advantage of the perceived lack of control and thought they could get away with their scheme. To prevent and detect fraud effectively, senior management must have good oversight over controls.

Cecilia Locati is director of Fraud Fence, a consultancy that advises companies on internal fraud prevention.

Editor's note

A version of this article, "Do You Really Know Who You Are Paying?" was originally published Feb. 21, 2017, on
