How JDE Users Can Avoid Accounts Payable Fraud
- Brian Connor
- February 16, 2023
- Security management, JDE Security
In 2020, the Association of Certified Fraud Examiners (ACFE) reported that, based on 2,504 cases they studied from around the globe in the years 2018 to 2019, “occupational fraud”—meaning fraud committed from within an organization—represents a loss of 5% of total business revenues annually. In the cases examined for this particular study, that 5% translated to some $3.6 billion. In its report, the ACFE emphasized that the cases they studied represented only “a tiny fraction of the number of frauds committed each year against businesses, government organizations, and nonprofits throughout the world.” Clearly, fraud is big business.
In this article, we’ll discuss Accounts Payable (AP) Fraud, which includes the sort of occupational fraud examined in the 2020 ACFE study, but also includes fraud perpetrated against businesses from external sources. We’ll provide a breakdown on how accounts payable fraud is typically perpetrated against businesses, we’ll list some potential fraud indicators for you to be aware of, and we’ll share tips that can help safeguard your company against this type of criminal activity.
What is Accounts Payable (AP) Fraud?
Accounts Payable Fraud is an act of misrepresentation whereby someone attempts to scam a business into either paying a debt that is not owed or redirecting payment for a legitimate debt to an illegitimate recipient. There are two broad categories of Accounts Payable Fraud: external and internal (or ‘occupational’) fraud.
External AP Fraud
External AP Fraud is perpetrated by someone outside of a business and can take on a number of forms. Here are three of the most common:
1. Identity Theft
Scammers steal authenticating credentials in order to take direct control of a business’s financial accounts and pay themselves, or else they somehow misrepresent themselves in order to manipulate the business into paying them. For instance, a hacker might obtain a password for Fred Jones who works in Accounting at ABC Corp and is authorized to issue checks up to $500 and cut himself a check under Fred’s name—or perhaps multiple checks if the fraud goes undetected for a length of time. Or the hacker might take over a corporate executive’s email account and direct Fred to make a payment of some kind—“Fred, we’ve got a new supplier. Here are the details. Go ahead and set them up in the system and pay this first invoice.”
2. Phishing Attacks
Scammers will work to obtain information on a company’s partners, vendors, suppliers, and others with whom the company has a formal relationship, and use the information to scam payments. For instance: Company A uses Company B for pest control at its corporate office. A scammer might send Company A an invoice that appears to be from Company B, noting a business name change (“We’ve recently been acquired…”) and providing a new payment address. Company A pays the invoice, not thinking anything of it until a few months later when they receive a notice that their outstanding balance must be paid or services can no longer continue. During the intervening time, their payments have been going to a scammer.
3. Billing Fraud
An employee at a partner company may decide to start padding invoices, perhaps claiming a price change or else charging for goods and/or services that were not actually provided, and pocketing the difference. Referring back to the pest control company example, it might be that Jeff—who handles billing for Company B—invoices Company A for two visits in April instead of one, and works out a way to divert the illegitimate amount to a private account. In this instance, both companies are being scammed, and if questioned, Jeff can always claim that he made a mistake.
Internal AP Fraud
Internal AP Fraud is perpetrated by a company’s own employees and/or officers, sometimes in cooperation with individuals outside of the company. As with external fraud, this type of scam can take on numerous forms and is often difficult to detect because it is carried out by people with inside knowledge, who may be very adept at covering their tracks. Here are some examples of the most common forms of Internal AP Fraud:
1. Check Fraud
This is one of the most difficult types of AP Fraud to detect. Employees will sometimes forge signatures on checks or even use chemicals to remove a name or amount from a check and replace it with something else. At other times, they steal checks and invent ways of cashing or depositing them. For instance, Brenda may take a check her boss writes to Allardyce Industries for $25,000, open an account under that name at her own bank, and deposit the check.
2. Billing Fraud
Employees can perpetrate this form of fraud in a number of creative ways. For instance, Jill, who works in Accounting and has authorization to pay invoices up to $1,000, could set up a new vendor in the system (or resurrect an inactive account of some type) and issue occasional payments, with the proceeds actually going to an account she set up for herself. Often, billing fraud is perpetrated by multiple actors, some of whom are external to the target company. For example, Jill might partner with Greg, who supervises vendors, to “hire” a fictitious pest control company. Greg generates monthly fake invoices under the fictitious company’s name and authorizes Jill to pay them, and they divide the spoils between them. This sort of partnership fraud can be very difficult to detect because the invoices and payments are handled through a trusted, legitimate chain of command.
3. Expense/Reimbursement Fraud
This form of fraud involves employees misrepresenting expenses and submitting them for reimbursement. For instance, Tom travels for a conference in Tampa and either reports expenses he didn’t incur or else inflates the amounts. He may even create and submit his own fraudulent supporting documentation.
4. ACH (Automated Clearing House) Fraud
With electronic payments increasingly being favored over paper checks—especially where large transactions are concerned—scammers are finding ways to divert funds in their favor. For example, if Kayleigh knows that a large payment is scheduled for transfer to the textbook manufacturer her company uses, she could change the bank account and routing details to transfer the funds to an account she controls. If she’s clever about it, she could even make it appear that the funds were stolen by an outside hacker, especially if she uses someone outside of the company to help.
Potential Fraud Indicators
Anyone involved with outlining your company’s financial accountability processes should have a good working knowledge of potential fraud indicators. The following are some of the most common:
- Payments issued just below the level where they require higher-level authorization. For instance, an employee has a payment authorization limit of $1,000, and you find that they’re processing a lot of payments that fall just below that amount.
- Changes to billing information, including new company names, routing and account numbers.
- Invoices with price increases where there has been no prior notice or price change agreement.
- Duplicate payments.
- Invoices and other supporting documents that are vague, incomplete, or of poor quality (smudged signatures, numbers written over one another, handwritten receipts, etc.).
- Payments issued without a purchase order.
- Vendors with names, addresses, and banking information that are similar to those of an employee.
- Unusual charges on corporate credit cards.
- Rounded numbers. You may sometimes receive payment requests that end in zero, but the majority will not, especially if taxes and fees are applied.
- Vendors who have some type of personal relationship with one or more of your employees. This may be perfectly legitimate. For instance, one of your employees may recommend a company run by a friend of his or hers who turns out to be a good business partner. In these instances, however, it could represent a conflict of interest or even a situation where your employee is receiving kickbacks from the vendor. For this reason, it would be wise to be sure that employees who have known relationships with vendors are not solely in charge of dealing with those individuals and companies, especially where invoicing and payments are concerned.
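Several of the indicators above can be checked mechanically during a payment review. The following is an added example, not code from this article or from JD Edwards: it scans constructed payment records for just-below-limit clusters, duplicates, missing purchase orders, rounded amounts, and vendor bank details that match an employee's. All field names, limits, thresholds and account strings are assumptions.

```python
from collections import defaultdict
from decimal import Decimal as D

# Constructed sample data; field names, limits and accounts are assumptions.
PAYMENTS = [
    {"id": "P1", "clerk": "jill", "vendor": "V100", "invoice": "INV-881", "amount": D("985.00"), "po": "PO-17"},
    {"id": "P2", "clerk": "jill", "vendor": "V100", "invoice": "INV-902", "amount": D("990.00"), "po": None},
    {"id": "P3", "clerk": "jill", "vendor": "V100", "invoice": "INV-915", "amount": D("975.50"), "po": "PO-21"},
    {"id": "P4", "clerk": "tom", "vendor": "V200", "invoice": "INV-300", "amount": D("412.37"), "po": "PO-30"},
    {"id": "P5", "clerk": "tom", "vendor": "V200", "invoice": "INV-300", "amount": D("412.37"), "po": "PO-30"},
    {"id": "P6", "clerk": "tom", "vendor": "V300", "invoice": "INV-077", "amount": D("5000.00"), "po": "PO-31"},
]
LIMITS = {"jill": D("1000"), "tom": D("10000")}          # per-clerk authorization limit
VENDOR_BANK = {"V100": "RT-A/ACCT-1", "V200": "RT-B/ACCT-2", "V300": "RT-B/ACCT-3"}
EMPLOYEE_BANK = {"jill": "RT-A/ACCT-1", "tom": "RT-C/ACCT-9"}

def scan(payments, limits, vendor_bank, employee_bank, band=D("0.05"), min_hits=3):
    """Return {payment_or_vendor_id: [indicator, ...]} for the records given."""
    flags, near_limit, first_seen = defaultdict(set), defaultdict(list), {}
    for p in payments:
        limit = limits[p["clerk"]]
        # Within `band` (5%) below the clerk's limit; judged per clerk further down.
        if limit * (1 - band) <= p["amount"] < limit:
            near_limit[p["clerk"]].append(p["id"])
        key = (p["vendor"], p["invoice"], p["amount"])
        if key in first_seen:
            flags[p["id"]].add("duplicate_of_" + first_seen[key])
        first_seen.setdefault(key, p["id"])
        if p["po"] is None:
            flags[p["id"]].add("no_purchase_order")
        if p["amount"] % 100 == 0:        # assumed definition of a "rounded" amount
            flags[p["id"]].add("round_amount")
    # One near-limit payment is normal; a cluster from the same clerk is the signal.
    for ids in near_limit.values():
        if len(ids) >= min_hits:
            for pid in ids:
                flags[pid].add("just_below_limit")
    # Exact match only; "similar" names and addresses would need fuzzy matching.
    owner = {acct: emp for emp, acct in employee_bank.items()}
    for vendor, acct in vendor_bank.items():
        if acct in owner:
            flags[vendor].add("bank_matches_employee_" + owner[acct])
    return {k: sorted(v) for k, v in flags.items()}

if __name__ == "__main__":
    for key, found in sorted(scan(PAYMENTS, LIMITS, VENDOR_BANK, EMPLOYEE_BANK).items()):
        print(key, found)
```

A flag here is a prompt for a reviewer to pull the supporting documents, not a finding of fraud.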
How to Prevent AP Fraud
Internal and External AP Fraud may arise from different sources—although, as we’ve demonstrated here, there is often overlap between them—but they both involve certain common elements you can safeguard against. Here are three strategies you can build into your AP policies to minimize your losses to fraud.
Companies often hire external auditing firms, but you will always know your own systems, practices, and employees best. For this reason, it’s a good idea to have a policy in place to provide for random audits of your AP practices and those involved in all stages of the payment process. Trained personnel should review past payments for the sort of potential fraud indicators we’ve listed here, and no one should ever be responsible for auditing themselves.
The Transportation Safety Administration (TSA) sometimes audits its security personnel and procedures by deliberately sending persons and items through security checkpoints to see whether they’ll be detected and detained. You may wish to employ similar procedures on occasion in your own company. From time to time, authorized personnel (with management knowledge, of course) should submit problematic invoices and see how far they make it through your AP process. Are your people just paying whatever comes into the office, or are they doing their due diligence? This may be one surefire way to find out.
Per the examples we’ve provided here, most types of AP Fraud involve a change of some type, and companies fall victim to scams they might otherwise avoid simply because they take for granted that they’re dealing with legitimate sources and accurate information. In the example where Company A received a fraudulent invoice for Company B and ended up paying a scammer, the situation might have been avoided had someone at Company A said, “This invoice claims they’ve recently been acquired, and they’re asking us to generate payment to the new company name at a new address. Let’s call our contacts on file over there to be sure this is on the level.”
Any kind of change where billing and payments are concerned should be directly verified whenever possible. Use the payment info you already have on hand for this person or company. Call and ask to speak to them directly, or maybe ask to speak to someone else, like a person’s manager, to verify the change.
Segregation of Duties (SOD)
No single person should be able to control the entire payment process. Instead, it’s wise to utilize segregation of duties. For instance, you might have one person or department responsible for receiving and processing invoices and another responsible for approving and paying them. It may also be a good idea to rotate your personnel through these responsibilities so that no one person is always handling the same part of any given process.
Additionally, limits should be placed on the payments employees are authorized to make, with larger payments requiring review and approval. This provides another check and balance in the process. With JD Edwards and other Oracle and SAP systems, processing often takes place during the day and batch payments are issued at night. For this reason, scammers will often try to get changes made at the last minute before those big batch payments go out. They’ll put pressure on your personnel to make payment changes immediately so that there is no time to verify. Mandating at least two levels of approval makes this more difficult because scammers can’t as easily turn up the heat on both persons.
JD Edwards makes this easier with a process called AP Payee Control. Any attempted change as to how and where payments are sent requires additional approval before it can be finalized. For instance, let’s say you’re supposed to be paying $50,000 to a vendor or contractor. Right before payment is to be issued, someone who supposedly represents the company calls to make a routing and account number change. The change data can be inputted in JD Edwards, but it will be put on hold until additional authorization is obtained. The additional authorizer should contact the company in question DIRECTLY to verify the change, preferably using a list of known contacts.
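The hold-and-approve flow described above can be modelled in a few lines. This is an added example, not JD Edwards code and not a description of how AP Payee Control is implemented: the class, function names and the rule that a payee with an unapproved change is skipped by the nightly batch are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Payee:
    name: str
    bank: str                        # approved routing/account on file
    pending: Optional[dict] = None   # requested change awaiting approval

def request_bank_change(payee, new_bank, requested_by):
    """Record the change without applying it."""
    payee.pending = {"bank": new_bank, "requested_by": requested_by}

def approve_bank_change(payee, approver, verified_with_known_contact):
    """Apply a pending change only on a second person's verified approval."""
    if payee.pending is None:
        raise ValueError("no pending change")
    if approver == payee.pending["requested_by"]:
        raise PermissionError("requester cannot approve their own change")
    if not verified_with_known_contact:
        raise PermissionError("change not confirmed with a contact already on file")
    payee.bank, payee.pending = payee.pending["bank"], None

def nightly_batch(payees, scheduled):
    """Split scheduled (name, amount) payments into (to_pay, held)."""
    to_pay, held = [], []
    for name, amount in scheduled:
        payee = payees[name]
        # Assumption: a payee with an unapproved change is skipped, not paid
        # to either the old or the new account, until the change is resolved.
        (held if payee.pending else to_pay).append((name, amount, payee.bank))
    return to_pay, held

if __name__ == "__main__":
    # Constructed scenario: last-minute change request before a $50,000 payment.
    payees = {"Vendor X": Payee("Vendor X", "RT-A/ACCT-1")}
    request_bank_change(payees["Vendor X"], "RT-Z/ACCT-9", "clerk1")
    print(nightly_batch(payees, [("Vendor X", 50000)]))   # held
    approve_bank_change(payees["Vendor X"], "manager2", True)
    print(nightly_batch(payees, [("Vendor X", 50000)]))   # paid to approved account
```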
ERP Suites uses a strong toolset called All-Out Security to enforce SOD in JD Edwards. All-Out Security monitors for individuals who have access to multiple sides of a transaction, and can be used in two modes:
- Preventative Mode: If someone has the ability to set up a vendor, and they ask for additional authorization to enter vouchers and issue payments, a preventative control can be set up to deny the additional access.
- Detective Mode: If access is granted for whatever reason, the software will look for such transactions and report on them.
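The two modes can be illustrated with a small rule check. This is an added example and not All-Out Security's logic or rule set: the duty names, conflict pairs, and audit-log fields are hypothetical, and the log entries are constructed.

```python
from collections import defaultdict

# Hypothetical duty names; each set is a pair one person should not hold together.
CONFLICTS = [
    {"vendor_setup", "voucher_entry"},
    {"vendor_setup", "issue_payment"},
    {"voucher_entry", "issue_payment"},
]

# Constructed audit log: who performed which duty against which vendor.
AUDIT_LOG = [
    {"user": "jill", "duty": "vendor_setup", "vendor": "V900"},
    {"user": "jill", "duty": "issue_payment", "vendor": "V900"},
    {"user": "greg", "duty": "vendor_setup", "vendor": "V901"},
    {"user": "tom", "duty": "issue_payment", "vendor": "V901"},
]

def conflicts_for(duties):
    """Return every conflicting pair fully contained in `duties`."""
    held = set(duties)
    return [sorted(pair) for pair in CONFLICTS if pair <= held]

def request_access(grants, user, duty):
    """Preventive mode: deny a grant that would complete a conflicting pair."""
    proposed = grants.get(user, set()) | {duty}
    hits = conflicts_for(proposed)
    if hits:
        return False, hits          # grants is left unchanged
    grants[user] = proposed
    return True, []

def detect(audit_log):
    """Detective mode: report (user, vendor, pair) where one user did both sides."""
    done = defaultdict(set)
    for entry in audit_log:
        done[(entry["user"], entry["vendor"])].add(entry["duty"])
    return [(user, vendor, pair)
            for (user, vendor), duties in sorted(done.items())
            for pair in conflicts_for(duties)]

if __name__ == "__main__":
    grants = {"jill": {"vendor_setup"}}
    print(request_access(grants, "jill", "voucher_entry"))   # denied
    print(detect(AUDIT_LOG))
```

Note that the detective check only catches one user acting on both sides; collusion between two users, as in the Jill and Greg example earlier, does not trip it.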
JDE Security Audit
Schedule time with our JDE security experts and we'll guide you on the best next steps for your business. ERP Suites offers 3 options for a Security Audit that will start you down the path to a more secure and efficient JDE system.