
I presented last week as part of an event run by CIPFA – the Chartered Institute of Public Finance and Accountancy. As you can imagine, their live events are notorious for wild behaviour and partying, but this was online, luckily for me. (OK, just my little public sector accountancy joke there…) Anyway, I talked about Bad Buying, particularly in the public sector context and with a focus on corruption and fraud which I thought would most interest accountants.

One of the other speakers, Mohamed Hans, a lawyer and public procurement adviser, talked about the “typical” profile of a corporate fraudster. Most work within the organisation, and apparently, he – and more often than not it is a “he” – is most likely to be middle aged, with quite a few years of service, well-respected internally, and in a management position.

I guess that all makes sense. You need to have some authority generally to commit fraud – in the procurement space, it really helps if you are a budget holder or can sign off expenditure in some way. If you have been around a while in the organisation, you are more likely to understand the systems and processes, and how to get around them to commit your fraud. All of that points to someone of a certain age, seniority and length of service.

That fits with my personal experience. Probably the closest I came to a major case was when a senior procurement executive who had a “dotted” reporting line to me was prosecuted for a fraud where he appeared to be in league with some very unpleasant “Russian gangsters”, according to the police. My firm was not aware of the fraud but the police spotted odd transactions at the gangster end of things, which it emerged came from our villain signing invoices for non-existent furniture purchases, with the payments going to the gangsters. He was in his forties, in a senior role, and had been with the firm for at least a decade, so he fit that archetype perfectly!

Other cases in my Bad Buying book include a mid-level executive for Toys ‘R’ Us at Maidenhead in England. He was a “typical middle-aged accountant to colleagues, living in a semi-detached house near Reading and driving an old Vauxhall car. But actually he lived a double life and was stealing millions from the firm, spending money on sports cars, prostitutes and even an estate in Nigeria for his secret mistresses! He was ordered to repay £3.6 million when he was finally caught, as well as being jailed in 2010 for seven years. (His jail term will increase if he doesn’t pay the money back.)

His fraud was simple. He created a fictitious toy manufacturer, a ‘supplier’ to the firm, and then made regular payments of £300,000 a month over more than two years to that account, which of course he controlled. When this was reported in the press, one reader’s comment was amusing: ‘so he spent £2.4 million on call girls and sports cars – and wasted the rest’!  But it’s not really funny; this was shareholders’ money, and sympathy is due to his wife and family, who knew nothing about it and did not benefit in any way”.

Just to show it isn’t only men, the (female) interim director of operations at Ealing Hospital NHS Trust stole more than £200K back in 2008 to pay for (among other things) horse semen, needed for her stud-farm business. She fraudulently signed off payments, which went into her own bank accounts rather than to genuine suppliers. The judge said that she was, ‘a woman of very great ability and up to this point of very high character. The difficulty and sadness of cases such as this is only people of high ability could get themselves in a position where they can defraud people and the NHS of the amount of money you took.’

However, in most cases, fraud can be prevented quite simply. The most basic advice includes that no single person should be able to “create” a new supplier, and onboarding checks must be made. Then again, no one individual should be able to authorise a payment (e.g. by signing off an invoice) to any supplier, without some sort of check from another person.  It is not unknown for two or more people to collude in frauds, but in my experience establishing that sort of basic control reduces the probability of fraud by a significant factor. Carrying out a fraud alone is one thing; asking another person to collude with you brings another level of risk for the fraudster.

And don’t assume someone couldn’t possibly be a fraudster because they are respected, have worked in the organisation for years, are senior, go to church, are kind to animals …. Criminals come in all sorts of shapes, sizes and disguises!

One of the most annoying aspects of writing Bad Buying was reading dozens of fraud and corruption cases that came to court. Whilst the cases were often fascinating, the comments from the CFO or CEO of the organisation that suffered the fraud were always predictable. This is what I said in the book.

“But again and again, I see organisations failing to take basic precautions, and then once fraud is discovered, claiming that “this was a very sophisticated fraud”. In most cases, that remark is nonsense and is a fig-leaf for an embarrassed CFO or CEO who didn’t have basic fraud prevention measures in place.

Indeed, one way that fraud could be reduced globally is if CFOs in particular were told that their jobs are on the line. If a fraud takes place on their watch, that could have been prevented through simple actions, then they’ll be fired for incompetence. Implement this, and there will be a measurable drop in such cases very quickly”.

In recent weeks, a fraud committed by an IT manager in the UK’s National Health Service hit the headlines. Barry Stannard, of Chelmsford in Essex, was “head of unified communications” for the Mid Essex Hospital Trust, which has since been merged into Mid and South Essex NHS Foundation Trust. He defrauded his employer of £806,229, which came out of the trust’s IT budget. He created two “fake companies” that he controlled, and then authorised payments against invoices from these firms – invoices he obviously produced himself. He failed to declare any interest in these firms (obviously), no products or services invoiced were ever actually provided to the NHS, and he was sentenced to 5 years and 4 months’ imprisonment on June 30th.

At least the hospital did eventually spot this fraud. According to the Digital Health website, “Concerns first arose after the trust ran a data matching exercise on its payroll and accounts payable records, alongside Companies House records. After a comprehensive initial investigation by the Local Counter Fraud Specialist provider (RSM), the investigation was escalated to the NHS Counter Fraud Authority’s National Investigation Service”.

Stannard also charged VAT, which was never paid onwards to the tax authorities, so that was a further fraudulent element. All of the hundreds of invoices submitted by his companies to the trust were individually for less than Stannard’s personal authorisation limit, so he got away with it for some time.
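To make the two signals in this case concrete, here is an added sketch (not from the original post, and not the trust's actual exercise) of a data match between payroll, supplier director records and accounts payable, plus a check for invoices that each sit under the approver's limit but together exceed it. All names, identifiers, field layouts and the three-invoice threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; names, ids and field formats are assumptions.
PAYROLL = [
    {"emp_id": "E100", "name": "Alex Morgan", "dob": "1970-03-14", "limit": 5000},
    {"emp_id": "E101", "name": "Priya Shah", "dob": "1985-11-02", "limit": 5000},
]
DIRECTORS = {"S1": [{"name": "MORGAN, Alex", "dob": "1970-03"}],  # register extract
             "S2": [{"name": "LEE, Jordan", "dob": "1962-07"}]}
INVOICES = [("S1", "E100", a) for a in (4800, 4950, 4900, 4990)]  # (supplier, approver, amount)
INVOICES += [("S2", "E101", a) for a in (1200, 800)]

def norm_name(name):
    """Map 'SURNAME, First' and 'First Surname' to one lowercase key."""
    if "," in name:
        last, first = (p.strip() for p in name.split(",", 1))
        name = f"{first} {last}"
    return " ".join(name.lower().split())

def director_links(payroll, directors):
    """Suppliers whose officer matches an employee on name and birth month."""
    index = {(norm_name(e["name"]), e["dob"][:7]): e["emp_id"] for e in payroll}
    links = defaultdict(set)
    for sid, officers in directors.items():
        for o in officers:
            emp = index.get((norm_name(o["name"]), o["dob"][:7]))
            if emp:
                links[sid].add(emp)
    return dict(links)

def findings(payroll, directors, invoices, min_count=3):
    """Flag supplier/approver pairs that show either pattern from this case."""
    limits = {e["emp_id"]: e["limit"] for e in payroll}
    links = director_links(payroll, directors)
    by_pair = defaultdict(list)
    for sid, approver, amount in invoices:
        by_pair[(sid, approver)].append(amount)
    out = []
    for (sid, approver), amounts in sorted(by_pair.items()):
        limit, total, reasons = limits[approver], sum(amounts), []
        if approver in links.get(sid, ()):
            reasons.append("approver_is_director")   # approved own company's invoices
        elif sid in links:
            reasons.append("employee_is_director")   # undeclared interest to review
        if len(amounts) >= min_count and max(amounts) < limit < total:
            reasons.append("split_under_limit")      # every invoice below the limit
        if reasons:
            out.append((sid, approver, total, reasons))
    return out
```

A match on name and birth month is only a lead for an investigator to follow up, since common names will produce false positives.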

At least here nobody used the “sophisticated” word in describing the fraud, which is just as well because it wasn’t.  It was a pretty basic fraud and pretty basic best practice was not followed. That means there is a good case for sacking the CFO – and perhaps even the Procurement Head.  They certainly should answer these questions.

  • Why was there no proper “onboarding check” before a new supplier was first paid? Basic Companies House and Dun & Bradstreet checks would have shown a firm with Stannard as Director and presumably no other income.
  • Why was there no “separation of duties”? You should never have the same person able to choose a supplier, sign off the purchases, and approve the invoice (which includes confirmation of receipt of goods / services).
  • Why did his boss not question the expenditure? Actually, it is not clear whether the budgets were his own or belonged to other managers (in which case, why didn’t they query these costs for non-existent products?).

It all looks very negligent by the Trust and smacks of a poor attitude to spending taxpayers’ money, which unfortunately we’ve seen before in the case of public sector fraud of this nature. So whatever your role, do think about whether such a fraud would be possible in your organisation. If you wanted to extract money, how would you do it? Would you need an accomplice or could you do it yourself, as in this case? If you do find gaps, then tell the CFO, CEO or equivalent.

I reckon every organisation needs a few creative, cynical but trustworthy employees who can put themselves in the shoes of wrongdoers and have evil thoughts – for the greater good, of course!

We’ve written a couple of times about the Greensill affair, and now more is emerging about another key player in the financial scandal. Greensill in effect lent billions to Sanjeev Gupta, creator of the GFG Alliance of steel businesses. That appears to have been based on both financing the invoices where GFG owed money to their suppliers, and also making early payment to Gupta’s firms where GFG invoiced its own customers.

But the Financial Times, which has been instrumental in exploring matters, reports that Grant Thornton, the administrator for Greensill, has contacted some GFG “customers”.  Clearly, they in theory owe Greensill money. However, “some of them say they did no business with Gupta”.  In other cases, there are allegations that the customers were friends or associates of Gupta.

If this is true, it seems that Greensill was advancing money to GFG based on their invoices which had in theory been issued. Greensill would collect the money owed from the customers in line with payment terms. So note this is financing Gupta based on its sales, rather than improving its cash flow by helping on the purchase side. But if these invoices – or some of them – were fake, then we have a real fraud, and Greensill obviously won’t be able to collect its debts. Maybe Greensill was an innocent victim, being told by GFG these were real customers and real debts. Or maybe not.

Anyway, this link with supply chain finance is for me potentially a new type of invoice-related fraud. I must admit I did not cover this in Bad Buying, but it might be in the 2nd edition / follow-up!

The more usual invoice frauds that I describe in my book fall into three categories.

  1. Fake invoices are created, submitted and authorised by someone inside the organisation. The money is paid to firms (probably set up for this purpose) which the insider(s) controls.
  2. Fake or inaccurate invoices are submitted by an external party, either “on spec” in the hope that the internal systems are poor and they get paid, or to be authorised by an accomplice internally. The supplier may even be genuine, but the amount invoiced may not reflect the actual goods supplied or work done.
  3. Invoice mis-direction, where the fraudster persuades the firm to pay a genuine invoice to the fraudster’s bank account rather than to the real supplier’s account.

“Fake invoice” fraud by insiders happens in the private sector, in government, and even in the charity sector. And it can be the most unlikely people – as in this case (taken from my book), where the former head of counter-fraud at Oxfam, the charity that fights poverty globally, was jailed after stealing more than £64,000 from the organisation.

Edward McKenzie-Green, 34, defrauded the organisation while investigating fellow charity workers in earthquake-hit Haiti. He filed fake invoices from bogus companies, making £64,612 in nine months before resigning because of unrelated disciplinary proceedings. The scheme was discovered after an internal inquiry was launched to investigate allegations that he’d behaved unprofessionally while leading a team in Haiti in 2011.

He agreed to resign, was given a £29,000 “golden handshake”, but then investigators unearthed 17 fraudulent invoices from two companies under his control. An audit of his own counter-fraud department revealed payments to “Loss Prevention Associates” and “Solutions de Recherche Intelligence” in 2011. Investigators contacted the supposed head of one company, Keith Prowse, for an explanation of invoices for ‘intelligence investigation’, ‘surveillance equipment’ and ‘Haiti Confidential’. But there was no Mr Prowse – that was, in fact, McKenzie-Green. (The “real” Keith Prowse founded a very successful corporate hospitality firm in the UK.)

McKenzie-Green got two years in jail and Judge Wendy Joseph QC told him: “You have taken from those who desperately need it substantial sums of money. Worse, you have undermined the public confidence in a charitable institution. You were head of a department set up to counter fraud. This was a profound abuse of the trust invested in you.”

We suspect that the magnitude of the Gupta / Greensill affair might dwarf the Oxfam case and most of the others in the book, except perhaps for the Petrobras / Odebrecht scandal in Latin America, where fake invoicing was only a small part of the wider fraud and corruption picture. In any case, it will be interesting to see what emerges in the Gupta case over the coming months.

Bad Buying was published last week, and whilst there wasn’t exactly a rush of media appearances, it was reviewed in the Times on Saturday (behind the paywall unfortunately).

The reviewer (Robert Colvile) enjoyed it, although he found it annoying / depressing that governments seem to make the same mistakes time and time again when it comes to spending public money. Well, yes, I’d agree of course, that being one of my reasons for writing the book! He also picked up on one important point that is mentioned in the book but perhaps deserves more focus. As Colvile put it in his review,

“And the mistake was usually pretty elementary (as a rule, anyone who talks about how their organisation was victim to a “very sophisticated” gang of thieves is telling porky pies: far more likely is that there was a failure to attend to the absolute basics).”

This is so true. We see it almost every time there is a fraud case – the organisation that has lost out claims it is the cleverness of the fraudsters, not the stupidity of management that is to blame. That is the case even if all the fraudsters have done is phoned up the finance department and said “hello, this is IBM here, we’ve changed our bank details, please can you pay our outstanding invoices now to this new account”. Very sophisticated…

But it is certainly not just the public sector that gets caught out. EssilorLuxottica, the world’s leading lens and eyewear firm, was the target of a 190 million euro ($213 million) fraud at one of its factories in Thailand. At the end of last year, the firm announced that it had fired employees associated with the incident (well, you would, wouldn’t you) and was looking to recover the money.

An intelligent guess would suggest that this was a “fake supplier” fraud, where money was paid under the authorisation of someone internally to external firms that were controlled by the fraudsters. Those firms would not in reality be supplying anything to EssilorLuxottica of course, and by the time the fraud was spotted, those bank accounts would have been closed and the cash long since extracted. But this was a huge amount of money to disappear from a single factory in Thailand – it sounds like it could be equivalent to the firm’s entire annual revenue in that country.

Assuming that was the nature of the fraud, how on earth could such large sums of money be extracted without anyone noticing? What were the policies in place and processes to check up on those new “suppliers” and their legitimacy? Who was allowed to approve high value payments?  Did the firm outsource any part of the payment process to a third party services provider? (That can sometimes lead to weaknesses in the process and less focus on what is going on).  Maybe there was some sophistication here in the fraud, but it really does smack of poor internal management and controls.

Anyway, that story is really told to demonstrate that it is not just the public sector that can waste money and fall down on basic anti-fraud processes. I’d suggest that every procurement or finance leader and every Board should consciously think about this question – “if I wanted to defraud my organisation, how would I do it”? 

Think through the different options and potential points of weakness, and evaluate whether there are processes, checks or policies in place that would stop you getting away with it. If the answer is “no”, then either tighten up quickly or accept that you might be the next person waffling on to the press about “sophisticated criminals”! Personally, I would also fire the CFO if such a basic fraud was committed on his or her watch.

The Bad Buying book might be useful too if you are concerned about these issues.  It contains seven key anti-fraud principles, with some practical and clear advice on how you can at the very least reduce the chances of fraud and corruption affecting your organisation.