ACFE Course Materials - Fraud Conference


ACFE Course Materials

Welcome!

The ACFE would like to welcome you to Planning and Conducting Vendor Audits. We hope you will find this course informative and immediately useful. The materials in this book will not only supplement your learning experience during the class, but will also serve as a reference and reminder for you when you are back on the job.

There are a few important administrative items to keep in mind:

- Timing and Structure — Class will start promptly at 1:00 p.m. and end at 5:00 p.m. each day. Beverages, continental breakfast, and one group lunch will be provided.
- Sign-In Sheet — Please initial next to your name on the Sign-In Sheet. It is critical that you do so each morning to be eligible for CPE credit.
- Certificate of Attendance — Please complete the CPE Reporting Form found inside your registration packet. This form is due on the last day of the seminar and will serve as your Certificate of Attendance. Return the top white copy to the Registration Desk and keep the bottom yellow copy for your records. The yellow copy will serve as your Certificate of Attendance.
- Evaluations — Course evaluations will be distributed by email. Please take time to provide feedback about the course, venue, and instructor. Your evaluation will help the ACFE make improvements to future training courses. At the conclusion of the evaluation you will receive a link to all the PowerPoint slides used throughout the class.

Thank you for attending. Please let us know if there is anything we can do to make your experience in this class more comfortable, productive, and valuable.

Planning and Conducting Vendor Audits

2012 By the Association of Certified Fraud Examiners, Inc.
Revised: 5/21/12

No portion of this work may be reproduced or transmitted in any form or by any means electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system without the written permission of the Association of Certified Fraud Examiners, Inc.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” “Fraud Magazine,” “CFE Exam Prep Course,” “EthicsLine,” the ACFE Seal, and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc.

WORLD HEADQUARTERS, THE GREGOR BUILDING
716 WEST AVENUE
AUSTIN, TX 78701-2727 USA
TEL: (800) 245-3321 1 (512) 478-9000
FAX: 1 (512) 478-9297
WWW.ACFE.COM

DISCLAIMER

Every effort has been made to ensure that the contents of this publication are accurate and free from error. However, it is possible that errors exist, both typographical and in content. Therefore, the information provided herein should be used only as a guide and not as the only source of reference.

The author, advisors, and publishers shall have neither liability nor responsibility to any person or entity with respect to any loss, damage, or injury caused or alleged to be caused directly or indirectly by any information contained in or omitted from this publication.

Printed in the United States of America.

Association of Certified Fraud Examiners
23RD ANNUAL ACFE FRAUD PRE-CONFERENCE
PLANNING AND CONDUCTING VENDOR AUDITS
JUNE 17, 2012
ORLANDO, FL

11:00 a.m. – 1:00 p.m.   Registration: City Hall Lobby
Room Name: Sun Ballroom C
1:00 p.m. – 2:10 p.m.   Contract Terms and Conditions: The Foundation for Good Vendor Audits
2:10 p.m. – 2:25 p.m.   Break
2:25 p.m. – 3:35 p.m.   Identifying and Selecting Audit Candidates: Where Is the Risk and Reward?
3:35 p.m. – 3:50 p.m.   Break
3:50 p.m. – 5:00 p.m.   Finding Fraud in Vendor Audits: Identifying Loopholes and Opportunities for Fraud

RYAN C. HUBBS, CFE, CIA, CCSA, PHR
Senior Manager
Matson, Driscoll & Damico (MD&D), Forensic Accountants
Houston, TX

Ryan C. Hubbs is a Senior Manager for Matson, Driscoll & Damico, Forensic Accountants, out of Houston, Texas. His responsibilities include providing investigative support to corporations, government entities, law firms, and non-profits in response to fraud and employee misconduct investigations, internal controls, and audits. He also provides consulting support to organizations that are looking to bolster, strengthen, or implement organization-wide anti-fraud programs and measures, including both preventive and detective enhancements. Mr. Hubbs’s background includes conducting hundreds of interviews, investigations, and internal audit engagements within the utility and energy industry. Some of his areas of expertise include: experience with employee and contractor frauds, conflicts of interest, ethics and compliance violations, controls consulting, process improvements, fraud risk assessments, contract review, and contract recovery audits. In addition to his anti-fraud experience, Mr. Hubbs has experience conducting investigations into employee misconduct including: discrimination, sexual harassment, retaliation, workplace violence, intimidation, and pornography.

Mr. Hubbs is a member of the ACFE Faculty where he co-presents the CFE Exam Review Course, as well as specialized training such as Interviewing Techniques for Auditors and Conducting Internal Investigations. He also sits on the Professional Standards and Practices Committee for the ACFE and the ACFE’s Advisory Council. He served four years as the founder and chapter President of the New Orleans ACFE Chapter post–Hurricane Katrina and sits on the Board of Directors of the Houston ACFE Chapter.

Mr. Hubbs has worked as an online faculty member with the University of Phoenix teaching the graduate level course, Managing the Business Enterprise. Mr. Hubbs has published articles in both the Fraud Magazine and Security Management Magazine. He currently supports professional organizations such as the ACFE, the IIA, and local universities by giving presentations on fraud, waste, and abuse. Some notable presentations have included: Conducting Facilitated Fraud Risk Assessments, Detecting and Preventing Employee Expense Purchase Schemes, How to Lose Your Job, Training Ground for Fraud, How the Internet Enables Fraudsters, and Using the Deviant Behaviors of Others to Find Fraud. Mr. Hubbs has also been a repeat presenter at several of the ACFE Annual Fraud Conferences.

Mr. Hubbs has more than 10 years of experience in the fraud investigation and internal audit field. He also has more than 13 years of full-time and volunteer law enforcement experience. His last appointment was with the St. Tammany Parish Sheriff’s Office in the Special Operations Division where he held the rank of reserve Corporal and Detective and assisted the Property Crimes Division on white-collar fraud cases. He also spent considerable time conducting search and rescue operations after Hurricane Katrina.

Mr. Hubbs graduated from Louisiana State University with a Bachelor of Science in Business Administration and a minor in Sociology/Criminology. He later graduated from Louisiana State University with a Master’s in Business Administration. He is a Certified Fraud Examiner (CFE), a Certified Internal Auditor (CIA), Certified in Control Self-Assessment (CCSA), and a Certified Human Resources Professional (PHR).

TABLE OF CONTENTS

CONTRACT TERMS AND CONDITIONS: THE FOUNDATION FOR GOOD VENDOR AUDITS
Introduction
The Importance of Effective Contract Language and How It Supports Future Audits
Assessing If Vendor Audits Are a Viable Option
Crafting an Effective Audit Clause
Types of Contracts and Audit Challenges
The Importance of Routinely Exercising Vendor Audit Rights

IDENTIFYING AND SELECTING AUDIT CANDIDATES: WHERE IS THE RISK AND REWARD?
Determining the Purpose of the Audit
Determining Which Vendors to Audit
Requesting and Gathering Documents

FINDING FRAUD IN VENDOR AUDITS: IDENTIFYING LOOPHOLES AND OPPORTUNITIES FOR FRAUD
Introduction
Fraud Schemes Involving Labor
Fraud Schemes Involving Employee Travel
Fraud Schemes Involving Materials
Fraud Schemes Involving Equipment
Fraud Schemes Involving Contract Rates
Other Schemes
Conclusion

APPENDICES

CONTRACT TERMS AND CONDITIONS

Introduction

Goals of a Vendor Audit or Investigation

There are many reasons to perform vendor and supplier audits. The industry in which a business operates, the goods and services it delivers, and the type of regulatory compliance requirements it faces are just a few factors that increase the risk of doing business with others. And where there is increased risk, there can be fraud, waste, and abuse.

The four primary reasons to conduct audits of vendors and suppliers are to:
- Ensure compliance with policies, procedures, rules, regulations, and legal requirements.
- Identify conflicts of interests or other fraudulent activities or to investigate allegations of wrongdoing.
- Determine if billings are accurate and in compliance with contract terms.
- Ensure that the goods and services that were purchased were actually received.

Why Vendor Audits?

Most organizations rely on vendors and suppliers to supply goods and services needed to develop and produce other goods and services or to facilitate business operations. It typically makes good business sense to use contracted vendors and suppliers when they can provide the necessary goods or services at a cheaper price, with better quality, or with specialized expertise.

In a vendor-customer relationship, a contract is usually executed to serve as the formal documented agreement between the two parties. Unfortunately, simply having a contract in place does not ensure that a vendor will
invoice the customer at the agreed rates, deliver the correct quantity or quality of materials, or perform the necessary activities required by procedure or law. The pressures, opportunities, and rationalizations that can be catalysts for employee fraud also apply to vendors and suppliers, meaning these organizations cannot always be relied upon to police themselves.

THE SIGNIFICANCE OF VENDOR FRAUD

The data is unfortunately very clear. In the ACFE’s 2012 Report to the Nations on Occupational Fraud and Abuse, corruption and billing schemes—the two types of schemes that most typically involve manipulation of vendor transactions—were two of the top three fraud scheme types in all regions of the world. Billing and corruption schemes also account for some of the highest median fraud losses with billing schemes resulting in a median loss of $100,000 and corruption causing a median loss of $250,000.

Further, many vendor fraud schemes involve an insider at the victim organization—typically an employee in the procurement or purchasing function. While most managers do not want to think that they have untrustworthy employees, the data clearly show that corruption exists and is extremely costly. And the costs do not just include the monetary loss of the scheme; the resulting regulatory costs and fines can dwarf the actual fraud loss. The expansion of the Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, and other bribery and corruption laws and regulations has put the onus on business leaders to be proactive in identifying and preventing fraud, bribery, and corruption, or they will face the consequences. For
example, in 2008, German company Siemens paid an $800 million fine to settle bribery and corruption charges—an amount that does not account for the costs of the investigation, the costs associated with ongoing monitoring required by the U.S. government, or the loss in stockholder value.

OVER-RELIANCE ON THE CONTRACT

The first response to the suggestion of vendor audits is often that they are unnecessary because contracts are in place to safeguard the organization in the event of fraud. While having a contract in place is good practice, there are opportunities for fraud in the development, issuance, and management of contracts, such as:
- Management often does not review contracts before they are issued to look for weaknesses that could allow fraud.
- Developers might already be corrupt when they begin writing contracts.
- Corrupt employees can amend contracts or give verbal exceptions to them.

THE HIGH COST OF AFTER-THE-FACT AUDITS, INVESTIGATIONS, AND LEGAL INVOLVEMENT

Unfortunately, once funds have been paid to an unscrupulous vendor, it can be extremely difficult and costly to get them back, even with a contract in place. Further, waiting until an issue materializes can be more costly than the actual errors or fraud. Indirect costs can involve:
- Recovery constraints
- Operational costs
- Audit and investigation costs
- Legal costs

Fraud prevention strategies and ongoing, proactive vendor audits can significantly reduce an organization’s fraud risk and general overbilling issues. A continuous, well-communicated program can also improve vendor and supplier relationships and help them understand what management expects from their billings and supporting documentation.

The Importance of Effective Contract Language and How It Supports Future Audits

Drafting sound contracts is best left to procurement and legal experts who have the expertise. However, auditors and investigators should have a role in crafting and reviewing the language before contracts are issued. After all, auditors and investigators are called upon to use the contracts to verify compliance and recover funds if necessary. The contract terms, conditions, and expectations affect the planning, execution, and resolution of a consequent vendor audit. In some instances, what is not included in the contract can be just as important and contentious as what is included.

How Contract Language and Expectations Can Actually Facilitate Overbilling

Most contracts are written and implemented by attorneys and procurement professionals. Operations or management might also play a part by setting scope, price, and other conditions. When multiple people with vastly different responsibilities and agendas are involved in crafting a contract, it is easy for gaps and holes to find their way into the language, which can facilitate overbilling. Most personnel involved in contract development do not think about fraud or the difficulties of auditing the vendor at a later date.

Take, for example, a per diem paid to contract employees. The contract stated: “Per diem will be paid at a sum of $70 per employee.” This was the only language in the contract regarding per diems. The obvious expectation was that each contract employee who puts in a full day’s work received $70 a day to pay for meals, lodging, and so forth. But did the contract language actually say that?

An audit of the vendor’s payroll revealed that employees only earned $45 per diem, allowing the vendor to make an extra $25 per day, per employee as pure profit. What rights would the organization have in recovering the additional $25 per employee per day? What recourse would it have when employees who worked less than a full day were also granted per diem costs?

Another example is travel time. One contract stated, “Travel time will only be paid for travel from the staging area to the jobsite, which shall not be farther than 15 miles from one another.” Yet nowhere in the contract were the jobsite or staging area locations identified. There was no language requiring the inclusion of staging and jobsite locations on timesheets, and—even worse—the billing clerk who received the invoices and timesheets was unaware of the travel-time requirement. The vendor company’s management was not held to the contract requirements, so they had the employees and equipment return to the office each night, resulting in two hours of travel time (one hour each way).

A final example of this premise involves meals and break times. The expectation is that, for the most part, workers will take a break or a meal break during the
course of a day. But a contract simply stipulated that “time taken for meals or breaks will be deemed as unproductive time and un-billable.” The language did not say that breaks or meals had to be taken, or for how long. On the submitted timesheets, all the employees and pieces of equipment were listed as in service from 8 a.m. to 6 p.m., resulting in ten hours of billable time. When management asked why there were no meals or breaks, the foreman said the crew opted to take their meals and breaks at the end of the shift.

The auditor for the contracting organization had to prove if lunches and breaks were taken at the end of the day, or if the vendor’s employees actually took breaks but coded them as productive time.

These three examples highlight how assumptions and poorly defined contract terms can leave situations open for interpretation, to the point of facilitating overbilling.

Assessing If Vendor Audits Are a Viable Option

One of the biggest mistakes management can make is to begin conducting a vendor audit before assessing whether it is even a viable option. Just because a contract exists does not mean that conducting an audit is appropriate. Consider the following to determine the viability of a vendor audit:
- Are the signed and executed contracts available?
- Are there any change orders or verbal addendums? If so, what do they say?
- Does management have its supporting documentation?
- Does an adequate audit clause exist?

Crafting an Effective Audit Clause

Not all audit clauses are created equal. And just because a contract contains a few sentences in a section titled “Right to Audit” does not mean that the related vendor audit will be
straightforward—or effective. The following considerations should be fully explored and incorporated, where appropriate, for each vendor contract and audit clause before the contract is issued.

Boilerplate or Dynamic Audit Clause Language

Boilerplate contract language was designed by attorneys and procurement professionals to set standard contract terms and speed up the contracting process for procurement personnel. The problem is that auditing and investigating fraud, waste, and abuse is a dynamic—and very rarely standard—process. Yet in many organizations, boilerplate audit clauses are attached to every contract, indiscriminate of the goods or services being delivered.

Take, for example, a concrete supplier and fabricator with two contracts with a large IT infrastructure company. The first contract is for $15,000 for overlaying a parking lot. The second contract is for $10 million of hardened concrete as part of a disaster recovery facility. These two contracts, while both involving the same concrete supplier, are worlds apart when it comes to the services, dollar amounts, risk, and potential liabilities. And because they are different and have their own unique challenges and expectations, the audit clauses for each contract should reflect the specifics of the agreement. Applying the same boilerplate audit clause used in the smaller contract to the larger contract could severely derail certain audit initiatives if the disaster recovery facility were to balloon in cost to $20 million or suffer catastrophic leaks due to faulty concrete fabrication.

In contrast, dynamic audit clauses are designed based on the various conditions of individual contracts (e.g.,
contract type, contract amount, geography, time constraints, the use of inferior substitute materials, the percentage involvement of subcontractors, etc.). The inclusion or exclusion of such conditions affects management’s right to exercise an audit at a later date.

This does not mean that every audit clause in every contract must be built from the ground up (a practice that would be cost prohibitive and inefficient). However, implementing a process with a dynamic nature allows the proper internal personnel (internal audit, compliance, investigations, etc.) to evaluate boilerplate language against the draft contract terms, and anti-fraud experts can adjust the language to address considerations such as:
- Where could fraud, waste, and abuse occur in this agreement given the contract variables and conditions?
- What additional documentation and expectations should be required of the vendor?
- Where could the vendor employ delay or confusion tactics and resist or cloud the audit?
- Does the current audit clause address all of management’s concerns?
- What improvements can be made to the audit clause language to strengthen company rights?

Term Definitions

Contracts are supposed to standardize the agreements and expectations of the involved parties. However, in reality, the contracting organization’s definition of a word might be completely different than the vendor’s. The audit clause is such an important piece of the contract language, it is surprising that many audit clause stipulations and expectations are not properly defined. This leaves an enormous amount of room for both parties to define terms in ways that benefit them. For
example, many audit clauses use the words audit, inspect, examine, review, and analyze interchangeably. But these terms do not convey the same meanings or expectations. A vendor trying to avoid an audit can use vague wording in a contract to fight the organization’s ability to enforce the clause.

Audit Period

One of the most important rights asserted under the audit clause is the amount of time that the contracting organization can go back and audit the billings. Many boilerplate audit clauses have a fixed period of one to three years, but this timeframe is not suited to all contracts.

Take, for example, the expansion of a major airport. Construction costs might exceed several hundreds of millions of dollars and the construction time could exceed five to seven years. If a one-year audit period is included in the primary contract, the airport has essentially given up a large majority of its auditing rights unless it routinely conducts audits of all of the vendors every year throughout construction. Typically, vendors will not be audited until allegations arise or construction costs and delays increase significantly. In this scenario, a one-year time limit might not be long enough for the airport to fully investigate their concerns.

However, the contract can be amended to extend the right to audit and place more emphasis on the higher risk areas. A stratified system of audit periods can be designed based on estimates of how much each contractor will spend. For example, vendors accounting for the lowest level of cost could have one-year audit clauses, while the vendors with the highest billings
might have audit periods that cover the full contract engagement. Regardless of the strategy or methodology, an arbitrary audit period might look good on paper, but it does not fully protect the rights of the hiring organization.

Audit Notification

During the contract-writing phase, it can be difficult to envision how an audit clause will be executed in the future. Some audit clauses stipulate that the vendor will be notified in advance of an audit. Other clauses completely omit notification requirements, which causes both parties to make assumptions. Some contracts state that surprise audits are permitted or that no notification is needed for staff to visit the site. The inclusion or exclusion of notification language affects the audit process.

PLANNED AUDITS

It could be necessary to include language stipulating a wait period between the notification and the onsite audit. The contracting organization might need to review receipts or travel to the site, the vendor might have periods where it is unavailable for an audit, or a two-week notice might be inserted simply to maintain good vendor relations. A waiting period should not cause concern regarding most vendors; however, a vendor that is falsifying invoices or bribing a procurement employee can use this notification period to conceal, destroy, or fabricate supporting documentation.

SURPRISE AUDITS

Surprise audits are excellent for identifying and assessing processes. Such audits do not allow time to prepare employees; alter documentation; or
fabricate, destroy, or conceal other evidence of wrongdoing. Unfortunately, some vendors will object to allowing surprise audits in contracts.

If there have been significant problems with vendors in the past, their contracts must include language allowing surprise audits. If the vendor wants the organization’s business badly enough, it will have no other option than to comply. Additionally, if the surprise audits are included in the audit clause, they must be performed. This shows that the organization’s management is willing to exercise the audit clause, and it makes vendors more hesitant to deviate in services or falsify billings.

Terms of Invoice and Payment Reviews

One of the core items of the audit clause is that management reserves the right to review all billings against the contract terms and conditions. But in the terms of the audit clause, who is management? Is it the frontline supervisor, the regional manager, or the internal audit director? This is a very important distinction that must be made and communicated internally. Organizations can find themselves in sticky situations when a diligent frontline manager routinely refers to his review of the invoices as an audit or, worse, as exercising the audit rights of the contract. This can complicate matters when internal audit is called on at a later date to perform a true audit of the billings, only to be told by the vendor that they were already audited.

Language that attempts to couch a frontline management review as an audit, or that indicates that
the field review constitutes final approval of the accuracy of the invoices, should be discouraged and additional compensating contract language should be considered.

EXAMPLE

Field review, approval, and payment will not legitimize obvious errors or omissions in billings or invoices. Such discrepancies, if identified, whether after payment or during an audit, will be held to the contract terms and expectations as they are written or understood.

TIME PERMITTED TO REVIEW INVOICES

Limiting the contracting organization’s time to review statements might be an attempt by vendors to circumvent the audit process, or at least to give themselves an out if audited. Such language typically states, “The owner has 15 days to review and dispute any charges or items on the invoice. After such time, the invoice is considered accurate and approved.” This restriction is a fallback position taken by a vendor who is confronted with a billing issue or a request to audit and could be the first hurdle an organization’s management has to overcome without involving legal counsel and filing suit. It is important that statements referring to timely review and payment stick to just that—review and payment. It should be made clear that review and payment does not forgo audit rights or limit recovery for billings and errors that are contrary to the nature and spirit of the contract terms.

Terms Regarding Supporting Records and Documentation

FORMAT OF RECORDS

Are supporting records kept in paper or plastic (digital media) format? A paper-based audit can be extremely time consuming and costly. Unscrupulous vendors know that it is more difficult to identify errors and discrepancies in boxes and boxes of records than in an automated system. A significantly large paper-based audit might deter an audit altogether.

If the contract requires the vendor to maintain electronic documents, the terms need to be clearly defined. For example, there is a huge difference between having payroll data in an Excel file and having 10,000 poorly scanned PDFs. Both are technically in an electronic format, but the latter will be time consuming and possibly inadequate.

Additionally, proprietary accounting systems, outdated storage media, and software programs that no one knows how to use can limit access to electronic files. Some data systems were designed to allow exports only by the firm that designed the programs; the vendor can run some canned reports but not fully access the data. On the extreme end, so
