Value and Opportunity: An Executive Guide to Procurement Integrity
By Robert Morison, JEN DUNHAM, Laurent Colombant, Jan 13, 2021
Procurement Integrity (PI) represents a broader problem and bigger opportunity than most businesses recognize.
Comprehensive PI programs continuously validate purchasing transactions, using data and analytics to trace patterns, spot anomalies, and reduce fraud, waste, and abuse. The problems uncovered range from occasional opportunistic fraud to ongoing organized fraud, from duplicate invoices and other improper payments to regular kickbacks, from conflicts of interest to ongoing collusion with suppliers. Continuous monitoring of anomalies in procurement and supplier due diligence processes reveal potential problems, including data issues and process breaches, and help focus the efforts of audit and other investigative staff.
PI programs also incorporate supplier integrity, both the initial onboarding of new suppliers for reliability and compliance, and ongoing supplier monitoring to detect non-compliance with legal and ethical business standards. Where do suppliers operate – in places where bribes and kickbacks are common? What kinds of workers do they employ – and are workers, perhaps children, being exploited? Who owns them and benefits from their operations (directly or indirectly) – and can the ultimate ownership even be determined? How are these suppliers interconnected – and are they operating in the customers’ interests? Do any employees have any undeclared interests in those suppliers?
These questions are asked in supplier onboarding checklists and interviews, but typically not verified systematically with external data. And organizations are less adept at monitoring those questions continuously, in case the initial answers turn out false or suppliers fall out of compliance. Detecting ongoing patterns and variations in supplier behavior protects compliance and reduces supply chain risk.
In the course of doing transaction validation and supplier monitoring well, PI programs also uncover opportunities to improve the efficiency and effectiveness of the end-to-end procurement process, including by finding and closing gaps in controls. Supplier selection, requests for quotes, contracts, orders, deliveries (full or partial, as specified or substitutes), quality checks, payments, and credits – procurement processes are complex and often spread across multiple information systems. Fraudsters exploit that complexity, and PI finds ways to improve processes, tighten controls, and thwart them.
“Procurement fraud is notoriously difficult to detect and investigate, because it takes so many forms and can be driven by any number of actors, internal or external, at any point in the procurement life cycle. Manual detection is futile. Only the right combination of advanced analytic techniques can arm large organizations to battle the fraudsters.”
Mickey North Rizza, Program Vice President of the Enterprise Applications & Digital Commerce Research Practice at IDC
Think about PI as the necessary process control layer that sits atop and goes beyond the controls built into purchasing, finance and ERP systems. Those systems are designed to execute transactions within the bounds of known business rules, but not to detect new patterns and spot anomalies across transactions, including behaviors of insiders who know the systems, processes, and controls – and how to game them. One of the biggest barriers to detecting internal fraud is people’s natural trust of their colleagues. Over half of all financial fraudsters are employees.1 The remedy is objective controls, and trust doesn’t exclude controls.
In short, the objectives of PI are not only to improve audits and controls to detect fraud and supplier non-compliance, but also to use ever-improving data and analytics to improve the procurement process, prevent fraud, improve governance, and lower supply chain risk. Realizing those objectives can generate enormous financial value for the enterprise.
The Procurement Integrity Value Proposition
How great is that value? It can be difficult to measure because so much procurement fraud and non-compliant supplier behavior go undetected, or sometimes detected but unacknowledged or simply not accounted for. Two-thirds of companies surveyed perform supplier checks only quarterly or even less frequently. One-third don’t know how much they lose to procurement fraud each year, and many are unaware of their exposure until after something big and bad has happened.
The Association of Certified Fraud Examiners (ACFE) estimates that organizations lose on average 4-5 percent of revenue to fraud annually.2 A University of Portsmouth study finds procurement fraud in the U.K. in the same range at just under 5 percent of spend.3 In a large enterprise, that’s a lot of money. And in organizations that make a concerted effort to measure their losses, the percentage is often higher. One government institution estimated losses at over $300 million across several years. A public utility identified 600 employees with active interests in suppliers. A bank discovered 120,000 cases of double invoicing and 40 cases of direct supplier collusion. Not all fraud and other misbehavior will be caught, of course, but preventing or recapturing just 20-25 percent of it can have significant bottom-line impact.
At the same time, the sometimes steep penalties for non-compliance can damage the bottom line. The top ten corporate settlements for failure to comply with the U.S. Foreign Corrupt Practices Act total over $13B.4 In a compliance crisis that lasted years, a major telco was fined $965M for paying $331M in bribes and saw its stock price drop by more than 28 percent. In contrast, ethics and integrity earn a market premium. Large companies recognized as the most ethical outperform their industry peers in terms of return on assets and stock price.5
Continuous automated monitoring and analysis of purchasing transactions and suppliers also pays off in terms of both efficiency and timing. Efficiency comes through more accurate detection of instances, with fewer false positives consuming staff effort. Timing is crucial because fraudulent schemes are detected on average 18 months after they begin. Perpetrators often get greedier over time and are detected only when they take greater risks. Earlier and faster detection prevents such prolonged ramp-up of losses. Stopping the fraud after three months saves 15 months or more of accumulating loss.
The Organizational Side of Procurement Integrity
The operation of a PI program may center on organizing disparate data, building and maintaining analytical models, and acting on the insights generated. However, the keys to success are as much organizational as technological or operational.
For starters, someone has to own PI, its challenges and opportunities. But in most enterprises, a variety of groups are responsible for different pieces of the puzzle. Purchasing vets suppliers, established contracts, and executes transactions, while striving for accuracy and efficiency. Finance is safeguarding the bottom line and managing the overall financial risk posture. Risk and Compliance is concerned with supplier integrity (including ethics, bribery, and their regulatory compliance) and the legality of contracts and transactions. Internal Audit reviews procurement activities and finances, finding problems but not responsible for addressing them. External Audit reviews and validates to protect shareholders and further ensure compliance. With so many players, some may choose to keep knowledge of problems to themselves, while others may erroneously assume that other players have the problems covered. A unified and coherent approach is needed.
So who should own the control system that we call PI? A recent survey of more than 2,000 business leaders across 38 countries found that responsibility most often (33 percent of the time) funnels up to the CFO, with the chief procurement officer in second place (23 percent).6 Neither the CFO nor the Procurement Officer is going to focus primarily on PI, so it makes sense to have a direct report do so. Especially when launching a more concerted effort at PI, an enterprise can create a specialized procurement audit group whose leader owns the PI initiative and the responsibility for orchestrating the other stakeholders. Faced with problems of siloed data and organizations, a major U.S. utility chartered such a unit that includes representatives of the major stakeholders, including supply chain, payables, audit/investigations, and purchasing. They chose to have the unit report to internal audit.
With overall ownership and clarity around stakeholders’ responsibilities, all those stakeholders need to play their roles, collaborate, and overcome any local tendencies toward denial or resistance. Fraud, waste, and abuse are sometimes downplayed or overlooked because organizations don’t want to look bad, or people hesitate to question colleagues’ performance, or the anomalies end up in the P&L without any specific underlying cause or reason. And people may resist technological solutions because they don’t want to appear to have underperformed in finding and preventing problems in the past. Fortunately, denial is diminishing as organizations grow more collaborative, transparent, and unified around common objectives. And resistance diminishes as automation and analytics are deployed effectively and businesspeople embrace them as means of focusing their effort and raising their performance, not taking their work away.
Procurement Integrity Capability
Robust PI capability has three hallmarks. First is automation to make PI faster, more thorough, more continuous, and more efficient. In most organizations, the work of monitoring and investigating purchasing activities and suppliers is largely manual and extremely time consuming. The most common means of monitoring the procurement process to detect possible fraud are manual controls (in 50 percent of companies) and business rules (38 percent).7 The monitoring often relies on sampling, so what’s noticed is conditioned (and sometimes biased) by the design of the sample, and investigations are ad hoc, looking into what happens to pop up. Many companies are short-handed in procurement audit staff, even as the data volumes they deal with continue to increase, so supplier audits are infrequent.
The sheer volume of suppliers and transactions demands automation. By automating the initial scanning of purchasing and supplier activities, businesses free investigators from repetitive and low-value tasks, so they can spend more time on higher likelihood cases. Automation enables more, and potentially all, activities to be scanned, not just samples. And it enables organizations to monitor more continuously, not necessarily in real time (as with credit card fraud detection systems), but at a cadence appropriate to the business. As with any information-intensive process, better automation of PI enables more data to be shared and more people to work in parallel. Handoffs are controlled or eliminated, and a complex process is simplified.
Second is analytics. Contemporary analytics, including machine learning and predictive analytics techniques, improve the accuracy of monitoring and anomaly detection, so cases flagged have a higher likelihood of fraud or other misbehavior. Investigators have richer packets of information and better tools for probing the details of cases and the connections among them. Suppliers and employees are scored, and the most risky are prioritized for action. There are fewer false positives, which consume time and energy and discourage investigators, and remaining false positives can be dispensed with more quickly. Patterns and trends in fraudulent activity and supplier behavior become more visible, so actions can be taken to anticipate and head off future cases before they happen.
Analytics can also help with the often formidable challenges of cleaning up and integrating purchasing and supplier data, including resolving the identities of similar entities and deduplicating information about suppliers, employees, products, and other key entities. The resulting data is more accurate, available sooner, and easier to enrich with external data about suppliers and market activity. Analytics can also be used to enhance the quality of ERP data with external data using these matching techniques.
The third hallmark is a continuous and robust feedback loop. Machine learning plays a central role here. The performance of analytical models – the accuracy of output, the false positives rate, the success of investigations and actions taken on the output – is measured and fed back in. Models get smarter over time. Accuracy and speed improve. The overall PI process becomes more efficient and effective.
To sum up, the PI process is complex. Data volumes are enormous. Would-be fraudsters are sophisticated and resourceful. And many organizations are short-handed in skilled investigators. The only way to catch up and get ahead of the game is with automation and analytics working together through continuous feedback.
The COVID-19 Effect
As the COVID-19 pandemic has disrupted businesses worldwide, it has thrown PI into a new light, making it more essential in more industries. PI has long been important to regulated industries with large purchasing spends, including utilities and telcos. But the pandemic is stress testing supply chains across the board. Suppliers close temporarily or go out of business. Transportation and logistics have slowed. Quality control procedures become more crucial than ever. Over-reliance on individual suppliers and overall supply chain risk are exposed. Pharmaceutical and medical supply companies in particular quickly learned about the gaps and risks in their supply chains.
The pandemic has also made retailers more susceptible to fraud on both the purchasing and sales sides of the business. New suppliers and distributors for scarce goods, starting with PPE, have popped up. Many are unreliable, some outright frauds, and supplier integrity procedures have to sort them out in record time. Meanwhile, consumers are spending plenty on retail goods, but their patterns of shopping, purchasing, payment, delivery, and returns have changed dramatically. There’s more browsing and buying online, more home delivery, more shipping from warehouse, more shopping service intermediaries, more combinations like buy online/pick up in store and deliver home/return in store. It’s harder for retailers to track what’s happening, more things can slip through the cracks, and fraudsters are exploiting the weaknesses.
Other industries, including hard-hit ones like travel and hospitality, are looking to save money, be more efficient, and minimize fraud, waste, and abuse. And enterprises of all kinds have shifted employees to working remotely, which means that investigators and other PI staff can’t rely as much on their manual and in-person checks and controls. In all these cases, more automated and analytical PI can reduce losses, increase efficiency, and amplify the capability of remote employees.
The Future of Procurement Integrity
What might the post-pandemic future hold? Enterprises will take action on the supply chain vulnerabilities and new types of fraud exposed during the pandemic. They should learn the general lesson that businesses must be able to use data and technology to transform their strategies, business models, and operations very quickly and on short notice. Their experience and resilience (or lack of) this time should prepare them for the next major business disruption.
Many enterprises will emerge with greater appreciation for the importance and value of continuous and analytical monitoring of business operations of all kinds, including procurement. And greater appreciation for the interconnectedness within their businesses – high performance in times of change requires integrated understanding of how the pieces work together. In the PI space, more organizations should recognize the value and seize the opportunity to make their monitoring and controls more complete and integrated, covering fraud, waste, abuse, risk, and compliance across suppliers, customers, and employees.
Improving Procurement Integrity
The first step in raising PI capability, performance, and value is to start a dialogue and do an assessment. How big are the problems of fraud and the risks of supplier misbehavior? How big are the opportunities to improve? And how good are the data and metrics to answer those questions? It’s the “unknown unknowns” that can do the most damage. So it’s a bad sign if the organization lacks good information on fraud and risk, and a worse sign if people downplay the problems without data to back up their assessment. Benchmarking may be a first step to compare oneself with peers in similar industries.
As you take action to improve PI, assemble the ingredients in due proportion. As discussed, establish ownership of PI and the responsibilities of the many stakeholder participants. You may need coordinated investment in data and actionable analytics. Just as in police work, if you don’t gather and process the evidence correctly, you can’t prosecute.
Along the way, recognize that you’re not alone and that you needn’t go it alone. Enterprises are naturally reticent about their PI problems and missteps and the extent of their losses and exposure, especially with respect to insider fraud and regulatory compliance. But be assured that other organizations inside and outside your industry face similar situations and challenges. The right technology partner can bring the experience of many organizations and industries to bear, and can be invaluable in piloting and testing new systems, proving their value, and rolling them out in ways that keep those key ingredients in proportion.
Finally, keep the big picture in mind. PI is about using automation and analytics to reduce fraud and protect the bottom line. To maintain compliance by lowering supplier risk. To improve the efficiency of the end-to-end procurement process and the supply chain generally. Even more fundamentally, PI is in service of business performance and business continuity. Better PI controls are not an imposition, not additional overhead. Rather, they are tools to improve the work of key individuals, while helping to ensure that the business has the integrity today to keep operating tomorrow. PI protects finances, protects supply, and protects the enterprise.
Marais, Petrus and Ostwalt, Phillip. “Global profiles of the fraudster: Technology enables and weak controls fuel the fraud.” KPMG, May 2016. https://home.kpmg/xx/en/home/insights/2016/05/global-profiles-of-the-fraudster.html ↵
ACFE Report to the Nations: The Average Fraud Costs Companies More Than $1.5 Million.” https://www.acfe.com/press-release.aspx?id=4295010563 ↵
Button, Mark, Gee, Jim, Mothershaw, Nick. “Annual Fraud Indicator 2017: Identifying the cost of fraud to the UK economy.” University of Portsmouth, Crowe Clark Whitehill, Experian, 2017, https://researchportal.port.ac.uk/portal/files/18878333/Annual_Fraud_Indicator_report_1_2017.pdf ↵
Cassin, Harry. “Wall Street bank earns top spot on FCPA Blog top ten list.” The FCPA Blog, October 26, 2020, https://fcpablog.com/2020/10/26/wall-street-bank-earns-top-spot-on-fcpa-blog-top-ten-list/ ↵
Kelly, Matt. “Dissecting the Ethics Premium.” Radical Compliance, March 12, 2019, http://www.radicalcompliance.com/2019/03/12/dissecting-ethics-premium/ ↵
“What Lies Beneath: The Prevalence of and Approaches to Procurement Fraud in Global Business.” SAS, 2020,https://www.sas.com/sas/offers/20/procurement-fraud.html ↵
SAS Digital Procurement Integrity Survey, 2019. Survey of 850 companies in 15 European countries. ↵
About the authors
Robert Morison serves as Lead Faculty with IIA. He is an accomplished researcher, writer, speaker, and management consultant, and an authority on what happens at the intersections of business, technology, and people management. He has been leading breakthrough research for more than 30 years, collaborating with eminent academics, thought leaders, and management innovators. He has written on topics ranging from business innovation, reengineering, and analytics to workforce management, demographics, and retirement.
Bob is coauthor of three books: What Retirees Want: A Holistic View of Life’s Third Age (Wiley, 2020), Analytics at Work: Smarter Decisions, Better Results (Harvard Business Press, 2010), and Workforce Crisis: How to Beat the Coming Shortage of Skills and Talent (Harvard Business Press, 2006). His 2004 Harvard Business Review article, “It’s Time to Retire Retirement,” coauthored with Ken Dychtwald and Tamara Erickson, received a McKinsey Award. He holds an AB from Dartmouth College and an MA from Boston University.
Jen Dunham, Principal Solutions Architect, SAS Institute
As a Principal Solution Specialist and Certified Fraud Examiner (CFE), Jen provides subject matter expertise across the world in addressing various security risks such as Insider Threat, Targeting, Cyber Crime, Threat Intelligence, All-Source (Fusion) Analysis, and similar applications. Other areas of expertise include Occupational Fraud, Procurement Fraud, and Prescription Drug Monitoring Analytics. Having served seven years in Active Duty Army as an Intelligence Analyst, Jen’s contributions have earned her numerous commendations including two Army Commendation Medals, two Army Achievement Medals, a NATO medal, and a Certificate of Appreciation from FBI Director Robert Mueller.
Jen holds a Bachelor of Science Degree in Business Marketing and recently completed the MIT Management Sloan School Executive Program for Artificial Intelligence: Implications for Business Strategy. Residing in the Washington DC area, Jen has been employed with SAS Institute since 2011.
Laurent Colombant, Continuous Monitoring Solution Lead EMEA, SAS Institute
Laurent has been helping customers tackle financial crime using NLP, ML and analytics since 1998. After focusing on sanctions screening, anti-money laundering, payment fraud and terrorist cell financing, he is now working to address continuous compliance and controls for SAS customers. This includes the procure-to pay-process, supplier integrity (KYS), maverick spend, contract compliance and retail shrinkage modus operandi. He’s the EMEA lead for the SAS Continuous Monitoring solution and believes it’s the next to hottest fraud detection solution in the market.
Prior to joining SAS 7 years ago, Laurent worked on sanctions screening and halt of business for Tier 1 banks using lexical AI. He was the General Manager of Cognitive Systems Europe specialized in STP of SWIFT messages. He holds an MBA in Finance from the University of Michigan and a joint degree in linguistics, econometrics and computing from the University of Montreal.