Heads of Internal Audit will have built up considerable knowledge of fraud risks and the key controls that need to be put into place to prevent, detect and respond to fraud. Payment processes and the required controls are well understood by most in the profession and an organisation with an established internal audit function is likely to have had its payment controls reviewed regularly and anti-fraud measures implemented.
The challenge remains that fraudulent activity is constantly evolving and becoming ever more sophisticated as fraudsters look to exploit weaknesses in payment processes and to encourage individuals within the business to depart from the control framework.
Payment process control vulnerability
Payment processes rely on two principal controls. Firstly, the payee bank account details - and any subsequent changes to them - need to be verified and accurately recorded. Payment approval must then be provided by at least one authorised individual. The primary focus of the payment approval control is to confirm that the transaction is within budget and is undertaken on behalf of the business only by those authorised to do so. Those performing this control will expect the payee details to have already been checked. Fraudsters look to exploit this by inducing changes to the payee (supplier) bank account details without proper verification. Weaknesses in control over supplier bank account details therefore leave a business very exposed.
For organisations that use CHAPS or Faster Payments frequently, the fraud risk is higher. Transactions are cleared on the same day that they are initiated, limiting the opportunity for the transfer of funds to be stopped and the account frozen by the bank if the fraud is spotted at the last minute.
Current payment fraud techniques
Payment fraud investigations undertaken by BDO recently indicate that this vulnerability in payment process controls is being actively targeted by fraudsters, with widespread use of social engineering techniques to obtain information about the target organisation and its suppliers and to build trust with the employees they intend to dupe.
Firstly, research is being undertaken by fraudsters using information readily available on the Internet. Industry sector websites typically announce details of major contract awards, naming the contracting party and the principal contractor. This often includes details of the lead managers for the contract, the timing of the contract and the nature of works involved or services provided.
Company websites or a simple Google search provide information about the senior management team members, their contact details and email addresses. Social media applications such as LinkedIn enable the members of the Purchasing team and the Finance team of each organisation to be easily identified.
Following on from the research, the fraudsters send phishing emails to employees of the supplier with a view to obtaining the template of an official email from the organisation. All that is needed is for one employee to respond and the fraudsters have an exact copy of a plausible email template.
Using a fake email ID (in the name of a real individual employed by the supplier) the fraudsters contact the Accounts Payable team of the target company through a series of emails. Less experienced members of the team, such as AP clerks, are usually targeted. Without careful review, these emails appear to come from the supplier and a member of its Finance team, since they mirror the correct supplier company email format and the sender appears to be a bona fide supplier employee. At this stage the email content is aimed at collecting useful information about the organisation’s supplier payment processes, obtaining copies of recent invoices and building trust with the employee. Once sufficient information has been collected, the fraud attempt begins with a request for details of the process for changing supplier bank account details. Armed with the correct process to be followed, the fraudster then submits a change request exactly in line with its requirements. Because the request is only made after an extended exchange of emails, it now comes from a source the employee recognises and trusts, and the employee is more likely simply to process the change without question.
The exchange of emails is then continued, following up the request for a change to the supplier bank account details before the bogus invoices are submitted. Having requested and obtained previous supplier invoices from the AP clerk (or from the supplier if this is easier), the fraudster simply submits similar forged invoices but with the bank account payment details changed to the false bank account.
In the cases we investigated where these fraud techniques were successful, a number of payment system controls failed. Firstly, the supplier bank account details were changed to the false bank account number without the change being properly validated, and the bogus emails from the fraudster were accepted as having come from a trusted source. Secondly, the payment was approved, as required, by two authorised individuals. However, since the invoice appeared to come from the supplier and was for an amount expected to be due, both individuals responsible for authorisation approved the payment, relying on the Accounts Payable team to have already carried out the control checks confirming that the bank account to which the payment was being made was correct.
By selecting CHAPS or Faster Payments as the preferred method of payment, the fraudsters limited the opportunity for the bank to take action, had it been alerted to the fraud before the payment cleared.
How should Heads of Internal Audit respond?
To be able to support management in implementing an effective anti-fraud control framework and prevent the fraud techniques outlined above from succeeding, Heads of Internal Audit need to ensure that they keep up to date with current fraud techniques and trends. Good sources of information include Action Fraud – the UK’s national fraud reporting centre, UK Finance – the trade association for UK banking and Financial Services and CIFAS – the UK fraud prevention service. Other useful resources are the reports and newsletters on fraud matters that are freely available from accountancy and fraud professionals.
Regular reviews of payment process controls are likely to already be included within the internal audit strategy. The testing approach to these important reviews needs to be updated each time they are undertaken to ensure current fraud techniques and scenarios are considered. Needless to say, controls over changes to supplier bank account details must be tested in depth and the potential for these being bypassed evaluated carefully.
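As an added audit-analytics example (not from the original article or BDO), the following Python flags payments that follow a recent change to the payee's bank details where the change was not confirmed by an independent call-back, was requested from an email domain other than the supplier's registered one, or was followed by a same-day payment method; all supplier ids, domains, dates and records are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class BankDetailChange:
    supplier_id: str
    changed_on: date
    requested_by_email: str     # address the change request arrived from
    verified_by_callback: bool  # confirmed by phone on a number held on file, not one in the email

@dataclass
class Payment:
    payment_id: str
    supplier_id: str
    paid_on: date
    method: str                 # "BACS", "CHAPS" or "FASTER_PAYMENTS"

# Constructed sample data: registered supplier email domains (hypothetical),
# a supplier master file change log and a payment run extract.
SUPPLIER_DOMAINS = {"S001": "acme-build.example", "S002": "northern-steel.example"}
SAMPLE_CHANGES = [
    BankDetailChange("S001", date(2019, 7, 10), "j.smith@acme-build.example", True),
    # Lookalike domain, and the AP clerk never called the supplier back.
    BankDetailChange("S002", date(2019, 7, 22), "accounts@northern-steel-ltd.example", False),
]
SAMPLE_PAYMENTS = [
    Payment("P100", "S001", date(2019, 7, 25), "BACS"),
    Payment("P101", "S002", date(2019, 7, 29), "CHAPS"),
    Payment("P102", "S002", date(2019, 3, 1), "BACS"),  # pre-dates the change, so not in scope
]
SAME_DAY_METHODS = {"CHAPS", "FASTER_PAYMENTS"}

def flag_payments(payments, changes, window_days=30):
    """Return [(payment_id, [reasons])] for payments made within window_days after a bank detail change."""
    findings = []
    for p in payments:
        reasons = []
        recent = [c for c in changes if c.supplier_id == p.supplier_id
                  and 0 <= (p.paid_on - c.changed_on).days <= window_days]
        for c in recent:
            if not c.verified_by_callback:
                reasons.append(f"bank details changed on {c.changed_on} without independent call-back")
            domain = c.requested_by_email.rsplit("@", 1)[-1].lower()
            if domain != SUPPLIER_DOMAINS.get(c.supplier_id):
                reasons.append(f"change requested from '{domain}', not the supplier's registered domain")
        if recent and p.method in SAME_DAY_METHODS:
            reasons.append(f"same-day method {p.method} used shortly after a bank detail change")
        if reasons:
            findings.append((p.payment_id, reasons))
    return findings
```

A spoofed address on the supplier's genuine domain would pass the domain check, so the missing call-back is the finding that matters most.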
Finally, Heads of Internal Audit should look at the training of the Finance team – the first line of defence against fraud. Where it does not already do so, team training should include updates on fraud trends and the approaches favoured by fraudsters, including social engineering techniques and key risk points such as summer holidays, when more experienced team members may be on leave. In view of their expertise, Heads of Internal Audit may consider providing this training themselves, raising awareness of fraud risks and the importance of controls and ensuring that the Finance team remains alert to the potential threats.