Business Intelligence: Don’t fly blind

The Fraud Vulnerability Assessment:
Making your supply chain security best in class


The Fraud Vulnerability Assessment:Making your supply chain securitybest in class

Supply chains get squeezed by two fraud pincers in a downturn. On the one hand, almost everyone – including executives, employees, customers, and those working for suppliers and service providers – will be facing a worsened financial situation. Some will be in great distress, and of these a certain number inevitably turn to fraud. In other words, the number of people with motive increases. As for opportunity, the supply chain is a favorite target. According to the recent Kroll Global Fraud Report, theft of physical assets is consistently the most widespread fraud-related problem. In 2008, before the financial meltdown began, 37% of companies said they had suffered from this over the preceding three years, including 50% who had weakened their internal controls – another unfortunate temptation in uncertain times. These two factors can combine in a painful way: protecting supply chains should accordingly rise up the list of priorities.

You may, however, think you are doing enough. C-TPAT, FAST, TAPA, CSI, AMR, ACI, ACFE, ASIS – if you are in the supply chain operations or security business, you know what all of these acronyms stand for and how they affect your business. If not, rest assured, someone in your operation does and you do not need to worry about all of them all of the time. In essence, they are standards and organizations that promulgate guidelines to help ensure the security of shipments and cargo, ease smooth transactions with U.S. Customs, identify security standards, and so forth. They provide companies with innumerable benefits.

What they do not do, however, is provide a comprehensive security or fraud prevention program. Just because a company follows best practices in security – or even scores extremely highly in a standardized, industry group security audit – does not mean that it is protected from fraud as well as it could be. As internal auditors of public companies will tell you, even though companies are Sarbanes-Oxley compliant, they still experience internal fraud and have to work hard to uncover it.

Doing well on audits of security programs – audits that are not customized but put out as guidelines – provides a false sense of security. Access control systems, cameras, guards, fences, fraud detection units, and other such wise investments, if not properly deployed and monitored, may simply use up critical capital dollars in areas that only appear to be keeping assets safe.

Each component of the supply chain has its own unique risks [see Figure 1]. By conducting a Fraud Vulnerability Assessment (FVA), an organization can identify these and implement controls that help prevent fraud. Once controls are in place, data mining and exception reporting can assist with ongoing monitoring. Combining this with the physical security practices listed above will truly help reduce the risks which an organization faces.

When conducting an FVA, a committee – with representatives from HR, Finance, Logistics, Internal Audit, Security, IT, Risk Management, and any other area of concern – should delve into the company’s operations, looking for vulnerabilities to theft or fraud. Specifically, the group should ask, “If we wanted to steal from this company, how could we do it?” Once these “ways to steal” are identified, it should then ask, “What would stop us?” It is critical that each response to the latter question is well thought-through and challenged at every level. Often, the committee will identify physical security procedures as the existing defense against fraud. If, though, the reply to the second question is something like “it’s against policy”, much work needs to be done. All too often, managers rely on policies and procedures to make certain that things work properly. These, on their own, cannot completely ensure that everything is done honestly.

In reviewing operations in depth, the number of questions one could ask for each area identified in Figure 1 is immense. Figure 2 includes a small sample of what might be asked when looking at the supplier selection process. There could be many more. When we conduct brainstorming sessions with project leaders or committees, it is always amazing how many areas of opportunity we find.

In such a process, when we have a question where we do not know the answer, the best strategy is “let’s see what happens if we do it.” This is the easiest way to observe the points of vulnerability and breakdowns in controls. Most of the time, minor adjustments to existing internal controls are all that is needed to remove the vulnerability. Sometimes, though, it requires that processes be completely changed, updated, or monitored in ways that the organization had not considered. In other cases, process change may be too cumbersome or expensive. If so, the process will have to be watched and policed to ensure the risk is minimized. That is where data mining and exception reporting come in.

FIGURE 2

A few questions to consider when looking at the supplier selection process

  • Can a vendor be single-sourced?
  • What is the procurement process? Can a manager easily set up a new vendor?
  • Do we benchmark our rates to see if we are getting the best prices?
  • Does someone outside of the business unit review the vendor performance and compliance with contract terms?
  • Do we know that our managers couldn’t send business to a related party?
  • Do we have anyone that always insists on dealing with a certain vendor or only travels when it is related to X?
  • Have we ever asked suppliers who were not selected if they were treated fairly?
  • Do we conduct due diligence on new suppliers? If so, is it done by the people that selected them?
  • Do we check to see if any of our personnel have any financial interest in other companies that may be directly or indirectly working with us?
  • Do we review expense reports for patterns of excessive meetings, events, meals, or other dealings with suppliers?
  • Do our employees certify on an annual basis that they have no conflicts of interest and have not accepted any gifts from suppliers?
  • Do our suppliers have access to our confidential hotline so that they can report any inappropriate behavior by our employees?


An example shows how the steps of an FVA work. In looking at the packaging and shipping operation, the brainstorming team members might ask “How could I ship something small out of here?” After considering the matter, they figure that if someone fills out a manual airbill – as is sometimes necessary – and then places a package on the pallet for outgoing items when no one is watching, chances are that FedEx would take it.

The team then tests the idea, and it works. Knowing that it couldn’t eliminate the need for manual airbills, the team implements a procedure so that FedEx cannot take any package with a manual airbill unless approved by the small pack manager. Just to ensure that the manager couldn’t exploit the system, the team implements another procedure whereby a supervisor randomly pulls a daily report from the FedEx terminal and conducts a matching count of all of the small packs going out that day.

The latter is not something that could be done every day, but it raises awareness and reduces the risk of anyone being tempted to use this way to steal. Data mining and exception reporting could be utilized as well. One could, for example, compare all addresses shipped to by FedEx with customer addresses. Any anomalies could be reported as exceptions.
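The two monitoring controls described above (the manager approval required for manual airbills and the comparison of shipped-to addresses against customer addresses) can be turned into a daily exception report. The following is an added illustration, not code from Kroll or from the original paper; the shipment records, customer master and approval log are constructed sample data, and the address normalization rules are a simplifying assumption rather than a production-grade address matcher.

```python
"""Daily exception report for outbound small packages.

Added example (not from the original paper). Reconciles a day's carrier
terminal export against (a) the customer address master and (b) the log
of manual airbills approved by the small-pack manager, and reports every
shipment that fails either check as an exception for review.
"""
import re

# Constructed sample data: the customer address master.
CUSTOMER_ADDRESSES = [
    "100 Main Street, Suite 200, Springfield, IL 62701",
    "42 Industrial Pkwy, Dayton, OH 45402",
]

# Constructed sample data: manual airbills approved by the small-pack manager today.
APPROVED_MANUAL_AIRBILLS = {"AB-1001"}

# Constructed sample data: today's carrier terminal export.
SHIPMENTS = [
    {"airbill": "AB-1001", "manual": True,  "dest": "100 Main St, Ste 200, Springfield, IL 62701"},
    {"airbill": "AB-1002", "manual": False, "dest": "42 Industrial Parkway, Dayton, OH 45402"},
    {"airbill": "AB-1003", "manual": True,  "dest": "7 Elm Ave, Apt 3, Springfield, IL 62704"},
    {"airbill": "AB-1004", "manual": False, "dest": "9 Oak Lane, Peoria, IL 61602"},
]

# Assumed abbreviation table so "Street" and "St" compare equal.
_ABBREV = {
    "street": "st", "suite": "ste", "parkway": "pkwy",
    "avenue": "ave", "lane": "ln", "road": "rd", "apartment": "apt",
}


def normalize_address(addr: str) -> str:
    """Canonicalise an address so formatting differences cannot hide a match.

    Lower-cases, strips punctuation, collapses whitespace and expands the
    abbreviation table; a real deployment would use a proper address parser.
    """
    tokens = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def build_exceptions(shipments, customer_addresses, approved_airbills):
    """Return the shipments that fail one or both monitoring controls.

    Each exception carries every reason it was flagged, so a reviewer sees
    at once whether a package was merely going to an unknown address or
    also bypassed the manager approval for manual airbills.
    """
    known = {normalize_address(a) for a in customer_addresses}
    exceptions = []
    for s in shipments:
        reasons = []
        if normalize_address(s["dest"]) not in known:
            reasons.append("destination not in customer master")
        if s["manual"] and s["airbill"] not in approved_airbills:
            reasons.append("manual airbill without manager approval")
        if reasons:
            exceptions.append({"airbill": s["airbill"], "dest": s["dest"], "reasons": reasons})
    return exceptions


if __name__ == "__main__":
    for e in build_exceptions(SHIPMENTS, CUSTOMER_ADDRESSES, APPROVED_MANUAL_AIRBILLS):
        print(f"{e['airbill']}  {e['dest']}")
        for r in e["reasons"]:
            print(f"    - {r}")
```

With the sample data, AB-1001 and AB-1002 pass both checks; AB-1003 is flagged twice (unknown destination and an unapproved manual airbill) and AB-1004 once (unknown destination). The report is deliberately noisy in the direction of false positives: an address that is merely formatted differently from the master is a review item, not a loss, whereas an address the matcher silently accepts could be.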

This is just a simple illustration of conducting and acting on an FVA, but it shows how the process could be used to identify the largest of fraudulent schemes. Think like a thief and your only limitation will be your imagination.

Summary

Even with the best security, certain employees – under more financial stress than ever – will identify and exploit vulnerabilities in the supply chain. Companies cannot rely on traditional security measures alone. They must identify their risks, evaluate their processes, and think like thieves to expose the true weaknesses within their organizations. Conducting in-depth fraud vulnerability assessments, and raising the risks for anyone tempted to steal, are absolutely essential.

Time frame to complete

FVAs generally take 4 - 6 weeks to complete based on the size, geographic location(s) and number of facilities.

Cost considerations

FVA reports range from US$25,000 to US$75,000.

Advantages

FVAs identify exposure and provide real-time solutions for protecting the assets of the organization.

Risks

Unrecognized ongoing fraud and loss of margin.



John Brocar is an Associate Managing Director in Chicago and can be contacted on +1 312 681 1500 or .