Here is our risk analysis team’s explanation of the quiz results. We hope you find it informative and helpful. If you have a question about this quiz, please call us at 832.663.9634.
Question #1: “Does your business require a written contract for all payments made to vendors, including change orders and other forms of contract/business deal modifications?”
If you answered “No” to this question, you have significant exposure to both internal and external fraud and embezzlement schemes.
Question #2: “If a vendor notifies you that they have changed their business banking relationship and have a new account, which of the following best describes your process that follows? Select all that apply.”
Option 1: “Call the vendor and confirm the bank change information.”
If you would likely take the telephone number listed in the vendor’s notification and call it to confirm the change, you have opened the door to being victimized by a payment diversion fraud scheme.
Option 2: “Review the vendor contract to confirm the vendor’s information is correct.”
If you at least do this, statistics show you cut the loss risk (in dollars and cents) by about half. The bad news is the median payment diversion fraud loss is around $200,000 and takes a median of 14 months to discover.
Option 3: “Ask the vendor if ACH transfers would be better for them because they are more convenient and cost efficient for managing payments and fraud.”
If you routinely take this route you are exposed to false billing fraud and payment diversion fraud. Many businesses falsely assume their bank protects them against this type of fraud only to find out they are solely on the hook and the bank has no responsibility.
Option 4: “Make the required change as requested to expedite future payments.”
Many businesses are too busy, with too much to do and too many people working remotely, to conduct a forensic audit that would stop a payment diversion attempt. This is the most common action and the costliest. If you at least stop doing this as a policy, it’s better than nothing.
Question #3: “If a vendor calls with a payment complaint and forwards you the invoice, contract and supporting email traffic, which of the following selections would apply to your process that follows? Check all that apply.”
Option 1: “Refer the vendor to accounts payable for immediate resolution.”
Criminals rely on this process and will go to the trouble of doing background research to see if your company routinely engages in this process. If you do, this is insane, and you have to stop it as you may have already been victimized and not realized it.
Option 2: “Have management confirm the payment is due.”
This is a good second step: it helps interrupt the “velocity of fraud schemes,” which is critical to mitigation, but it may not serve as prevention. This helps, but it is not foolproof.
Option 3: “Have an executive of the company handle the problem.”
This can help alleviate internal embezzlement schemes and also interrupt an external fraud attempt because the management of the company should be on the ball enough to know who they are doing business with on a routine basis. If this is all you have it is better than nothing, but you still have exposure.
Option 4: “Check the vendor’s contract to make sure the payment is due.”
If you took for granted that the documents attached to the vendor’s email were legit and processed them, you may have already been hit and not even know it. The median time to detection is 24 months for companies with no mitigation plan in place (12 months for companies that have one). Please don’t take their documents for granted.
Option 5: “Obtain an independent confirmation, inspection or other acceptance activity to validate the work was done and the payment is due.”
Fraud mitigation relies heavily on interrupting the “velocity of fraud schemes” and requiring some level of confirmation of performance can at least reduce your risk of false billing fraud losses by almost 50%.
Question #4: “If a vendor submits an invoice as a result of your company authorizing additional or different contract work over the phone, via text or email, which of the following applies? Check all that apply.”
Option 1: “Obtain a copy of the new written agreement, then release payment.”
This helps reduce the external fraud exposure but does not do anything for embezzlement in and of itself. You still don’t know if the vendor performed and you still don’t know if the payment is going to the vendor or a criminal. They count on this and you are exposed.
Option 2: “Obtain proof of delivery, then release the payment.”
This is a great mitigation plan element but leaves open the question of where, and to whom, the payment is really going. This is better than nothing but still incomplete and a way out for criminals.
Option 3: “Reject the payment application.”
If this is your mindset you are on the path of the righteous. “Thou protest too much!” Trust but verify. Emotional pleas are designed to defeat protocols that prevent fraud.
Option 4: “Refer the matter to executive management for review by at least two (2) officers of the company.”
This is a great piece of the prevention pie. Again, if management okays the payment via two (2) separate officers reviewing all of the information, not just the invoice, you have a chance at mitigating a good measure of your exposure to internal fraud and embezzlement. The key is understanding the depth to which it is routinely applied, because in many cases the criminal will already know this information and use it to victimize your company.
Question #5: “Which of the following best describes your accounts payable process? Select only one option.”
Option #1: “Employee in charge of accounts payable receives invoices, processes the invoices and makes payments.”
If this is generally your company’s policy, you have significant fraud and embezzlement exposure to internal and external threats. There may have already been losses and/or an ongoing scheme because there are no checks and balances to prevent them. You have to stop doing this for your own sake.
Option #2: “Employees process invoices and at least two (2) officers of the company approve payments.”
This is the next step up and it’s a good start. Independent checks help catch critical mistakes but are not a guarantee against internal or external payment diversion fraud. You have exposure and need to further refine your approach.
Option #3: “I am a small business and process, approve and pay vendors myself.”
You are in trouble. You don’t have the time, so the small-scale scam is the most likely one to hit you and you are very likely to be repeatedly victimized. Plus, this is expensive as the value of an entrepreneur is their creative process and there is no creativity in paying invoices, just real work that someone else could do if it were affordable.