The Story of Mark, the Procurement Manager Who Knew Too Much
“GlobalCorp Industries,” a large manufacturing firm, prided itself on its streamlined processes. Mark, the Procurement Manager, was a key figure in this efficiency. He had the authority to not only select vendors and negotiate contracts but also to create new vendor profiles in the system and approve invoices for payment. He was a one-stop shop for procurement, and for years, this was seen as a testament to his capability and the trust the company placed in him.
The Danger Lurking in Combined Duties
Mark’s extensive control over the procurement cycle represented a critical SoD violation. He could:
- Initiate Purchases: Identify the need for goods/services.
- Select and Onboard Vendors: Choose who the company does business with and add them to the payment system.
- Approve Invoices: Authorize payments to these vendors.
This trifecta of responsibilities is a classic setup for procurement fraud.
The Scheme Unfolds: Payments to Nowhere
Mark began subtly. He created a fictitious vendor, “Apex Supplies,” complete with a convincing (but fake) backstory and a bank account he controlled. He then started generating purchase orders for Apex Supplies for non-existent goods or services. Since he could also approve the invoices, these fraudulent requests sailed through the system. Payments were duly made to Apex Supplies, which meant directly into Mark’s personal account. He even went so far as to manipulate entries to make it appear as though legitimate vendors were being paid, covering his tracks.
The Ripple Effect of Unchecked Authority
The consequences for GlobalCorp were severe:
- Significant Financial Losses: Millions were siphoned off over several years through these fraudulent payments.
- Compromised Financial Integrity: The company’s expenses were inflated, and its financial statements were misleading.
- Operational Disruptions (Potentially): If Mark had been creating purchase orders for actual goods that were never delivered (but paid for), it could have led to production delays or shortages.
- Erosion of Internal Trust: The discovery of such a long-running fraud by a trusted manager can have a devastating impact on company morale.
- Regulatory Scrutiny: This type of internal control failure can attract the attention of auditors and regulatory bodies, potentially leading to fines and sanctions.
The Fix: Dividing Procurement Responsibilities
To prevent such scenarios, GlobalCorp needed to implement robust SoD in its procurement process:
- Separate Vendor Creation and Maintenance: The responsibility for creating and modifying vendor master files should be separate from those who can initiate purchases or approve invoices. This should ideally be handled by a centralized finance or vendor management team.
- Independent Purchase Requisition and Approval: The person requesting a purchase should not be the same person who approves it, especially for high-value orders.
- Segregate Invoice Processing and Payment Authorization: The individual who processes an incoming invoice (matching it to a purchase order and goods receipt) should be different from the person who authorizes the payment.
- Three-Way Matching: Implement a strict three-way matching process – comparing the purchase order, goods receipt note, and vendor invoice before any payment is approved.
- Regular Vendor Audits: Periodically review the vendor master file for unusual or inactive vendors. Conduct due diligence on new vendors.
- Compensating Controls: For smaller entities where full segregation is challenging:
- Require dual signatures for payments above a certain threshold.
- Implement regular, independent review of vendor payments and purchase orders by a senior manager or owner.
- Utilize system-generated reports of vendor master file changes, reviewed by an independent party.
By distributing these critical functions, companies can create a system of checks and balances that makes it significantly harder for procurement fraud to occur.